Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free TrialWhile quantum computing is years away from practical deployment, it will pose a major threat to software supply chain security — and now is the time for security teams to prepare for that. A significant step was recently taken in spurring preparedness when the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) introduced its principal set of encryption algorithms designed to withstand attacks from a quantum computer.
Encryption tools rely on complex math problems that conventional computers find difficult or impossible to solve, NIST explained in a statement. However, a sufficiently capable quantum computer would be able to sift through a vast number of potential solutions to these problems very quickly, thereby defeating current encryption. The algorithms NIST has standardized are based on different math problems that would stymie both conventional and quantum computers.
Dustin Moody, who heads NIST's Post Quantum Cryptography (PQC) standardization project, said in a statement:
These finalized standards include instructions for incorporating them into products and encryption systems. We encourage system administrators to start integrating them into their systems immediately because full integration will take time.
As quantum computing technology advances, existing cryptographic algorithms could become vulnerable to attacks, a threat that is particularly acute for public-key algorithms and the security of software supply chains, which rely heavily on cryptographic methods to ensure the integrity and authenticity of software components. By implementing PQC, organizations can ensure that these components are secure against future quantum threats. That will involve evaluating and selecting third-party cryptographic components that align with PQC standards and strategies.
The NIST algorithms mark the start of a new era for CISOs and their security teams, said Duncan Jones, head of cybersecurity at Quantinuum, an international quantum computing hardware and software company.
Duncan JonesMoving forward, public and private sectors alike must pursue a layered, defined strategy that includes PQC as well as cybersecurity solutions that leverage quantum mechanics, such as proven quantum randomness for encryption-key generation. When combined with PQC algorithms, these quantum-derived technologies can help protect against a far fuller range of threats posed by quantum computers.
Here's why NIST's new quantum protection standards matter for bolstering software supply chain security.
See RL's new Essential Guide Software Supply Chain Security for Dummies
Three finalized federal information processing standards (FIPS) were announced by NIST on August 13:
Skip Sanzeri, founder and COO of QuSecure, expressed enthusiasm about NIST's big PQC push.
Skip SanzeriIt is very exciting that NIST has finally announced the first approved post-quantum algorithms, which are the result of a more than eight-year effort. Overall, this is the first significant upgrade to cryptography in over 20 years.
Sanzeri said the time is now for global enterprises to begin testing post-quantum cybersecurity on their network communications "so little time is wasted before quantum computers become powerful enough to break weaker forms of encryption."
Enterprises should consider cryptographic agility, because it’s expected that post-quantum algorithms will change over time. “It is vital to have the means to hot-swap algorithms, key strengths, and cryptographic libraries. With quantum computing and AI becoming more powerful, public-key encryption is at a greater disadvantage every day," Sanzeri said.
Although practical quantum computers may be 10 years or more away, adversaries have already begun preparing for that day. “We know that data stolen today could be decrypted at any time in the future, and sensitive data such as health records or financial data falling into the wrong hands would be damaging,” Quantinuum's Jones explained. “We work with a wide range of enterprise customers, and it’s clear that successful CISOs recognize quantum is an ally as well as a threat.”
QuSecure's head of product, Meg Gleason, said that it's essential to recognize that attacks on our data encryption — prompted by the anticipated threats from quantum computing — will not arrive with any prior warning.
Meg GleasonNow that the standards are here, it's the responsibility of business and security leaders to implement these new algorithms and protect the data their organizations and customers depend on.
Adam Everspaugh, a cryptography expert at Keeper Security, said the cybersecurity industry must prioritize integrating NIST’s new cryptographic standards into existing systems. "While this process is complex and time-consuming, the time to act is now. The collaboration between NIST, CISA, NSA and the broader cybersecurity community has been crucial in reaching this milestone, and continued cooperation will be vital as we move forward,” he said.
The challenges for IT and security teams are significant, from ensuring compatibility with existing systems to managing the transition of cryptographic keys, Everspaugh said.
Adam EverspaughHowever, the urgency of this shift cannot be overstated. The potential for quantum computers to break widely used encryption algorithms like RSA and elliptic curve cryptography is a very real threat that could compromise the security of sensitive data worldwide.
Assuming that cryptographic schemes like RSA and ECC will be rendered insecure by quantum computers around 2029 or 2030, Jason Soroko, senior vice president of product at Sectigo, recommended this timetable for becoming quantum-secure:
As quantum computing technology continues to advance, the security of software supply chains is facing a significant threat. By adopting post-quantum cryptographic algorithms, organizations can protect their software supply chains from future quantum-enabled cyberthreats, ensuring the confidentiality, integrity, and authenticity of their software components. This proactive approach is essential for maintaining robust cybersecurity in the face of the evolving technological challenges in a post-quantum world.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free Trial