Post-Quantum Migration: A case for the last mover advantage

Post-Quantum Migration

In case you didn't know, quantum computers that can break cryptography is coming. Estimates vary from as soon as 2028 to as far as 2040, and even the most skeptical of skeptics cannot deny its inevitability. 

And the tools for existing computer applications and system to defend against quantum computers are also available. The National Institute of Standards and Technology (NIST) has been running a Post-Quantum Cryptography (PQC) program since 2016, and the team has identified 4 suitable algorithms that are resistant to quantum attacks and can be used to achieve quantum-safe cryptographic implementations. No need to any specialized hardware and all the migration can be done today.

Yet, you can nary hear about any large-scale post-quantum migration happening.

My theory? The plethora of disincentives to migrate. While not migrating to be quantum-ready in time may be disastrous for many critical industries like banking, healthcare and governments, the downsides to migrating early are just as onerous:

• Potential incompatibility. In this era of interconnectivity, the need for data to be exchanged swiftly and seamlessly is paramount to the ongoing business-as-usual (BAU) operations that many now take for granted. If any one of these connections or flows are overlooked during the migration, the repercussions will come down hard. We  can also expect that many systems involve multiple parties, each with their own business schedules. Getting all of them to agree on a common time to migrate is probably like herding cats.
• Shortage of experienced practitioners. This is the classic chicken-or-egg problem. An enterprise planning for post-quantum migration wants experienced hands to guide them through the process so that mistakes are minimized. But experience comes from making mistakes in the first place. So which organization is willing to be the sacrificial guinea pig here?
• Lack of ROI. Even if the migration was successful, it is still too early to celebrate. A simple request by your CEO or Board of Directors to demonstrate that the system is indeed quantum-safe will be met with looks of incredulity..."Errm, haven't you heard? Quantum computers are NOT YET available"

So how is the quantum cybersecurity industry going to address this systemic inertia? Going with the promise of tighter regulations and tougher penalties may make some organizations take the first step, but may also backfire and cause industry pushbacks. Perhaps we can take a more gradual approach?

I think that addressing the disincentives is key to unlocking the migration opportunity. This may involve i) designing and building quantum-safe solutions that can respect business schedules, are backwards-compatible, and do not require a big-bang upgrade approach; ii) exposing IT staff to quantum and quantum-safe concepts in a meaningful and engaging  way; and iii) aligning migration processes with business plans and quantum-readiness requirements. How? That's what pQCee is working on.