Jump to Content
Security & Identity

Cloud CISO Perspectives: How Google is preparing for post-quantum cryptography (and why you should, too)

August 15, 2024
https://storage.googleapis.com/gweb-cloudblog-publish/images/Cloud_CISO_Perspectives_header_4_Blue.max-2500x2500.png
Phil Venables

VP, TI Security & CISO, Google Cloud

Hear monthly from our Cloud CISO in your inbox

Get the latest on security from Cloud CISO Phil Venables.

Subscribe

Welcome to the first Cloud CISO Perspectives for August 2024. Today I’m adapting our upcoming Perspectives on Security for the Board report. It examines three key cybersecurity topics from the vantage of the board of directors: multifactor authentication, digital sovereignty, and — the one I’ll be focusing on here — post-quantum cryptography.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

How boards can help navigate the quantum leap

By Phil Venables, VP, TI Security & CISO, Google Cloud

Quantum computers are a hot topic in the tech world. They’re a new type of machine that uses quantum mechanics to solve complex mathematical problems that can stump today’s computers — and they could pose a risk to existing cybersecurity technology and practices.

If powerful enough, quantum computers could potentially crack the codes, or encryption, that protect our online communications and sensitive data. This could have serious consequences, jeopardizing online privacy and the security of our digital world. We’re already seeing cyberattacks where threat actors steal vast troves of encrypted data.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Phil_Venables_small.max-2200x2200.jpg

One reason they might have for doing that is to decrypt the data at a later date. In one anticipated scenario, these threat actors use the quantum computers of the near future to access data that today would be considered inviolate.

Fortunately, there are alternative cryptographic systems known collectively as post-quantum cryptography (PQC) that offer a secure way forward. Standards to guide the development of "quantum-safe" cryptographic systems have just been finalized by National Institute of Standards and Technology (NIST) — and they run on today’s conventional computers.

At Google, we take these risks seriously, and we’re taking steps on multiple fronts to address quantum computing risks. We began testing PQC in Chrome in 2016, we’ve been using PQC to protect internal communications since 2022, and we’ve taken additional quantum computing protective measures in Google Chrome, Google servers, and in experiments for connections between Chrome Desktop and Google products (such as Gmail and Cloud Console.)

Preparing for PQC doesn’t need to be managed as a “big bang”. Board members should speak with their CISO, CIO, and CTO about developing a post-quantum cryptography strategy.

Additionally, Google engineers have contributed to official, formal quantum computing standards released by NIST, ISO, and other standards organizations, and we are working with partners to produce formally-verified PQC implementations that can be used at Google and beyond.

Board members should understand the consequences of not preparing for PQC, and ask questions of their organization’s leaders including the CISO, CIO, and CTO, and despite the unpredictable timeline for quantum breakthroughs.

There are four primary reasons that drive our interest in getting ready for PQC now — and not delaying action.

  • Business impact of cryptography failing. Quantum attacks could be able to break the cryptography used to protect data critical to delivery of your most important business services.
  • Migrating cryptography takes a long time. Although quantum-safe cryptographic algorithms are available and can be implemented on existing hardware, upgrading to new cryptographic algorithms and protocols requires significant time and effort.
  • Harvest now, decrypt later. Future technology could unlock the secrets hidden in data that cybercriminals are stealing today — secrets that could be the very lifeblood of your organization, such as intellectual property, trade secrets, and sensitive communication records.
  • Standardization and upcoming regulations. Well-recognized standards bodies, including NIST, have just released post-quantum cryptography standards. Even the White House is developing directives urging federal agencies to prepare for quantum computing advancements. We anticipate new regulations across various industries, and Google is actively participating in working groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the PQC Alliance to address these developments.

From PQC preparation to PQC action

Preparing for PQC doesn’t need to be managed as a “big bang”. Board members should speak with their CISO, CIO, and CTO about developing a post-quantum cryptography strategy. This should include preparing for integration of new, quantum-resistant algorithms into existing systems, while ensuring efficiency and scalability and weighing cost, risk, and usability.

  • Implement a PQC strategy: Acquire expertise to distinguish between hyped up announcements of small improvements, marketing, and actual advancement in quantum engineering. Follow up with both industry best practices including our post-quantum cryptography blogs and academic and industry research, including Google’s Quantum Research.
  • Assess the business risk: Conduct a risk assessment to identify critical data that is most vulnerable to quantum attacks. Identify where cryptography is utilized — it is likely pervasive throughout your systems. Create an inventory of all systems employing cryptography to safeguard data at rest, in transit, and in use. Classify the data and perform a threat analysis. Google's quantum threat analysis can serve as an example of how to determine which changes should be addressed first.
  • Analyze the broader risk: Assess the wider impact to other systems that might need to change. This could be like a Y2K problem where the format of data (for example, larger digital signatures) in databases and applications might need significant software changes beyond the cryptography.
  • Learn from the past: Reflect on how your organization successfully dealt with major cryptography-related issues in the past. This will help identify strategies that worked well and areas for improvement. Organize a tabletop exercise — a workshop for the organization's leadership (and board members) to raise awareness of the complexities associated with migrating cryptographic systems — and to identify the necessary steps moving forward. Google's adoption of PQC can serve as an example for other organizations.

To be clear, we’re not sure of exactly when we’ll see a quantum computer powerful enough to break today’s security. Whether it happens in 5, 10, or 15 years, the task of adopting post-quantum cryptography is substantial.

Additionally, with NIST’s new PQC standards, regulators, governments, customers, and auditors are likely to question your organization about its PQC plans. Therefore, it's crucial for organizations to initiate the transition immediately.

For more leadership guidance from Google Cloud experts, please see our CISO Insights hub and contact us at Ask Office of the CISO.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

  • Join our Security Summit 2024 for a masterclass in modernizing cloud security: Join our upcoming Security Summit on August 20 to learn about the latest innovations and strategies to help protect your business and customers from emerging threats. Read more.
  • mWISE Conference 2024: Your front-row seat to the future of cybersecurity: Experts from Mandiant, Google Cloud, and the wider cybersecurity community will come together September 18-19 at mWISE in Denver, Colo. This is your chance to immerse yourself in the latest threat intelligence, cutting-edge tools, and engage with the strategic minds that are shaping the future of cybersecurity. Register today.
  • Practical tips to make cloud governance work for you: To keep from getting tangled, business leaders rely on robust governance and 3LoD to help clearly delineate and assign key organizational functions and roles. Here’s tips from our Office of the CISO. Read more.
  • Experimenting with Gemini 1.5 Pro and vulnerability detection: Learn how Gemini Pro 1.5, with its code scanning and code generation capabilities, can help you analyze complex code and identify vulnerabilities. Read more.
  • Level up your Kubernetes security with the CIS GKE Benchmarks: To make Kubernetes-driven compliance easier to manage, we’ve updated the CIS Google Kubernetes Engine benchmarks. Here’s what’s new. Read more.
  • Create a powerful Kubernetes security duo with custom Org Policy and Policy Controller: Custom Org Policy and Policy Controller can help secure your GKE clusters and achieve governance and compliance at scale. Here’s how. Read more.
  • Google and Alphabet vulnerability-hunting rewards are now up to five times larger: Since the creation of the Google Vulnerability Rewards Program in 2010, we have been rewarding bugs found in our systems and applications. We’re updating the reward amounts — you can now earn up to $151,515. Read more.
  • Keeping your Android device safe from text message fraud: There are a number of Android-only security features that can significantly mitigate, or in some cases fully block, SMS Blaster fraud. Read more.
  • Building security into the redesigned Chrome downloads experience: The redesigned Chrome downloads experience gives us the opportunity to provide even more context when Chrome protects a user from a potentially malicious file. Read more.
  • Improving the security of Chrome cookies on Windows: Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users. We already have a number of initiatives in this area, and we’re adding a new layer of protection to make Windows users safer from this type of malware. Read more.
  • Deliver Sovereign Cloud solutions with the new Google Distributed Cloud initiative: The Managed GDC Provider initiative lets select partners deploy, operate, and manage Google Distributed Cloud services as a fully managed offering. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

  • Iranian-backed group steps up phishing campaigns against Israel, U.S.: Google’s Threat Analysis Group has new insights on APT42, an Iranian government-backed threat actor, and their targeted phishing campaigns against Israel and Israeli targets. TAG is also confirming recent reports around APT42’s targeting of accounts associated with the U.S. presidential election. Read more.
  • UNC4393 goes gently into the SILENTNIGHT: Mandiant details the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. Read more.

Now hear this: Google Cloud Security and Mandiant podcasts

  • Listen again: Leaping at quantum problems: What’s the real threat posed by quantum computers, and how can post-quantum cryptography help defenders? Jennifer Fernick, Google senior staff security engineer, shares her insights on all things quantum with our Cloud Security podcast hosts Anton Chuvakin and Tim Peacock. Listen here.
  • SIEMingly for real? How to pull off a full SIEM migration in just one week: Can you really complete a SIEM platform migration in a week? Manan Doshi, senior security engineer, Etsy, tells Anton and Tim all about Etsy’s recent experience moving to Google Security Operations. Listen here.
  • Cloud security journeys, from improvement to transformation: Google security experts Jaffa Edwards and Lyka Segura tell Anton and Tim customer stories of how mere improvements can be transmogrified into full transformations. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.

Posted in