Microsoft’s addition of post quantum cryptography (PQC) algorithms to Windows 11 is a fillip for businesses facing the imminent decryption of their data by quantum computers – but even as early movers share their experiences, a new Trump edict could derail the efforts.
That threat – which is escalating given that quantum giants are just years away from powerful cryptographically relevant quantum computers (CRQCs) capable of unscrambling today’s encrypted data within minutes – affects every information system on Earth.
The US National Institute of Science and Technology (NIST) spent a decade driving efforts to develop new encryption algorithms that could withstand CRQCs’ attacks, launching the first new standards last August while imploring every company to adopt them “immediately”.
Yet for most companies, adopting the standards means getting their software vendors to upgrade the complex array of systems their businesses rely on – which is why Microsoft’s recent move to add the new NIST standards is so important.
PQC algorithms are now part of Microsoft’s SymCrypt, the core cryptographic library that enables data encryption within Windows 11, and with its latest announcement, Microsoft made the algorithms available through its Windows Insiders and Linux developer programs.
The move “will enable customers to commence their exploration and experimentation of PQC within their operational environments,” Aabha Thipsay, Microsoft principal product manager lead in Microsoft’s Azure Edge + Platform organisation, explained.
This, she said, will allow companies to “proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure [and] offer valuable insights into the ways in which PQC can help mitigate emerging threats.”
Microsoft’s move follows a similar change by cloud giant Amazon Web Services (AWS), which added PQC algorithms in its AWS Key Management Service, AWS Certificate Manager and AWS Secrets Manager – all of which are used by cloud applications to secure customer data.
Early efforts are bearing fruit
A recent survey by industry body ISACA found that most companies are still taking a wait-and-see approach to quantum decryption, with just 5 per cent of businesses saying they have a defined strategy to protect themselves from the threat of quantum decryption.
Given that estimates now place Q-Day – the day when still-nascent CRQCs become powerful enough to break today’s encryption – around 2031, and that Google recently warned that reaching that point will be easier than previously thought, businesses are running out time.
Quantum-safe encryption “is a key action for enterprises that require long-term confidentiality of data” such as banks, healthcare, public safety, defence, and even manufacturing companies, SingTel quantum solution architect Brendan Ong explained.
As a key partner in the Singapore government’s National Quantum-Safe Network (NQSN) initiative, SingTel – the parent company of Australian telco Optus – has worked with partners to integrate quantum-safe capabilities into a NQSN+, secure nationwide network using PQC.
“It’s really for those who need to protect their data for the long term,” Ong said during a recent webinar in which he noted that “this is not a one month, two month, two year, three year journey.”
Adequately protecting current and future data against quantum decryption “actually requires a lot of planning,” he said, “as well as collaboration in the industry to actually get this whole quantum safe migration movement going.”
The devil is in the details
For most companies, the need to rapidly audit all of their current applications – and those used by their partners – is a worrying throwback to calls for better supply chain security, as cyber criminals target secure companies by moving laterally from less-secure partners.
Even where platform providers like Microsoft and AWS support PQC, auditing the PQC capabilities of current systems will require a major effort, which is why one of former US President Joe Biden’s last acts was to sign an executive order mandating PQC.
Quantum computers “pose significant risk to the national security, including the economic security, of the United States,” Biden said, directing the federal government “to prepare for a transition to” PQC, including cataloguing PQC-capable products within 6 months.
That order is no more after a new order by current President Donald Trump rescinded Biden’s order – which, he said, “attempted to sneak problematic and distracting issues into cybersecurity policy” including “unproven and burdensome software accounting processes”.
The Australian Signals Directorate (ASD), for its part, has said that it is watching the ongoing development of PQC and encourages Australian industry to “continue R&D of quantum technologies… [including] practical vulnerability research to better understand the risks.”
