Cryptographic discovery is the process of creating an actionable, prioritized cryptographic inventory by detecting, tracing, and rating the cryptography in use throughout an enterprise based on its security in the post-quantum era. Cryptographic discovery is an intuitive goal, but it can be extremely difficult to achieve. Common cybersecurity tools detect cryptography by design, but they do not catalog vulnerable cryptography to enable prioritization and remediation. For this reason, most tools are ill-equipped to provide the visibility organizations need into cryptographic vulnerabilities driven by emerging quantum computing technologies.

Many new products are emerging in the market to address this gap, but adding additional security tools comes at a price, increasing both the total cost of migration and the time it takes to complete the migration. That is time many organizations don’t have given the risks of “Hold Now, Decrypt Later” attacks and resources they may not need to expend. Rather than purchasing new products, some organizations are turning to novel data engineering methods to overcome common cryptographic discovery challenges.

When the U.S. government raised the alarm on the criticality of PQC in 2022 through National Security Memorandum 10, the Quantum Computing Cybersecurity Preparedness Act, and OMB’s Memorandum on Migration to PQC, one Fortune 10 retail company took note. They found that investing in a scalable, production-grade analytics platform to dynamically discover cryptography across their large, federated systems enabled them to understand their risk exposure without the need for new cyber telemetry.

Extract, transform, load (ETL) pipelines were used to optimize the use of cryptographic metadata from existing sensors and maintain traceability to certificates and unique connections. As a result, security leaders across the organization could use the dashboard to see a real-time snapshot of cryptographic strength across the network and analysts could trace vulnerable cryptography back to its source for remediation, submit custom queries, and expand the discovery tool’s coverage to new network boundaries.

1.   Start small: Define a priority network for an initial cryptographic discovery initiative, recognizing that everything cannot be transitioned all at once.

2.  Optimize reuse: Extract cryptographic data from existing sensors on the network to increase speed-to-solution and avoid added infrastructure costs and complexity.

3.  Engineer for flexibility: Invest in a scalable platform that can be used for both initial inventories during PQC planning and ongoing monitoring during PQC implementation.

Cryptographic discovery is a common starting point in the journey to post-quantum security, but it isn’t the only place an enterprise can take its initial steps toward PQC. Discovery allows organizations to achieve breadth in PQC planning; prototyping enables depth. Prototyping focuses on modeling and measuring the performance and interoperability impacts of transitioning to PQC.

The math behind PQC is fundamentally different than that of legacy public key cryptography. Higher computational complexity makes PQC a robust defense against quantum attacks. It also introduces network and infrastructure challenges such as increased latency, increased bandwidth, and lack of interoperability. Understanding the impact of these challenges is important to inform procurement decisions, implementation decisions, and algorithm selection in use cases with multiple PQC algorithms, such as digital signatures.

A federal agency responsible for securing critical networks was especially attuned to the importance of performance and interoperability during their PQC transition. They needed a prototype system to provide quantifiable performance and interoperability test results, including impacts on existing hardware and software.

The agency used a test harness to help quantify the effects of PQC by simulating multiple connections and executing test scenarios that varied network traffic, bandwidth constraints, and algorithms used throughout the connection across authentication and transport layer security (TLS) negotiations. A dashboard automatically visualized searchable results. This enabled analysts to understand how negotiations would default to classical algorithms when an endpoint was not configured for PQC; identify the effects of hybrid certificate chains; and quantify the overhead cost and impact on the network.

1.  Develop reference architectures: Determine where cryptography is used in a priority use case to define prototype implementation, showcase vendor dependencies, and outline interoperability requirements.

2.  Establish a reusable test environment: Establish a laboratory environment that can simulate hybrid and full PQC solutions to determine optimal algorithm selection and implementation.

3.  Engineer a PQC prototype: Assess hardware and software limitations performance impacts, and interoperability across the identified use case. 

Since the 1970s, public key algorithms have secured our digital lives. These unintrusive protections have been embedded deep into hardware, software, and digital protocols. But agility and governance were not baked into design decisions about cryptographic implementation. Hardware vendors integrated cryptography in ways that often prevent it from being updated without replacing an entire chip. Software vendors didn’t track the cryptography throughout the different layers of their applications. These vendors did not imagine a future where the underlying math behind every public key cryptographic algorithm would be vulnerable to attack. Yet that is the reality today, and it requires enterprises to adopt new PQC standards.

Now, NIST’s initial PQC standards (published in August 2024) provide the best available approach to defend against the quantum threat. However, it is possible that future technology advances could make those standards vulnerable to attack. It is also possible that additional and forthcoming PQC standards could offer performance advantages over NIST’s initial standards.

This is where cryptographic agility comes into play. Cryptographic agility refers to the ability to rapidly find, monitor, update, and replace cryptography. It addresses an enterprise’s capacity to navigate future cryptographic changes. This agility is essential for PQC, but its significance extends beyond post-quantum cybersecurity. When undertaken proactively and in concert with other cyber modernization priorities, PQC strategies that emphasize agility can increase the overall effectiveness and efficiency of organizations’ procurement decisions.

A defense customer recognized the need to invest early in PQC to safeguard their infrastructure during high-impact missions. They were already transforming larger cyber operations in areas like zero trust and cryptographic modernization, but they knew these initiatives did not address PQC. These larger efforts can involve the purchase of new, expensive, built-to-last equipment, such as tactical radios and encryptors. Streamlining these decisions to include PQC considerations stood to increase the efficiency and effectiveness of their procurement in the long run, reduce unnecessary purchases, and prevent vendor lock-in with solutions that were not actively preparing for the PQC transition. They needed to develop a plan for cryptographic agility.

Convening internal and external stakeholders, the agency cataloged cryptographic dependencies across vendor and legacy equipment; monitored the existing, new, and potential cryptographic implementations; and inventoried replacement options for capabilities that could not support PQC algorithms.

1.  Integrate PQC into ongoing cybersecurity modernization: Define how PQC aligns with future security architectures to buy down future technical debt and enable rapid adoption.

2.  Enumerate procurement policy impacts: Make PQC a priority with vendors to prevent lock-in with products that lack PQC transition plans.

3.  Establish strategies for infrastructure management and policy enforcement: Enable knowledge transfer to enforce governance throughout the transition.

• CISOs must design unique PQC transition roadmaps that align with their agency’s attack surface and threat vectors.
• Enterprises can avoid added infrastructure costs and increase speed-to-solution by extracting cryptographic data from existing network sensors and analyzing that data in novel ways to enable PQC migration.
• Integrating PQC transition plans with other cyber modernization efforts is critical to prevent vendor lock-in with solutions that are not actively preparing for the PQC transition.