The mantra of cybersecurity experts on quantum computing threats is, “winter is coming.” While it may not be “Game of Thrones,” that winter is one of large, qubit-based quantum computers breaking today’s public key encryption in the blink of an eye.
Cybersecurity experts acknowledge the coming threat and have begun working to head it off.
“Right now, the situation is that the public key cryptography has been used everywhere for internet security, for application security, for the chassis, the platform, everywhere, but the quantum computers will change everything we understand about the security. So we need something, some new public key cryptography system, which can resist quantum attacks,” said Lily Chen, the acting cryptographic technology group manager in the computer security division at the National Institute of Standards and Technology.
Chen spoke at a recent webinar hosted by the Advanced Technology Academic Research Center (ATARC) on quantum computing, where experts went through the steps agencies need to take to prepare for post-quantum cybersecurity.
The White House and various agencies have already started work to mitigate this threat. In May, President Joe Biden signed a national security memorandum outlining the administration’s plan to address the risks posed by quantum computers to cybersecurity. The Quantum Computing Cybersecurity Preparedness Act passed the House in July and would require agencies to take steps to prepare their systems for quantum computing attacks. The Department of Homeland Security and NIST formed a working group to help organizations protect their data and systems.
“The transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption,” said DHS Secretary Alejandro Mayorkas in a recent statement about the working group.
Although the threat of quantum computing is still in the future, encrypted data intercepted now can be stored until a quantum computer capable of breaking the key exchange that protected it exists (the “harvest now, decrypt later” problem). That means some of the steps agencies can take now are the same tried and true steps security officers have advocated for years. The first of those steps is taking an inventory of data and deciding how exposed it is.
“You need to analyze what data you’re worried about, right? And then also the value of that data. Certain data has higher value than others. You need to kind of put some kind of a risk assessment on both the shelf life of that data, and also the value of that data. And that’s kind of one area where you can start to focus,” said Bill Becker, the chief technology officer at Thales Defense and Security Inc., a high tech firm focused on connectivity, big data, artificial intelligence, cybersecurity and quantum technology.
The next step is asking vendors how, and how often, they update the cryptographic algorithms in their products. Becker said there may be options for testing resiliency.
“So there’s things you can do. If you’ve got a crypto-agile application, or even hardware firmware, it can usually be updated. So you talk to your vendor, right? They probably have, or they may have a prototype that you can test with, to understand the impact of the network, like, let’s talk about high speed encryption, right? Or something like that,” he said.
There are also hybrid prototypes that combine classical public key cryptography with a new quantum-resistant algorithm, so that the connection stays protected as long as either of the two holds. Becker advised asking vendors for hybrid prototypes to test out.
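To make the hybrid idea concrete, here is an added example of the combiner at the heart of such a scheme. It is not code from the article or from any vendor it mentions. The classical half is real finite-field Diffie-Hellman over the 2048-bit group from RFC 3526; the post-quantum half is an assumption: `ss_pq` stands in for the shared secret a post-quantum KEM would deliver to both parties, and generating it is out of scope here. The two secrets are concatenated and run through HKDF-SHA256 along with a transcript that names the negotiated suite, which is the shape of the hybrid key exchange proposed for TLS. The suite label also illustrates the crypto-agility point above: the algorithm in use is an explicit, negotiated identifier that is bound into the key, not something hard-wired into the application.

```python
"""Hybrid key agreement combiner (added example, not the article's own code).

Classical half: FFDHE over RFC 3526 group 14 (2048-bit MODP, generator 2).
Post-quantum half: ASSUMED. `ss_pq` stands in for a KEM shared secret that a real
handshake would obtain via encapsulate/decapsulate; it is not generated here.
"""
import hashlib
import hmac
import secrets

# RFC 3526, section 3: 2048-bit MODP group (group 14). Generator is 2.
P_2048 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P_2048.bit_length() + 7) // 8  # 256


def group_is_sane() -> bool:
    """Fermat checks on p and (p-1)/2 (a safe prime is expected). This catches a
    corrupted constant; it is not a substitute for trusting the RFC value."""
    q = (P_2048 - 1) // 2
    return all(pow(b, P_2048 - 1, P_2048) == 1 and pow(b, q - 1, q) == 1
               for b in (2, 3, 5, 7))


def dh_keypair() -> tuple[int, int]:
    x = secrets.randbelow(P_2048 - 3) + 2  # private exponent in [2, p-2]
    return x, pow(G, x, P_2048)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    # Reject degenerate public values (1, p-1, out of range): they force the
    # shared secret into a tiny set regardless of the private key.
    if not 1 < peer_pub < P_2048 - 1:
        raise ValueError("invalid DH public value")
    # Fixed-length encoding matters: with variable-length secrets, two different
    # (ss_classical, ss_pq) pairs could concatenate to the same KDF input.
    return pow(peer_pub, priv, P_2048).to_bytes(P_BYTES, "big")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF per RFC 5869 (extract, then expand), SHA-256 as the hash."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def hybrid_key(suite: str, ss_classical: bytes, ss_pq: bytes,
               pub_a: int, pub_b: int, length: int = 32) -> bytes:
    """Concatenation combiner: the derived key depends on every input, so it is
    only lost if BOTH shared secrets are recovered. The negotiated suite name and
    both DH public values are bound in, so an attacker cannot quietly downgrade
    the hybrid suite to classical-only or splice in different key shares. (A real
    handshake would also bind the KEM public key and ciphertext.)"""
    transcript = (suite.encode() + pub_a.to_bytes(P_BYTES, "big")
                  + pub_b.to_bytes(P_BYTES, "big"))
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(ss_classical + ss_pq, salt, b"hybrid kex v1", length)


def demo() -> dict:
    """Alice and Bob derive the same key; substituting any single input yields an
    unrelated key. `ss_pq` is a constructed placeholder for a KEM shared secret."""
    suite = "ffdhe2048+pq-kem"  # hypothetical suite label, not a registered name
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ss_pq = secrets.token_bytes(32)  # ASSUMPTION: would come from the KEM

    k_alice = hybrid_key(suite, dh_shared(a_priv, b_pub), ss_pq, a_pub, b_pub)
    k_bob = hybrid_key(suite, dh_shared(b_priv, a_pub), ss_pq, a_pub, b_pub)
    # Knowing the DH secret alone (a future quantum adversary) is not enough ...
    k_no_pq = hybrid_key(suite, dh_shared(a_priv, b_pub), bytes(32), a_pub, b_pub)
    # ... and knowing the KEM secret alone is not enough either.
    k_no_dh = hybrid_key(suite, bytes(P_BYTES), ss_pq, a_pub, b_pub)
    # Relabelling the suite (a downgrade attempt) changes the key as well.
    k_downgrade = hybrid_key("ffdhe2048", dh_shared(a_priv, b_pub), ss_pq, a_pub, b_pub)
    return {"alice": k_alice, "bob": k_bob, "no_pq": k_no_pq,
            "no_dh": k_no_dh, "downgrade": k_downgrade}


if __name__ == "__main__":
    result = demo()
    print("keys match:", result["alice"] == result["bob"])
    print("session key:", result["alice"].hex())
```

The part a practitioner should ask a vendor about is exactly the `hybrid_key` step: whether both secrets feed the key derivation with fixed-length encodings, and whether the negotiated suite is bound into the transcript so the hybrid mode cannot be silently stripped back to classical-only.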
Even as new products become available, one of the frustrations is a lack of standardization and validation: the new algorithms are still in the development stage, and implementations of them cannot yet be validated against a finished standard. “That’s so frustrating because the algorithms aren’t validated and internationally standardized,” said Bill Newhouse, an engineer with the National Cybersecurity Center of Excellence in the Applied Cybersecurity Division of NIST’s Information Technology Laboratory.
The new algorithms are, however, quickly maturing, and standardization looks like it is on the horizon. NIST recently announced that it had selected four algorithms, one for key establishment and three for digital signatures, that will become part of NIST’s post-quantum cryptographic standard. NIST spent six years vetting candidate algorithms designed to withstand attack by a quantum computer. Now, the agency’s post-quantum cryptography standardization project expects to finalize the standards in two years.