Sponsored

Mitigating tomorrow’s risk starts today

Quantum computing’s threat to cybersecurity lies in the future, but hardware needs to be readied now, says HP.

01 October 2024

How do you protect your IT systems against a threat that has yet to materialise? That’s the challenge CIOs face as quantum computing comes ever closer. Already, 27% of experts predict at least a 50% likelihood of a quantum computer that can crack existing “unbreakable” cryptography by 2033. What’s noticeable is that timelines are constantly being shortened as the race to produce such computers heats up. The implications are significant. If existing digital signatures on software and firmware become insecure, the trust on which the digital ecosystem is built will be put at risk.

The whole digital world will need to migrate onto new cryptographic standards to update the asymmetric cryptographic algorithms that a large proportion of products, protocols and services rely on. And one of the most difficult and unavoidable aspects of mitigating the quantum threat to crypto is that it’s not just a software problem, says HP. PCs and printers, but also servers and any other IoT devices, rely on cryptography at the lowest hardware and firmware levels, and if that’s broken, then the devices and all of the software on them will become defenceless against cybercriminals.

“Migrating software to quantum-resistant crypto will be a huge task, but migrating hardware will be an even bigger one as long-lived keys and existing crypto can’t just be updated in the field. If attackers break the crypto in those lower layers of the system, no software would be safe as attackers could gain total control of a device. This is why we have started to introduce new cryptography in hardware first”, says Boris Balacheff, Chief Technologist for Security Research and Innovation, HP Inc. Security Lab.

The migration process

In short, the company emphasises, as the road to cryptographically relevant quantum computers (CRQCs) shortens, the migration to post-quantum cryptography must start now, particularly when it comes to hardware. Hardware refresh cycles are typically long; for example, PCs are in the three- to five-year range. Hardware used in critical infrastructure needs to be future-proofed by being migrated now.

The US National Security Agency has already issued an advisory relating to the need to protect against the future deployment of a CRQC, as has the Dutch government. The US advisory recommends that quantum-resistant cryptography be preferred starting in 2025, and be required from 2030, for sensitive systems.

HP recommends that customers conduct their own assessment of how and when to begin their own cryptographic migration. Use cases with the highest priority should first be identified, and technology vendors engaged to understand their plans for migrating to quantum-resistant protections across the products and solutions in use. The final step is to develop a plan to protect against the quantum threat within the relevant timelines.

As a member of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence Migration to Post-Quantum Cryptography project, HP is contributing to the wider development of migration strategies and methods.

In parallel, the company is already taking steps to protect its own customers. With the launch of an upgraded Endpoint Security Controller (ESC) chip earlier this year, HP now uses quantum-resistant cryptography in hardware to protect PC firmware integrity. The HP ESC chip is isolated from the processor and operating system. Now in its 5th generation, it provides a platform root of trust to protect device integrity, and detect and remediate threats to reduce the risk of data breaches.

With the hardware in place to protect HP PC firmware integrity in the event of CRQC attacks, organisations will be future-proofed and able to focus their efforts on the massive task of migrating the crypto of their software stack over time.