
How to minimize quantum whiplash

By Brian Siegelwax posted 20 Aug 2024

News feeds are buzzing about NIST’s formalization of post-quantum cryptography (PQC) standards. These protocols are intended to protect data from decryption by future, large-scale, fault-tolerant quantum computers. Paul Stimers of the 2,200-attorney law firm Holland & Knight wonders, however, why we’re referring to this problem in the future tense.

The Accident Today, the Pain Felt Tomorrow

If you’ve read any of the countless articles out there, you’re no doubt familiar with the expression “harvest now, decrypt later.” We know that today’s data is being stored by malicious actors with the intent to decrypt the information with quantum computers as soon as it becomes feasible to do so. We tend to focus on the “decrypt later” part as if we’re in a race to protect our data before this capability manifests.

But as Mr. Stimers puts it, the car accident has already happened. Unlike most vehicle collisions, however, cybercrime isn’t an “accident”; the driver actively intended to hit us. The key takeaway is that our information has already been stolen, and the damage has already occurred. Like whiplash, though, we’re just not feeling it right away. We’re merely waiting to feel the impact of this event, which we ought to be referring to in the past tense.

The Open Question of Liability

A car accident doesn’t just cause damage, however. There’s the issue of liability afterward. As a driver in the United States, you’re responsible for ensuring your passengers are wearing seat belts.

Now that your organization can install PQC seatbelts for your clients or customers, what will be your liability if you don’t? If you have the opportunity to protect tomorrow’s data today, but you don’t, will you be held liable?

This is an open question today, but it may not stay that way. Mr. Stimers notes that as implementation becomes a best practice, it will become increasingly important for companies to follow it. If you don’t, you may at least have to explain why you didn’t. The questions you need to ask yourself are:

a) Are the standards effective?
b) Are they implementable?
c) What does it cost?
d) Given a, b, and c, can I afford not to do this?

Mr. Stimers clarified that liability can be nuanced. “Durable” data will stay relevant long-term and should be of concern, but you don’t necessarily have to worry about non-durable data. There is also “ephemeral” data, which is not yet valuable in the context of PQC because it loses relevance quickly. In other words, you don’t necessarily have to buckle in your gym bag, but you definitely have to buckle in people. To determine which is which, you can ask yourself:

a) How durable is this data?
b) How valuable is this data?
c) What is my exposure, including liability and reputational damage, if this data is compromised?
d) Given a, b, and c, can I afford not to buckle in this system – not to migrate this system to PQC?

Conclusion

Some organizations really don’t have a choice. Actors with cybersecurity reputations have to lead the way; otherwise, they’ll have to explain themselves as a branding matter. Other examples are banks and financial institutions; why would one risk not being secure if it can be? But if you’re reading this and wondering if you’ll someday have to justify not migrating to PQC protocols, you probably should.


Categories: Artificial intelligence, cybersecurity, Guest article, quantum computing

Tags: cybersecurity, IQT, liability, NIST, PQC, Quantum
