
A new coalition of private sector quantum computing leaders has unveiled its first roadmap to ‘cryptographic agility’ with one urgent message to all sectors: start preparing now.
The Quantum-Safe 360 Alliance – which includes Keyfactor, IBM, Thales, and Quantinuum – published its first guide on August 14 for transitioning to post-quantum cryptography (PQC).
The goal of the white paper? Helping “enterprises tackle the challenges of PQC transitions,” through a “coordinated, public effort to provide clear guidance and accelerate preparedness for the quantum era,” the coalition said.
“Viable quantum computing could arrive in less than five years, which means time is a precious commodity for security practitioners,” said the alliance.
“When quantum computers achieve the ultimate cryptographic breakthrough, the resulting vulnerabilities could trigger unprecedented data theft risks and economic consequences, potentially leading to the largest transfer of wealth in recorded history,” it said.
To prevent those consequences, the alliance said organizations need to achieve cryptographic agility – the ability to quickly adapt cryptographic standards to the latest threats, rather than taking years to respond to immediate ones.
“It is both a measure of preparedness and a design principle for updating, replacing, and adapting cryptographic systems with minimal disruption to operations and architecture,” the alliance said, adding that agility “represents the next evolution of secure encryption.”
Getting there will require applying a comprehensive framework similar to that of zero trust security, alliance members wrote, which means covering every element of cryptographic implementation.
The initial step for those looking to make the transition to PQC is discovering and prioritizing the scope of a quantum threat and evaluating an organization’s assets. From there, incremental implementation through testing and staging, iterative deployment, and continuous monitoring and improvement can avoid disrupting ongoing operations, the group said.
Taking those steps begins action that is critical now, rather than later, the alliance said, explaining that adversaries who harvest encrypted data now and decrypt it later can exploit current weaknesses and use that information once quantum computing is viable.
“Delaying action only increases exposure to these risks,” warned the alliance, adding “the shift to quantum-resilient cryptography is unavoidable,” and acting now “is critical to risk mitigation and maintaining compliance as regulations evolve in kind.”
While certain sectors – such as finance, defense, telecommunications and the Federal government – are ahead in PQC adoption, local governments are lagging behind, which poses the “challenge of catching up to avoid vulnerabilities,” the group said.
There are technical challenges in transitioning to PQC too, the alliance noted, saying that legacy systems, Internet of Things devices, and outdated software “often struggle to support the computational demands of PQC.”
Applying best practices – such as starting now, centralizing planning, building expertise, and planning iterative implementation – can help address some of those challenges.
Vendor accountability is another way to address challenges, with the alliance saying that an “organization’s procurement power is a key tool for demanding quantum readiness from vendors, accelerating industry-wide adoption.”
“This collaborative approach is key – organizations do not need to navigate the complexities of transitioning to post-quantum cryptography alone,” said the alliance. “Let the journey to quantum safety begin.”