PQC Is Here, More Policies Are Coming
The Pentagon will soon release a policy on post-quantum cryptography (PQC) adoption for defense organizations. Additionally, an anticipated executive order will set PQC migration deadlines for federal agencies.
Cyber experts gathered at the annual TechNet Cyber conference in Baltimore on Thursday to discuss the consequential reality of quantum computing.
“Quantum is here. You should worry about it and why we care about the threat,” said Matthew McFadden, vice president at General Dynamics Information Technology.
McFadden, along with his fellow panelists, spoke on the concept of “harvest now, decrypt later,” a malicious cyber strategy used by adversaries to collect and store encrypted data until it can be decrypted by quantum computers.
Various nations and companies, including larger players IonQ and IBM, are working to build cryptographically relevant quantum computers, and it is uncertain who will win the race.
“We don’t know today exactly when that [cryptographically relevant] quantum computer will be [here], so that highlights the urgency to … today start looking at those migrations,” said Melchior Aelmans, senior staff architect for quantum platforms at IonQ.
Aelmans was referring to migrations discussed by Bill Newhouse, cybersecurity engineer and project lead at the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence.
“No migration in the history of cryptography is ever finished,” Newhouse stated. “If you scan your network … you’re going to find algorithms that are in use that have been deprecated for a long time.”
Therefore, organizations such as NIST, the Internet Engineering Task Force, the International Organization for Standardization and the Institute of Electrical and Electronics Engineers must set necessary standards and protocols.
“Soon we will have TLS 1.3 with PQC … Let’s turn that into a marketing thing: you can’t get PQC without TLS 1.3,” Newhouse quipped, referring to the latest and more secure version of transport layer security.
Additionally, Newhouse noted a soon-to-be-published Pentagon policy that will address PQC adoption across defense organizations.
“Dr. Britta Hale is at the Department of War CIO office, and she has a policy document that will be out sometime in the next couple months,” he said.
Newhouse also noted an effort coming from the White House.
“There’s an executive order that’s been in the works for a while, and I think when it hits the street, shortly thereafter, a fair number of policy documents will follow so that they’re a little more in sync.”
Just two weeks ago, Nextgov/FCW reported on a related draft executive order that would set deadlines for federal agencies and contractors to migrate to PQC standards.
“… The current version tasks the Office of Management and Budget with issuing guidance and deadlines for transitioning high-impact systems to encryption standards intended to withstand code-breaking powered by an eventual fully operational quantum computer,” the report states.
By the end of 2030, all federal agencies are required to adopt PQC for key establishment. By the end of 2031, agencies must transition digital signatures on high-impact systems and high-value assets to a PQC standard.
As stated in the report, industry contractors must also comply with the 2030 PQC standard deadline.
TechNet Cyber is organized by AFCEA International. SIGNAL Media is the official media of AFCEA International.