Understanding Cryptography in the Quantum Age... Demystifying Canada’s Quantum Strategy

As part of the Canadian government’s 2021 budget, $360 million was allocated over seven years to launch a Canadian National Quantum Strategy (NQS), whose objective is to advance the emerging field of quantum technology. The NQS’ recent report released on February 8, 2022, not only covers the Quantum sector’s role in the Canadian economy, but also provides a detailed plan for Canada to mitigate the “significant risk” that quantum computing represents in breaking the currently cryptography underlying our secure Information and Communications Technology (ICT) systems. The report requests the government use its influence to help “raise awareness of quantum security issues,” and states “we must foster a sense of urgency in responding to these issues.”  

Quantum computers already in operation today are not yet powerful enough to be a significant threat to current cryptography. While some believe the development of powerful quantum computers to be far off, the tens of billions of dollars that are being invested globally in the Quantum sector have led to its rapid development. As a result, within as few as 5 to 10 years quantum computers are likely to become powerful enough to break much of the current cryptographic communications infrastructure.  

The NQS report explains that existing critical infrastructure needs to be protected in order to be made ‘quantum-safe.’ This means Canada’s infrastructure needs to utilize new cryptography that is resistant to cyber-attacks by adversaries with quantum computers. With this same goal in mind, the U.S. National Institute of Standards and Technology (NIST) is currently nearing the end of its project to provide technical standards for an initial suite of new quantum-safe cryptographic solutions.


Why now?  
‍
This report suggests a lack of urgency on the quantum threat, which is likely because some stakeholders see it as too distant a development, and it emphasizes the need to “look beyond near-term quantum cryptography risks.” Of particular concern is the threat to information requiring long-term confidentiality, which needs to remain private for at least a decade. In this situation, adversaries can store or retain information that is openly transmitted (using current encryption protocols), and then decrypt it in the future once large-scale quantum computers become available. To avoid this type of ‘harvest and decrypt’ attack, the NQS states “Canada should respond proactively, placing a high priority on the timely development and adoption of quantum-resistant cryptography.”  

The report outlines the scale of this security problem: “New projects that are planned or underway need to address the risks posed by quantum computing. Planning now to build in quantum-safe features is preferable to trying to retrofit systems later. In many cases, existing technology may need to be replaced rather than migrated. The interoperability of old and new systems will be a major issue, as transitioning to new cryptographic systems may take years.” Overhauling an entire security infrastructure is a formidable task indeed. Replacing it by a new quantum safe cryptographic infrastructure will require careful planning done in a timely manner.


Canada as a Quantum Safe Cryptography Leader
‍
While the NQS points out that “many companies, institutions and researchers are unaware of the quantum computing risk and how to prepare,” it also identifies Canada as having “strong expertise in technologies that enhance cybersecurity against these risks.”

The NQS indicates we have a promising future in this sector, where “we can be a leader in the advancement of quantum readiness and agility, both nationally and internationally.” It further states that “Canadian innovation and investment have the potential to be on the leading edge of quantum security and make a global commercial impact.”


Cryptographic Agility Management is the Solution
‍
On a positive note, the report indicates a way forward. The first step is for an organization to identify where quantum-vulnerable cryptography resides. This would require the analysis and discovery of the organization’s entire cryptographic inventory, which can be done with a services such as InfoSec Global’s AgileSec Analytics tool.

Once vulnerable cryptography is identified, prototyping hybrid/quantum-resistant cryptography systems “should begin as soon as possible, followed by transitioning to post-quantum cryptography.” When implementing hybrid/quantum-resistant cryptography systems, it is advisable to follow the forthcoming standards and recommendations by NIST mentioned above.  It is unrealistic to expect every company to have their own in-house team of quantum-resistant cryptographers. Instead, the report states that “those who own sensitive information and manage sensitive assets need to be engaged.” It suggests that having “a testing platform for Canadian businesses lacking quantum experience or expertise would help them experiment with product deployment and realize the implications of quantum computing on cybersecurity.” An important concept that is brought to light is that of crypto agility—the ability to transition between cryptosystems, in this case from legacy to quantum secure systems seamlessly and automatically. The NQS report explains crypto agility “should be built into NQS security considerations and into government IT systems and planning.” Having a crypto agile platform, especially at the application level as is done in InfoSec Global’s Cryptographic Agility Management Platform will allow for a more fluid cryptographic migration.


Government Role in Quantum Secure Solutions
‍
The report recognizes that the current amount of funding for the NQS is insufficient to address the risks of quantum to cybersecurity. It advises that the federal government will need to play an ongoing role to drive quantum readiness in general and encourage industry to move on the quantum security issue more quickly through mandates, incentives and funding. The NQS states that the Canadian government becoming an early adopter of security solutions “will help to drive investment and innovation, provide testbeds, facilitate interoperability and foster commercial adoption.” They recommend that governments not only use their procurement power and funding, but also their “regulatory powers to ensure that providers offer quantum-secure products and services.” Even before government regulation or incentives are put in place, there is ample reason to begin the migration process to quantum safe cryptography. Talk to us to identify your cryptographic vulnerabilities and build crypto agility into your systems by emailing us at info@infosecglobal.com.