<p>Cybersecurity executives have a long way to go before they are ready for a quantum computing world, researchers warn — and they’re likely running out of time.</p>
<p>A new <a target="_blank" href="https://www.forescout.com/blog/pqc-adoption-gaps-90-percent-of-systems-are-still-not-quantum-safe/" rel="noopener">report</a> from Forescout Research Vedere Labs found that 90% of systems remain unprepared for Q-Day — when a quantum computer can first break today’s public-key cryptography. Some experts anticipate that moment will arrive by 2030, leaving enterprises with only a few years left to prepare. And while many organizations are slowly upgrading their SSH and TLS protocols to become post-quantum cryptography (<a href="https://www.techtarget.com/searchsecurity/definition/post-quantum-cryptography">PQC</a>)-compliant, significant gaps remain.</p>
<p>“This isn’t theoretical anymore,” said Daniel dos Santos, vice president of research at Forescout. “It’s happening. Whether we get a quantum computer [capable of defeating public-key encryption] by 2030, at this point, is somewhat irrelevant. It’s time to adjust the mindset. We still talk to people who ask, ‘Does that really affect my industry? Do I need to care?’”</p>
<p>When Vedere Labs started tracking the <a href="https://www.techtarget.com/searchenterpriseai/tip/Why-business-leaders-must-explore-post-quantum-pre-quantum">PQC transition</a> a year ago, dos Santos said he would have rated the level of urgency CISOs should feel as a 2 or 3, on a scale of 1 to 10. Today, he rates it as higher than 5.</p>
<p>“It’s not as simple as clicking a button and everything is migrated,” he said, noting how comparable transitions — to TLS 1.3 and IPv6 protocols, for example — are still ongoing due to their complexity. “We’re talking about road maps here for two, three, four, even five years to actually become PQC-safe and compliant.”</p>
<section class="section main-article-chapter" data-menu-title="Quantum computing risks and challenges">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Quantum computing risks and challenges</h2>
<p>One group CISOs should probably assume is preparing for Q-Day: malicious hackers.</p>
<p>“Governments and cybersecurity agencies have warned for years that sophisticated adversaries may be collecting encrypted data today in anticipation of future decryption,” said Lina Dabit, executive director of the office of the CISO at cyber advisory firm Optiv Canada, and formerly an inspector in the Royal Canadian Mounted Police’s cybercrime team.</p>
<p>The public sector faces particular risk, with significant, ongoing nation-state campaigns <a href="https://www.techtarget.com/searchsecurity/news/366643451/OT-attacks-shift-from-recon-to-physical-control-raising-stakes">targeting critical infrastructure</a> and governmental organizations, Dabit added. Potentially compounding PQC transition challenges is the fact that critical infrastructure, such as power facilities and water treatment plants, has long struggled with timely patching. That’s something governments and the people they serve can ill afford to overlook as quantum threats evolve.</p>
<p>According to experts, quantum is also particularly challenging for medical facilities and financial institutions, since they manage extremely sensitive data and operate under some of the most stringent regulatory requirements. Dos Santos said medical devices and ATMs are among the most difficult to secure.</p>
<p>As the former CISO and CIO of Silicon Valley Bank, Nick Shevelyov is well aware of the pending PQC threat and its potential impact on the financial sector. But he argued that previous transitions have prepared the industry for the current challenge, citing the industry’s migration off the SHA-1 algorithm and the rollout of EMV chips on credit cards.</p>
<p>“Banking has run this play before,” said Shevelyov, now founder and CEO at cybersecurity advisory firm vCSO.ai. “The lesson is that a long transition is won or lost on governance, not on technology. Resilience is execution, held together by governance.”</p>
<p>The second lesson, he added, is to evaluate and <a href="https://www.techtarget.com/searchsecurity/tip/Cyber-risk-quantification-benefits-and-best-practices">quantify quantum
[…]