Cryptographic Agility for EU Cybersecurity Professionals

Summary

Cryptographic agility for EU cybersecurity professionals means building systems that can easily adapt to new encryption standards and threats, ensuring data remains secure even as technology and regulations change. It allows organizations to quickly switch cryptographic methods without major disruption, which is vital as quantum computing and regulatory updates reshape the landscape.

  • Design for flexibility: Use abstraction layers and modular cryptographic libraries so you can update or replace algorithms quickly as requirements evolve.
  • Inventory and monitor: Keep a detailed list of all cryptographic assets and continuously track where and how encryption is used to spot vulnerabilities early.
  • Stay policy-driven: Let encryption choices be managed by security policies instead of code, making it easier to align with new standards and regulatory mandates.
Summarized by AI based on LinkedIn member posts
  • Wias Issa

    CEO at Ubiq | Board Director | Former Mandiant, Symantec

    6,812 followers

    Most teams only think about cryptographic-agility after it’s too late. A vulnerability gets published. Or a regulator introduces a new mandate. Or support for an algorithm is deprecated. And suddenly, what used to be a secure-by-design system is now a liability.

    Here’s the truth: Cryptographic agility isn’t just about preparing for quantum. It’s about surviving basic operational realities:

    - Algorithms fall out of favor
    - Vendors deprecate formats
    - Threat models evolve
    - Implementation bugs surface in the wild

    If your encryption is hardcoded, deeply embedded, or coupled tightly to a single system, you’re stuck. You won’t just be patching. You’ll be rewriting, revalidating, and hoping you catch everything.

    What does crypto-agility actually look like?

    1. Abstraction at the edge: Encryption should live at the edge of your architecture. Not deep inside your codebase. Use APIs, SDKs, or services to contain crypto logic and isolate it from business logic.
    2. Algorithms are policy-driven: Your developers shouldn't need to choose between AES or a future PQC algorithm. That choice should live in policy, not code. The system should adapt without rewrites.
    3. Central control with distributed enforcement: You want visibility and governance, without introducing bottlenecks. Let the control plane define what should happen. Let the data plane enforce it close to the source.
    4. Built-in upgrade paths: If you can’t rotate keys, change algorithms, or re-encrypt without downtime, you’re not agile. Support versioning and transitional modes from the start.
    5. End-to-end observability: Agility depends on knowing how encryption is being used. Log every encryption, decryption, and policy change. Without visibility, there’s no control.

    Agility isn’t an afterthought. It’s a design principle. And once it's missing, it's nearly impossible to bolt on later. We wrote a deeper guide that breaks this down with real implementation examples. Link in comments.
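The policy-driven, versioned design described in the post above can be sketched as follows. This is an added example, not code from the post or from its author's product; it uses HMAC from the Python standard library as a stand-in primitive so it runs without third-party packages, and the names `REGISTRY`, `Policy` and `Protector` are hypothetical.

```python
import hashlib
import hmac
import json
import logging

log = logging.getLogger("crypto-audit")  # every operation and rejection is logged

# The only place that names concrete primitives. Adding one is a single line here.
REGISTRY = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}


class Policy:
    """Control-plane decision: algorithm for new output, algorithms still accepted."""

    def __init__(self, current, accepted=()):
        if current not in REGISTRY:
            raise ValueError(f"unknown algorithm {current}")
        self.current = current
        self.accepted = {current, *accepted}


class Protector:
    """Data-plane enforcement: callers pass bytes and never name an algorithm."""

    def __init__(self, policy, keys):
        self.policy = policy
        self.keys = keys  # key id -> key bytes (constructed; a KMS lookup in practice)

    def _tag(self, alg, kid, data):
        # Bind the header into the tag so alg and kid cannot be swapped on their own.
        msg = f"{alg}|{kid}|".encode() + data
        return hmac.new(self.keys[kid], msg, REGISTRY[alg]).hexdigest()

    def protect(self, kid, data):
        alg = self.policy.current
        log.info("protect alg=%s kid=%s", alg, kid)
        return json.dumps({"alg": alg, "kid": kid, "data": data.hex(),
                           "tag": self._tag(alg, kid, data)})

    def verify(self, envelope):
        env = json.loads(envelope)
        alg, kid = env["alg"], env["kid"]
        # The header is untrusted input: policy, not the envelope, decides what is allowed.
        if alg not in self.policy.accepted or alg not in REGISTRY or kid not in self.keys:
            log.warning("reject alg=%s kid=%s", alg, kid)
            raise ValueError("algorithm or key not permitted by policy")
        data = bytes.fromhex(env["data"])
        if not hmac.compare_digest(self._tag(alg, kid, data), env["tag"]):
            log.warning("bad tag alg=%s kid=%s", alg, kid)
            raise ValueError("integrity check failed")
        log.info("verify alg=%s kid=%s", alg, kid)
        return data

    def needs_upgrade(self, envelope, kid):
        env = json.loads(envelope)
        return env["alg"] != self.policy.current or env["kid"] != kid

    def upgrade(self, envelope, kid):
        """Transitional mode: verify under old parameters, re-protect under current policy."""
        return self.protect(kid, self.verify(envelope))
```

Retiring an algorithm is then a policy change: drop it from `accepted` once `needs_upgrade` no longer reports any stored envelope that uses it.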

  • Markku-Juhani Saarinen

    Cryptographer / Työelämäprofessori

    1,205 followers

    https://lnkd.in/dD8ThHXM (To appear at SSR 2025)

    CRA and Cryptography: The Story Thus Far
    Markku-Juhani O. Saarinen, Tampere University, Finland

    ABSTRACT

    We report on our experiences with the ongoing European standardisation efforts related to the EU Cyber Resilience Act (CRA) and provide interim (November 2025) estimates on the direction that European cryptography regulation may take, particularly concerning the algorithm “allow list” and PQC transition requirements in products. We also outline some of the risks associated with the partially closed standardisation process, including active impact minimisation by vendors concerned with engineering costs, a lack of public review leading to lower technical quality, and an increased potential for backdoors.

    The Cyber Resilience Act came into effect in December 2024, and its obligations will fully take effect for makers of “products with digital elements” from 2027. CRA compliance is a requirement for obtaining the CE mark and a prerequisite for selling products in the European Single Market, which comprises approximately 450 million consumers. The CRA has a wide-ranging set of security requirements, including security patching and the use of cryptography (data integrity, confidentiality for data at rest and data in transit). However, the Cyber Resilience Act itself is a legal text devoid of technical detail – it does not specify the type of cryptography deemed appropriate to satisfy its requirements.

    The technical implications of CRA are being detailed in approximately 40 new standards from the three European standardisation organisations, CEN, CENELEC, and ETSI. While the resulting ETSI standards can be expected to be available for free even in the drafting stage, the CEN and CENELEC standards will probably require a per-reader license fee. This, despite recent legal rulings asserting that product security and safety standards are part of EU law due to their legal effects.

    Taking a recent (2024) example of cryptographic requirements in such standards, we observe that the definitions and language in the Radio Equipment Directive (RED DA) harmonised standard (EN 18031 series) may allow vendors to take an approach where weak cryptography is considered “best practice” right until exploitation is feasible. Recognising recent developments such as the EU Post-Quantum Cryptography transition roadmap, many CRA standardisation working groups are moving towards a “State-of-the-Art Cryptography” (SOTA Cryptography) model where approved mechanism listings are published by the European Cybersecurity Certification Group (ECCG). CRA-compliant products may still support other cryptographic mechanisms, but only SOTA is permitted as a safe default for Internet-connected products.

  • Marin Ivezic

    CEO Applied Quantum | PostQuantum.com | SANS Instructor | Former CISO, Big 4 Partner, Quantum Entrepreneur

    34,169 followers

    The EU published its Post-Quantum Cryptography (PQC) Roadmap in June 2025, setting out fairly aggressive target dates for migration. But without introducing any explicit enforcement mechanisms. That has led many to conclude that the roadmap lacks enforcement power and is therefore “just a non-binding recommendation.” It’s a very common misconception.

    The roadmap expects all EU Member States to begin transitioning to PQC by launching national strategies and taking concrete “first steps” in the migration process. In practical terms, this means starting assessments, awareness campaigns, and cryptographic inventories no later than 2026.

    I’m increasingly involved in conversations around these topics. So I tried to clarify how EU recommendations typically operate in conjunction with binding regulations.

    The roadmap is more than a polite suggestion. While non-binding on its own, it aligns closely with enforceable frameworks such as NIS2 and DORA, effectively creating indirect mandates through risk-based compliance requirements. The EU does not need a standalone PQC regulation for the roadmap to matter. It functions more like a lens through which regulators and auditors will interpret what “appropriate,” “proportionate,” and “state-of-the-art” cryptography means under existing law.

    NIS2 already requires entities to maintain policies and procedures on the use of cryptography. DORA goes further, explicitly requiring financial entities to track the evolving cryptographic threat landscape - including “threats from quantum advancements.”

    And the Commission is not presenting this as permanently voluntary. It has made clear that it will monitor progress and may take additional steps, including proposing binding acts of Union law, if necessary.

    I tried to summarize this “roadmap + binding law” logic here: https://lnkd.in/dcf4bsht

    #PQC #PostQuantum #QuantumSecurity #Cybersecurity #Cyber #NIS2 #DORA

  • Day 8: Data Security and Post Quantum Readiness

    In today’s hyper-connected world, data is the new currency and the perimeter, and it is essential to safeguard them from cyber criminals. The average cost of a data breach reached an all-time high of $4.88 million in 2024, a 10% increase from 2023.

    Advances in quantum computing further threaten traditional cryptographic systems by potentially rendering widely used algorithms like public key cryptography insecure. Even before large-scale quantum computers become practical, adversaries can harvest encrypted data today and store it for future decryption. Sensitive data encrypted with traditional algorithms may be vulnerable to retrospective attacks once quantum computers are available.

    As quantum technology evolves, the need for stronger data protection grows. Google Quantum AI recently demonstrated advancements with its Willow processors, which enhance error correction using the surface code. These breakthroughs underscore the growing efficiency and scalability of quantum computers. To address these threats, enterprises are turning to agile cryptography to prepare for the post-quantum era.

    Proactive Measures for Agile Cryptography and Quantum Resistance:

    1. Adopt Post-Quantum Algorithms: Transition to NIST-approved PQC standards like CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+. Use hybrid cryptography that combines classical and quantum-resistant methods for a smoother transition.
    2. Design for Agility: Avoid hardcoding cryptographic algorithms. Implement abstraction layers and modular cryptographic libraries to enable easy updates, algorithm swaps, and seamless key rotation.
    3. Automate Key Management: Use Hardware Security Modules (HSMs) and Key Management Systems (KMS) to automate secure key lifecycle management, including zero-downtime rotation.
    4. Protect Data Everywhere: Encrypt data at rest, in transit, and in use with quantum-resistant standards and protocols. For unstructured data, use format-preserving encryption and deploy data-loss prevention (DLP) tools to detect and secure unprotected files. Replace sensitive information with unique tokens that have no exploitable value outside a secure tokenization system.
    5. Plan Ahead: Develop a quantum-readiness strategy, audit systems, prioritize sensitive data, and train teams on agile cryptography and PQC best practices.

    Agile cryptography and advanced data devaluation techniques are essential for protecting sensitive data as cyber threats evolve. Planning ahead for the post-quantum era can reduce migration costs to PQC algorithms and strengthen cryptographic resilience.

    Embrace agile cryptography. Devalue sensitive data. Secure your future.

    #VISA #PaymentSecurity #Cybersecurity #12DaysofCyberSecurityChristmas #PostQuantumCrypto

  • Dr. Paul de Souza

    Founder President at Cyber Security Forum Initiative (CSFI.US) National Security Professional | Advisor | University Professor

    52,264 followers

    🔑 "Harvest Now, Decrypt Later" (HNDL) attacks intercept RSA-2048 or ECC-encrypted files, stockpiling them for future decryption. Once a powerful quantum computer comes online, they can unlock those archives in hours, exposing years’ worth of secrets. This silent threat targets everything from personal records to diplomatic communications. 🔐

    📌 HOW CAN CYBERSECURITY LEADERS AND EXECUTIVES PREPARE?

    🎯🎯 Build Cryptographic Agility: Ensure your systems can swiftly swap out cryptographic algorithms without extensive re-engineering. Crypto-agility is the ability to rapidly transition to updated encryption standards as they become available. Designing for agility now will let you plug in PQC algorithms (or other replacements) with minimal disruption later.

    🎯 Implement Hybrid Cryptography: Do not wait for the full PQC rollout. 👉 Start using hybrid encryption NOW! Combine classic schemes like ECDH or RSA with a post-quantum algorithm (e.g. a dual key exchange using ECDH + Kyber).

    🎯 Maintain a Cryptographic Bill of Materials (CBOM): 👉 Inventory all cryptographic assets in your organization: algorithms, key lengths, libraries, certificates, and protocols. A CBOM provides visibility into where vulnerable algorithms (like RSA/ECC) are used and helps prioritize what to fix.

    🎯🎯 Align with NIST’s Quantum Migration Roadmap: Follow expert guidance for a structured transition. The U.S. government (CISA, NSA, and NIST) advises establishing a quantum-readiness roadmap, starting with a thorough cryptographic inventory and risk assessment. Keep abreast of NIST’s PQC standards timeline and recommendations.

    National Institute of Standards and Technology (NIST) #HNDL Cyber Security Forum Initiative #CSFI

    🗝️ Now is the time to future-proof your encryption! 🗝️

    You shouldn't assume that your data is secure just because it is encrypted...

  • Albert Evans

    Director, Cybersecurity | CISO Advisory | OT/IT Convergence & AI Security | TCS

    9,743 followers

    The Quantum Security Imperative: Why Your 2025 Data Needs Protection Today

    If you’re still thinking quantum computing is a distant threat, you’ve already missed the window. Recent quantum security research from leading institutions emphasizes a critical reality: the “Harvest Now, Decrypt Later” threat is widely assessed by governments as a credible ongoing risk. Nation-state adversaries are believed to be harvesting encrypted traffic at scale. Once Cryptographically Relevant Quantum Computers arrive (estimated 2030-2035), Shor’s algorithm could retroactively decrypt previously harvested data.

    Mosca’s Theorem makes this concrete: If your data needs secrecy for 10 years, migration takes 5 years, and quantum arrives in 12 years, you’re already 3 years late. In healthcare, finance, and national security, that inequality has become a critical risk.

    The CASCADE Framework Applied:

    PEOPLE: Your teams need quantum literacy now. CISOs, architects, and developers must understand PQC implications. Start cross-functional quantum readiness teams today.

    DATA: Build your Cryptographic Bill of Materials. You can’t protect what you don’t inventory. Prioritize patient records, financial transactions, and trade secrets with 10+ years of confidentiality requirements.

    PROCESS: Implement crypto-agility as standard architecture. When algorithms break (like SIKE in 2022), you need to swap them without recompiling your stack. Embed PQC into procurement, development lifecycles, and vendor management.

    TECHNOLOGY: Deploy hybrid encryption now. Wrap data in both classical (ECC) and post-quantum (ML-KEM/Kyber) algorithms. NIST finalized FIPS 203, 204, and 205 in August 2024. Start piloting in non-production environments.

    BUSINESS: U.S. government directives, including NSM-10, mandate federal preparation and planning for PQC migration. Under GDPR and HIPAA, retroactive quantum decryption creates significant regulatory and liability risk. Board-level risk committees need PQC on the agenda now.

    The execution framework: Prevent (crypto-agility architecture, quantum-resistant algorithms, vendor PQC roadmaps), Detect (CBOM scanning, automated RSA/ECC discovery, traffic analysis), Recover (hybrid encryption, quantum-resistant backups, re-encryption strategies).

    Early PQC migration planning significantly reduces transition costs. In IoT-heavy industries (automotive, manufacturing, utilities), the cost of physical device replacement escalates exponentially with delay.

    The dual-track strategy: Offensive (pilot quantum computing for portfolio optimization, supply chain logistics, molecular simulation), Defensive (treat PQC migration as critical infrastructure).

    Bottom line: Quantum computing’s promise remains years away. The data-collection phase of the quantum threat is already active. What’s your organization’s crypto-agility roadmap?

    #QuantumComputing #Cybersecurity #PostQuantumCryptography #RiskManagement #CISO
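The CBOM inventory recommended in the two posts above and the Mosca inequality quoted in the second can be combined into a triage step, shown here as an added example that is not part of either post. The inventory rows, column names and the prefix list are constructed for illustration, and the 12-year quantum horizon is the figure used in the post, not a prediction.

```python
import csv
import io

# Constructed, simplified inventory; a real CBOM records far more per asset.
SAMPLE_CBOM = """\
asset,algorithm,secrecy_years,migration_years
patient-archive,RSA-2048,10,5
payments-api-tls,ECDH-P256,1,2
vpn-gateway,X25519+ML-KEM-768,10,3
backup-vault,AES-256-GCM,25,4
trade-secrets-share,RSA-3072,20,4
"""

# Public-key families that Shor's algorithm breaks, matched as name prefixes.
# "EC" covers ECDH, ECDSA and generic "ECC" entries.
SHOR_BROKEN = ("RSA", "DH", "DSA", "EC", "X25519", "X448")


def quantum_vulnerable(algorithm):
    """True if every component is Shor-breakable.

    A hybrid such as X25519+ML-KEM-768 stays confidential as long as one
    component holds, so it is only flagged when all parts are classical.
    Symmetric ciphers are outside this check and never flagged.
    """
    parts = algorithm.upper().split("+")
    return all(part.startswith(SHOR_BROKEN) for part in parts)


def mosca_margin(secrecy_years, migration_years, quantum_years):
    """Slack in years: z - (x + y). A negative value is how late migration already is."""
    return quantum_years - (secrecy_years + migration_years)


def load_cbom(text):
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, z_quantum):
    """Return (margin, asset, algorithm) for vulnerable assets, most overdue first."""
    findings = []
    for row in rows:
        if not quantum_vulnerable(row["algorithm"]):
            continue
        margin = mosca_margin(int(row["secrecy_years"]),
                              int(row["migration_years"]), z_quantum)
        findings.append((margin, row["asset"], row["algorithm"]))
    return sorted(findings)


if __name__ == "__main__":
    for margin, asset, alg in triage(load_cbom(SAMPLE_CBOM), z_quantum=12):
        status = f"{-margin} years late" if margin < 0 else f"{margin} years of slack"
        print(f"{asset:22} {alg:12} {status}")
```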

  • Woongsik Dr. Su, MBA

    AI | ML | NLP | Big Data | ChatGPT | Robotics | FinTech | Blockchain | IT | Innovation | Software | Strategy | Analytics | UI/UX | Startup | R&D | DX | Security | AI Art | Digital Transformation

    47,482 followers

    🔐 Preparing Financial Systems for the Post-Quantum Era

    A recent report by Europol, FS-ISAC, QSFF, and the Quantum Readiness Working Group of the Canadian Forum for Digital Infrastructure Resilience highlights a critical message:

    👉 The migration to post-quantum cryptography (PQC) is not just a technical upgrade. It is a strategic transformation that requires:

    🔭 Long-term foresight
    🤝 Cross-industry coordination
    ⚙️ Disciplined execution across the entire ecosystem

    🚨 Why this matters

    Quantum computing will eventually challenge the security foundations of today's cryptographic systems. Organizations—especially in financial services and critical infrastructure—must begin preparing now, not later.

    🛠 Practical steps organizations can take today

    One of the most effective starting points is addressing cryptographic anti-patterns. These are common weaknesses that slow down cryptographic agility and increase operational risk. Examples of “no-regret” actions include:

    🔄 Automating certificate lifecycle management
    🌐 Standardizing TLS configurations
    🧑‍💻 Eliminating insecure coding practices
    🔑 Improving crypto-key governance and visibility

    These improvements provide immediate benefits by:

    ✔ Strengthening cyber resilience
    ✔ Reducing operational risk
    ✔ Accelerating readiness for post-quantum security standards

    🧠 Strategic recommendation

    In high-security environments, I strongly recommend exploring Post-Quantum Security (PQS) architectures. One promising approach is deploying PQS within Virtual Secure Compartmented Information Facilities (VSCIF) — particularly for advanced secure platforms such as the CONCURRENCE SuperApp. This combination can significantly enhance data protection, operational security, and long-term cryptographic resilience in a quantum-ready world.

    🌍 The bigger picture

    Preparing for the post-quantum era is not simply about new algorithms. It is about building crypto-agile infrastructure that can evolve as new threats and technologies emerge. Organizations that start early will gain a strategic advantage in security, trust, and digital resilience.

    Follow and Connect: Woongsik Dr. Su, MBA

    #PostQuantumCryptography #QuantumSecurity #CyberSecurity #PQC #FinancialServices #CryptoAgility #DigitalResilience #QuantumComputing #SecureInfrastructure #FutureSecurity

  • Jonathan Cummings

    Chief Information Security Officer | SVP Risk & Audit | NED | Board Advisor

    3,685 followers

    Crypto Agility Isn’t Optional Anymore — NIST Just Drew the Line

    Last week, NIST quietly dropped one of the most important cybersecurity documents of the year. It’s not flashy. It won’t make headlines. But it will shape the way CISOs, developers, and security architects think about cryptography for the next decade.

    The subject? Crypto agility. In short: how fast can you replace the cryptographic algorithms your systems rely on—without breaking everything?

    The new draft white paper, “Considerations for Achieving Crypto Agility,” released May 2nd, is a call to action. And here’s the truth: If your systems can’t adapt to cryptographic change—you’re already behind.

    ⸻

    Why Now?

    Most organizations are still dragging legacy encryption behind them like a rusted anchor. Case in point:

    • AES was standardized in 2001
    • But its predecessor (Triple DES) wasn’t fully deprecated until 2024

    That’s 23 years to make a change we knew was coming. Now, with quantum computing on the horizon and AI accelerating exploit discovery, we may not have 23 months.

    ⸻

    What NIST Is Saying

    The paper outlines real-world roadblocks most organizations face:

    • Cryptographic modules are hard-coded in legacy systems
    • Post-quantum algorithms are resource-heavy
    • Updates introduce breakage risk across supply chains

    But it also lays out a survival plan. NIST urges leaders to build crypto agility through:

    • Modular design: abstract your cryptographic components
    • Clear APIs: make algorithms swappable, not hardwired
    • Hybrid strategies: combine current and post-quantum methods
    • Automated scanning: know what crypto you’re running—everywhere

    These are not “nice to haves.” They’re lifelines.

    ⸻

    Why This Matters to the C-Suite and Boards

    Because crypto agility isn’t a technical problem. It’s a business risk. Boards are asking, “Are we ready for quantum threats?” The right answer isn’t “We’ll wait and see.” It’s “We can pivot—fast.” In healthcare, finance, and government systems, cryptographic agility is no longer theoretical. It’s operational resilience. It’s compliance. It’s trust.

    ⸻

    What You Should Do This Quarter

    If you’re in leadership, here’s your 3-step playbook:

    1. Get visibility: Inventory the cryptographic algorithms in your environment
    2. Demand agility: Ask vendors and engineering teams, “How swappable is our crypto?”
    3. Get involved: Read the NIST draft paper and submit feedback before it’s finalized

    This isn’t just about NIST or quantum or compliance. It’s about whether your organization can adapt fast enough to survive the next cryptographic disruption.

    ⸻

    #cybersecurity #NIST #cryptoagility #quantumsecurity #CISO #infosec #postquantum #riskmanagement

  • Anna Beata Kalisz Hedegaard

    Quantum Cybersecurity AI & Teleportation || CEO @Quantum Security Defense and @QuantumPrime || TOP10Women in Engineering PL ‘25 || Speaker&Educator || Host of Weekly “Quantum Innovation” show

    11,200 followers

    🚀 #G7 Cyber Expert Group (CEG) Roadmap for Financial Sector Post Quantum Cryptography (#PQC) Transition

    The roadmap is designed to be flexible, allowing entities to tailor timelines based on their unique risk profiles and system complexity. While presented sequentially, the CEG notes that these activities will often overlap, run in parallel, and require iterative revisiting. The Timeline target is 2035 ‼️

    👩‍🏫 The 6-Phase Transition Roadmap:

    1. Awareness & Preparation
       Goal: Build executive-level understanding of the quantum risk.
       Activities: Define key roles, develop an initial post-quantum resilience strategy, and begin mapping critical systems, sensitive data, and communication protocols that are at risk.
    2. Discovery & Inventory
       Goal: Understand the scope of the challenge.
       Activities: Create a comprehensive inventory of all cryptographic assets and communication protocols. Crucially, this includes identifying dependencies on third-party vendors and assessing their quantum maturity.
    3. Risk Assessment & Planning
       Goal: Develop actionable, tailored plans.
       Activities: Create specific migration plans, distinguishing between critical and non-critical functions. This phase involves selecting appropriate quantum-resistant tools and standards, and adapting internal governance processes.
    4. Migration Execution
       Goal: Begin the actual transition of technology.
       Activities: Progressively deploy quantum-resistant solutions. The G7 recommends starting with the highest-priority functions identified in the assessment phase and adapting the pace as the threat landscape evolves.
    5. Migration Testing
       Goal: Ensure the new systems work and are resilient.
       Activities: Rigorously test migrated functions. The roadmap encourages participating in ecosystem-oriented quantum-resilience exercises to ensure interoperability across the sector.
    6. Validation & Monitoring
       Goal: Maintain a secure posture indefinitely.
       Activities: Implement continuous validation and improvement. Institutions must achieve cryptographic agility—the ability to easily adapt to new cryptographic standards as threats change over time.

    🦹‍♀️ Running parallel to the six phases, the roadmap identifies three continuous lines of effort essential for success:

    1. Governance and Risk Management: Embedding QRC considerations into existing organizational frameworks and executive oversight.
    2. Management of External Dependencies: Continuously monitoring the maturity of vendor tools, standards, and the evolving quantum threat landscape.
    3. Stakeholder Dialogue: Engaging structurally across the sector to share insights and identify common issues.

    ➡️ Also, prioritizing critical systems early, 2030-32, limits the downside risk of quantum computers arriving sooner than anticipated.

    Let's discuss. 🤩💚 Learn with Quantum Security Defence we support our members with continuous education, business networking and advisory.

    #Cybersecurity #FinTech #QuantumComputing #G7 #RiskManagement #Cryptography
