The government is close to picking quantum-resistant encryption standards. Now it must plan for what to do if they fail.
(SCMagazine) Over the next few months the National Institute of Standards and Technology (NIST) will finalize a short list of new encryption algorithms and standards that are designed to withstand the threat of quantum computers, which are expected to one day mature to the point where they are capable of breaking many classical forms of encryption.
The National Cybersecurity Center of Excellence, a research center within NIST, is working on a migration playbook to help organizations identify vulnerable systems and game out questions around implementation. Officials expect the process of switching out encryption protocols at most large organizations to be a years-long slog, one fraught with uncertainty.
One of the biggest challenges is expected to be visibility — many organizations lack the process and expertise to identify which parts of their IT environment are reliant on the form of encryption that is most at risk from future quantum codebreaking.
“A lot of people don’t have any real sense of where [their public key encryption] is deployed in their systems. The non-technical folks that rely on them probably just don’t really recognize that it’s all going to be rather complicated,” said Bill Newhouse, a cybersecurity engineer at NIST, during a recent presentation to the Information Security and Privacy Advisory Board.
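The visibility problem described above starts with a cryptographic inventory: finding every certificate and key in the estate and recording which public-key algorithm it uses, since RSA, ECDSA and Ed25519 all depend on factoring or discrete logarithms and are the algorithms a large quantum computer is expected to break. The following Go program is an added illustration of that first step, not code from the article or from NIST’s migration playbook. It assumes a PEM bundle as input (as exported from a trust store, a TLS endpoint or a configuration repository), generates throwaway self-signed certificates inline so it runs offline, and applies a hypothetical classification rule (flag RSA, ECDSA and Ed25519; leave anything else unflagged but reported) that a real inventory would extend with key sizes, expiry dates and the systems each certificate belongs to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: which certificate, which public-key
// algorithm, how large the key is, and whether the algorithm is one that
// Shor's algorithm on a large quantum computer is expected to break.
type Finding struct {
	Subject           string
	Algorithm         string
	KeyBits           int
	QuantumVulnerable bool
}

// classify applies the (assumed) inventory rule: RSA, ECDSA and Ed25519 are
// all flagged because they rest on factoring or discrete logarithms.
// Anything else is reported with its algorithm name but not flagged.
func classify(cert *x509.Certificate) Finding {
	f := Finding{Subject: cert.Subject.CommonName, Algorithm: cert.PublicKeyAlgorithm.String()}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyBits, f.QuantumVulnerable = k.N.BitLen(), true
	case *ecdsa.PublicKey:
		f.KeyBits, f.QuantumVulnerable = k.Curve.Params().BitSize, true
	case ed25519.PublicKey:
		f.KeyBits, f.QuantumVulnerable = 256, true
	}
	return f
}

// InventoryPEM walks a PEM bundle and returns one Finding per CERTIFICATE
// block; other block types (keys, CSRs) are skipped.
func InventoryPEM(bundle []byte) ([]Finding, error) {
	var out []Finding
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			return out, nil
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, classify(cert))
	}
}

// selfSigned builds a throwaway self-signed certificate: constructed sample
// data so the example runs offline, not a real deployment artifact.
func selfSigned(cn string, priv, pub any) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle returns a constructed bundle with one RSA-2048, one ECDSA
// P-256 and one Ed25519 certificate, in that order.
func SampleBundle() ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	var bundle []byte
	for _, c := range []struct {
		cn        string
		priv, pub any
	}{
		{"rsa.example.test", rsaKey, &rsaKey.PublicKey},
		{"ec.example.test", ecKey, &ecKey.PublicKey},
		{"ed.example.test", edPriv, edPub},
	} {
		p, err := selfSigned(c.cn, c.priv, c.pub)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := InventoryPEM(bundle)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-18s %-8s %4d bits  quantum-vulnerable=%v\n",
			f.Subject, f.Algorithm, f.KeyBits, f.QuantumVulnerable)
	}
}
```

The point of running this over a real bundle is the third row as much as the first: Ed25519 is often assumed to be “modern” and therefore safe, but it is flagged for the same reason RSA is. Replacing `SampleBundle` with a reader over exported certificates gives a starting inventory that a migration team can tie back to the systems and owners that the article says most organizations cannot yet name.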
Over the next six months, the agency’s cyber center will meet with members of industry and academia to begin building, testing and troubleshooting migrations in a lab setting. They’ll also continue to work with agencies like NSA and the Cybersecurity and Infrastructure Security Agency, which both have defensive cybersecurity missions and in-house expertise on the challenges around encryption.
While the agency is still on track to finish picking a handful of new algorithms this year, the accompanying standards will still need to go through a lengthy review and public comment process, and officials said they don’t expect them to be formally in place until at least 2024. While voluntary, NIST guidance is often widely adopted across private industry, and post-quantum cryptography is such a specialized subject that its Post-Quantum Cryptography project is being closely watched by other standards bodies around the world.
“This is no Y2K or a doomsday scenario. All your keys won’t turn to dust,” NIST Computer Security Division Chief Matthew Scholl intones in a recent video the agency made to raise awareness around the coming transition. “It’s no time to panic, it’s time to plan wisely.”