A dev’s guide to post-quantum cryptography (PQC)
What’s inside:
Party like it’s Y2Q, then do these five things
Resources: NIST Post Quantum Cryptology Standards, the Biden administration’s memo on quantum to establish US superiority and ensure security, and a handy post-quantum cryptography roadmap
Take note: IBM Fellow Jerry Chow makes quantum make sense, an exclusive interview with Dave Raley, who will help you get your prototype to market faster
Party like it’s Y2Q, but first do these five things
Countdowns usually end with fireworks, champagne, or at least a deployment that doesn’t break prod. But the Cloud Security Alliance’s (CSA) “Countdown to Y2Q” aka “the countdown to quantum destruction” isn’t exactly party vibes. Their forecast? By 2030, quantum computers will rip through today’s encryption and all we’ll end up with is a broken padlock emoji 🔓 (which, let’s be real, doesn’t even look that broken).
Why you should care: encryption is going, going, gone
Why should you care? Algorithms we’ve leaned on for decades (RSA, ECC, etc.) go from “mathematically solid” to “sand castle at high tide” once quantum shows up. We’re talking minutes to crack, not months or years.
Where does that leave your organization? With two missing features:
No confidentiality: everything you thought was private is now basically a public repository.
No integrity: you can’t trust that a website, email, machine, or file is what it claims to be or that it hasn’t been mangled in transit.
And sure, that CSA clock says we’ve got a few years left to procrastinate. But here’s the kicker: the problem isn’t just “future you.” It’s happening right now.
Ever heard of harvest now, decrypt later? Bad actors are hoarding your encrypted data like the junior devs stuffing their hoodies with office snacks, waiting for the quantum commute to dig in. At your company’s expense. 🍪
FYI: The Quantum Computing Cybersecurity Preparedness Act (QCCSP) tasks the U.S. Office of Management and Budget with prioritizing moving federal IT systems to quantum-resistant cryptography. And the National Security Agency (NSA) has directed the Defense Information Systems Agency (DISA) to make sure that post-quantum cryptography rolls out in national security IT systems by 2035.
Here are a few terms worth noting:
Quantum computing
Think of quantum computing like an octopus: the “brain” has a sense of the problem, while the tentacles work through different answers all at the same time. Parallel brute-force, but squishier and cuter. (Also, if you’ve read Adrian Tchaikovsky’s Children of Ruin, you already know octopi are smarter than us and are just one pandemic away from running the planet.)
Qubit
Sounds like a sugary cereal or off-brand Lego set, but it’s the basic unit of quantum computing. Classical bits are 0 or 1. Qubits can be 0, 1, or a little bit of 0 and 1 at the same time (also known as superposition). Let the fun begin!
Post-Quantum Cryptography (PQC)
The set of new algorithms NIST is rolling out to replace the soon-to-be-broken classics (RSA, ECC, etc.). You’ll see terms like quantum-safe, quantum-secure, quantum-resistant, which all essentially mean the same thing. But note that quantum cryptography actually refers to something different, cryptography made possible by quantum mechanics.
Crypto-agility (or algorithm agility)
Think of it like swapping your phone case: the old cracked one comes off, a shiny new one goes on, and your trusty phone keeps working just fine. Crypto-agility is crucial for post-quantum cryptography. It allows today’s algorithms to be swapped with tomorrow’s quantum-resistant ones without a big overhaul.
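Here is the phone-case swap as a small Python sketch. It is an added example, not VIA's code: every envelope names the algorithm that protected it, and a policy decides which algorithm new data gets and which older ones are still accepted. The ids classic-v1 and pq-v2 are hypothetical, and the two HMAC variants are stand-ins for a classical and a post-quantum scheme.

```python
import hashlib
import hmac
import json

# Algorithm registry. The two HMAC variants are stand-ins (assumption) for a
# classical and a post-quantum scheme; a real system would register signature
# or KEM implementations, each with its own keys, under the same kind of id.
ALGORITHMS = {
    "classic-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "pq-v2": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

class Policy:
    """Names the algorithm for new data and the older ones still accepted."""
    def __init__(self, current, accepted=()):
        self.current = current
        self.accepted = set(accepted) | {current}

def protect(policy, key, payload):
    """Tag payload and record which algorithm produced the tag."""
    tag = ALGORITHMS[policy.current](key, payload)
    return json.dumps({"alg": policy.current, "payload": payload.hex(), "tag": tag.hex()})

def verify(policy, key, envelope):
    """Verify under the algorithm the envelope names, if policy accepts it."""
    env = json.loads(envelope)
    alg = env.get("alg")
    # The "alg" field comes from stored data, so policy must gate it.
    if alg not in policy.accepted or alg not in ALGORITHMS:
        raise ValueError(f"algorithm {alg!r} rejected by policy")
    payload = bytes.fromhex(env["payload"])
    if not hmac.compare_digest(ALGORITHMS[alg](key, payload), bytes.fromhex(env["tag"])):
        raise ValueError("tag mismatch")
    return payload

def migrate(policy, key, envelope):
    """Re-protect a still-accepted envelope under the current algorithm."""
    return protect(policy, key, verify(policy, key, envelope))
```

Retiring the old algorithm is then a policy change (drop classic-v1 from the accepted set) rather than a code rewrite.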
And now, what you’ve all been waiting for, a to-do list!
Five things developers can do today
Create an inventory of all classical cryptography methods. Don’t forget about third-party vendors. Roll up your sleeves and roll out that spreadsheet.
Bookmark standards and track PQC release schedules. VIA’s development team recommends checking out NIST IR 8547 and OpenSSL.
Start experimenting with post-quantum cryptography libraries now. They’re still under development and still evolving, but you should prepare yourself for larger keys and signatures (not to mention other unknowns), which will impact storage, bandwidth, and processing time.
Remember crypto-agility from your vocab lesson earlier? Bake crypto-agility into your engineering and appsec processes. Get leadership on board because you’ll need their support.
Plan for hybrid: both classical and post-quantum algorithms side-by-side. VIA referenced Commercial National Security Algorithm (CNSA) Suite 2.0 guidelines and identified applications of each algorithm within VIA’s applications. Since PQC security libraries are not widely adopted or battle-tested (yet), VIA uses a hybrid approach. In other words, VIA integrates PQC with today’s classical algorithms.
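To make the inventory and hybrid steps concrete, here is an added Python example (not VIA's tooling) that takes spreadsheet-style rows and buckets each algorithm as quantum-vulnerable, hybrid, post-quantum, or symmetric. The system names and rows are constructed for illustration, and the name patterns are a starting point to extend, not a complete catalogue.

```python
import csv
import io
import re

# Algorithm-name patterns. PQC names follow the NIST standards (ML-KEM, ML-DSA, SLH-DSA).
PQC = re.compile(r"ML-?KEM|ML-?DSA|SLH-?DSA")
CLASSICAL = re.compile(r"RSA|ECDSA|ECDHE?|ED25519|X25519|DSA|DHE?")
SYMMETRIC = re.compile(r"AES|CHACHA20|SHA-?\d|HMAC")

# Constructed sample rows: system, usage, algorithm (hypothetical names).
SAMPLE = """\
billing-api,TLS key exchange,X25519
billing-api,TLS certificate,RSA-2048
vendor-sso,SAML signing,ECDSA-P256
backup-job,archive encryption,AES-256-GCM
edge-proxy,TLS key exchange,X25519MLKEM768
firmware,code signing,ML-DSA-65
"""

def classify(algorithm):
    """Bucket one algorithm identifier by its post-quantum status."""
    name = algorithm.upper()
    has_pqc = bool(PQC.search(name))
    # Strip PQC names first so "ML-DSA" is not mistaken for classical DSA.
    has_classical = bool(CLASSICAL.search(PQC.sub("", name)))
    if has_pqc and has_classical:
        return "hybrid"
    if has_pqc:
        return "post-quantum"
    if has_classical:
        return "quantum-vulnerable"
    return "symmetric-or-hash" if SYMMETRIC.search(name) else "unknown"

def build_inventory(csv_text):
    """Parse inventory rows and attach a status plus a harvest-now flag."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        system, usage, algorithm = (cell.strip() for cell in row)
        status = classify(algorithm)
        # Confidentiality uses are exposed to harvest now, decrypt later today.
        secret = any(k in usage.lower() for k in ("key exchange", "encryption"))
        rows.append({"system": system, "usage": usage, "algorithm": algorithm,
                     "status": status,
                     "harvest_now_risk": secret and status == "quantum-vulnerable"})
    return rows

def migration_queue(rows):
    """Systems (vendors included) that rely on classical-only public-key crypto."""
    return sorted({r["system"] for r in rows if r["status"] == "quantum-vulnerable"})
```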
Have questions about PQC security libraries? VIA engineers have been there, done that. Drop your questions in the comments or reply to this newsletter.
Need to know
NIST Post Quantum Cryptology Standards
Quantum is nothing new to the National Institute of Standards and Technology (NIST). The agency has already published a handful of PQC standards and reference guides.
The Biden Administration jump-started the federal government’s earnest attempt to safeguard the U.S. in a post-quantum cryptographic world, signing the Quantum Cybersecurity Preparedness Act in late 2021, then quickly issuing National Security Memo (NSM) 10 to “identify key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security.” The memorandum laid out specific actions that agencies must follow in what the administration said would be a “multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography.”
Post-quantum cryptography migration roadmap
A high-level, easy-to-share survival guide for swapping out today’s breakable algorithms with quantum-safe algorithms, without breaking your systems. Four steps: prep, inventory, plan/execute, and keep watching, because quantum will be keeping you on your toes.
Take note
With all the information swirling around, it’s hard to know where to focus. Don’t worry. We’ve sorted through current headlines, insights, and events and handpicked what should be on your radar for the week.
Worth your time
IBM’s Quantum Director Talks AI, Breaking Crypto, Basics of Quantum (Video)
Matthew Berman sits down with IBM Fellow Jerry Chow, who somehow makes quantum computing make sense. Chow breaks down how quantum can shred today’s encryption, how quantum-safe protocols keep us secure, and where AI and quantum might take us next.
This just happened
“Mitigating Cybersecurity Threats and Preparing for a Quantum-Driven Landscape” from CAPTECHU
Why should post-quantum cryptography steal all the spotlight? PQC is basically Luke Skywalker staring down the quantum Death Star, but even Luke needs backup. Like everything in security, it’s about layers: you lock the blast doors, place a team of Chewbaccas in the hallway, and get a few blaster rifles. This article outlines why defense in depth is critical, and how decentralization is a key part of the rebel alliance.
Don’t miss this
Meet Dave Raley, the mind behind Operation Stormbreaker and Digital Program Manager at Marine Corps Community Services (MCCS).
If you’ve ever wondered how to take a software prototype from idea to market faster, Dave’s the one you want in your corner. 🚀
Stay tuned next week!