Agile Cryptography for Pharma Companies

Business
December 20, 2022

Quantum technologies may have a significant impact on the pharmaceutical industry as a whole, from accelerating drug discovery and formulation optimization to molecular modeling of new compounds at a level of accuracy and usefulness that was not previously achievable.

That said, the pharmaceutical industry also faces new challenges as a result of quantum computing. When error-corrected quantum computers become available, they are expected to break today's public-key encryption (PKE) protocols, putting intellectual property – including compounds and formulas, clinical trial records, and sensitive patient data – at even greater risk.

No one knows exactly when quantum computers will be viable enough to break PKE, although the Dept. of Homeland Security predicts it could be as soon as 2030. Knowing the long-term potential economic windfall that’s locked within encrypted pharma data, adversaries have begun launching Store Now, Decrypt Later (SNDL) attacks to acquire and store such data until working quantum computers are available to decrypt it. If this happens, the outcomes could be catastrophic, ranging from millions of dollars in unfulfilled R&D to billions of dollars in lost future profits.

To protect their organization and customers against SNDL, pharma companies must identify and inventory every instance of vulnerable public-key cryptography throughout their entire IT infrastructure so that both hardware and software systems can be upgraded with quantum-resistant protocols, collectively called Post-Quantum Cryptography (PQC).

PQC represents the next evolution in cryptography. For the past six years, the National Institute of Standards and Technology (NIST) has been working with a consortium of cryptologists and mathematicians from 25 countries to develop new quantum-resistant algorithms that will become the new global encryption standard. This July, NIST unveiled four PQC candidate algorithms and several alternates that are still being evaluated for standardization. This was the sign that corporations and government agencies had been waiting for to begin migrating to PQC.

After an initial discovery process, which could take several months or more, depending on network size and complexity, CIOs and CISOs will have a better understanding of their cybersecurity posture and can decide what areas to prioritize for PQC migration – starting with the most vulnerable data and critical systems. The key is to begin the discovery process immediately. Once encrypted data has been stolen, it can no longer be protected. 

The discovery phase also represents a great opportunity for CIOs and CISOs to update or re-architect their IT infrastructure. The typical pharmaceutical IT architecture is an amalgam of modern and legacy systems, oftentimes the by-product of numerous mergers & acquisitions. The hardware and software upgrades needed to make their systems quantum-resistant could also make them more modern and responsive to meet their business, R&D and regulatory needs.

Once critical systems and data have been upgraded, pharmaceutical companies can transition other systems to PQC on a timetable that fits their budget or other obligations. But in order to maintain the highest level of cyber protection, pharma companies will also need to implement solutions that bestow “crypto-agility” — the ability to encapsulate cryptographic primitives or algorithms, making it easy to switch and replace these primitives as new standards emerge. In addition, pharmaceutical companies may need to create a hybrid cybersecurity architecture – a mix of existing and new technologies – to maintain regulatory compliance and to protect against both classical and quantum-related threats. Crypto-agility is essential in this regard.

SandboxAQ's security product is built on a crypto-agile platform. Our end-to-end Security Suite assists pharmaceutical companies in assessing their vulnerabilities, testing new PQC algorithms, facilitating PQC migration, and managing a new agile cybersecurity architecture.

AVAILABLE RESOURCES

Without a doubt, migrating to PQC will be complex, time-consuming and costly – relative to the size of the network. Due to the potential disruption of SNDL and other threats, migrating to PQC requires a generational shift in global cybersecurity architecture. That said, SandboxAQ can help streamline the discovery and execution phases. We’ve partnered with two of the world’s foremost global system integrators (GSIs) – Deloitte and EY – which have domain expertise in pharma and quantum, and the global scale and intimate knowledge of their clients’ IT architecture.

Another great resource for information is NIST’s National Cybersecurity Center of Excellence (NCCoE), where organizations can find and share business insights, technical expertise, and challenges via a variety of Communities of Interest. SandboxAQ was selected by NIST as one of only 17 technology collaborators for the NCCoE, and we’re helping the government to initiate the development of practices to ease migration from current public-key cryptography algorithms to replacement algorithms that are resistant to quantum computer-based attacks. 

For organizations that are still researching their options, several of our cryptography and cybersecurity experts wrote an insightful white paper titled “Transitioning Organizations to Post-Quantum Cryptography,” which was published in Nature, the world’s foremost international scientific journal. The paper outlines current and future quantum-related threats, steps organizations need to take to become quantum-resistant and crypto-agile, and other helpful information. We encourage you to read this and contact us with any questions you may have.

Regardless of which vendor, partner, or technology approach pharmaceutical companies choose, one thing is certain: the longer you wait, the greater the risk to your organization, investors and customers. It is imperative that you begin the process of migrating to PQC as soon as possible.
