Decades After Y2K Panic Comes Y2Q Pressure
Quantum computers are in their infancy, but their cybersecurity risks already concern many involved in information technology, defense and government. A new law follows a series of attempts to prepare the sector for a world where current security standards can be easily breached by powerful behemoths that process algorithms far faster than conventional computing capabilities.
“Quantum computing will break a foundational element of current information security architectures in a manner that is categorically different from present cybersecurity vulnerabilities,” warned a report by The RAND Corporation, a think tank.
“Currently, there is minimal risk of a quantum computer being able to break encryption schemes that currently exist, but because of the fast advance of the technology, it’s something that we have to be aware of,” said John Curry, scientist at the Naval Information Warfare Center Atlantic.
As the post-quantum world starts taking shape, a sense of urgency sets in. Thus, a new regulation has set initial actions to protect critical government systems against an attack from this advanced technology.
Allies are also acting to future-proof their systems. Canada issued its National Quantum Strategy in January. Among recent movers, Japan published new security standards for Internet of Things authentication platforms.
In the United States, the Quantum Computing Cybersecurity Preparedness Act was signed into law in December. This regulation sets requirements and deadlines for nonmilitary government agencies. National security systems are under a separate regulation, the Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.
As civilian agencies update their critical systems, a sense of urgency sets in, says an expert who predicts that by the end of the current decade, incremental advances in quantum computing power will start rendering some security protocols obsolete.
“There’s a lot of planning that goes into building a new system, and when a new system is built, it’s something that we want to be able to have operational for a long time,” said Alan Grau, vice president of Sales & Business Development at PQShield, a company that provides post-quantum algorithms.
And the work that goes into post-quantum protection does not stay in the security software, as final products include integrations between code and hardware.
“There’s a lot that needs to be developed in terms of hardware,” Curry told SIGNAL Media in an interview.
“It’s multiple layers, and there’s hardware and software … at multiple layers in the system, all of which need to be updated,” Grau said. He estimated updating all systems to these new protocols within years or decades.
One of the key functions when transitioning toward quantum-safe systems is choosing where to apply the new cryptography. Planning and flexibility need to be at the center, as “federal agencies replace compromised keys and certificates without impacting the functions of mission-critical infrastructure,” said Accenture, a business consultancy firm, in a recent report.
Beyond the government and other critical functions, the potential risks could lie in the daily tasks now being performed by machines rather than humans—such as driving. Autonomous passenger vehicles offer promising future technology, but they also involve risk. For example, an impetuous cyber criminal might turn a routine commute into a murderous rampage.
“[With] a self-navigating vehicle, you’ve got the communication to and from the vehicle; you’ve got all the on-board systems that have to be able to boot securely,” Grau said. “So that involves code signing and code validation, which involves encryption, the secure communication protocols,” Grau explained.
Another aspect of encrypted data is that adversaries may steal data but be unable to decrypt it. Still, if that information is relevant in the long term, inaccessibility in the present is only a temporary problem.
Adversarial states and actors “are working to steal encrypted data today with the intent of decrypting it later—the ‘Hack Now, Crack Later’ strategy,” states Accenture.
At the center of these concerns is an adversary in the East. “China’s vast hacking program is the world’s largest, and they have stolen more Americans’ personal and business data than every other nation combined,” FBI Director Christopher Wray told House members in a recent hearing.
Wray went on to explain that Beijing could possess data on every adult in the United States.
“The [Quantum Computing Cybersecurity Preparedness] Act cannot protect already compromised data from later decryption. Still, the government’s acknowledgment and mitigation of future threats is an important step toward protecting its data in the future,” said Jacob Schneider, partner at law firm Holland and Knight.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified sectors most at risk with this data harvesting tactic. “Organizations with a long secrecy lifetime for their data include those responsible for national security data, communications that contain personally identifiable information, industrial trade secrets, personal health information, and sensitive justice system information,” according to a CISA insight paper.
While the extent of intrusions is unknown, CISA also suggests there are limits to the data that could be compromised, as “organizations typically store data with a long secrecy lifetime on internal networks and rarely transmit it, which limits its vulnerability.”
RAND’s report, “Preparing for Post-Quantum Critical Infrastructure,” states that “although change needs to happen very widely across many thousands of stakeholders across critical infrastructure, a lot of the vulnerability can be mitigated if a much, much smaller number of stakeholders make a few critical changes” which could further limit potential damage to critical systems at risk if their long secrecy lifetime data is decrypted.
A final factor making these tactics hard to implement is the cost. “Campaigns to capture sensitive data and hold them for later decryption are likely to be challenging and resource intensive,” stated RAND.
All experts point to starting a transition toward post-quantum cryptography immediately at all levels of government and business. One of the key factors is that while these computers are not powerful enough yet, current computers can establish ways to prevent decryption.
“Post-quantum encryption algorithms don’t require a quantum computer to execute them: quantum computers are really good at certain kinds of math ... but they’re not just general-purpose supercomputers that are great at everything,” Grau told SIGNAL Media.
Also important is that upgraded security protocols should not impact overall system performance.
“In terms of what it takes to run these algorithms, they work quite well on today’s systems, protocols and computers,” Grau added.
Regardless of who crosses the finish line first in quantum computing, dozens of countries are running their own research programs, and most are funded by governments. Russia, China, India and Saudi Arabia are in the race, and in 2021, the rest of the world invested $24 billion, whereas the United States spent only $1 billion. Since then, the U.S. government has published plans to invest increasing amounts. Thus, 2021 marked the year when everything changed, and the federal government allocated $100 billion to the National Science Foundation, establishing quantum computing as a key future research area for the institution.
Having secure communications or data decrypted is only part of the problem, as sophisticated algorithms can also place intelligence sources that were once available beyond reach.
“Quantum computing could enable adversaries to develop secure communications that the United States would not be able to intercept or decrypt. It may also allow adversaries to decrypt sensitive U.S. information,” said the Future of Defense final report written by the House Armed Services Committee in 2020.
The Quantum Computing Cybersecurity Preparedness Act
The law seeks to “encourage the migration of Federal Government information technology systems to quantum-resistant cryptography,” as stated by the December 21, 2022, text.
It directs the Office of Management and Budget (OMB), in coordination with the National Cyber director and in consultation with the director of the Cybersecurity and Infrastructure Security Agency, to issue guidance for the migration to post-quantum cryptography for agencies outside the national security system.
This guidance should include an inventory of potentially vulnerable technologies, prioritization criteria and a description of the data to protect from federal agencies within six months of passage. This will become a yearly report after the initial delivery.
Once the information is gathered, the OMB will report to Congress the strategy to undertake the migration and estimation of funds required.
Prior to this law, many regulations were issued.
Two relevant precedents are:
Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, issued in early 2022, introduces requirements and deadlines for systems that are sensitive to national security. It expands the requirements for these sensitive systems and involves agencies tasked with protecting the country.
In 2022, the U.S. Department of Commerce’s National Institute of Standards and Technology selected four encryption algorithms and is considering four others as potentially useful to quantum computing compliance.