Leaps in quantum technologies over the past decade have sparked cause for concern regarding the security of today’s encrypted data. While quantum computing brings with it many potential benefits, such as uses in drug development, financial services, and complex modeling problems, quantum computers will also be capable of breaking our current encryption, a prospect that has caused alarm among US federal agencies.
Due to the cybersecurity threat posed by quantum computers, there has been an effort by multiple federal agencies to develop and refine quantum-resilient encryption algorithms, as well as to implement guidelines for agencies to transition their existing encryption to quantum-resilient standards. NIST (National Institute of Standards and Technology), DHS (Department of Homeland Security), and the White House have all contributed to the planning of this quantum-resilient migration. A successful transition plan will require the cooperation of all the agencies mentioned above and will be dependent on four core components – research, practicality, preparation, and execution.
Advances in quantum computing have been increasing exponentially with billions of dollars invested in the quantum industry worldwide, including a $10B Chinese investment into quantum computing and quantum communications. As such, the arrival of a Cryptographically Relevant Quantum Computer (CRQC), a quantum computer that can break cryptography, may be closer than we think. While experts debate on exactly how soon a quantum computer will be able to break encryption, a recent study conducted by Dimension Research for Cambridge Quantum indicated that 60 percent of the quantum experts interviewed believe that quantum advances will break encryption by 2023. Consider also that a quantum attack from a peer-adversary would likely occur without warning and, thus, the motivation to upgrade encryption immediately becomes clear.
Another consideration driving the urgency of the quantum-resilient migration is the prevalence of “steal now decrypt later” (SNDL) attack campaigns in which encrypted data is stolen today with the intent to decrypt the data using a quantum computer when available. These attack campaigns have been happening for years, are occurring with frequency today, and are likely to continue to increase as quantum computers and attack strategies become more advanced. Therefore, it is imperative that federal agencies with sensitive government data take measures to prevent further losses and liability by immediately beginning the transition to quantum resiliency.
NIST Leads the Way in Research
One of the leading and most practical quantum cybersecurity technologies today is post-quantum cryptography (PQC). PQC refers to a group of encryption algorithms that are thought to be secure from an attack by a quantum computer. It should be noted that PQC does not actually rely on quantum technologies or quantum principles, but rather on complex encryption schemes that are believed to be unbreakable even by a quantum computer. Since 2016, NIST has served as the leader in research and development of PQC with the launch of the Post-Quantum Cryptography Standardization program. After testing an initial pool of over 80 potential quantum-resilient algorithms, NIST has narrowed down the candidate list to seven algorithms. The agency is conducting a final round of testing and hopes to have a handful of highly secure algorithms standardized before quantum computers are capable of breaking encryption.
One of the difficulties in NIST’s research efforts has been testing the quantum-resilience of the candidate algorithms. Quantum computers are not yet able to break classical encryption methods, so NIST must rely on rigorous mathematical testing based on approximations of possible quantum computing power. Ultimately, quantum-resilient algorithms will be sufficiently tested only when a CRQC is available. However, to protect data from a future quantum attack as well as from current SNDL campaigns, these PQC algorithms must be tested and implemented before a nation-state actor has developed a CRQC, because by that point it will already be too late.
DHS Issues Preparation Roadmap to Success
The Department of Homeland Security (DHS) is leading the way for a transition plan to PQC. DHS recently released a roadmap outlining a transition strategy, which calls for government and commercial agencies to catalog their most sensitive information and prioritize the upgrade of their systems accordingly. Federal initiatives, such as the DHS roadmap, will help accelerate adoption of PQC in both the commercial and government sectors.
Failure of organizations to adhere to a PQC transition strategy in a timely manner poses a significant security risk. Tim Maurer, Senior Counselor for Cybersecurity and Emerging Technology to the Secretary of Homeland Security, warns that it is too easy to ignore the task of transitioning to PQC until it is too late. A single technological breakthrough in quantum computing could drastically accelerate the arrival of a CRQC. Organizations need to be prepared for the transition to PQC well ahead of time.
“If organizations aren’t thinking about the transition now,” says Maurer, “and then they become overwhelmed by the time the NIST process has been completed and the sense of urgency is there, it increases the risk of accidental incidents … Rushing any such transition is never a good idea.”
The roadmap provided by DHS serves as useful guidance for organizations to begin the transition to PQC now, before NIST finalizes its PQC standards in 2024. According to Vadim Lyubashevsky, a cryptographer at IBM, the risk is that organizations will rush this transition and implement the weakest solution put forth by NIST, thereby creating further cyber vulnerabilities in the future. This is exactly the situation that organizations need to avoid.
The White House Mandates Urgency
In January, President Biden signed a National Security Memorandum (NSM-8) on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. This is the first time that any White House national security directive has mentioned quantum-resilient cryptography in the context of federal cybersecurity planning, and it is a monumental step in the right direction toward quantum cybersecurity. A key provision in the memorandum states that federal agencies have 180 days to identify encryption instances not in compliance with NSA-approved quantum-resilient algorithms.
While the importance of this memorandum cannot be stressed enough, there are critical components left out of the memorandum that still need to be addressed. First, quantum cybersecurity needs to be an international effort – a single U.S. ally that is not prepared for the quantum threat puts the U.S. at risk. Second, the private sector must now take initiative to update its encryption standards with the expedience just outlined by the federal government. There is no reason to wait for NIST to finalize its quantum-resilient algorithms; action needs to be taken now to secure the federal and private sectors. Lastly, there are quantum-resilient cryptography solutions available now that can protect data and communications from current quantum cyber threats, and organizations in the government and commercial sectors alike need to begin implementing these solutions. NSM-8 is a landmark document and a long overdue wake-up call for the understanding of the quantum threat, but there is still much work to be done.
Post-Quantum Solutions for Today
Innovative PQC companies will play a key role in the transition to a quantum-resilient world. Government and commercial entities require practical cybersecurity solutions that provide quantum resilience with minimal disruption to existing systems. Quantum cybersecurity must be approached holistically, by combining NIST-candidate post-quantum algorithms with end-to-end architectures that protect the entire network from quantum attacks. We must look to these PQC companies as well as to government agencies such as NIST and DHS to help expedite this critical transition to post-quantum cryptography.
About the author: Patrick Shore is Program Manager at QuSecure. He is a highly motivated individual with strong analytical skills and a passion for science and technology. He is experienced across multiple disciplines in science, business and management. He earned his degree in Physics from Claremont McKenna College and has a mission to make an impact in the innovative industry of clean technology.
Edited by Erik Linask