Survey identifies gaps in federal post-quantum cryptography initiative

Federal cyber experts say they need more formal guidance and a range of other tools for a post-quantum cryptography effort that's expected to cost billions.

A new survey of federal cyber experts has found most agencies are mapping out their journey to post-quantum cryptography, but many feel hamstrung by a lack of formal guidance on an initiative that’s expected to cost billions of dollars in the coming decade.

In a study released today, General Dynamics Information Technology found 50% of federal cyber experts have a strategy for post-quantum cryptography readiness, while 22% are engaged in pilot projects and 12% are preparing their workforce for a post-quantum future.

Only 17% of those surveyed responded that they had “no defined strategy” and “PQC initiatives are not currently a priority.”

But 37% of respondents also said a “lack of planning, guidance and strategy” poses a critical challenge to the post-quantum cryptographic transition.

“Agencies are looking for more clear roadmaps to make them actionable and make better progress, as well as resourcing their teams, budgets and all those things,” Matthew McFadden, vice president of cyber at GDIT, said during a media roundtable.

While no quantum computer known to exist today can break current encryption methods, cybersecurity experts are concerned adversaries could steal data today and decrypt it in the future.

A White House post-quantum cryptography report, released in July, pointed to the concern around “record-now-decrypt-later” attacks. It states that the threat “means that the migration to PQC must start well before a quantum computer capable of breaking current encryption is known to be operational.”

GDIT based its study on an online survey of 200 federal cybersecurity experts across civilian, defense, homeland security and intelligence agencies. Those surveyed were involved “in either the selection or management of firms that provide enterprise IT or digital modernization services,” the study explains. The survey was conducted this past July and August.

In mid-August, the National Institute of Standards and Technology finalized three encryption standards designed to withstand attack from a quantum computer. NIST says organizations should start adopting those standards today.

McFadden pointed out that NIST released the draft standards one year ago, meaning agencies and industry have had time to start transition preparations. The finalization of the standards serves as a “forcing function,” he added.

“Now the standards are here. They know the threshold they need to meet. And this now becomes part of compliance,” McFadden said.

Federal agencies have been working for several years on Office of Management and Budget guidance to inventory systems that could be susceptible to quantum decryption.

Following the finalization of the NIST standards in August, Federal Chief Information Officer Clare Martorana said OMB will soon issue guidance directing agencies to develop a prioritized migration plan for post-quantum cryptography.

In addition to seeking more detailed guidance, respondents to GDIT’s survey said key challenges include integrating PCQ into the cybersecurity supply chain (24%), managing enterprise-wide cryptography (17%) and insufficient automation for cryptographic management (14%).

Additionally, 48% of respondents identified the “significant impact on legacy systems” as a technical barrier. They also highlighted the implications for operational technology (29%) and the difficulties with non-centralized systems (17%).

Despite the challenges, GDIT’s study points to how 22% of agencies are already engaged in pilot projects on post-quantum cryptography. McFadden said many of the pilots are focused on areas where agencies “start small, make sure it works correctly, and then try to roll it out to the larger enterprise.”

“Those pilot projects may be, ‘Hey, do a discovery for your [high value asset] systems to help automate pulling back that cryptography,’” McFadden said. “That could mean, ‘Let’s take an application and implement the new algorithms and see how effective it is.’”

And in August, the Cybersecurity and Infrastructure Security Agency finalized plans to begin incorporating automated post-quantum cryptography discovery and inventory tools into governmentwide programs like the Continuous Diagnostics and Mitigation (CDM) capability.

But the transition to post-quantum cryptography will not be cheap. The White House report released in July estimated that the migration for “prioritized information systems” will cost the government approximately $7.1 billion between 2025 and 2035. And that estimate does not include classified systems run by defense and intelligence agencies.

GDIT’s study found just 11% of respondents had a budget allocated to the post-quantum cryptography transition, while 35% said planning and budget was “undefined.”

“We don’t know how that budget is initially being allocated,” McFadden said. “Are they from current IT investments, or is it from those HVA system budgets? There hasn’t been that top level funding yet allocated. So I think part of this is driving awareness to help provide budgets to support this at the same time.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories