
State and local government can now prepare for post-quantum security

The federal government is bracing for the day when quantum computers become powerful enough to break many commonly used encryption methods. In doing so, it aims to ensure that public and private organizations of all types are included in the move toward quantum-resistant security.

2022 could see the next step in this work, with the National Institute of Standards and Technology (NIST) due to publish a first standard for quantum-proof encryption algorithms. The Department of Homeland Security (DHS), meanwhile, has created resources to help entities prepare to adopt the new standards, and it plans to push for greater awareness of these offerings in the new year.

ANTICIPATE QUANTUM RISKS

Expected advances in quantum computing could introduce far-reaching risks, threatening the encryption that secures everything from digital communications to credit card payments.

No one knows when these hypothetical encryption-breaking capabilities will emerge, but senior DHS officials told Government Technology that they aim to be ready in case they arrive as early as 2030.

NIST has been working for several years to identify new encryption methods that can withstand even this computing power. It launched a call for so-called “quantum-resistant” encryption algorithms in 2016 and has since narrowed the submissions to a handful of the most promising.

The upcoming standard could incorporate several different approaches to ensure it stays relevant, given that it is unclear exactly how quantum computing will evolve, NIST mathematician Dustin Moody previously said.

“It’s important that the eventual standard offers multiple routes of encryption, in case someone manages to break one later,” Moody said in a 2020 NIST blog post.

The day when quantum computing threatens cryptography may seem far away, but DHS expects the transition to quantum-proof encryption to be a long process, so it is important for organizations to start early.

STRENGTHEN AWARENESS

Releasing the NIST algorithms is only half the battle. The other half is ensuring that they are widely – and quickly – adopted.

The DHS roadmaps and resources released this year are intended to help organizations of all types prepare to transition to the upcoming quantum-resistant algorithms. One of the department’s priorities for the start of 2022 is to get more organizations engaged with these guides, said a senior DHS official, who spoke with GovTech on condition of anonymity.

“[We created] communication that was digestible and understandable to our partners and gave them actions they can take now, to instill some urgency that the problem is not so far away that we can’t do anything, but we have to start to prepare,” the official said.

Quantum computing’s threat to traditional encryption may not yet be high on states’ priority lists. An official from the National Association of State Chief Information Officers (NASCIO) told GovTech they were not aware of this being a current topic of discussion among CIOs.

MAKE PLANS NOW

The DHS guidelines urge organizations of all types to begin evaluating which of their systems and datasets will need to be updated to the new standard.

“The key question for us at this point, and for state and local governments, is to take an inventory of the data that may be relevant, even in 10 to 15 years, to determine if they need to take action at this point,” a second senior DHS official told GovTech.

Not all data will be at risk: symmetric-key cryptography will remain strong against advanced quantum computing even as several asymmetric (or public-key) encryption systems become vulnerable, DHS says in its Post-Quantum Cryptography FAQ, created in partnership with NIST.

Older encryption won’t fail overnight, either. Instead, malicious actors will need to collect targeted encrypted data and then run computations against it to break into a single communications session, according to a 2021 interview with Matt Scholl, head of NIST’s IT security division. This means that organizations can transition their highest-priority systems first, such as those that are most at risk, most important or most sensitive.

Identifying a transition plan early prepares organizations for faster adoption once the new NIST standards become available. This will reduce how long – and how much – data remains vulnerable to quantum-equipped attackers. Those who wait and then scramble to upgrade systems also risk making mistakes that introduce vulnerabilities, writes Michaela Lee of the Harvard Kennedy School Belfer Center.

Concerns about a smooth transition to post-quantum algorithms are prompting some entities not only to develop their transition plans, but also to start trying new encryption algorithms now, without waiting to see which ones get the final seal of approval from NIST.

Todd Moore, vice president of encryption solutions at global technology company Thales, told GovTech that the company and some of its larger customers are using sandboxes to test several of the algorithms in the NIST finalist group. Cryptologists at Thales have collaborated on one of these algorithms, according to the company’s website, and the company works with clients in sectors such as the US federal government and finance.

Testing allows organizations to learn how different encryption algorithms impact their operations. For example, some algorithms require more computing power or cause higher latencies, so organizations must adapt to them.

These tests also help customers troubleshoot and ensure that they have considered all relevant systems.

“A bank, for example, recognizes that it has a vulnerability at some point in a transaction. They fix that, but then they realize there’s a signing operation or a keying operation that they missed,” Moore said. “The feedback we’re getting, especially from the banks, is that they start the implementation process and then all of a sudden a light bulb goes out – ‘Oh, we forgot that here.’ This is one of the reasons people have to start early.”

IS THERE FAIR ADOPTION?

Once state and local governments know what needs to be updated, it may be up to the private sector to ensure they can make those changes. DHS officials said a critical part of the effort is to ensure that private software vendors incorporate the new encryption methods into their products, creating more secure offerings for governments and other end users.

DHS officials have said they want to ensure that smaller and less mature players can migrate to quantum-resistant encryption alongside their larger counterparts, without their limited resources holding them back. The federal government is currently analyzing the situation to identify possible equity gaps. Solving such problems could mean that large organizations take steps that improve the situation of smaller ones, an official said.

“Many transitions in the past – and this one too – will be led by the private sector. But it also carries a risk that those without the resources will not get on board at the same time,” one DHS official said.

Intellectual property issues could also present a challenge for widespread adoption, Moore said. The algorithms considered by NIST are open source, but their implementations could be licensed or patented, he said.