MY TAKE: Fostering Digital Trust – the role of ‘post-quantum crypto’ and ‘crypto agility’ in 2024

By Byron V. Acohido

Notable progress was made in 2023 in the quest to elevate Digital Trust.


Digital Trust refers to the level of confidence both businesses and consumers hold in digital products and services – not just that they are suitably reliable, but also that they are as private and secure as they need to be.

We’re not yet at the level of Digital Trust needed to bring the next generation of connected IT to full fruition – and the target keeps moving. The hyper-interconnected, highly interoperable buildings, transportation systems and utilities of the near future will necessarily generate trillions of new digital connections.

And each new digital connection must be trustworthy. Therein lies the monumental challenge of achieving the level of Digital Trust needed to carry us forward. And at this moment, wild cards – especially generative AI and quantum computing — are adding to the complexity of that challenge.

I had the opportunity to sit down with DigiCert’s Jason Sabin, Chief Technology Officer and Avesta Hojjati, Vice President of Engineering to chew this over. We met at DigiCert Trust Summit 2023.

We drilled down on a few significant developments expected to play out in 2024 and beyond. Here are my takeaways:

PKI renaissance

Trusted digital connections. This is something we’ve come to take for granted. And while most of our digital connections are, indeed, robustly protected, a material percentage are not. These range from loosely configured cloud IT infrastructure down to the multiplying API connectors that many companies leave wide open; all too many APIs simply go unaccounted for.

Each time we use a mobile app or website-hosted service, digital certificates and the Public Key Infrastructure (PKI) come into play — to authenticate the party at the other end of the connection and to protect sensitive data transfers with encryption. This is a fundamental component of Digital Trust – and the foundation for securing next-gen digital connections.

The goal is lofty: companies and consumers need to feel very confident that each device, each document, and each line of code can be verified and trusted. And PKI is the best technology we’ve got to get us there.


“PKI has been around for 30 years in lots of different reincarnations,” Sabin noted. “We’re hitting a massive resurgence, almost a renaissance of PKI right now, because there are so many use cases where the simple ingredients of PKI can be used very effectively to solve the business needs of today.”

Enter the concept of “cryptographic agility” — the ability to replace the algorithms, keys and certificates protecting digital assets without re-architecting the systems that depend on them. Crypto agility has become a requirement because digital connections are firing off more dynamically than ever before, and because algorithms that are considered strong today can be weakened or deprecated tomorrow. Thus companies increasingly require the ability to update encrypted assets in a timely manner and even switch them out as needed, Sabin says.
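One way to make that agility concrete is to tag every protected record with an algorithm identifier and resolve the identifier through a registry, so a primitive can be deprecated and records re-protected in place. The code below is an added example for this article, not DigiCert code; the algorithm names, the envelope layout, the deprecation policy and the sample records are assumptions, and an HMAC over standard-library hashes stands in for the signature or key-exchange scheme a real deployment would swap (for instance RSA for a NIST PQC algorithm).

```python
"""Crypto-agile authentication envelope (added example, not DigiCert code).

Each record carries the id of the algorithm that protected it; callers
never hard-code a primitive, they look it up in ALGORITHMS. Retiring an
algorithm is then a policy change plus a migration pass, not a rewrite.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Assumed registry: algorithm id -> hash constructor used by HMAC.
# A real registry would map ids to signature/KEM implementations.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,          # assumed legacy entry, being retired
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}
# Deprecated ids may still be verified (so old records can be migrated)
# but are refused when creating new tags.
DEPRECATED = {"hmac-sha1"}


@dataclass(frozen=True)
class Envelope:
    alg: str
    payload: bytes
    tag: bytes

    def encode(self) -> bytes:
        # The alg id travels with the record; hex keeps '|' out of the fields.
        return b"%s|%s|%s" % (self.alg.encode(),
                              self.payload.hex().encode(),
                              self.tag.hex().encode())

    @staticmethod
    def decode(raw: bytes) -> "Envelope":
        alg, payload_hex, tag_hex = raw.split(b"|")
        return Envelope(alg.decode(),
                        bytes.fromhex(payload_hex.decode()),
                        bytes.fromhex(tag_hex.decode()))


def _mac(alg: str, key: bytes, payload: bytes) -> bytes:
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    # Bind the alg id into the MAC input so a tag cannot simply be
    # relabelled as having been produced under a different algorithm.
    return hmac.new(key, alg.encode() + b"\0" + payload, ALGORITHMS[alg]).digest()


def protect(key: bytes, payload: bytes, alg: str = "hmac-sha256") -> Envelope:
    if alg in DEPRECATED:
        raise ValueError(f"{alg} is deprecated; refusing to create new tags")
    return Envelope(alg, payload, _mac(alg, key, payload))


def verify(key: bytes, env: Envelope, allow_deprecated: bool = False) -> bool:
    if env.alg in DEPRECATED and not allow_deprecated:
        return False
    if env.alg not in ALGORITHMS:
        return False
    return hmac.compare_digest(_mac(env.alg, key, env.payload), env.tag)


def migrate(key: bytes, env: Envelope, target_alg: str) -> Envelope:
    """Re-protect one record under target_alg.

    The old tag is checked even for a deprecated alg, because migration
    is exactly when that is needed; a record that fails is not migrated.
    """
    if not verify(key, env, allow_deprecated=True):
        raise ValueError("refusing to migrate a record that does not verify")
    return protect(key, env.payload, target_alg)


def migrate_all(key: bytes, raw_records, target_alg: str):
    """Walk a store of encoded records; return (migrated_encoded, failures)."""
    migrated, failures = [], []
    for raw in raw_records:
        env = Envelope.decode(raw)
        if env.alg == target_alg and verify(key, env):
            migrated.append(raw)      # already current, leave untouched
            continue
        try:
            migrated.append(migrate(key, env, target_alg).encode())
        except ValueError:
            failures.append(raw)      # tampered or unknown: needs a human
    return migrated, failures


if __name__ == "__main__":
    key = b"k" * 32                                     # constructed key
    legacy = Envelope("hmac-sha1", b"order:42", _mac("hmac-sha1", key, b"order:42"))
    store = [legacy.encode(), protect(key, b"order:43").encode()]
    new_store, bad = migrate_all(key, store, "hmac-sha3-256")
    print(len(new_store), "migrated,", len(bad), "failed")
```

The two checks worth keeping from this pattern are the policy split between `protect` and `verify` (a deprecated algorithm can be read but never written) and the domain separation inside `_mac`, which stops an attacker from relabelling a tag made under the weakest registered algorithm as one made under the strongest.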

Post-quantum crypto

A high level of Digital Trust, one that leverages crypto agility, is needed for companies to thrive in an environment where cyber attacks are becoming more targeted and severe – and with generative AI providing a great boon to the attackers.

What’s more, a fresh layer of risk posed by the rise of quantum computing looms large. And this is where something called “post-quantum cryptography” (PQC) comes into play.

The National Institute of Standards and Technology (NIST) is in the late stages of formalizing its first PQC standards. Draft standards FIPS 203, 204 and 205 (ML-KEM, ML-DSA and SLH-DSA, derived from CRYSTALS-Kyber, CRYSTALS-Dilithium and SPHINCS+) were published for public comment in August 2023; once final, they will give organizations NIST-recommended algorithms designed to withstand attacks by a cryptographically relevant quantum computer.

Sabin pointed me to a recent Ponemon Institute polling of 1,426 IT security pros that reveals a worrying lack of PQC-readiness among companies across the US, Europe, the Middle East and Asia-Pacific. The survey found a skills shortage, budget constraints and uncertainty about PQC causing some 61 percent of respondents to acknowledge that their organizations are not prepared.

Yet the quantum exposure is already real today, because data captured now cannot be retroactively re-encrypted. Threat actors are pursuing a “harvest now, decrypt later” strategy, Sabin told me. They’re hoarding stolen cyber assets encrypted with current-day algorithms, he says, and patiently waiting for quantum hacking routines to emerge that will enable them to crack in.

PKI playground

To speed the PQC transition, DigiCert has been collaborating with industry partners to develop encryption methods that can withstand the threats posed by quantum computing. DigiCert recently released the DigiCert PQC Playground — a part of DigiCert Labs designed to let developers and tech enthusiasts experiment with the NIST-selected PQC algorithms, which are slated for final standardization in 2024.


Playground visitors can practice generating key pairs and issuing certificates under the three digital-signature algorithms NIST selected for standardization: CRYSTALS-Dilithium, FALCON, and SPHINCS+. Hojjati told me this free tool is intended to be an incubator for development and innovation, demystifying PQC by providing a user-friendly environment for experimentation.

The aim is to alleviate apprehension surrounding the deployment of PQC algorithms and certificates, Hojjati says. This will give software developers, CISOs and other stakeholders a sandbox to test and understand the practical implications of integrating the new NIST algorithms into their systems, he says.

As standards and best practices solidify, a new senior leadership role – the Chief Digital Trust Officer – has cropped up. The office of CDTO is gaining traction in large enterprises that are proactively pursuing Digital Trust. These new security leaders are not just technologists, Sabin says, they are strategists and visionaries.

“In the last 18 months we’re already seeing a number of companies create this new C-level role, recognizing that Digital Trust is critical to their capabilities, their business objectives and the vision of the company,” Sabin says.

As we turn the corner into 2024, Digital Trust is in sight. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 
