Cryptographic Agility's Legislative Possibilities & Business Benefits
Quantum computing will bring new security risks. Both professionals and legislators need to use this time to prepare.
COMMENTARY
One of cybersecurity's major pitfalls is assuming that risks will always stay the same. Failing to consider emerging threats has repeatedly harmed the security field. When varied threats that are time-tested and successful already exist, like ransomware, phishing, or business email compromise, security professionals often overlook that new risks arise daily.
Quantum computing and the potential for cracked algorithms are among the first instances where security professionals have had advance warning of an emerging threat. As a result, both professionals and legislators can use this time to their advantage and prepare by putting maximum effort into cryptographic agility. This model is defined as the ability of technology to switch seamlessly to new protocols or mechanisms when algorithms become insecure, without system interruption.
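What that definition looks like in practice, as an added example written for this page rather than taken from the article: every protected record carries an algorithm identifier, and a lifecycle policy (active, deprecated, retired) lets a mechanism be swapped out without interrupting service. HMAC with two hash functions stands in for the real mechanisms only so the block runs on Python's standard library; the key and record values are constructed.

```python
# Added example (not from the article): a minimal crypto-agile integrity
# layer. Each record carries an algorithm identifier; a registry with a
# lifecycle status decides what each mechanism may still do. HMAC-SHA256 and
# HMAC-SHA3-256 stand in for "old"/"new" mechanisms only so this runs on the
# standard library; a real deployment would plug in e.g. ML-DSA.
import hmac
# active     -> may protect new data and verify existing data
# deprecated -> verify only, keeping old records valid while they migrate
# retired    -> rejected outright
MECHANISMS = {
    "hmac-sha256": {"hash": "sha256", "status": "deprecated"},
    "hmac-sha3-256": {"hash": "sha3_256", "status": "active"},
}

def active_algorithm():
    return next(n for n, m in MECHANISMS.items() if m["status"] == "active")

def _stamp(key, data, alg):
    """Record under alg with no policy check (models pre-deprecation data)."""
    tag = hmac.new(key, data, MECHANISMS[alg]["hash"]).hexdigest()
    return {"alg": alg, "data": data, "tag": tag}

def protect(key, data):
    """Protect new data; the algorithm comes from policy, not hard-coding."""
    return _stamp(key, data, active_algorithm())

def verify(key, record):
    """Reject unknown or retired identifiers; accept active and deprecated."""
    mech = MECHANISMS.get(record.get("alg"))
    if mech is None or mech["status"] == "retired":
        return False
    expected = hmac.new(key, record["data"], mech["hash"]).hexdigest()
    return hmac.compare_digest(expected, record["tag"])

def migrate(key, record):
    """Re-protect a record under the active mechanism, only if it verifies."""
    if not verify(key, record):
        raise ValueError("refusing to migrate an unverifiable record")
    if record["alg"] == active_algorithm():
        return record
    return protect(key, record["data"])

def demo():
    """Lifecycle walk-through: legacy data stays valid, migrates, old alg retires."""
    key = b"constructed-demo-key"                        # constructed sample key
    legacy = _stamp(key, b"invoice-42", "hmac-sha256")  # pre-deprecation record
    still_valid = verify(key, legacy)                    # True: no service interruption
    fresh = migrate(key, legacy)                         # re-protected under active alg
    MECHANISMS["hmac-sha256"]["status"] = "retired"
    return still_valid, verify(key, legacy), verify(key, fresh)
```

The deprecated window is what makes the switch seamless: old records keep verifying while they are re-protected, and only once migration is complete is the old identifier retired and rejected.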
The Possibility of Cryptographic Agility Adoption
A critical question that has emerged as quantum computing and algorithm cracking approaches is whether cryptographic agility is genuinely possible for the average tech company.
Quantum computing is not a new concept, and new cryptographic algorithms to prepare for that threat have been developed progressively since 2016 (note the National Institute of Standards and Technology's call for new algorithms, three of which were published last fall). Yet the United States is far from putting in place robust legislation to mandate cryptographic agility in the US market.
Unfortunately, this puts the data stored on US soil at risk, leaving US businesses to fend for themselves. Small players within the US may be at the mercy of legislation and large tech companies to pave the way for cryptographic agility (such as through the Shared Responsibility Model).
NIST has done a solid job of widely distributing the three new post-quantum cryptographic standards it has published (ML-KEM, ML-DSA, and SLH-DSA). Still, proper enforcement may only be possible at the federal level, and such enforcement is what it will take to make cryptographic agility a widespread practice in security departments.
Cryptographic Agility: A Legislative Necessity
One reliable way to plan for any emerging threat, including quantum computing that could crack standard algorithms, is to look to the courts. US security professionals and tech businesses should consistently look toward Europe, since its cybersecurity legislation is often further ahead and more mature.
Two examples are the emerging NIS and DORA regulations, which strongly emphasize cryptographic agility as a security best practice. Though these sweeping directives were enacted outside US borders, they provide a framework America could use to build its quantum computing legislation.
A significant challenge regarding quantum computing and the cracking of standard algorithms is that we know it is coming — though not precisely when. The field lacks detail on how soon key cracking and invalidation will occur (though heavily debated, news articles emerged last fall indicating that Chinese agencies had cracked reputable algorithms — some argue the risk is coming sooner than 2030).
This uncertainty underscores the strong benefit legislation would provide ahead of the arrival of quantum computing.
The Business Benefit of Cryptographic Agility
Implementing a cryptographic agility model has benefits beyond data security and privacy protection. This adoption also has significant business benefits.
Cryptographic agility is a strategic move for a company. Preparing before quantum computing fully emerges is an opportunity to contribute positively to a company's bottom line, because cryptographic agility could be an organization's market differentiator. With so few businesses embracing this best practice, implementing it today would present a distinct competitive advantage. Security and safety are not the only motivators for implementing a cryptographically agile program.
The Time to Prepare With Cryptographic Legislation Is Now
A quantum computing risk assessment is challenging to conduct because no professional in the security space has been able to identify, with precision, how many years it will take until an algorithm like AES-256 (a popular symmetric cipher that is often the topic of encryption resiliency debates) is found to have flaws. Instead, the field has relied on very vague definitions and estimates, ranging from 10 years to 30 years down the road. Industries and legislators are postponing the goal of becoming cryptographically agile by decades, using both excuses that "we have time" and "we do not know when this risk will be realized." Nevertheless, the time to prepare with cryptographic agility legislation is now — and even without it, businesses that adopt the model have a distinct competitive advantage.
The cybersecurity field is fortunate to have adequate notice; it must prepare before quantum computing emerges and alters the trusted algorithms technology has relied on.