Detecting the Quantum-Vulnerable Cryptography in Your Enterprise (Q11b)
To minimize the risk that a future Cryptographically Relevant Quantum Computer (CRQC) poses to current and soon-to-be-deployed operational systems, we need to find ways to accelerate the adoption of the emerging quantum-safe public key cryptography standards. One important approach is to identify and report quantum-vulnerable cryptography in software, hardware, and services, along with the context needed to understand the associated risks and remediations. This enables organizations to discover where they are quantum-vulnerable and to prioritize remediations and mitigations. Some vendors and open-source projects are now developing capabilities in this direction, using a wide spectrum of techniques including network scanning, network monitoring, file scanning, and the analysis of executables and source code. As part of its project on the Migration to Quantum-Safe Cryptography, the NIST National Cybersecurity Center of Excellence (NCCoE), together with some industry collaborators, is experimenting with and documenting these methodologies. This presentation covers the problem of detecting and remediating quantum-vulnerable cryptography, the techniques for solving that problem, the timelines that government and industry are aiming for, and the challenges facing risk management.