Plaintext: A Step Toward A Quantum-Resistant Future

Welcome to Dark Reading in Plaintext, brought to your inbox this week by Deloitte. In this issue of Plaintext, we look at what it means for quantum-resistant cryptographic algorithms to come to Windows 11. We also note that the bill to harmonize cybersecurity regulations is back in Congress. If you enjoy Plaintext, please share with friends and colleagues!

Windows Insiders to Test Quantum-Resistant Cryptography. At this week's Build 2025 conference, Microsoft announced that post-quantum cryptography (PQC) tools are now available in SymCrypt, Windows's core cryptographic code library. The updated library is available to Windows Insiders in Canary Channel Build 27852 and higher, and on Linux in SymCrypt-OpenSSL version 1.9.0. This means security teams can now explore PQC's impact on their Windows environment and experiment with the post-quantum algorithms selected by the National Institute of Standards and Technology (NIST).

While powerful quantum computers don't exist outside of sophisticated laboratory settings, they are based on well-established science and expected to emerge within the next few years. This capability directly threatens the encryption standards our world relies on today, with Gartner estimating that quantum computing will render traditional cryptography unsafe by 2029. Systems that currently require millions of years for standard computers to crack could be broken by a quantum computer in hours or minutes.

Developers can invoke the new PQC algorithms using the Cryptography API: Next Generation (CNG) and begin migrating and testing their applications for PQC-readiness. For key exchanges, the supported ML-KEM parameter sets include 512, 768 and 1024-bit options, with varying levels of security and trade-offs in performance. For digital signatures, such as those used for code signing, certificate issuance, and identity verification, Microsoft offers ML-DSA with security levels 2, 3 and 5, depending on the configuration.

This practical approach helps security teams identify potential challenges, optimize implementation strategies, and enable an easier transition as industry standards evolve. — Microsoft Security Community blog

Waiting until quantum computers are in commercial production to start planning network and system upgrades would be too late. Some of the tasks could take up to a decade to fully implement. New infrastructure device purchases, such as routers and firewalls, hardware refreshes for new workstations and printers, and application upgrades take time. This is why Microsoft encourages a hybrid approach during the transition period, where the organization simultaneously relies on a post-quantum algorithm (such as ML-KEM or ML-DSA) and a traditional algorithm (RSA, ECDH, or ECDSA). That would mean using ML-KEM alongside existing algorithms (like ECDH or RSA) for situations requiring public key encapsulation or key exchange, or using ML-DSA alongside ECDSA or RSA for digital signatures. Security teams and CISOs need to recognize that the transition is expected to be unprecedented in scale, cost, and difficulty.




Congress Tackles Cybersecurity Regulations. No, they aren't getting rid of them. Instead, Senators Gary Peters (D-Mich.) and James Lankford (R-Okla.) have reintroduced legislation to address the volume of conflicting and overlapping cybersecurity regulations. Navigating a maze of conflicting requirements from different federal agencies can feel like a full-time job, often pulling focus away from enterprise defense. The Streamlining Federal Cybersecurity Regulations Act would create an executive branch panel, led by the Office of the National Cyber Director (ONCD), specifically tasked with harmonizing the regulations to make compliance more manageable. Members would include the heads of each regulatory agency, the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Information and Regulatory Affairs (part of the Office of Management and Budget).

"Bureaucratic red tape shouldn't get in the way of preventing a cyber-attack, but complicated regulations are making it more difficult to address the major cyber threats facing our national security and critical infrastructure." — Sen. James Lankford (R-Okla)


What We Heard On-Air

Tune in to our on-demand webinar, Tips on Managing Cloud Security in a Hybrid Environment.

"...the 'one key to rule them all' problem..." —Jake Williams, Hunter Strategy


On That Note

Dark Reading wants to hear from you! What types of cybersecurity media do you consume? What are your must-read sources of information? Answer these questions and more on our survey. Thank you!



Thanks for sharing, good to see that MS is an advocate in QRC.

Erwin Schrodinger's Cat is not the same as his (at the time) very experimental mathematical contributions. The Cat = thought experiment (no material changes actually occur). The Equation = https://www.linkedin.com/posts/kyle-grant_general-relativity-industries-activity-7331807946785406976-NoAV?utm_source=share&utm_medium=member_ios&rcm=ACoAAAT2CesB-tS3MAe_L_MUjC7seEGcIhEmYAA
