Recently, DigiCert, which provides Transport Layer Security (TLS)/Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI) solutions, released the results of a quantum computing survey of 400 IT directors, IT security managers and IT generalists. The study focused on enterprises with more than 1,000 employees in the United States, Germany and Japan.
The survey explored these IT decision-makers’ understanding of the looming threat of quantum computing to cryptography, and their knowledge of post-quantum cryptography (PQC) as a method of potentially mitigating the risks of quantum computing.
We spoke to Tim Hollebeek, Industry and Standards Technical Strategist at DigiCert, to learn more about the survey’s findings.
What did DigiCert hope to learn from the survey?
Our survey gathered perspectives from IT decision-makers in four major industries – financial, industrial, healthcare and transportation. Our goal for this research was to gain the industry’s take on quantum computing and PQC, especially since the impact is expected to be felt soon. How soon was one of our questions for survey participants.
We asked respondents a total of 55 questions. Among them: How big is the threat of quantum computing to your business? How crypto-agile would you rate your organization? When do you believe quantum computing will advance to the point where it can crack existing cryptographic algorithms?
In addition, we wanted to learn how adequately informed they were on measures they could take to protect their organizations from a quantum computer attack. Perhaps more importantly, we wanted to know whether they were following through and taking any of those steps to protect their organizations.
What is quantum computing and why is it a threat to advanced encryption algorithms?
Computers have traditionally stored information as strings of bits, but quantum computers store information in qubits, and can manipulate data using quantum mechanics.
Advanced encryption algorithms have typically been mathematically tough enough to be secure for the lifetime of the device. Until quantum computing, cyber-criminals had two options – work the math operations of the algorithm backward to gain access to the protected data or take a brute-force attack approach that involved submitting multiple password guesses in hopes of landing on the correct answer.
The first commercial quantum computer – the IBM Q System One – was just introduced in January. Much has been written about quantum computing’s value in the areas of particle physics, machine learning and the medical sciences. However, the potential must not be ignored, namely the possibility that such technology could be used to crack previously uncrackable encryption.
Is the IT industry aware of quantum computing’s threat to cryptography?
Cryptography involves protecting data from unauthorized users through the creation of complex algorithms. A majority of survey respondents considered quantum computing a threat to these algorithms. Sixteen percent consider it an “extremely large” threat, 39 percent view it as a “somewhat large” threat, 29 percent say it’s a “somewhat to extremely small” threat, and 1 percent wasn’t sure.
When they were asked to look toward the future, even more of them considered quantum computing a threat, with 71 percent saying quantum computing presents a “somewhat” to “extremely” large threat and just 18 percent calling it a “somewhat” to “extremely” small threat.
How soon does IT think quantum computing will become a threat?
Five percent of survey respondents believe quantum computing will advance this year to the point where it can crack existing cryptographic algorithms. A whopping 71 percent predicted it will before 2025. Of those, most – 18 percent – predicted 2022 will be the year that happens. That year was also the median prediction for when PQC would be required to combat the threat of quantum computing.
Twenty-six percent said it won’t happen until 2025 or later. And 2 percent said never! An overwhelming number – 94 percent – anticipate they’ll be working for their current company whenever it is that they’ll need to start worrying about an attack from a quantum computer.
How’s their level of awareness on PQC and the role it can play in mitigating these threats?
Things get interesting when it comes to that. While 71 percent of IT decision-makers reported being “somewhat” to “completely” aware of the definition of PQC, only 63 percent selected the correct definition – cryptographic algorithms that are designed to be secure against quantum computing attacks.
Almost 60 percent of survey respondents revealed their confusion about PQC by telling us they were currently deploying hybrid certs – a combination of PQC and Rivest, Shamir and Adleman (RSA)/Elliptic Curve Cryptography (ECC). That’s unlikely, though, because PQC certificate availability is currently limited to just early testing situations.
The confusion is understandable since PQC is new. Thankfully, despite that confusion, respondents say their organizations are convinced enough of PQC’s value to budget for it. Thirty-five percent already have a budget for PQC and another 56 percent are working on it.
What kinds of PQC threat mitigation strategies are they considering?
Eight out of 10 survey respondents told us it is “somewhat” to “extremely” important for IT to learn about quantum-safe security measures. For example, 95 percent considered encryption in the form of TLS digital certificates a “critical first step” in technology to developing quantum-safe security practices. Eighty-six percent say their organization already installs encryption in the form of certificates directly into applications and Internet of Things (IoT) devices.
Other tactics included monitoring, which topped the list of IT tactics, and increasing their understanding of how crypto-agile their companies are so they can switch to PQC certificates if needed.
What can companies do to protect themselves against the threat of quantum computing?
The best advice I can offer is to prepare now. The threats posed by quantum computing are coming. While you still have time, develop a PQC budget, understand your company’s risk and connect with a leading vendor that can help you protect your data with TLS data certificates.
Where can readers go for more information on the survey or on DigiCert?
Our “2019 Post Quantum Crypto Survey” details the top insights from the research study while our website offers information on the company and our TLS/SSL solutions.
Oct2019, Software Magazine