DHS Issues Roadmap for Transition to Post-Quantum Cryptography
A growing concern among US government officials is the development of Cryptographically Relevant Quantum Computers (CRQCs): quantum computers capable of breaking current cryptography. Dustin Moody, a mathematician at the National Institute for Standards and Technology (NIST), warns that the possibility of a nation-state adversary using a quantum computer to access sensitive information is very real. Already, nation-state actors are stealing encrypted data with the intent of retroactively decrypting the data once a CRQC is available, an attack campaign known as ‘steal now decrypt later.’
Although it is not known when exactly such a computer will become available, NIST is treating quantum computing as a current threat. Since 2016, NIST has been developing a set of new post-quantum cryptography (PQC) standards to protect against the quantum threat. Rapid adoption of these standards will be critical in ensuring the security of our data before CRQCs become operational.
US government agencies outside of NIST have also been preparing for the arrival of CRQCs. In particular, the Department of Homeland Security (DHS) is leading the way for a transition to PQC plan. DHS recently released a roadmap outlining a transition strategy which calls for government and commercial agencies to catalog their most sensitive information and prioritize the upgrade of their systems accordingly. Federal initiatives, such as the DHS roadmap, will help accelerate adoption of PQC in both the commercial and government sectors.
Failure of organizations to adhere to the transition strategy in a timely manner poses a significant security risk. Tim Mauer, Senior Counselor for the Cybersecurity and Emerging Technology to the Secretary of Homeland Security, warns that it is too easy to ignore the task of transitioning to PQC until it is too late. A single technological breakthrough in quantum computing could drastically accelerate the arrival of a CRQC. Organizations need to be prepared for the transition to PQC well ahead of time. “If organizations aren’t thinking about the transition now,” says Maurer, “and then they become overwhelmed by the time the NIST process has been completed and the sense of urgency is there, it increases the risk of accidental incidents … Rushing any such transition is never a good idea.” The roadmap provided by DHS serves as useful guidance for organizations to begin the transition to PQC now, before NIST finalizes their PQC standards in 2024. According to Vadim Lyubashevsky, a cryptographer at IBM, the risk is that organizations will rush this transition and implement the weakest solution put forth by NIST thereby creating further cyber vulnerabilities in the future. This is exactly the situation that national security officials and DHS hope to avoid.
Innovative PQC companies, such as QuSecure, will play a key role in the transition to PQC. Government and commercial require a practical cybersecurity solution that provides quantum-resilience with minimal disruption to existing systems. QuSecure utilizes NIST-candidate post-quantum algorithms in an architecture that can be easily integrated with existing systems. Companies like QuSecure, along with government agencies like NIST and DHS, will help expedite this critical transition to post-quantum cryptography.