While there’s never been doubt about the importance of digital security, over the last few years it seems to have garnered a lot more attention – specifically by governments across the globe. That’s no surprise given some of the issues being looked at such as the growth of connected devices and services in the IoT space, for example. But one area that is seeing an increase in calls to action these days is mitigating the threat quantum computers will pose to traditional public key cryptography in use today.
Late last year, we saw an abundance of specific direction coming out of the United States. This direction came in the form of the NSA releasing the CNSA 2.0 Timeline, which outlined the timeline for the migration to post-quantum cryptography (PQC). The timeline spans several years and acknowledges the need to plan and budget for the transition, but it also states that – at least for software and firmware signing – the transition needs to begin immediately. Further, the White House issued not one, but two clear calls to action for government agencies to begin preparing for the quantum threat by designating a lead for collecting cryptographic information systems by December 2022, and then they must have also performed a cryptographic inventory by May 4, 2023.
But attention around the quantum threat and the need to migrate to post-quantum cryptography isn’t limited to the United States. This is a global issue, and as such, has garnered global attention. Here are a few examples:
- The General Intelligence and Security Service (AIVD) of the Netherlands very recently released a handbook that advises all organization to start preparing for the quantum threat now, and it also provides some clear steps to begin on that journey.
- The European Union Agency for Cybersecurity (ENISA) produced a report that outlines what organizations can implement now to ensure their data remains secure, including the strategy of choosing a hybrid implementation, which would mix traditional cryptography with quantum-safe cryptography.
- The Federal Office for Information Security (BSI) in Germany published its own guide with the intent of outlining the threat, demystifying PQC, and making recommendations on how to prepare.
- The National Agency for the Security of Information Systems (ANSSI) in France has a position paper. The paper expresses France’s views on the quantum threat – including that the threat should be considered today to address the current threat of “harvest now, decrypt later,” where sensitive data is being collected by bad actors today, with the intent of decrypting it once a quantum computer is capable.
One thing all the above countries and more (such as Canada, the UK, and Australia) have in common is everyone is awaiting the results of the National Institute of Standards and Technology’s (NIST’s) competition and the subsequent standards. NIST kicked off a post-quantum cryptography competition, announced the first set of winners in the summer of 2022, and is expected to release draft standards any day now. Although a few European countries have been looking at other algorithms, that’s merely to have options on top of what NIST recommends. A recent discussion paper out of the European Policy Centre drives home the importance of a coordinated European action plan, but really this needs to be a global coordination to avoid fractured standards. NIST is seen as the gold standard for independent, open, and transparent competitions, so ideally once NIST comes out with its final recommendations, that will result in international standards and adoption.