QED-C Releases A Guide to a Quantum-Safe Organization

By Jim Gable, Anametric, Inc.

The Communications & Security committee within the QED-C Use Cases TAC today releases its new report, A Guide to a Quantum-Safe Organization. It is an introduction to preparing for a “post-quantum” world when sufficiently advanced quantum computers can break the encryption standards upon which our modern world greatly depends. It is presented in a magazine style and written more for an interested layman than a highly trained expert. And, yes, we tried to keep it short, too.

In the early stages of planning, we concluded that although there are many sources of information about quantum computers and cryptography, we found none that could best serve as a starting point, a short introduction. We wanted to touch on many aspects of the upcoming transition while most other sources—although perhaps more in-depth—left out significant technical options or economic and practical planning considerations.

For example, we observed that most articles and papers about technical countermeasures tend to come from one viewpoint. We wanted to make an overview that would cover both post quantum cryptography (PQC) and quantum key distribution (QKD) options while also touching on other relevant technologies such as quantum random number generators (RNG) and future quantum networks, for a single stop introduction.

The committee also felt that the existing material typically did not address the economic consequences of both the decryption risk and the process to prepare an organization. Likewise, most articles and papers don’t touch on the practical steps organizations can take starting even now.

We wanted to put this in the proper context of most IT cybersecurity planning. Preparing for future quantum computer attacks is primarily standard IT practices such as resource inventories, prioritization, vendor discussions and appropriate hardware & software upgrades, generally over a long-term horizon.

This cryptographic transition is likely to be the biggest ever in the history of cybersecurity, and will stretch across 10 to 20 years or more. Mistakes will be made, but one of the best ways to sidestep these mistakes is to start now. One of the more interesting conclusions from our research is that for most organizations it’s entirely reasonable to start now and the work relies primarily on normal IT planning and operations.

We are fortunate that our committee members are quite familiar with these issues, and some are known experts. We expanded this base of knowledge with dozens of interviews and discussions, and then ran the final drafts past several technical experts who were not part of the authorship.

We hope many people in many fields will have the opportunity to read the “Guide” and we look forward to receiving many comments and suggestions for future revisions. Most of all, we hope this becomes a useful tool for people and organizations around the world.