National Cybersecurity Strategy Calls for Post-Quantum Cryptography Preparation

Yesterday, the White House released the National Cybersecurity Strategy.  The document provides guidance across five pillars: Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Share Goals.  One of the strategic objectives of the fourth pillar (Strategic Objective 4.3) is “Prepare for Our Post-Quantum Future.”  In that objective, the White House is urging the Public Sector and the Private Sector to prepare for the negative impact of Quantum Computing on the security provided by cryptographic algorithms in widespread use today.  

Here is the full text of Strategic Objective 4.3 of the National Cybersecurity Strategy:

Strong encryption is foundational to cybersecurity and global commerce. It is the primary way we protect our data online, validate end users, authenticate signatures, and certify the accuracy of information. But quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today. We must prioritize and accelerate investments in widespread replacement of hardware, software, and services that can be easily compromised by quantum computers so that information is protected against future attacks.

To balance the promotion and advancement of quantum computing against threats posed to digital systems, NSM 10, “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” establishes a process for the timely transition of the country’s cryptographic systems to interoperable quantum-resistant cryptography. The Federal Government will prioritize the transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments and develop complementary mitigation strategies to provide cryptographic agility in the face of unknown future risks. The private sector should follow the government’s model in preparing its own networks and systems for our post-quantum future.

SafeLogic firmly supports the White House’s call for organizations to now prepare for the migration to quantum-resistant cryptography. That migration will be massive if past, far more modest migrations in the cryptographic algorithm space offer any guidance. Cryptographic controls are foundational to privacy and trust in the digital world, and the world has primarily been taking for granted that these just work.

However, with the disruptive force that quantum computing represents, what was assumed secure yesterday, may not be so tomorrow. The most significant impact will be on Public / Private asymmetric cryptographic systems, although symmetric crypto systems will also be impacted (e.g., by the requirement for increased key lengths).

While it may still be five to ten years before quantum computers are at a point where they begin to threaten legacy crypto systems, organizations cannot wait to start planning for the migration. There are at least two reasons for this. First, the migration will take a very long time, so getting started sooner rather than later is prudent.  Second, there is already a class of store-now-decrypt-later (SNDL) attacks where attackers are capturing data today they cannot yet decrypt, hoping they will be able to do so later as quantum computers become more powerful.  Depending on the nature of the data, it may still be sensitive even ten years from now, so organizations need a long-term plan to protect it.

To facilitate the migration to quantum-resistant algorithms, organizations are going to look to their cryptographic software providers to offer capabilities such as support for hybrid crypto use cases, crypto-agility, interoperability with existing languages and technologies, ability to replace cryptography across the whole technology stack, robustness, security, FIPS 140 validation, commercial-grade support, among others. As a premier provider of cryptographic solutions, SafeLogic is committed to being a trusted solution provider to help its customers with a seamless migration to quantum-resistant cryptography.