By Jen Sovada, Air Force Col. (Ret.) and President, Public Sector, SandboxAQ
Time is of the essence when it comes to making cybersecurity preparations for a future in which quantum computing is a reality. Quantum computers threaten the foundation of data architectures that rely on today’s public-key cryptography, which is considered impossible for classical computers to break. Data not secured with post-quantum cryptography(PQC) can be stolen, stored indefinitely, and then decrypted once the thief has access to a large-scale, fault-tolerant quantum computer.
These “Store Now, Decrypt Later” attacks are happening already. Criminals and adversarial nation-states are harvesting encrypted data and storing it on their own networks as they eagerly anticipate the development of quantum computers that will be able to decrypt the data–perhaps in only a matter of minutes.
On Dec. 9, the U.S. Senate unanimously voted to pass the Quantum Computing Cybersecurity Preparedness Act (H.R.7535), which addresses the migration of federal government information technology systems to PQC. This is a significant step forward, but the law’s execution needs to happen quickly. PQC can prevent the decryption of exfiltrated data, but any data stolen prior to the transition cannot be protected. This is why it is imperative that the U.S. government and American industries implement PQC now.
All areas of government and industry will be affected by the cybersecurity risks posed by quantum computers.
The nature of strategic deterrence is changing in this era of digital transformation and great power competition–adversaries no longer rely solely on kinetic means to wage conflict. From a national security perspective, data at risk could include sensitive files or conversations, economic forecasts and trade negotiations, strategic military plans, weapon prototypes, treaties, the names and locations of intelligence targets or operatives, and much more. Critical infrastructure such as utilities, financial institutions, and transportation could be threatened as well.
From an economic perspective, data at risk could include intellectual property and other trade secrets, sensitive health records, and the passwords and personally identifiable information of private consumers. Some of this data has a limited shelf-life and might be irrelevant by the time quantum computers are available, but much of it will endure.
Earlier this year, President Biden issued an Executive Order and two National Security Memorandums, NSM-8 and NSM-10, related to protecting America against quantum-based cyber threats while becoming a global leader in quantum technology development and use. China, for example, accounts for almost 50% of global investment in quantum technology and, while the U.S. has significantly increased quantum investment, we will not be seen as a global leader in this area until we take every aspect of quantum technology seriously.
In July, the National Institute for Standards and Technology (NIST) released the first four PQC algorithms that comprise the current global encryption standard, with several additional algorithms still under review. The final algorithms are not expected to become fully standardized until 2024.
Also in July, NIST’s National Cybersecurity Center of Excellence (NCCoE) announced the first industry collaborators for its Migration to Post-Quantum Cryptography Project, which helps the government develop practices to enable migration from current public-key cryptography algorithms to PQC.
In November, the Office of Management and Budget (OMB) released a memo that establishes timelines and requirements for federal agencies to designate a cryptographic inventory and migration lead for their organization, to submit a prioritized inventory of quantum-vulnerable cryptographic systems, and to submit an assessment of the funding required to migrate information systems and assets inventoried to PQC.
H.R. 7535 directs OMB to deliver a strategy and budget to address the risk of quantum computers to Congress within a year of the bill’s enactment, and to keep the Hill apprised on coordinated global PQC standardization efforts. But a year is too long to wait for these deliverables, which will require extensive Congressional review and deliberation.
Cryptographically-relevant quantum computers won’t be available for years (the Department of Homeland Security predicts this could be as soon as 2030), but the threat they pose is happening right now as data is stolen daily. The longer the U.S. waits, the greater our nation’s risk of exposure.
It’s no secret that the U.S. government is a large ecosystem with many competing requirements where policy change and compliance can be slow. Transitioning enterprises to new cryptographic standards will take years, possibly decades, and requires planning and testing now.
This Nature paper, “Transitioning Organizations to Post-Quantum Cryptography", highlights the emerging quantum threat and the steps organizations should take to migrate to PQC–beginning with a cryptographic inventory and vulnerability assessment, a step all federal organizations should begin immediately. This discovery process will take each agency several months or more, depending on the size and complexity of its respective IT network, but this first step is essential before the subsequent PQC migration, policy management, and enforcement can begin.
Throughout the migration process, hybrid solutions that use both classical and post-quantum cryptographic protocols will be essential, as will “crypto-agility”–or the ability to rapidly adapt new cryptographic protocols without requiring significant changes to the system’s infrastructure. The process of securing data from quantum threats will be continuous. If an organization is not crypto-agile, it won’t be empowered to maintain complete control over its cryptographic mechanisms and processes to implement seamless updates, for example, as certain algorithms are cracked, and new ones are introduced and standardized.
While H.R. 7535 affirms the necessity of PQC migration, government CIOs and CISOs should not wait until a mandated deadline looms large or they receive a fully-funded, end-to-end PQC budget to address this enterprise-wide challenge. Begin the discovery process now by partnering with an NCCoE-selected vendor to create an inventory that will inform the next steps. There is no time to waste.