As organizations increasingly feel the pressure to move toward post-quantum encryption, whether through White House executive orders, NIST mandates, or international regulations, many are still dealing with cryptographic debt.
This debt is the accumulation of risk that arises from outdated or embedded encryption, which was never designed to remain secure against quantum or AI-powered attacks.
Threat actors are already preparing for a post-quantum world by employing “harvest now, decrypt later” strategies. Now is the time for organizations to prepare for the impacts that quantum will have on the channel. There’s an opportunity to be a leader in this space.
Urgency around post-quantum encryption acceleration
QuSecure, a provider of post-quantum cryptography (PQC) solutions, leverages its expertise and tools to deliver PQC and cryptographic agility. Its co-founder, Dave Krauthamer, sat down with Channel Insider to dig into the emerging threats.
According to Krauthamer, the transition to post-quantum is really about crypto modernization.
“We’ve had a static environment for cryptography forever where it doesn’t change, it just stays there, and it works, to one that we have now with threats from quantum and AI and just brute force that are breaking down what we’ve used and had in the past,” said Krauthamer.
“The urgency is around this movement more towards crypto modernization. How do I create an agile network that can adapt in real time to real-time threats around quantum AI and other threats?” he adds.
Krauthamer says that there has been a perception that the threats behind quantum are way out in the future. In reality, that timeline is collapsing. The latest executive order on quantum brought the timeline for quantum preparedness in from 2035 to 2030.
“There’s a lot of threats we face there around poorly implemented crypto, around the fact that only about 25 percent of the companies actually know what cryptography is in their network,” said Krauthamer. “Poorly implemented crypto is as dangerous as harvested crypto.”
For example, a large organization could have 7,800 applications with embedded cryptography that may be difficult to identify. These could be poorly implemented, unmonitored crypto stacks, leaving the organization with a lack of visibility and with potential threat vectors it doesn’t understand.
The concern around cryptographic debt
Cryptographic debt is the silent killer of an organization’s security posture.
It is the silent accumulation of expired certificates, outdated encryption algorithms, and forgotten key management processes that organizations either don’t know about or don’t know how to upgrade. It creates blind spots throughout the IT stack, creates legacy risk at scale, and drives next-gen threats.
“One of the customers we’re talking to, they calculated how much it would cost to remediate all these embedded crypto applications and it would cost upwards of half a billion dollars to fix this cryptographic debt,” said Krauthamer. “It’s this huge ticking time bomb.”
Instead of an organization finding its own Ethan Hunt to come in and defuse this bomb in one go, the goal is to become crypto-agile, where you can swap these applications out instantaneously as the threat patterns change to keep everything current in real time.
For crypto-agility, organizations should build a Cryptographic Bill of Materials (CBOM); automate key rotation, algorithm upgrades, and certificate renewals; and adopt flexible, modular crypto systems that allow them to pivot quickly.
Harvest now, decrypt later
Another key aspect of security in the quantum future goes beyond the vulnerabilities directly within the technology stacks of organizations.
Threat actors have already begun using “harvest now, decrypt later” strategies: harvesting encrypted data today in order to decrypt it later, when quantum capabilities become more prevalent.
“It’s said that about a quarter of all the encrypted data is already being harvested and it’s already sitting on a server in a foreign nation state,” warned Krauthamer. “In a lot of cases, this is banking information, this is sensitive data that has long shelf lives associated with it. So, you have to assume that if you’re a leader in cyber or a CIO, that your data is being exfiltrated.”
Adding AI to the equation, with its ability to decode keys and crack ciphers, creates even greater risk, particularly given the way the internet is architected, which Krauthamer says is “trust everyone and build a wall around it and hope they can’t jump over the wall.”
“That whole architecture needs to be revisited. We have true secure communications with zero trust fabrics, policy-driven crypto-agility, where that identity and zero trust layer is just locked in, so AI, quantum, and brute force can’t just crack around it,” Krauthamer explains.
QuSecure for your quantum future
One of the most common misconceptions around quantum is that it’s a far-off threat, but the industry has already started to see standards around crypto-agility come out from the Payment Card Industry (PCI), the Digital Operational Resilience Act (DORA), and Fast IDentity Online (FIDO).
What sets QuSecure apart in helping organizations address post-quantum encryption challenges is that it works as a network orchestration capability.
“We run in the cloud, on hardware, on the orchestrator side, and then we can run on any endpoint to fix this problem quickly from a network orchestration capability,” said Krauthamer.
To prepare for a quantum future, Krauthamer suggests that organizations start by leveraging excellent information resources. Forrester, Frost and Sullivan, and Gartner are all great resources for learning more about crypto-agility and quantum.
Additionally, there’s a huge opportunity in the channel to become leaders in this space and address these challenges that quantum poses.
“The channel can be really effective in the thought leadership element of this, and I think that, as it relates to the channel, just understanding that this is going to be a big wave that’s going to come and you can be in front of it, lead it, and really drive thought leadership,” said Krauthamer. “It’s coming – it’s a big wave. It’s going to be a really fun wave to be on, and the channel will largely help drive it.”
He adds that “We believe that probably 60 percent of our revenue will come out of the channel and it’ll be a primary catalyst for making this happen.”