By Michael Baczyk
Is Quantum on the Agenda of Security Executives?
The RSA Conference, the world’s premier cybersecurity event, convened in the heart of San Francisco, attracting over 40,000 attendees from around the world. The sprawling exhibition hall showcased the conference’s immense scale, requiring a full day to thoroughly explore each booth. For more than three decades, the RSA Conference has been a driving force behind the cybersecurity community, expanding its mission beyond annual gatherings to provide continuous support in the face of ever-evolving cyber threats. One of the most pressing concerns is the looming quantum threat, and my primary objective was to gauge the level of awareness and action among governments and commercial players in preparation for Q-day. The conference flew by in a flurry of intense discussions and networking, with days packed with hundreds of conversations. RSAC caters to decision-makers in the field, with 44% of attendees holding positions at the Director, VP, or C-level. I was pleased to discover that awareness of the quantum threat was widespread, with nearly everyone having seen news, heard discussions, or engaged in conversations about quantum computing. However, this awareness did not necessarily translate into immediate, well-defined actions or concrete plans for most of the attendees. While each organization’s roadmap will differ based on its size and agility in adopting new solutions, it is universally clear that the transition to post-quantum cryptography (PQC) should be one of the priorities on every company’s agenda.
There were also encouraging signs that concrete actions are beginning to enter the collective mindset. Many booths not belonging to quantum vendors prominently featured “Post-Quantum Cryptography” as part of their product offerings. Moreover, I heard accounts of companies proactively reaching out to large security firms to initiate the transition to the post-quantum security era. These instances were not limited to banks or financial institutions; I also heard specific examples from the retail sector. While post-quantum cryptography (PQC) is essential for mitigating the risks posed by quantum computers, it represents only one facet of the quantum realm. Preparing for the quantum threat is crucial, but it is equally important to recognize that quantum technologies can also bolster cybersecurity.
The latest topics discussed at RSAC in the post-quantum cryptography (PQC) area included:
- PQC Standardization: The ongoing PQC standardization process led by the National Institute of Standards and Technology (NIST) has been a focal point of discussion, especially with the anticipation of initial PQC standards being released in 2024. The cybersecurity community is eagerly awaiting NIST’s next moves and the implications for the industry.
- Hardware Efficiency Challenges: One significant concern raised was the hardware inefficiency of some proposed PQC schemes. Certain protocols are resource-intensive, making them challenging to implement in a wide range of applications. Addressing these hardware constraints is crucial for the practical adoption of PQC solutions.
- PQC Adoption Strategies: Startups in the PQC domain are grappling with the question of how to effectively sell their solutions. One approach gaining traction is penetrating the supply chain by licensing PQC technologies to established security vendors. This strategy enables PQC startups to leverage the existing customer base and distribution channels of these vendors, facilitating a smoother transition to PQC for end-users.
- Legacy System Compatibility: Many organizations still rely on legacy systems, such as older versions of Microsoft Windows, which may not receive PQC support from the original vendor. This presents a challenge for ensuring comprehensive quantum resilience. PQC startups are exploring ways to offer intermediate layers or adaptors to bridge the gap and provide quantum-resistant security for legacy systems.
- Export Control of PQC Solutions: Some PQC companies may face export control restrictions, limiting their ability to sell their solutions to countries outside of NATO. This adds a layer of complexity to the global adoption of PQC technologies, as companies navigate the legal and regulatory landscape to ensure compliance with export control regulations while still striving to promote widespread implementation of quantum-resistant security measures.
- Growing Interest in the Automotive Industry: With the rapid digitalization of vehicles and the trend towards autonomous driving, the automotive industry is showing increased interest in PQC. Securing in-vehicle systems, communication networks, and infrastructure against quantum threats is becoming a priority for automotive manufacturers and suppliers.
The PQC landscape at RSAC 2024 featured a diverse range of players, each bringing their unique expertise and offerings to the forefront. Notable vendors present included established names such as QuSecure, SandboxAQ, PQShield, Quantropi, and Quintessence Labs, as well as relatively new entrants like pQCee and Quantum Knight.
It is essential to recognize that while these vendors collectively operate within the PQC domain, their specific focus and approach may vary significantly. Some players concentrate exclusively on software-based solutions, developing algorithms, libraries, and toolkits to enable the integration of PQC into existing systems. Others take a more holistic approach, combining software development with hardware innovations to provide comprehensive PQC solutions.
The scope of offerings also differs among vendors. Some companies provide full-suite cybersecurity solutions that encompass various aspects of quantum-resistant security, including key management, authentication, and secure communication protocols. Others choose to specialize in specific areas, such as the encryption layer, focusing on the development and implementation of quantum-resistant cryptographic algorithms. Furthermore, while all these vendors are united in their efforts to address the quantum threat through PQC, some extend their operations to complementary technologies that harness the power of quantum mechanics to enhance security.
In recent years, the cybersecurity landscape has been dominated by software-based solutions, with a strong emphasis on developing and deploying advanced algorithms, protocols, and frameworks to combat evolving threats. Not to mention AI that was a hot topic of this year’s RSAC as well.
In order to provide the highest quality when generating cryptography keys, Quantum Random Number Generators (QRNG) are available in both software and hardware implementations, catering to the diverse needs of the industry. Notable players in the QRNG space include Quantinuum, which offers a software-based deployment solution, and Qrypt, which has recently started showcasing its hardware-based QRNG solution at conferences. Other companies present at RSAC, such as Quantropi and Quintessence Labs, have integrated QRNG capabilities into their broader security suites, recognizing the critical role of high-quality entropy in cybersecurity.
Quantum key distribution (QKD) is also gaining traction, particularly in Europe and Asia, not so much in the US. QKD allows for the secure exchange of cryptographic keys over untrusted networks, leveraging the principles of quantum mechanics to detect any attempts at interception or manipulation. Quintessence Labs present at RSAC has shipped its continuous variable quantum key distribution (CV-QKD) hardware out of Australia, demonstrating the growing demand for QKD solutions in the global market.
All in all, it was a very busy RSA Conference. Although there are a large number of cybersecurity threats that IT professionals need to be concerned with, it is encouraging that there is increased understanding of how a quantum-based attack can affect an organization’s security. Certainly, now is the time to start planning on how your organization will implement the necessary precautionary measures. One needs to understand that these measures will take a long time to fully implement, and it will be very costly for those who wait too long.
May 13, 2024
For those eager to learn more about the quantum threat to cybersecurity and also the players who provide solutions to combat it, check out GQI’s Quantum Safe Outlook Report which provides an in-depth review of this topic. For questions about specific issues you may face in your organization, please don’t hesitate to contact us at [email protected]. Our team will be delighted to provide you with access to our vast collection of information and insights on this topic to help you better understand the landscape of quantum safe cryptography and communications.