
Quantum-Proofing Your Supply Chain

Quantum computing often feels like a distant problem for future physicists to solve. It is easy to dismiss it as science fiction when you have immediate fires to put out today. However, for Third-Party Risk Management (TPRM) leaders, quantum computing is not a future problem. It is a current crisis disguised as a future one.

The threat is not just that a quantum computer will eventually break encryption. The threat is that your adversaries are preparing for that day right now, and they are using your vendors to do it.


The "Harvest Now, Decrypt Later" Threat

The most pressing risk is a strategy known as "Harvest Now, Decrypt Later" (HNDL). In this attack scenario, adversaries intercept and steal encrypted data today. They cannot read it yet because it is protected by standard algorithms like RSA or ECC (Elliptic Curve Cryptography). Instead of discarding this unreadable data, they store it.

Attackers are betting that within the next decade, a Cryptographically Relevant Quantum Computer (CRQC) will emerge. This machine will run Shor’s algorithm, which can factor large integers and solve discrete logarithm problems efficiently. When that happens, the attackers will pull your stolen data off the shelf, use the quantum computer to derive the private keys, and decrypt everything.

If your organization handles data with a long shelf life, such as trade secrets, health records, government intelligence, or personally identifiable information (PII), you are already at risk. If a vendor is currently transmitting your long-term secrets using standard TLS encryption, that data is vulnerable to HNDL.


You might control your internal encryption standards, but you likely have less visibility into your supply chain. Third-party vendors often run legacy systems or rely on outdated libraries that are difficult to patch. If a critical supplier uses vulnerable cryptography to protect your data, they create a backdoor that bypasses your internal defenses.

The window to act is closing. The US National Institute of Standards and Technology (NIST) has already finalized the first set of post-quantum cryptography (PQC) standards. Regulatory bodies will soon expect compliance. You must ensure your vendors are not the reason you fail to meet these new obligations.


Practical Guidance for TPRM Leaders

Waiting for a perfect quantum computer to arrive is a failing strategy. You need to start preparing your supply chain now. Follow this three-step framework to assess and mitigate quantum risk.

Step 1: Demand a Cryptographic Bill of Materials (CBOM)

You cannot secure what you cannot see. Just as a Software Bill of Materials (SBOM) lists every software component in an application, a Cryptographic Bill of Materials (CBOM) inventories every algorithm, key, and library in use.

Require your critical vendors to provide a CBOM or at least a detailed inventory of their cryptographic assets. You are specifically looking for:

  • Public-Key Cryptography: RSA (even 2048-bit or larger keys remain vulnerable to quantum attack), Diffie-Hellman, and Elliptic Curve Cryptography (ECDH, ECDSA).

  • Symmetric Encryption: AES-128. Symmetric encryption is more resistant than public-key algorithms, but quantum computers still weaken it, so look for a migration path to AES-256.

  • Hash Functions: SHA-256 and SHA-3 are generally considered safe, but older standards like SHA-1 are immediate red flags.
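
One way to triage a vendor's CBOM against the checklist above, as an added example that is not part of the original article. It assumes a CycloneDX-style JSON layout (`cryptographic-asset` components with `cryptoProperties.assetType`) and classifies by algorithm name; the sample inventory is constructed, and the status labels and function names are illustrative.

```python
import json
import re

# Rules mirror the Step 1 checklist; the first matching pattern wins.
RULES = [
    (r"^(RSA|ECDSA|ECDHE?|DHE?|DIFFIE-HELLMAN)", "quantum-vulnerable"),
    (r"^SHA-?1$", "red-flag"),
    (r"^AES-?128", "migrate-to-aes-256"),
    (r"^(AES-?256|SHA-?256|SHA-?3(-|$))", "ok"),
    (r"^ML-(KEM|DSA)", "post-quantum"),
]

def classify(name):
    """Map an algorithm name to a status; unknown names go to manual review."""
    for pattern, status in RULES:
        if re.search(pattern, name.strip(), re.IGNORECASE):
            return status
    return "manual-review"

def audit_cbom(cbom):
    """Return {name: status} for algorithm assets; libraries, certificates and keys are skipped."""
    findings = {}
    for comp in cbom.get("components", []):
        props = comp.get("cryptoProperties") or {}
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue
        name = comp.get("name", "")
        findings[name] = classify(name)
    return findings

def needs_followup(findings):
    """Algorithms the vendor must explain or replace, sorted for a stable report."""
    return sorted(n for n, s in findings.items() if s not in ("ok", "post-quantum"))

# Constructed sample vendor CBOM; CycloneDX-style field names are an assumption.
SAMPLE_CBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
  {"type": "library", "name": "openssl"},
  {"type": "cryptographic-asset", "name": "vendor-tls-cert", "cryptoProperties": {"assetType": "certificate"}},
  {"type": "cryptographic-asset", "name": "RSA-2048", "cryptoProperties": {"assetType": "algorithm"}},
  {"type": "cryptographic-asset", "name": "AES-128-GCM", "cryptoProperties": {"assetType": "algorithm"}},
  {"type": "cryptographic-asset", "name": "AES-256-GCM", "cryptoProperties": {"assetType": "algorithm"}},
  {"type": "cryptographic-asset", "name": "SHA-1", "cryptoProperties": {"assetType": "algorithm"}},
  {"type": "cryptographic-asset", "name": "ML-KEM-768", "cryptoProperties": {"assetType": "algorithm"}},
  {"type": "cryptographic-asset", "name": "ChaCha20-Poly1305", "cryptoProperties": {"assetType": "algorithm"}}
]}
""")
if __name__ == "__main__":
    print(json.dumps(audit_cbom(SAMPLE_CBOM), indent=2))
```

Anything the checklist does not name lands in `manual-review` rather than being treated as safe, so an incomplete rule set fails toward more scrutiny of the vendor.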

Step 2: Update Your Vendor Assessment Questionnaires

Generic security questions are no longer sufficient. You need to ask specific, technical questions to gauge a vendor's maturity regarding the post-quantum transition. Add the following questions to your next assessment cycle:

  1. Do you have a PQC migration roadmap? A "no" answer here is a significant risk indicator for a strategic partner.

  2. Are you testing NIST-standardized algorithms? Specifically, ask if they are experimenting with ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) for general encryption and ML-DSA (Module-Lattice-Based Digital Signature Algorithm) for digital signatures.

  3. Does your product support crypto-agility? Crypto-agility is the ability to switch cryptographic algorithms without rewriting the entire application. Vendors who hard-code algorithms will face massive disruption when they are forced to upgrade.

  4. How do you protect data in transit against HNDL attacks? Ask if they are implementing hybrid key exchange protocols that combine classical and post-quantum algorithms to protect data traveling over the wire today.

Step 3: Prioritize Based on Data Value

You cannot migrate every system at once. Work with your business stakeholders to classify data based on its longevity and value.

  • Critical Priority: Data that must remain secret for 10+ years (e.g., weapon designs, genetic data, long-term strategic plans). Vendors handling this data must move to hybrid or PQC solutions immediately.

  • High Priority: PII and financial records. These have regulatory mandates that will likely update to require PQC soon.

  • Lower Priority: Operational data with a short shelf life (e.g., session cookies, temporary logs).


Conclusion

The transition to post-quantum cryptography is the largest security upgrade in the history of the internet. It will take years to complete. If your vendors delay starting until the technology is widespread, they will be too late.

By identifying vulnerable assets, asking the right technical questions, and prioritizing your highest risks, you can build a quantum-resistant supply chain. The threat is real, the clock is ticking, and the time to prepare is now.