Industry leaders urge strong strategies for post-quantum readiness

World Quantum Readiness Day saw specialists from the fields of quantum computing, cryptography, enterprise architecture and product security share practical guidance for organisations navigating post-quantum transitions and building quantum readiness strategies.

Stages of quantum adoption

The event began with a discussion between John Furrier and Amit Sinha, CEO of DigiCert, who reflected on how the industry’s attitude towards quantum computing has evolved. Sinha explained the psychological journey many organisations experience when facing a large-scale technological shift: “Moving to Quantum is a huge change for organisations, and whenever people and organisations are faced with a big change, they usually go through the five stages of grief.”

Sinha highlighted that approximately 43% of organisations are in the acceptance phase and actively progressing towards quantum safety, while 24% remain in denial. “Part of the reason we are doing this event is to make sure everyone understands the importance of migrating to quantum safety,” he noted.

He added, “My bet is this is the year where most organisations, the vast majority of them accept that the time to act is now and they all have to move and upgrade their digital trust fabric to make it quantum safe.”

Developments in quantum computing

The rapid pace of progress in the quantum computing sector is causing a shift in perceptions. Sinha drew attention to substantive developments by major technology firms: “IBM was a pioneer and continues to be a pioneer in quantum computing chip sets and infrastructure. But more recently, if you look at all the hyperscalers, Google, Microsoft, AWS, and more recently, Nvidia and Cisco, they’ve all announced their bigger, faster, better quantum processors.”

He described the sector as being akin to the early days of transistor development, emphasising the challenging problems of increasing quantum bit count and improving error correction. The disruption potential is significant, as Sinha explained: “If RSA is broken today, the internet would melt down. Similarly, we know Diffie-Hellman can be broken, and these are foundational algorithms that allow us to share keys, do encryption, do authentication.”

Availability of post-quantum cryptography

Questions remain about the readiness of cryptographic solutions to withstand future quantum attacks. Sinha addressed these concerns directly: “Post quantum cryptography is here. DigiCert has been working along with other cryptography experts. We’ve been collaborating with the National Institute of Standards and Technology, NIST. Last year…NIST had announced the first three post quantum cryptography algorithms. One for encryption and two for authentication. They are the FIPS 203, 204 and 205 standards.”

He continued, “The DigiCert One platform supports all of these algorithms today, where customers can…play around, experiment, benchmark, performance, etc. So the short answer is PQC algorithms are here now.” Work is ongoing at the Internet Engineering Task Force (IETF) to update encryption standards such as TLS 1.3 to leverage these algorithms.

Industry action and certificate landscape

Sinha noted that industry leaders are responding proactively: “You use iMessage…on your Apple device. Probably use WhatsApp. All of these messaging protocols have adopted PQC. For key exchange. That is because people are concerned about harvest now and decrypt later style attacks.”

He pointed to changes in certificate validity, which will add operational demands: “Apple and Google recently introduced…a ballot that got approved. Which is going to take certificates that are today issued for a year and shrink that to 47 days.” This trend, according to Sinha, will require organisations to modernise their public key infrastructure (PKI) and embrace automation to avoid frequent outages.

Sinha observed, “If you prepare for crypto agility, if you have automation in place. You can get…over 300% ROI from that investment because you have less outages. You’re not spending money in…manual certificate rotations…Now on the PQC side, what’s interesting is analysts such as Gartner are coming back and saying…Gartner, for example, has said current asymmetric cryptography must be retired by 2029.”

Lessons from industry finalists

The Quantum Dispatch panel featured Luke Valenta, Research Engineer at Cloudflare, Martin Reilly, Digital Identity Offering Manager at DXC Technology, and Deepika Chauhan, Chief Product Officer at DigiCert.

At Cloudflare we care deeply about advancing privacy, security, and performance for everybody on the internet. We didn’t just start early with some secret projects, but we’ve been sharing our journey openly from the start. Our first blog post on this was back in 2017. So yeah, we’re trying to bring everybody along with us on the post quantum journey, and if we’d worked in a silo, there’s no way we’ve been able to achieve the impact we have. So I think it’s just been…a matter of collaborating with others and, and moving everyone forward at the same time.

Reilly noted the internal approach at DXC Technology: “The approach we took…was developing a framework by being our own customer zero…So by being our own customer, zero, that gave us the learnings and insight and discoveries to kind of build that framework, which we could then apply to our customers and use that to kind of build the infrastructure they need to take themselves forward based on our learnings as…customer zero.”

Chauhan remarked, “Many years back, we started the process of productising [PQC] in our Core Dig One platform so that our customers have the tools to begin their P QC transition journey.” She highlighted challenges such as cryptographic libraries and hardware not fully supporting PQC and the need to educate both staff and customers.

Advice for organisations starting the transition

Panelists underscored the importance of cryptographic inventory. “Creating the cryptographic inventory is the step zero of beginning any migration. And the complexity of creating…the cryptographic inventory cannot be overstated. It’s a…real hard task, but it’s really essential. It’s the step zero because the inventory gives you the roadmap. How do you begin the journey? How do you start prioritising your systems and your applications?” said Chauhan.

Luke Valenta added, “A cryptographic inventory is never going to be complete. So it’s all really about the…process, and, and journey of putting that together. At Cloudflare in our migration, we started this inventory and we used that to figure out what are the highest priority systems to transition to post quantum first.”

Reilly noted, “Just raising the awareness and visibility of all the places where an enterprise uses cryptography – it can be a shock when that depth and breadth of the required transformation becomes apparent…It’s often the case. There’s no one tool will give you a hundred percent coverage and you’ll never have a complete answer, even with multiple tools deployed.”

Impact of quantum readiness on business

The panel identified a marked increase in customer interest and a shift in perception, with quantum computing increasingly seen as both a risk and a business opportunity. Valenta shared, “There was, there’s sort of a turning point earlier this year. Where…previously it was only kind of very forward thinking customers that were asking us about pq. But now, it’s…really picked up and it’s become a talking point.”

Reilly commented, “It’s a shift from quantum computing as a threat to an opportunity…Now, we’ve got more customers now talking about quantum computers as something that can help ’em solve business problems and big science problems.”

Looking ahead

Anticipated actions include evolving standards for public trust, further automation, and knowledge sharing within the community. Chauhan stated, “What’s next in the journey from a product point for DigiCert, I would say is the standards exist, but the standards still need to evolve for the public trust…And the third thing I would say what’s next is till now, it’s been making customers aware of, Hey, you need to make the transition. But also sharing some of the best practices of what the journey looks like.”

Reilly anticipated two tracks: “DXC Quantum readiness is now as much about being ready to seize…advantage from new applications of quantum computers…as it is about securing things like machine identity, securing the data of our customers in banking and aerospace. With the quantum ready cryptography.”

Valenta added, “They’re kind of two migrations to post quantum cryptography, the encryption, which we made significant progress on and then for, authentication…The authentication side is the, the next and the bigger step that, early adopters are moving towards.”

Key lessons and ongoing priorities

The panel concluded with a focus on cyber hygiene, crypto agility, and readiness for continuous change. “I think the main lesson would be to…focus on your basic security best practices. And that’s gonna pay off for the post quantum migration,” said Valenta. Reilly advised, “crypto agility and good crypto hygiene is a practice that helps prepare DXC and prepares our customers for quantum readiness. But it is good for business anyway and is good for your technical agility and brings benefits now, even if quantum computers take longer to arrive.”

Chauhan remarked, “It’s actually about preparing to do it again in a few years, so it’s not just a one-time thing. It’s developing that muscle for crypto agility within the organisation. And crypto agility is about having visibility of your crypto assets, assigning ownership to those, automating them, because if you have crypto agility, it allows you to adapt, whether it’s PQC or the 47 day certificates. Or any other changes which are coming along.”