IBM’s Cryptography Bill of Materials to speed up quantum-safe assessment

Quantum computing could one day solve important problems in business and science, but it also brings risk. The encryption schemes we use today to safeguard sensitive data — such as financial and health records — could be obsolete in a future where quantum computers reach their full potential.

The good news? Governments and organizations are taking these risks seriously, now. And IBM Quantum Safe solutions exist today.

In May of this year, the White House released a National Security Memorandum, laying out the administration’s plan for securing critical systems against potential quantum threats. In July, the U.S. National Institute of Standards and Technology (NIST) announced four quantum-safe algorithms for post-quantum cryptographic standardization, which they expect to finalize by 2024. Three of these four were developed by IBM scientists, in collaboration with industry and academic partners. And just last month, the US government issued directions on migrating to quantum-safe cryptography to its agencies.

Industries are also taking action. Telecommunications industry organization, GSMA, formed a Post-Quantum Telco Network Taskforce in September of this year — which IBM and Vodafone joined as initial members — to help define policy, regulation and operator business processes to protect The World Economic Forum recently estimated that more than 20 billion digital devices will need to be either upgraded or replaced in the next 10-20 years to these new forms of quantum-safe encrypted communication.telcos from this quantum future. Without quantum-safe controls in place, sensitive data, such as confidential business and customer information could be at risk.

IBM’s solution for migrating to quantum-safe software

To address this need to move to quantum-safe solutions, our cryptography team behind the IBM Quantum Safe technology and NIST algorithm contributions has developed a new approach, dubbed Cryptography Bill of Materials (CBOMs).

The CBOM is an extension of the well-known Software Bill of Materials (SBOM) concept from software supply chains that allows systems and software to be described using a standardized list of components, libraries, and dependencies. Our CBOM describes cryptographic assets while extending existing software supply chain tooling. It simplifies the creation and management of a cryptography inventory across diverse software, services, and infrastructure, and allows complex cryptographic components to be added to well-established tools and processes to assess software supply chain security and integrity.

How it works: Discover and locate cryptography, prioritize, move to quantum-safe cryptography

Our approach for cryptography inventory and migration consists of three non-intrusive and active methods to discover a cryptography presence and use in systems, software, or Software as a Service (SaaS):

1. Discover: Prioritize cryptography inventory. Passively or actively scan the IT environment to identify all cryptography in use and enrich the findings with contextual information about the value and criticality of related data.
2. Analyze: Root cause and migration recommendations. Perform a deep scan of prioritized systems and software to locate where the unwanted cryptography resides and provide a prioritized action plan for remediation.
3. Remediate: Upgrade to quantum-safe cryptography. Use ready-made drop-in replacements to upgrade systems and software from a rapidly growing quantum-proofed software repository.

Analyzing our own systems, applications, infrastructure

We have just successfully completed the first end-to-end validation of automatically inspecting one of IBM’s live essential business applications, maintaining some of the company’s most sensitive data, for use of soon-out-of-policy cryptography (e.g., RSA, elliptic curves). The outcome is a simple risk-based prioritization of the cryptography inventory. The application and data will then be migrated to use quantum-safe cryptography algorithms. 

Our tooling specifically addresses the two pressing initiatives currently underway in many organizations and agencies, triggered by the White House’s executive order to improve the United States’ cybersecurity (EO 14028, May 12, 2021) and National Security Memorandum 10 to mitigate risks to vulnerable cryptographic systems (NSM-10, May 4, 2022), as well as directions for agencies on the Migration to Post-Quantum Cryptography (M-23-02, Nov 18, 2022), which state that agencies must establish a security software supply chain, and a prioritized inventory of currently deployed cryptographic systems.

Ready to help clients and partners make their data and systems quantum safe

IBM Tape, and IBM z16 systems are already quantum safe. We are working with clients all over the world to assess, prepare, and migrate their systems to quantum-safe cryptography. Our CBOM specification and tooling is available for organizations as a basis for information-capturing and exchange of cryptography assets.

The quantum era will bring about solutions to some of the world’s most-pressing problems, alongside these important cybersecurity considerations that many companies will face this century. But with the IBM Quantum Safe CBOM, they can feel confident that they will be prepared for this new era — and to embrace the potential it brings.