IT leaders expressed concern about the timeframes in which to prepare for post-quantum threats.

Is Asia Pacific ready to deal with post-quantum computing threats?

  • IT leaders in APAC are sounding the alarm about the need to invest now in quantum-safe transition planning
  • However, a lack of clear ownership, budget or executive support is an obstacle on the path to preparation.
  • Many organizations are in the dark about the characteristics and locations of their cryptographic keys.

Post-quantum computing threats are quickly becoming a real problem around the world. While many still believe it may be some time before cybercriminals actually leverage quantum computing in their activities, some countries are already taking the necessary steps to prepare to deal with the problem.

What makes the post-quantum threat a big concern is that cybercriminals are able to use quantum computing to crack encryption at a much faster rate. This poses an enormous threat to data and user security, especially with the increase in “hack now, decrypt later” cybercriminal activities.

Currently, the US is the most prepared in dealing with post-quantum threats. The Cybersecurity and Infrastructure Security Agency’s (CISA) Post-Quantum Cryptography (PQC) Initiative is expected to unify and drive efforts with interagency and industry partners to address threats posed by quantum computing and to support critical infrastructure and government network owners and operators during the transition to post-quantum cryptography.

CISA’s new initiative builds on existing Department of Homeland Security (DHS) efforts as well as those underway at the Department of Commerce’s National Institute of Standards and Technology (NIST) to support critical infrastructure and government network owners and operators during the transition to post-quantum cryptography.

How does your organization measure up for post-quantum cryptography?

Post-quantum cryptography in Asia Pacific

Interestingly, while the US has taken initiatives to deal with post-quantum computing threats, it’s a totally different scenario in Asia Pacific. According to a study by DigiCert, most companies are still hampered by obstacles in preparing for these threats.

The study explored how organizations are addressing the post-quantum computing threat and preparing for a safe post-quantum computing future, revealing that while IT leaders are concerned about their ability to prepare in the timeframes needed, obstacles which include lack of clear ownership, budget, and executive support are slowing them down.

“Post-quantum cryptography is a seismic event in cryptography that will require IT leaders to begin preparation now. Forward-thinking organizations that have invested in crypto agility will be better positioned to manage the transition to quantum-safe algorithms when the final standards are released in 2024,” said Amit Sinha, CEO of DigiCert.

In the APAC region, Sinha pointed out that the need for quantum-safe cryptography is paramount. As industry bodies and governments drive progress, he urges businesses to prioritize their preparations for PQC to safeguard their data and maintain trust in an increasingly interconnected world.

Key findings from the DigiCert study showed that globally, 61% of respondents say their organizations are not and will not be prepared to address the security implications of PQC. Almost half of respondents (49%) also stated that their organizations’ leadership is only somewhat aware (26%) or not aware (23%) of the security implications of quantum computing.

At the same time, only 30% of respondents felt their organizations are allocating a budget for PQC readiness, while 52% of those surveyed mentioned their organizations are currently taking an inventory of the types of cryptographic keys used and their characteristics.

Meanwhile, in Asia Pacific, the study showed:

  • 39% of organizations say that their organizations have less than five years to get
  • 53% of respondents currently have a strategy (19%) or will have in the next six months (34%) to address the security implications of quantum
  • 63% of organizations do not have a centralized crypto-management strategy (23%) or they have a very limited one, only applied to certain applications or use cases (37%)
74% of organizations are concerned that bad actors can conduct “harvest now, decrypt later” attacks now, in which they collect and store encrypted data with the goal of decrypting it in the future.

Challenges to a safe post-quantum computing future

The report also indicated that most security teams are now challenged when it comes to dealing with cybersecurity. First, security teams need to keep ahead of cyberattacks. Second, security teams also need to be prepared for a post-quantum computing future.

But the problem is, only 50% of respondents say their organizations are very effective in mitigating risks, vulnerabilities and attacks across the enterprise. With ransomware and credential theft the top two cyberattacks experienced by organizations, most security teams feel they don’t have enough time to focus on post-quantum cryptography.

While 51% believe they have less than five years to be ready, insufficient funding and talent are also hindering their progress. Despite this, 30% of respondents say their organizations are allocating budget for PQC readiness.

In terms of understanding the characteristics and locations of their cryptographic keys, 52% feel their organizations are currently taking an inventory of the types of cryptographic keys used and their characteristics. However, only 39% of respondents say they are prioritizing cryptographic assets and only 36% of respondents are determining if data and cryptographic assets are located on-premises or in the cloud.

This can be rather concerning, especially with the amount of time needed to locate and categorize data. This is why “hack now, decrypt later” is becoming a bigger concern today, as cybercriminals themselves are probably aware of the challenges most organizations are dealing with currently.

In fact, very few organizations have an overall centralized crypto-management strategy applied consistently across the enterprise. To secure information assets and the IT infrastructure, organizations need to improve their ability to effectively deploy cryptographic solutions and methods.

As such, to be ready for post-quantum computing, there needs to be visibility into cryptographic keys and assets as well as centralized crypto-management strategies. These need to be applied consistently across the enterprise with accountability and ownership. And all of this is only possible with sufficient backing from leadership teams.