The Rising Urgency for Encryption Modernization on High Assurance Systems

Cryptographic modernization is a continuous process to stay ahead of evolving threats.

U.S. government information networks handling controlled unclassified and national security information are under continual cyber attack by sophisticated peer and near-peer adversaries. Evolving cyber threats, accelerated by new AI-enabled exploitation tools, present significant changes in the attack methods and technologies used in attempts to infiltrate secure U.S. government networks to access the data transiting them. 

To address this, the U.S. government establishes security requirements for information networks handling controlled unclassified information and national security information. The National Institute of Standards and Technology (NIST), the National Information Assurance Partnership (NIAP) and the Committee on National Security Systems (CNSS) all publish public information network security requirements documents. The requirements in these specifications to protect data in transit, data at rest, encryption keys, and user and log information may be satisfied by dedicated, stand-alone encryption devices. These encryptors are analyzed and tested by independent laboratories and U.S. government agencies to ensure compliance with the relevant specifications.

Security requirements modernization is accelerating in response to these increasing cyber threats. The NIAP published 13 approved Protection Profiles, and NIST published 59 draft and final 800-series Special Publications in the past 24 months. In anticipation of future quantum computer technology, the National Security Agency (NSA) published the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) of quantum-resistant algorithms approved for National Security Systems use in 2022, with updated guidance and clarification in 2024. According to CNSS Policy 15, CNSA 2.0 products are now preferred, and the NSA intends for all National Security Systems to be quantum-resistant by 2035.

Encryption Hardware Considerations

Encryptors can be kept current with modernized security requirements through software and firmware updates up until the hardware limitations of the encryptors are reached. Once that happens, an encryptor replacement is necessary to maintain the continued security of the information network. The capital cost of replacing obsolete encryptors demands careful consideration and analysis of options. Network owners will want their new encryptors to deliver a long operational life, easy deployment and efficient operation and management. 

Large networks will need to undergo phased upgrades from legacy to modern hardware encryptors. New encryptors must support quantum-resistant algorithms for information protection (block ciphers), key establishment, digital signatures and software signing. With legacy encryptors and algorithms still in use up until 2035, the new encryptors must also support legacy encryption algorithms, networking protocols, encryption keys and management tools to allow for backward compatibility and interoperability. 

Vendor-to-vendor encryptor interoperability is also required if a network comprises encryptors from various vendors. To that end, encryptors that are tested and compliant with industry-accepted interoperability specifications will provide the highest probability of a seamless network upgrade experience. 

Physical replacement of encryptors can be streamlined through the use of existing mechanical, power, data and management infrastructure. Technology evolution and Moore’s law mean it is likely new encryptors will achieve similar performance with less size, weight and power (SWaP). It is likely that a replacement encryptor is available that fits the SWaP of the existing infrastructure. However, if form factors or connectors have changed, the vendor should have sleds, frames and cable adapters available to simplify the replacement of legacy encryptors. Innovations in hardware modularity provide a new level of flexibility, with end-user swappable interface adapters and swappable, upgradable data encryption modules. When deployed today, these innovations will make the next encryptor hardware upgrade in five to 10 years less invasive.

Encryption Software Considerations

Network operations have been transformed by modern network management, orchestration and automation software using standards-based application programming interfaces (APIs) to communicate with encryptors. The efficiency provided by these tools enables small teams to operate large data centers and networks. New encryptors must provide the capabilities and APIs to integrate with this ecosystem. Dedicated management software may provide for some unique encryptor needs, such as key distribution and secure tunnel management, while also providing northbound APIs to next-level management tools. 

Encryptor vendors utilize integrated development, security and operations software engineering processes to rapidly release software updates in response to new attack vectors. Network operators must have plans, procedures, tools and staff to quickly update their encryptor software to maintain network security.

Encryptors designed with their end users’ needs in mind provide field-proven “fire and forget” software update tools. These allow network operators to schedule and deploy software upgrades to multiple encryptors during a predetermined maintenance window, and then receive a report of successful upgrades and resumed device operation.

Of course, operations teams will require user-centric training from encryptor product vendors to effectively utilize all the capabilities of a complex modern encryptor. Operators of diverse networks with different sizes and speeds of encryptors will improve efficiency by utilizing portfolios of related devices with similar capabilities, interfaces and controls. 

Approaching Encryption Key Management

Encryption key procurement and distribution can be one of the most challenging aspects of operating a U.S. government information network. High entropy encryption keys and certificates are generated by government agencies and securely distributed through Key Management Infrastructure (KMI) networks and services. Encryptors designed to interoperate with a KMI can seamlessly load and store the keys and certificates delivered by the KMI. 

A KMI network endpoint may not be available at every information network encryptor endpoint location. Legacy networks required keys to be hand-carried to each location and loaded into the encryptors. Modern networks leverage encryptors that support Over-The-Network Keying. Encryption keys for many network encryptors can be loaded into one encryptor and then transmitted to all the others over the secure encrypted network. 

Taking a Methodical Approach

Upgrading information network encryption to maintain compliance with modernizing security requirements requires thoughtful planning, budgeting and phased deployment. A well-planned deployment will be methodical and low-risk. 

Network modernization requirements and transition dates published by the CNSS and the NSA provide network operators with key milestones for long-term network modernization planning and scheduling. Encryptor vendors need to provide road maps of encryptors and capabilities that align with the CNSS and NSA transition dates. To support a frictionless transition, vendors should also offer upgrade accessories, API documentation, training, demonstrations and network management software. Vendor pricing transparency is also essential for helping network operators estimate regular, periodic network upgrades and proactively plan budget requests needed to keep networks modernized and their information secure. 

New encryptors and their interoperability with legacy encryptors are first verified by testing in a stand-alone test network. Then a small number are deployed to low-criticality endpoints of the network and tested for functionality and reliability. Finally, the remainder of the network is upgraded in discrete phases that allow for any emergent anomalous behavior to be quickly isolated and rolled back, thereby maintaining the operation and integrity of the network and the mission. 

Ultimately, cryptographic modernization is not a discrete event endured only once or twice. It is a continuous process to plan, budget and deploy new encryptor hardware and software to stay ahead of ever-evolving cyber threats. Increases in funding, acquisitions and the publication pace of security standards demonstrate the U.S. government’s growing attention to keeping its information secure. 

When undertaking this journey, it’s important to remember that although the domain of cryptography can be intimidating, there is no magic involved. What is required is continued collaboration between government and industry cybersecurity partners with the vision, pace, products and services to support ongoing network evolution. 

Mike Blakely is vice president of Secure Network Systems, part of Viasat’s Defense and Advanced Technologies segment and the Viasat Government business. 