The world has approximately three years to prepare to make cryptography “quantum proof,” while this process takes five to ten years for most companies nowadays, according to experts in quantum computing and cryptography who spoke during one of Tuesday's panels at Tel Aviv Cyberweek.
“When we talk to organizations, we are talking about five to ten years to cross the chasm to become what is called quantum safe. And with estimates that it’s coming in three, four, or five years, it’s really, in my view at least, one of the biggest cyber challenges of our decade, if not the biggest one,” said Ben Volkow, CEO and founder of Qiz Security.
Another problem raised by the speakers is that organizations, in many cases malicious, are already harvesting encrypted data today in order to decrypt it later, once they have access to quantum decryption.
Dan Sadot, founder and CEO of CyberRidge, warned: "As we speak, as we sit here, our information at some point in the world is being harvested as we speak. So the takeaway is that we're currently being harvested and we must close the harvesting gap."
For his part, Ido Shargil, head of product at AT&T Israel, warned that the main challenge quantum brings to big corporations is adapting a massive number of users and systems, sometimes 30 or 40 years old, to new cryptographic standards.
He also warned that, although he has noticed a trend in which certain sectors have begun preparing for a world where quantum computing and decryption are prevalent, especially the financial, defense, and healthcare sectors, the road ahead is long and the timeframes are short.
“The current state is that by 2027, what we call sensitive information connections need to be encrypted, going to PQC, post-quantum cryptography, with most of the interfaces and the assets needed to finalize that by 2030,” Shargil explained.
Facing the quantum computing crisis
Volkow also talked about the current state of regulations and guidelines in Israel. “Here in Israel, the Bank of Israel has done an amazing job, including recommendations around building the cryptographic inventory, the roadmap, and getting prepared for post-quantum cryptography. But it’s still guidance. And when we talk to banks, they tell us, ‘okay, I’ll wait until there is a regulation,’” he said.
Oren Butchmits, CTO at the Israel National Cyber Directorate, agreed with this idea, saying that a regulation would not only force the adoption of PQC but also “create certainty.”
"This is done through regulation. Basically, you tell the market what you expect... this is like the base that everyone knows is the [goal] they need to target," he said.
He also explained that the government's main strategy nowadays is to actively use its regulatory and large-scale buyer powers to secure the country’s data against quantum decryption.
“From our perspective, being a national policy, we need to create a kind of common approach, identify common problems, and sometimes provide common solutions. Do we need to create a kind of national Quantum Key Distribution (QKD) network? This is something we will not tell one organization to do, but if we identify this as a problem across the board, then the government might do this on its own," he detailed.
Keywords in the face of post-quantum cryptography
At the end of the panel, each speaker summarized, in a single sentence, the key aspect to consider in a PQC world. “Get a plan in place and start preparing for post-quantum cryptography,” warned Volkow.
“Turn the quantum threat into an ecosystem opportunity by cooperating with academia and industry to create a national advantage for Israel,” said Butchmits.
Sadot recommended that we “close the ‘harvesting gap’ by implementing solutions that prevent data harvesting.” Shargil concluded: “Act now to prepare for post-quantum cryptography, especially for those on the fence.”