Despite high-level awareness and mounting concerns over the impending quantum threat, security leaders are “taking baby steps” on implementing post-quantum encryption (PQE), awaiting further developments, standards, and vendor and open-source product announcements, according to Forrester's latest 2024 State of Quantum Security report.
The report underscores the urgency for organizations to prepare for Q-Day – the day when quantum computers will have the capability to break traditional asymmetric cryptography and algorithms.
“Q-Day, when quantum computers can break traditional, asymmetrical encryption may be in the future, but preparation is in full swing,” stated Forrester VP and principal analyst Andras Cser.
However, the analyst firm noted industry progress on PQE implementation has been slow. While 71% of surveyed security leaders feel knowledgeable about quantum computing as an emerging technology, only 21% of the respondents rank it among the technologies causing the most concern. This highlights a significant gap between awareness and actionable progress.
“Some organizations hear that post-quantum is 15 years out, and it’s hard to get that tension,” Steve Stevens, the executive director of financial industry standards body X9, stated in the Forrester report.
Mixed messages for post-quantum migration
Forrester noted that when planning for the post-quantum migration, security and research leaders often have to contend with some mixed messages, including:
- National Institute of Standards and Technology (NIST)’s repeated competitions risk slowing algorithm adoption. In 2022, NIST revealed the first group of winners from its post-quantum cryptography competition, which was initiated in 2016. Many security leaders are still waiting for NIST’s post-quantum cryptography (PQC) standards, which are expected to be released this year.
- Government agencies are waiting on NIST but want the private sector to start planning. Despite closely following NIST, government agencies globally offer broader and more aggressive recommendations. For example, Germany's BSI information security office strongly encourages post-quantum migration, emphasizing hybrid implementation with classical schemes, while starting work on an open-source library with some of the post-quantum algorithms.
- Industry organizations and consultancies push inventory but then hit a wall. Security industry associations and consulting firms currently focus on advising their members and customers on how to discover and inventory encrypted data and the algorithms used to encrypt it. Another common theme among organizations is to ask third parties for their migration plans.
Tech giants start implementing post-quantum security measures
Forrester pointed out that some leading tech companies and organizations like Google and Cloudflare have begun implementing post-quantum algorithms, and Apple’s recent announcement of PQ3 for iMessage is another notable push.
In addition, Hewlett-Packard in March introduced its business PCs equipped with quantum-resistant chips at the company’s annual Partner Conference 2024. The company built its upgraded Endpoint Security Controller (ESC) chip into select PCs to protect firmware against potential quantum computer attacks.
Palo Alto Networks, a major player in the traditional cybersecurity industry, is also leaning into quantum security. The vendor has started implementing quantum-resistant capabilities across its technologies while partnering with federal agencies and other industry peers for PQC migration.
In February, the Linux Foundation announced the launch of the Post-Quantum Cryptography Alliance (PQCA). The founding members of this initiative include Amazon Web Services (AWS), Cisco, IBM, IntellectEU, NVIDIA, QuSecure, SandboxAQ, and the University of Waterloo.