In its annual Tech Trends report, Deloitte warns of fast-calculating quantum computers and their ability to break the public-key cryptography that businesses rely on. Organizations must inventory their current cryptography and update it with new quantum-resistant encryption algorithms, the pro services firm recommends.
If that kind of all-hands-on-deck effort to guard against unknown catastrophe gives you some of those scary New Year’s Eve 1999 vibes, you’re not alone. Deloitte pros compare the quantum update prep to remediation strategies for Y2K—the two-character programming problem that surfaced almost 25 years ago as computers and applications registered a new century.
The National Institute of Standards and Technology (NIST) recently released post-quantum encryption standards, and vendors like Apple, Google, and Microsoft have modified products and platforms to incorporate quantum-ready encryption.
Deloitte, in its report, pointed to NIST’s National Cybersecurity Center of Excellence for cryptographic discovery and inventory tools that can help orgs.
“In their response to Y2K, organizations saw a looming risk and addressed it promptly. Today, IT faces a new challenge, and it will have to respond in a similar, proactive manner,” the authors wrote.
Bill Briggs, CTO at Deloitte, talked with IT Brew about Y2K and what is being dubbed “Y2Q.”
Responses below have been edited for length and clarity.
What lessons from the Y2K experiences should be applied to quantum encryption preparations?
Y2K was something that the…business leader, C-suite, and board member could understand, and there wasn’t much ambiguity of, is this something we should care about? It was a pretty clear story of: Our operational backbone is at potential risk here if we don’t invest. People look back maybe, and say, “Well, planes didn’t fall out of the sky. Was it really a big deal, or did we just make a big deal out of nothing?” It wasn’t a big deal because of the hard work and investment that went in to make sure that we were ready.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
So, there’s a similar lesson here. This isn’t to be overly hysterical, or to use this to force an undue amount of risk and attention from the business, but it is something that should be talked about now in appropriate terms of, it’s not now, it’s not tomorrow, but it’s coming, and we’re going to have to do something about it to get the similar level of business buy-in for the investment.
What’s at stake here?
Transactional system integrity, private information in government and healthcare—basically the underpinnings of modern security and privacy.
What should companies do?
First off, we have to understand exactly where and how deeply the encryption logic is embedded up, down and across our stack. And that’s something that’s just not easily known. Finding out where the potential affected systems and libraries and networks and data are? It’s prevalent, but we have to be precise. So, get a sense of what changes are going to be required. There are different techniques depending on the level of the stack. But it’s like Y2K, where it’s going to require some pretty invasive remediation into infrastructure, data network, application, integration, layers and more.
Is there a tool that helps with inventory, or is it a manual effort?
Our clients are the biggest organizations in the world. There’s no easy approach to go and get a handle on the entirety of your technology footprint. There are tools to make it so it’s not completely manual, and we’re trying to make it even more AI driven and automated, but the workload is significant.
Read IT Brew’s previous story: How to start using post-quantum encryption.