17 November 2022

Preparing for a Post-Quantum Future

Michael J. D. Vermeer

Future quantum computers could create a significant national security risk by enabling attackers to break a foundational element of security in America's networked communication infrastructure. The federal government is engaged in a multi-pronged, coordinated response to address the risks, but the task is just beginning.

Quantum computers may one day break the security behind the current approach to public key cryptography. In 2015, the National Security Agency (NSA) sounded the alarm and announced plans to transition to new quantum-resistant cryptographic algorithms. Shortly afterward, the National Institute of Standards and Technology (NIST) began a multi-year project to standardize such algorithms, calling it post-quantum cryptography (PQC). In 2020, a RAND report explored the national security risks associated with quantum computing and the challenges with transitioning to quantum-safe algorithms, and offered recommendations to the U.S. government to mitigate risk. The report recommended a whole-of-government approach to facilitate and incentivize a migration to PQC, with an emphasis on improving cryptographic agility.

Since then, the federal government has engaged in a flurry of policy actions meant to address this risk. In May 2022, the White House released a National Security Memorandum that initiates coordination of just such a whole-of-government approach, and its directives mirror RAND's recommendations to mandate that federal agencies migrate to PQC, assess risk, inventory vulnerable cryptography use, and plan for cryptographic agility. Congress is also initiating oversight of the PQC migration in federal agencies with the Quantum Computing Cybersecurity Preparedness Act, which recently passed the House and was introduced to the Senate with bipartisan support.

More recently, NIST chose the initial algorithms that will be part of the PQC standard. While recent security breaks in several promising finalist algorithms introduced some doubt about the longevity of the security they provide, the chosen algorithms are expected to provide quantum-resistant security for the foreseeable future. NIST hosted an open process where many experts in the cryptography community engaged in targeted cryptanalysis of the candidate algorithms over many years. The NSA has expressed confidence in NIST's process and has mandated the use of the chosen algorithms in its future Commercial National Security Algorithm (CNSA) requirements.

National security systems (NSS) could require the most urgent attention, but ultimately all of U.S. communication infrastructure may need to transition to post-quantum cryptography. This migration could be complex, costly, and occur over the course of decades. The NIST National Cybersecurity Center of Excellence has initiated a project to develop practices to ease this migration across infrastructure. DHS is also partnering with NIST to help organizations manage the transition, and it has created a roadmap and insights on preparing critical infrastructure for PQC. Here again, RAND has provided important support to the government's efforts. RAND helped DHS identify priorities and direction for initial outreach to critical infrastructure owners and operators by assessing the quantum impact on each of the 55 National Critical Functions identified by DHS. This was an important, high-level prioritization, and the report identified areas where significant attention was still needed.

The actions the government has been taking are important, but they are also first steps. Most of them are about assessing the scope of the problem, developing plans to engage with stakeholders, forming priorities, and creating processes for monitoring and reporting on progress. It is critical to invest in these planning activities now, though in most cases it is not yet practical to broadly implement solutions that will provide quantum-resistant security. NIST has chosen the algorithms for the PQC standard, but the full standard may not be released for years.

There are ongoing efforts to develop the communication protocols and technical standards needed to implement quantum resistance in hardware and software, but these, too, could be years in development. Some implementation efforts may encounter unforeseen roadblocks that don't have straightforward fixes. The NSA published future requirements for CNSA 2.0 so that vendors and system owners have time to plan for the implementation, and its implementation timeline, even for national security systems, extends until at least 2033.

Finally, the government has been rightfully focused on getting started on prevention and risk mitigation efforts for both civilian agencies and DoD. At some point, however, it may become necessary to assess where these actions might already be too late. That is, where could encrypted, sensitive information already have been captured and stored by U.S. adversaries for later decryption, and what kind of damage could that cause to national security? This question may need more focused attention for some organizations, and this could become more important over time as quantum computers become more capable.

It is encouraging to see the coordinated, whole-of-government approach the United States is applying to the risk from quantum computing, just as RAND recommended. The urgency, scale, and uncertainties associated with the task of mitigating the national security risk may require sustained effort for many years to come, and much of that work is beginning now.