The quantum threat is out there. And it’s not a matter of “if”, but a matter of “when”. While the specific “when” is unknown, it’s generally accepted that in anywhere from 7-10 years a quantum computer will be capable of breaking the traditional public key cryptography in use today.
While that might seem pretty far out, we do know that the steps to get ready and then ultimately migrate to post quantum (PQ) cryptography will take several years. We’re not talking about a crypto refresh cycle here. We’re talking about something an order of magnitude more involved and challenging than anything that’s been done before. That’s why we are of the position that the time to prepare for post quantum is now. And we are not alone in that thinking.
If you’ve been keeping up with the news, I’m sure you’ve noticed the uptick in government action that’s been taking place around PQ lately. And this has been happening at a global level. What’s nice about some of these directives is that they are providing (or in our case validating) the blueprint for what needs to be done in order to prepare for post quantum.
This past September the NSA released the CNSA 2.0 Timeline which advised that algorithms for software and firmware signing, should begin transitioning immediately. The algorithms they recommend implementing are based on the NIST round 3 finalist algorithms, which were announced last summer. They’re not trying to get ahead of the process by publishing these requirements ahead of the final selections for standardization, but rather hoping that it will generate awareness of what needs to be done and allow time to “plan and budget for the expected transition”.
Last spring and prior to the NSA announcement, the White House had issued the “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems”. It then followed up with another memo in November 2022 which provided additional direction and some clear actions to federal agencies in preparing for the migration to PQC. The first two steps were:
- Designate a lead. The memo stated that within 30 days (which brought us to December 28, 2022), agencies needed to designate a lead for collecting cryptographic information systems. This should be the first step for any organization in order to ensure there is central ownership and oversight over the strategy and transition.
- Perform a cryptographic inventory. The memo then clearly requires agencies to inventory cryptographic hardware and software systems by May 4, 2023. Whether ensuring you have the right technology in place to support the requirements of PQC, or ensuring visibility into all your cryptographic assets (keys, certificates, etc.), this will likely be one of the more challenging and time consuming tasks. It will also help determine if you’re crypto agile which will be key when it comes to implementing PQC.
While final implementation direction and migration strategies are still to come, the memo also suggests that agencies should be working with their vendors to identify post quantum cryptography testing opportunities within their networks. This will be critical universally as standards (when they come) are one thing, but approved working deployments are another. And the “Quantum Computing Cybersecurity Preparedness Act” indicates that agencies will need to quickly migrate to quantum resistant systems once those standards are identified.
So, all eyes will remain on the NIST PQC Competition to see what the final recommendations for standardization are, but in the meantime, there is much to do. And it really is time to get going.
For more information on any of the post-quantum regulations and recommendation, visit our PQ Resources page. Curious how prepared your organization is for PQ? Take our self-assessment.