Governments are mandating action on post-quantum; what do you need to do about it?
(By Team Post-Quantum) Quantum computers are the greatest existential threat to the world’s information security. Once a sufficiently powerful machine emerges, the public key cryptography (PKC) standards that currently safeguard the digital world will be obsolete in an instant, bringing immeasurable damage to entire industries – from national security, to banking, to utilities networks.
Although the precise date when PKC will be broken is unknown, the threat of adversaries collecting data now with a view to decrypting it when a sufficiently powerful machine emerges (also known as Harvest Now, Decrypt Later) is real and happening today.
Given the immediacy of the issue, governments and regulatory bodies have begun to act, particularly in the United States (U.S.). But what do these actions mean in practice, and what steps can those organisations most at risk take to get ahead?
Governments are mandating action
2022 has been a major milestone in the future of post-quantum security.
After more than six years of deliberation, the National Institute of Standards and Technology (NIST) unveiled its recommendations for the standardisation of new quantum-resistant algorithms in July. CRYSTALS-Kyber was selected for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ were selected for digital signatures.
NIST has also advanced four other candidates for additional scrutiny, one of which is Classic McEliece, a joint submission from our team at Post-Quantum. Germany’s national cyber security body, known as the BSI, and the Dutch equivalent are already recommending that enterprises use and deploy Classic McEliece due to its unmatched security credentials.
As European governments begin to take action, so too has the U.S. In May, the Biden Administration issued National Security Memorandum 10. Amongst other things, the memo set out the direction U.S. Government agencies need to take to migrate vulnerable cryptographic systems to quantum-resistant cryptography.
A few months later, the Quantum Computing Cybersecurity Preparedness Act passed in the House following its introduction in April 2022. Similarly to Biden’s memo, the bill seeks to address the migration of executive agencies’ information systems to post-quantum cryptography (PQC). It mandates that federal agencies prepare an inventory of items for the transition to the new standards, and the OMB (Office of Management and Budget) would be given a year to prepare a budget and a strategy for the transition away from current cryptographic standards. Agencies would also be required to update these systems annually, and Congress would receive an annual status briefing.
Following this, the Cybersecurity and Infrastructure Security Agency (CISA) published a set of guidelines for critical infrastructure organisations aiming for a smooth transition. Though NIST’s final standard is unlikely to be confirmed prior to 2024, CISA released a document – ‘Preparing Critical Infrastructure for Post-Quantum Cryptography’ – stressing the need for critical infrastructure to begin migration now to mitigate the risks of quantum computing and Harvest Now, Decrypt Later (HNDL) attacks.
Importantly, CISA is not alone in its efforts to emphasise the advantage of beginning migration now. The Department of Homeland Security (DHS) published its own ‘Post-Quantum Cryptography Roadmap’ stressing the need to begin laying the groundwork immediately, and the Cloud Security Alliance (CSA) has set a deadline of April 2030 by which all enterprises should have implemented post-quantum infrastructure.
Next Steps for Federal Agencies and Beyond
As governments and regulators begin to demand action, particularly when it comes to migrating high-stakes government agencies and industries, the cost of inaction is growing.
But beyond the roadmaps and the clear initial need to take stock of where PKC is used today, what else should you be considering?
- Prioritize crypto-agility, interoperability, and backwards compatibility
When thinking about the transition, it is important to keep the following three concepts in mind to ensure you are balancing security with agility.
  - Using interoperable solutions: so you can establish secure communications with partners irrespective of the encryption algorithms they use.
  - Ensuring backward compatibility: so quantum-safe encryption can be introduced seamlessly across your existing IT systems.
  - Practicing crypto-agility: so you can use any combination of NIST’s post-quantum algorithms or traditional encryption.
- Introduce products that reflect these concepts to gain a greater level of flexibility
Once a solutions provider has been selected, it is important to consider whether the products they offer have these pillars baked into the design.
An example of an introductory step in post-quantum migration is selecting a quantum-safe Virtual Private Network (VPN) to secure data communications flowing over the public internet. Post-Quantum’s ‘Hybrid Post-Quantum VPN’ was recently successfully trialed by NATO, and combined new quantum-secure and traditional encryption algorithms to maintain an interoperable system.
- Don’t neglect identity – in fact, you should start with it
You could secure all of your other encryption, but if someone can access your identity system, then it doesn’t matter what else you do – your systems will think they are the right person, so they can gain ‘legitimate’ access to your systems and infrastructure.
That is, there’s little point in securing your entire infrastructure if you haven’t also considered identity, and starting at the front-end of the info security ecosystem will also allow you to tackle one of the most historically challenging systems for an organisation to upgrade or replace.
In the future, we will need all our digital infrastructure to be quantum-proof end-to-end but, if you are unsure of where to start, identity should be the most important consideration now as it’s the key to the castle.
Post-Quantum is the Diamond Sponsor at the IQT Quantum Cybersecurity event in NYC, October 25-27, 2022. CEO Andersen Chang delivered the opening keynote.