_Sergey_Tarasov_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop&w=696&resize=696,0&ssl=1 "Exploring Legislative Opportunities for Cryptographic Agility")
_Sergey_Tarasov_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop&w=1200&resize=1200,0&ssl=1&description=Exploring+Legislative+Opportunities+for+Cryptographic+Agility){kind=link}
Photo credit: www.darkreading.com
COMMENTARY
In the rapidly evolving landscape of cybersecurity, one fundamental mistake is the belief that existing risks will remain constant. This mindset often overlooks the emergence of new threats, which can lead to significant vulnerabilities. Established threats such as ransomware, phishing, and business email compromise are well-known, yet security experts must acknowledge that innovative risks are constantly surfacing.
The advent of quantum computing presents a unique challenge, particularly regarding the potential for breaking existing algorithms. This situation offers cybersecurity professionals and lawmakers a valuable opportunity to proactively prepare for the future by embracing the concept of cryptographic agility. This approach refers to the capability of a system to transition seamlessly to new cryptographic protocols in response to vulnerabilities in current algorithms, without disrupting operations.
The Possibility of Cryptographic Agility Adoption
As quantum computing technology progresses, one pressing question emerges: is the average technology company equipped to adopt cryptographic agility?
While quantum computing itself is not new, the development of new cryptographic algorithms to address these advancements has been ongoing, notably since 2016 when the National Institute of Standards and Technology (NIST) initiated calls for innovation in encryption methods. Recently, three promising algorithms were published, yet the United States still lacks comprehensive legislation requiring businesses to implement cryptographic agility.
This legislative gap subjects sensitive data stored in the U.S. to potential risks, leaving smaller companies vulnerable without consistent regulatory guidance. Many depend on larger tech firms and initiatives like the Shared Responsibility Model to set standards for cryptographic practices.
NIST’s recent publication of three new encryption standards—ML-KEM, ML-DSA, and SLH-DSA—demonstrates a proactive approach. However, effective enforcement of these standards will need federal backing to ensure widespread adoption across security departments.
Cryptographic Agility: A Legislative NecessityÂ
To navigate emerging threats, such as the capabilities of quantum computing, it is wise to take cues from more advanced regulations abroad. U.S. security experts should study Europe’s legislative advancements, which often surpass American standards.
Notable examples include the new NIS and DORA regulations, which prioritize cryptographic agility as a fundamental security practice. Although these regulations originate outside U.S. borders, they could serve as a blueprint for the U.S. to craft its own legislation on quantum computing protections.
One of the difficulties with this issue is that, while we understand the necessity of preparing for quantum computing, the timeline for when traditional algorithms will be compromised remains uncertain. Discussions about when key vulnerabilities will be exposed often range widely, with speculations suggesting anywhere from a decade to several decades. Recent reports have raised concerns about entities, such as Chinese agencies potentially cracking significant algorithms, highlighting the urgency of preparing for these threats sooner rather than later.
This ambiguity underscores the critical importance of legislative measures implemented ahead of potential quantum challenges.
The Business Benefit of Cryptographic Agility
Adopting a cryptographic agility framework not only bolsters data security and privacy but also presents substantial business advantages.
Embracing cryptographic agility equips businesses with a strategic advantage. Taking preemptive measures before quantum computing fully emerges can enhance a company’s profitability, as it could serve as a significant distinguishing factor in the marketplace. With relatively few organizations currently implementing these best practices, companies that do so can carve out a competitive niche in their respective industries.
The Time to Prepare With Cryptographic Legislation Is Now
Assessing the risks associated with quantum computing presents significant challenges, as there is currently no consensus on how long it will take before widely used algorithms like AES-256 are deemed insecure. Estimates vary significantly, from 10 to 30 years, leading industries and lawmakers to hesitate in pursuing measures for cryptographic agility, often claiming they have ample time. However, the imperative remains clear: proactive engagement with cryptographic legislation is essential now. Companies adopting these practices will not only be ahead of the curve but will also enjoy a competitive edge.
In the realm of cybersecurity, the opportunity to prepare for the looming impact of quantum computing is a crucial privilege that organizations must not overlook. Prompt action is necessary to safeguard trusted algorithms that underpin current technologies.
Source
www.darkreading.com