Deloitte’s managing director of risk and financial advisory Colin Soutar anticipates that in 2024, “post-quantum cryptography (PQC) will come of age,” driven by the upcoming PQC standard release from the National Institute of Standards and Technology (NIST). Organizations across various sectors, led by federal and financial entities, are preparing for this transition. Soutar also shed light on the expanding ecosystem of PQC vendors and the role they play in this transition.
More organizations advance toward quantum readiness
“Drafts of PQC standards have recently been released and with that, in 2024, I expect that we will see a new group of organizations begin to take steps towards quantum readiness – starting with assessments of their cryptographic exposure – while those who have already commenced that journey will add further to their cryptographic agility plans,” Soutar noted in his predictions.
The three draft PQC standards NIST released earlier this year include the Module-Lattice-based Key-Encapsulation Mechanism Standard, Module-Lattice-based Digital Signature Standard and Stateless Hash-Based Digital Signature Standard. A fourth standard derived from Falcon is expected to be released soon and the institute expects to finalize its PQC standards by 2024.
Potential PQC regulations
It’s uncertain whether regulators will immediately adopt and mandate the use of the NIST Federal Information Processing Standards (FIPS) upon release of the PQC standards, or delay the implementation, Soutar told SDxCentral.
“I think in the federal environment, there’s an immediate connection to what they have to do,” he said, adding that for commercial entities, particularly those that are deemed within critical infrastructure, it would be very interesting to watch if they are going to adopt the standards immediately and some industries may wait for regulations to adopt PQC.
“From our perspective, we are cautious about that being a driver for adoption of the PQC standards, because the regulators may wait for more of a commonplace, linear set of activities, whereas quantum computing almost by its very nature, it’s not linear, and we don’t know how quantum computing may mature more rapidly than people had thought,” Soutar said.
Instead, he suggests organizations both in the federal and commercial spaces should take action to understand their potential post-quantum threat exposure, conduct an inventory of existing cryptographic systems and assets, learn how to adopt the upcoming PQC standards, aiming for crypto agility or maybe a classic and post-quantum hybrid cryptosystem in the future.
Industries at the quantum-readiness forefront
Regarding the industry readiness for quantum computing, the U.S. federal sector and other governments around the world are leading, followed by the financial sector. Some large financial institutions are proactively assessing their exposure and potential market advantages, Soutar said.
Healthcare, technology vendors especially the hyperscalers like Google, Amazon Web Services and Microsoft, telecommunications and space operation sectors are also becoming aware of the need for quantum readiness, he added.
The expanding PQC vendor landscape
“In addition, the continued expansion in the number and capabilities of PQC vendors will help organizations’ programs to improve by offering a greater ability to upgrade cryptographic algorithms across vast, heterogeneous environments,” Soutar forecasts.
He categorizes PQC vendors into three categories: hyperscalers or large cloud service providers; traditional security vendors that started to look at post-quantum threats, PQC or have been working in public key infrastructure; and specialized vendors that have been established because of the post-quantum threats.
Cybersecurity vendors and PQC services
Soutar expects more traditional security vendors to add post-quantum services to their portfolio. “They have a more nuanced understanding of quantum. And a lot of the discovery services that are being done tend to be similar across the vendors these days.”
However, more quantum-specialized vendors have unique expertise in PQC algorithms, quantum computer developments, and quantum-derived technologies like quantum key distribution and quantum random number generation, he said.
Selecting the right PQC vendor
Choosing a PQC vendor requires a tailored approach. Soutar said Deloitte helps clients navigate this post-quantum transition process.
“We offer services similarly around the discovery of the algorithms that are there, working on roadmaps in terms of transition. And then if there are particular technologies that can be pulled through, we often work with the client in terms of what their specific needs are, and we can help them make that decision themselves based on the different aspects that they’re looking for,” he said.