Understanding the Role of Post Quantum Cryptography in Web Browsing
- Alexey

- Aug 23, 2023
Post Quantum Cryptography for web browsing (HTTPS) is not a comprehensive solution for quantum-in-cyber risk. Many still think that it is.

The recent buzz about Post Quantum Cryptography (PQC) for web browsing (HTTPS) (link) has led some to believe it's the definitive answer to quantum-related cyber risks. However, it's crucial to approach such claims with a discerning eye. The media often amplifies news for better engagement, but this particular coverage might have strayed beyond mere exaggeration.
At its core, the term "quantum cyber risk" describes the current data security risk caused by loss of trust in the cryptographic algorithms used to protect data. Data requires protection while it holds value, throughout its lifetime. The problem appears at the intersection of the data's shelf life and the untrustworthiness of cryptographic algorithms. For those keen to delve deeper, here are some links (https://www.ey.com/en_au/cybersecurity/quantum-in-cyber-risk-is-real-inaction-is-no-longer-an-option and https://www.ey.com/en_au/technology/critical-look-at-quantum-computing).
While the introduction of PQC for HTTPS sessions is undoubtedly a significant stride (despite the standards not being fully established yet), it serves as a testing ground for organisations and individuals to gauge its efficacy, limits, and potential challenges. Yet, it's worth noting that data security extends far beyond just web browsing. The three primary data modalities—data in transit, data at rest, and data in processing—all demand their unique set of protective measures depending on context.
The phrase "unique set of protective measures" might not have the same ring as "revolutionary change" or "protection from quantum apocalypse", but its essence is genuine. It reflects that context is paramount, with prioritisation naturally occurring as organisations navigate the vast remediation landscape.
Considerations for context include, but are not limited to:
- Attack Economics: Are certain data sets particularly enticing for threat actors? Is there a financial incentive behind launching specific attacks?
- Quantum Computing Progress: How long before decryption capabilities become available to attackers?
- Data Longevity: Does the data have a short shelf life, like a one-minute authentication token, or does it bear long-term significance, akin to state secrets spanning decades?
In essence, a truly robust solution begins with a comprehensive understanding of the data, where a PQC-enabled HTTPS session may close a specific gap.
Link to the Chromium blog with the PQC support announcement - https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html



