How to Prepare for the Post-Quantum Computing Era: Security Strategies and Standards

The Battle for Security: How to Effectively Prepare for the Post-Quantum Computing Era

Quantum Computing and the Security Challenge

One of the main concerns surrounding quantum computing is its ability to easily break today’s encryption algorithms. Even the most robust cryptographic standards that have protected data for decades could be rendered obsolete in an instant, a scenario that worries many security professionals. While companies don’t need to panic just yet (experts estimate it will take five to ten years before quantum attacks become a real threat), the risks are significant enough that U.S. President Joe Biden signed two quantum computing directives in 2022, signaling it’s time to address this emerging technology.

These presidential directives called on the industry to develop quantum-resistant cryptographic standards, a task the National Institute of Standards and Technology (NIST) completed in August 2024 after years of work. Now, federal agencies are actively preparing to adopt these future standards.

“The culmination of NIST’s work is the starting gun for the transition to post-quantum cryptography (PQC),” said Colin Soutar, Managing Director at Deloitte.

Quantum Security Concerns

The core worry about quantum computing is how easily it can break the encryption algorithms that protect data in transit. For example, the asymmetric RSA algorithm, whose security relies on the difficulty of factoring large numbers and which is secure against classical computers, will be easily cracked by quantum computers in a fraction of the time.

Cybercriminals are already aware of this and have begun “data scraping”—collecting encrypted data now in hopes it will be useful once quantum computers mature. With cheap data storage, attackers are stockpiling encrypted information to decrypt it in the future.

Post-quantum computing also highlights the ongoing issue of legacy systems and devices, noted John France, CISO at the International Information System Security Certification Consortium (ISC2).

How to Prepare for PQC Security

Organizations should expect that a full migration to post-quantum cryptography will take several years. The sheer number of services that need updating, the complexity of each, and the reliance on third-party PQC adoption for supply chain security all contribute to the challenge.

Now that PQC standards are available, companies should consider the following steps:

1. Inventory and Classify Data

Review your organization’s information and determine what is confidential. Inventory your data and classify it to identify which information requires cryptographic protection. Consider which data needs stronger protection now, given the threat of data scraping. Not all data stored today will matter in five to ten years, but business secrets and other critical information should be secured both now and in the future.

2. Understand Future Risks

After inventorying and classifying data, conduct a risk assessment to understand how vulnerable information will be protected against emerging threats. Organizations should evaluate their potential vulnerabilities and how much they rely on cryptography, whether built into third-party tools or implemented in proprietary systems.

Understanding current and future risks helps organizations determine the urgency of adopting PQC and start building a roadmap for change. PQC should be considered not just from a technical perspective, but also for its business impact. Assign someone to lead the migration to PQC who can communicate its importance to leadership and explain how it reduces the risk of incidents and breaches.

Also, consider the encryption needs of Internet of Things (IoT) and other embedded devices, many of which may not handle the increased memory and processing demands of PQC algorithms. Test post-quantum algorithms for compatibility with low-power devices with limited resources.

3. Develop a Risk Mitigation Strategy

Once you’ve inventoried data and assessed risks, the next step is to implement risk mitigation strategies and create a dedicated team to manage these processes. This team should be responsible for data security policies, incident response plans, and business recovery plans. They should also assess which company information may already be at risk and how to handle such situations. Review critical data currently stored and determine if it needs additional layers of encryption.

Symmetric encryption, commonly used to secure stored data, will be less affected by quantum computing. For example, Grover’s algorithm can speed up database searches, effectively halving the time needed to break symmetric encryption. Therefore, NIST recommends using at least AES-192 or AES-256 for encrypting stored data.

However, data in transit remains at risk of future decryption. To counter this, asymmetric algorithms should be replaced with PQC encryption standards. This is tied to the concept of “cryptographic agility”—the ability to adapt your infrastructure to new threats and technologies as security standards evolve. Building cryptographic agility will take time, so organizations should start now.
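The three steps above can be made concrete with a small triage over a cryptographic inventory. The following Python example is added here for illustration and is not code from the article or from NIST; the `Asset` record, the five-year horizon, the priority labels and the sample inventory are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

HORIZON_YEARS = 5  # assumption: low end of the article's five-to-ten-year estimate

# Names of the NIST PQC schemes (Kyber/ML-KEM, Dilithium/ML-DSA, SPHINCS+/SLH-DSA, Falcon).
PQC = re.compile(r"KYBER|ML-?KEM|DILITHIUM|ML-?DSA|SPHINCS\+|SLH-?DSA|FALCON")
# Classical asymmetric schemes, matched as whole tokens inside a cipher-suite string.
CLASSICAL = re.compile(r"(?<![A-Z0-9])(RSA|DSA|ECDSA|ECDHE?|DHE?|X25519|ED25519)(?![A-Z0-9])")
AES = re.compile(r"AES[-_ ]?(128|192|256)")
ORDER = {"urgent": 0, "planned": 1, "upgrade": 2, "review": 3, "ok": 4}

@dataclass
class Asset:  # hypothetical inventory record, one per system or data flow
    name: str
    algorithms: str     # algorithm or cipher-suite string as found in configuration
    secrecy_years: int  # how long the protected data must remain confidential

def triage(asset: Asset) -> str:
    """Map one inventory record to a migration priority."""
    upper = asset.algorithms.upper()
    rest = PQC.sub(" ", upper)  # strip PQC names first so ML-DSA is not read as DSA
    has_pqc = rest != upper
    if CLASSICAL.search(rest) and not has_pqc:
        # Traffic captured today stays useful to an attacker if the data outlives the horizon.
        return "urgent" if asset.secrecy_years >= HORIZON_YEARS else "planned"
    aes = AES.search(rest)
    if aes:  # the article cites AES-192 or AES-256 as the minimum for stored data
        return "ok" if int(aes.group(1)) >= 192 else "upgrade"
    return "ok" if has_pqc else "review"  # unrecognised algorithms need a manual look

def plan(assets):
    """Return (priority, asset name) pairs, most urgent first."""
    return sorted(((triage(a), a.name) for a in assets), key=lambda p: (ORDER[p[0]], p[1]))

# Constructed sample inventory; names and lifetimes are illustrative only.
INVENTORY = [
    Asset("hr-database", "AES-256-GCM", 20),
    Asset("vpn-gateway", "ECDHE-RSA-AES128-GCM-SHA256", 10),
    Asset("marketing-cdn", "RSA-2048", 1),
    Asset("backup-archive", "AES-128-CBC", 15),
    Asset("firmware-signing", "ML-DSA-65", 10),
    Asset("legacy-plc", "3DES", 7),
]

if __name__ == "__main__":
    for priority, name in plan(INVENTORY):
        print(f"{priority:8} {name}")
```

Records that combine a classical and a post-quantum scheme are treated as covered by the post-quantum component; anything the patterns do not recognise is sent to manual review rather than assumed safe.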

PQC Implementation Options

In August 2024, NIST announced three PQC algorithms designed to withstand attacks from both classical and quantum computers:

  • Kyber – A lattice-based cryptographic algorithm for encryption and key establishment. Kyber is considered one of the most efficient post-quantum cryptosystems, offering strong protection and high performance in modern communication protocols.
  • Dilithium – A lattice-based digital signature scheme, similar to Kyber, used for authentication and data integrity. Dilithium combines high security with optimal performance, making it suitable for systems requiring efficient digital signatures in the face of quantum threats.
  • SPHINCS+ – A hash-based digital signature scheme. Unlike Kyber and Dilithium, SPHINCS+ does not rely on mathematical structures vulnerable to quantum attacks. It offers strong resistance through the use of Merkle trees, though its signatures are larger and less efficient than other algorithms.

NIST continues to evaluate additional algorithms, including Falcon, which is expected to be standardized later in 2024. This ongoing evaluation ensures that if one solution falls short, organizations have alternatives.

John France of ISC2 recommends companies select more than one algorithm—preferably those based on different mathematical principles. In addition to PQC algorithms, organizations may also consider Quantum Key Distribution (QKD), which uses quantum mechanics for secure key exchange. Data encrypted with QKD creates a random quantum state that is difficult to copy, and many QKD protocols can detect eavesdropping. However, the U.S. National Security Agency has stated that QKD is not viable in its current form.

As a result, organizations might combine PQC and QKD standards, suggested Rick Turner, an analyst at Omdia. This would make it harder for attackers, as they would need to break both the encryption and QKD to access data in transit. Turner also advised consulting security solution vendors to see if they are adding PQC to their products and services, and how they are doing it. This can help reduce costs, especially since QKD implementation can be expensive.

Conclusion

The advent of quantum computing marks not only a technological breakthrough but also a fundamental shift in the information security paradigm. Organizations of all sizes and industries are on the threshold of a new reality, where traditional data protection methods may be powerless against quantum algorithms.

Preparing for this future is not just a technical task, but a strategic imperative. Companies that act now are laying the foundation for long-term resilience and competitiveness. Data inventory, risk assessment, and developing migration strategies to post-quantum cryptography are steps that require time, resources, and, most importantly, visionary leadership.

It’s important to understand that transitioning to quantum-resistant systems is not a one-time event, but an ongoing process. As quantum technologies evolve, new threats and solutions will emerge. Therefore, cryptographic agility—the ability to quickly adapt to changing standards and security requirements—will be a key quality for organizations in this new era.
