Preparing for Post-Quantum Risk: Quantum Cybersecurity in 2024

The awareness of quantum computing in 2023 was as much driven by the stick of the threat to public key encryption from near-future quantum computers as the carrot of use-case opportunities.

Even before quantum computers are powerful enough to break current encryption standards, threat actors are stealing vast amounts of encrypted data to decrypt at a later date. This activity is known as “harvest now, decrypt later.”

But quantum technologies also offer solutions in terms of ultra-secure communication and quantum key distribution.  

Enter Quantum has collected quantum cybersecurity predictions from experts to find out what to expect in the coming year and how to defend against the quantum threat to secure data.  

Cambridge Consultants associate director of quantum algorithms James Cruise

The game-changing event expected in 2024 will be the final standardization of post-quantum cryptography (PQC) algorithms by NIST, expected sometime between March and June. This will finally open the floodgates on industry activity to put compliant PQC tech on the market  –there have been plenty of prototypes, but without the finalized standard most things have been held back from volume production.

It will also start the clock on the US federal uptake of PQC solutions – Biden’s National Security Memorandum 10 requires a timeline for the deprecation of non-PQC crypto in federal systems to be published within 90 days of the release of the standards.

Related:Quantum Computing Lives Behind the Scene at CES 2024

Early adopters have already made significant strides on the PQC transition, including Cloudflare and Google Chrome. Since Chrome version 116, PQC algorithms have been available for testing, and in the latest release, Chrome 120, if you connect to Cloudflare or another compatible service, PQC will now be used by default under the hood.

The final standardization will enable such early adopters to make prototype services mainstream. However, the impact on many will be low as changes will happen in the background with little impact on users. Further, it is expected to take a few years before mainstream adoption of PQC in IoT devices occurs.

There will be a whole range of legacy technologies that cannot be upgraded and for which there are no PQC replacements. These will remain vulnerable and potentially become an issue if still in use when the quantum computing threat materializes. Security strategies for new products and services should incorporate concepts such as crypto agility to maximize the opportunity to defend against current threats, such as harvest now, decrypt later attacks, as well as future ones.

Qrypt CTO and co-founder Denis Mandich

The harvest now, decrypt later attack methodology is one of the highest potential payouts because the cost of storage is so minimal, and the possible financial value is so high. Therefore, cybercriminals will continue to target low-level access points, as they pay dividends as the entry operation to high-value assets over time. 

Industries with the most monetizable data, including finance, healthcare, government and critical infrastructure – electricity, water, petroleum – will continue to be the industries with the highest risk of data stealing attacks in 2024 and beyond.

As the new Securities and Exchange Commission cybersecurity reporting rules hold chief information security officers (CISO) more responsible for cyber incidents and the number of fraud cases rises, CISOs and cybersecurity leaders will need to closely monitor systems for harvest now, decrypt later attacks and consider the potential security, business and regulatory repercussions.

Thales global head of data security products Todd Moore

Enterprises will finally grasp the importance of being quantum-ready in 2024. It will take standards to be agreed upon to finally get there – these are expected in 2024. But we will start to see interest in quantum computing break out of the technical circles it’s largely languished in until now and onto the agenda of mainstream enterprise decision-makers in 2024.

Public key infrastructure, transport-later security encryption, browsers and code signing are the four essential areas where we will see greater interest in post-quantum cryptography in the coming year, not just in terms of mitigating risk, but as a business differentiator too.