
Industry experts warn crypto infrastructure is ‘creaking’

A report from experts at HSBC, Thales and InfoSec Global claims decades-old cryptographic systems are failing, putting businesses at risk from current vulnerabilities and the threat from quantum computing

A group of cyber security and financial services experts has warned that the world’s cryptographic infrastructure is “struggling to remain fit for purpose” and is putting digital trust at risk.

In a report, authors from HSBC, Thales and InfoSec Global, including Taher Elgamal, the designer of the secure sockets layer (SSL) protocol, argued that cryptographic systems designed more than 30 years ago are now “creaking” under the weight of the modern digital economy.

“The cryptographic infrastructure has failed to adapt to the new reality and is no longer fit for purpose in many cases,” they noted. “This means the security of fundamental building blocks is no longer a given and, consequently, may be vulnerable.”

Besides the immediate risk from misconfigured or outdated cryptography already in use, they also singled out the future threat from quantum computing, which the Global Risk Institute predicts will be capable of breaking public-key cryptography within five to 15 years.

This looming “Q-Day” has prompted warnings of “store-now-decrypt-later” attacks, where adversaries harvest encrypted data today with the intention of decrypting it once quantum computers are more widely available.

To address many of today’s cryptographic shortcomings and mitigate risks, the authors urged organisations to build an inventory of cryptographic assets and evaluate whether they are cryptographically secure, compliant, adhere to best practices, and are appropriately used for their intended purposes, among other considerations.

And in doing so, technology leaders and the cyber security community must shift their approach in defining cryptographic requirements, going from “you must use cryptography” to “you must use appropriate, robust cryptography”.

The authors also pointed out the distinction between a cryptographic bill of materials (CBOM), which lists the crypto capabilities built into a piece of software, and a full cryptographic inventory, which provides a dynamic view of how those assets are actually configured and used across the enterprise.

While a CBOM is a useful component, the authors stressed that a cryptographic inventory is needed to answer critical operational questions such as: “What have I got? Where are the assets? How effective are they?”

Creating a cryptographic inventory is a major challenge due to the complexity and scale of modern IT environments, which mix on-premise, cloud and third-party systems. The authors advocated for a combination of automated discovery tools and deep subject matter expertise, guided by executive sponsorship.

Just as important is the need to frame cryptographic management as a core business issue that directly affects the balance sheet. Chief information security officers (CISOs) and chief information officers (CIOs) must be able to articulate cryptographic risk in financial terms to the board.

“The value derived from a cryptographic inventory should be measured by its ability to reduce balance sheet risk, manage operational business risk, and provide actionable insights for risk mitigation,” the authors wrote.

Failing to do so can expose organisations to regulatory fines under data protection regimes like the General Data Protection Regulation (GDPR), reputational damage, and an inability to secure cyber insurance.

Ultimately, the responsibility for managing cryptographic assets must be clearly defined. The authors suggested using a RACI (responsible, accountable, consulted and informed) matrix, with a C-level executive, such as the CISO or CIO, being made accountable for all cryptography management.

While various cryptography management capabilities can be outsourced, the authors noted that risk cannot be outsourced and will always be owned by the organisation: “Cryptography must become a strategic asset of an organisation, as it constitutes critical infrastructure.”
