CISA Post-Quantum Cryptography Initiative: Too Little, Too Late?

The Cybersecurity and Infrastructure Security Agency (CISA) has established a post-quantum cryptography initiative that aims to unify agency efforts regarding the threats posed by quantum computing.

The initiative builds on existing Department of Homeland Security (DHS) efforts and those that are underway to support critical infrastructure and government network owners and operators during the transition to post-quantum cryptography.

The roadmap identifies where organizations need to develop plans for the transition to post-quantum cryptography and follows a recent announcement by the Department of Commerce’s National Institute of Standards and Technology (NIST) that it has chosen the first group of cryptographic algorithms.

A White House memo released in May and directed at federal agencies aims to jumpstart efforts to move vulnerable security systems to a quantum-resistant cryptography security posture and maintain investment in quantum computing technology.

The document, released on May 4, warned quantum computing poses “significant risks to the economic and national security of the United States.”

Post-Quantum Cryptography: Solving the Wrong Problem

Not everyone, however, is convinced that CISA’s initiative is sufficient or particularly helpful, including Dr. Eric Cole, advisory board member at Theon Technology, a provider of data security.

“CISA has good intentions, but this is a great example of how out-of-touch the government is with reality and the needs of the private sector,” he said. “Looking at the root cause of many breaches, organizations today are still struggling with key management and key storage.”

He explained that data is encrypted with a single key or set of keys, and the keys are typically stored with the data in an easily accessible form. From his perspective, the keys are the problem, not the algorithm.

“For a CISO at a large organization, it makes no sense for them to be focused on or worrying about future algorithms when managing and controlling the keys is the biggest problem they have,” Cole explained. “It would be great if CISA actually put together guidance with NIST on how to properly manage and store keys, because until this problem is solved, new algorithms are not going to be the answer. It will just contribute to the problem.”  

In addition, Cole pointed out that the use of algorithms is often handled by the product vendors, not by the company implementing the solution.

“An organization today is going to buy products with cryptography embedded in the solution and the organization has to worry about the implementation or key management issue—not the algorithm issue,” he said. “Therefore, the use and integration of quantum computing is going to be handled by the vendors seeking products and not typically by the companies purchasing them.”

Scott Bledsoe, CEO at Theon, said while the passing of the Quantum Computing Cybersecurity Preparedness Act is a symbolic move in the right direction, it may be just a little too late.

“We all know that terabytes and terabytes of data have already been compromised using modern-day encryption, waiting for quantum to be available for our adversaries to decrypt at a later time,” he said.

A lot of the government data that has been compromised is PII and financial data that could be used to blackmail any American citizen.

“My gut tells me that the U.S. government will focus on data at rest first, which is a valuable step,” Bledsoe said. “However, they need to focus on data in motion; how we communicate with each other, how we communicate with the U.S. government and how the U.S. government communicates with others. That data has constantly been siphoned and used against us.”

He explained that it’s crucial to focus on data in motion now and realize that a lot of the data that CISA wants to encrypt with quantum-proof capabilities is already in the hands of adversaries.

Too Little, Too Late?

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, agreed that the move comes a little late, but said CISA’s initiative is still a good step.

“People have been saying for years that the development of quantum computing would lead to the end of cryptography as we know it,” he said. “With developments in the field bringing us closer to a usable quantum computer, it’s past time to think about how to deal with the future of cryptography.” 

He pointed out the modern internet relies heavily on cryptography across the board, and quantum computing has the potential to break a lot of that encryption, rendering it effectively useless.

“That, in turn, would effectively break many of the internet services we’ve all come to rely on,” Parkin said. “Quantum computing is not yet to the point of rendering conventional encryption useless—at least that we know of—but it is heading that way.”

He said he believes the government is in the position to set encryption standards and expectations for normal use and can work closely with industry to make sure the standards are both effective and practical.

“In this case, government and industry can work together to deploy new quantum-resistant encryption standards before existing ones become obsolete,” he said. 

He added that there are several encryption schemes that are shown to be resilient against quantum computing, and there are others under development that specifically resist being broken by the next generation of quantum computers.

“We’ll see how effective any of this is when the first wave of practical quantum computers comes on the scene and starts breaking existing encryption,” Parkin said. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
