Site search
Preparing for the post-quantum era of security
Preparing for the post-quantum era of security

How to prepare for the post-quantum world

Key considerations

Given the risk posed by 'harvest now, decrypt later' attacks (where threat actors collect and store encrypted data now, with the intent of decrypting it once commercially useful quantum computers become available—various reports claim Chinese 'threat groups' may have started harvesting encrypted data as early as 20201), organisations need to begin encrypting data with post-quantum methods as soon as possible.

Australian organisations also need to begin implementing uplift activities and assessing their existing cybersecurity practices to ensure compliance by 2030.

Estimated likelihood of achieving CRQC

Source: Reproduced from Planning for post-quantum cryptography | Cyber.gov.au 

Checklist for preparing your organisation for the post‑quantum era

Adapting to the quantum future requires not only technical solutions but also strategic legal planning. 

Develop a credible roadmap for staged migration to post-quantum cryptography and encryption, encompassing risks both within the organisation and its supply chains. The ASD has said that a comprehensive transition plan should be in place by the end of 2026.

Conduct a comprehensive cryptographic mapping exercise and risk assessment. This will include:

  • identifying where the organisation relies on vulnerable algorithms that will need to be phased out.
  • assessing the 'crypto-agility' in its technical architecture—how quickly the organisation can adapt and switch out encryption protocols.
  • assessing the longevity and sensitivity of data assets to identify which are most at risk of 'harvest now, decrypt later' strategies.
  • engaging with third-party vendors and service providers to assess their quantum readiness and plans to support post-quantum cryptography.
  • assessing insurance coverage for quantum risk.
  • allocating OpEx and CapEx budget to the transition.
    • for financial institutions, updating risk registers.

Consider whether internal policies and procedures need to be updated.

Review and update third-party risks assessments regarding quantum computing risks.

When procuring new cryptographic equipment and software intended for use beyond 2030, ensure post-quantum cryptographic tools are used.

Review and update contracts to address quantum-related cybersecurity provisions and liability.

Monitor ongoing developments from standard-setting bodies such as the ASD and NIST.

Ensure there is clear accountability within existing governance frameworks for this risk.

Ensure the quantum risk is on the board agenda, incorporating both reporting and training.

 

Footnotes

  1. See Chinese could hack data for future quantum decryption, report warns , The Guardian, 30 November 2021.