
Congress Passes Quantum Cybersecurity Bill


Why should CISOs, CTOs and CIOs care and act? 

Having personally attended virtual meetings with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) on the Quantum Computing Cybersecurity Preparedness Act in the fall of 2021, I am pleased to see progress has occurred a year later!

The Quantum Computing Cybersecurity Preparedness Act passed the US House back in July, passed the Senate, and now will be signed into law by President Joe Biden. It was co-sponsored by Sens. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H., as a bipartisan bill. Once enacted, the legislation will require the Office of Management and Budget (OMB) to prioritize federal agencies' acquisition of, and migration to, IT systems with post-quantum cryptography, based on NIST standards, recommendations and guidelines, and on the vendors NIST has invited.

Why do we need to care and act? 

NIST has stated, “quantum computers could potentially crack the security used to protect privacy in the digital systems we rely on every day — such as online banking and email software.” 

NIST has selected cryptographic algorithms designed to resist attacks by quantum computers: https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms, with an initial list of vendors such as Cisco Systems, AWS, VMware, Samsung, Thales, IBM and others identified: https://content.govdelivery.com/accounts/USNIST/bulletins/31f0b39

Question: My firewall solutions provider, cloud provider and IoT vendor all say they are adopting the NIST solutions in upcoming releases. Am I good for now?

Answer: Possibly not, if any form of software development is occurring in the enterprise, from a website with back-office ERP or CRM functions to anything else.

All programmatic interfaces, such as APIs, need to be protected, and if DevOps is used for application development, then DevSecOps processes, methods and tools are needed, ideally with the NIST standards and guidelines enforced.

The C-suite for enterprises must connect the dots and bridge existing and emerging processes, methods, tools and education into a holistic security platform built on the NIST standards. That platform spans Web Application Firewalls, DPI/DLP (Deep Packet Inspection/Data Loss Prevention) solutions, Identity Management solutions and security vulnerability scanning of all software being developed, along with continuous monitoring and reporting in place.

When will hackers start using Quantum Computing? 

The likelihood of a hacker working in his or her basement having access to quantum computing is close to zero now, and may become prevalent by 2030. However, state-sponsored hackers from non-democratic countries, such as China, are likely being given access to quantum computing now, or such countries may be supplying the technology to Russia, North Korea and Iran, hence the urgency.

Next Steps! 

The OMB will require all US federal agencies to perform an annual cybersecurity assessment report, with adherence to the NIST recommendations being assessed, starting in 2023. To stay in sync, enterprises should perform a holistic audit of all cybersecurity solutions, with queries to each vendor on their migration plan to the NIST standards. For newer purchases, RFIs/RFPs can have a line item for each vendor's migration plan to the NIST-recommended solutions.
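A practical first step in the audit above is a cryptographic inventory: list every algorithm that vendors report or that appears in your own configurations, then flag which entries rest on public-key schemes a quantum computer could break and which already use the NIST-selected schemes. The script below is an added example written for this article, not code from the original post or from any vendor. The asset names, the inventory lines and the status labels (vulnerable, hybrid, pqc, symmetric-ok, symmetric-review, legacy, unknown) are constructed for illustration; the algorithm names come from NIST's July 2022 selection (CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+). It goes a little beyond the text by also noting symmetric key sizes, since Grover's search roughly halves their effective strength.

```python
"""Cryptographic inventory triage for a post-quantum migration audit.

Added example, not code from the original article. It reads a constructed
inventory of algorithms reported by vendors or found in configuration and
flags each entry by its exposure to a cryptographically relevant quantum
computer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Public-key schemes whose security rests on factoring or discrete logarithms;
# Shor's algorithm breaks all of these on a sufficiently large quantum computer.
QUANTUM_VULNERABLE_PK = {
    "RSA", "DSA", "DHE", "DH", "ECDHE", "ECDH", "ECDSA", "ED25519", "X25519",
}

# NIST's July 2022 selections: CRYSTALS-Kyber for key establishment,
# CRYSTALS-Dilithium, FALCON and SPHINCS+ for signatures. ML-KEM and ML-DSA
# are the names later used for Kyber and Dilithium in the draft standards.
PQC_SELECTED = {"KYBER", "ML-KEM", "DILITHIUM", "ML-DSA", "FALCON", "SPHINCS+"}

# Longest names first so "ECDHE" is matched before "ECDH" before "DH".
_KNOWN = sorted(QUANTUM_VULNERABLE_PK | PQC_SELECTED, key=len, reverse=True)


@dataclass
class Finding:
    asset: str
    algorithm: str
    status: str  # vulnerable | hybrid | pqc | symmetric-ok | symmetric-review | legacy | unknown
    note: str


def primitives(algorithm: str) -> set[str]:
    """Extract known public-key / PQC primitive names from an algorithm or
    cipher-suite string such as 'ECDHE-ECDSA-AES128-GCM-SHA256'."""
    text = algorithm.upper()
    found: set[str] = set()
    for name in _KNOWN:
        if name in text:
            found.add(name)
            text = text.replace(name, " ")  # prevent re-matching a substring
    return found


def classify(algorithm: str) -> tuple[str, str]:
    """Return (status, note) for one algorithm string."""
    prims = primitives(algorithm)
    pk_vuln = prims & QUANTUM_VULNERABLE_PK
    pqc = prims & PQC_SELECTED
    if pqc and pk_vuln:
        return "hybrid", f"PQC {sorted(pqc)} combined with classical {sorted(pk_vuln)}"
    if pqc:
        return "pqc", f"NIST-selected scheme(s): {sorted(pqc)}"
    if pk_vuln:
        return "vulnerable", f"Shor-breakable public-key primitive(s): {sorted(pk_vuln)}"

    up = algorithm.upper()
    if re.search(r"\b(3DES|DES|RC4)\b", up):
        return "legacy", "weak today regardless of quantum computing; replace now"
    m = re.search(r"(AES|CHACHA)[-_]?(\d{3})?", up)
    if m:
        bits = int(m.group(2)) if m.group(2) else 256  # ChaCha20 uses 256-bit keys
        if bits >= 256:
            return "symmetric-ok", f"{bits}-bit key; Grover's search leaves ~{bits // 2} bits"
        return "symmetric-review", f"{bits}-bit key; Grover's search reduces it to ~{bits // 2} bits"
    return "unknown", "algorithm not recognised; ask the vendor"


def triage(inventory_text: str) -> list[Finding]:
    """Parse 'asset, algorithm' lines (comments start with #) into findings."""
    findings: list[Finding] = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        asset, _, algorithm = line.partition(",")
        status, note = classify(algorithm.strip())
        findings.append(Finding(asset.strip(), algorithm.strip(), status, note))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status for the audit report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample inventory (not real data): asset, algorithm
SAMPLE_INVENTORY = """\
# asset, algorithm
vpn-gateway-01, RSA-2048
web-frontend, ECDHE-ECDSA-AES128-GCM-SHA256
web-frontend, X25519Kyber768
backup-at-rest, AES-256-GCM
file-transfer, AES-128-CBC
code-signing, Dilithium3
iot-fleet-firmware, ECDSA-P256
hsm-legacy, 3DES
"""

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.status:17} {f.asset:20} {f.algorithm:32} {f.note}")
    print("summary:", summary(results))
```

The "hybrid" status is worth keeping separate from "pqc": a combined classical-plus-PQC key exchange is a reasonable transition step, but the classical component still appears in the inventory and should be tracked until the vendor's migration plan removes it.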

Bottom Line 

Quantum computing cybersecurity vulnerabilities are poised to impact all current and future investments. When reassessing RFIs and RFPs for cybersecurity vendors, enterprise CISOs, CTOs, and CIOs should heed NIST’s standards, recommendations, and guidelines. Work with your invited vendors to find the best ways to meet your digital transformation initiatives by fully preparing for future quantum computing vulnerabilities.

- Akshay Sharma
Advisor at Lionfish Tech Advisors