In roughly a decade, security experts predict that stable quantum computing will threaten to break today’s cryptographic standards. The US federal government has already been preparing for this eventuality for years, and concrete changes are beginning as new National Institute of Standards and Technology (NIST) are shaping up.
While the new standards will not be complete until at least 2024, some early components are now in place. Four encryption algorithms for web security have been selected, and a new bill provides a structure for annual progress reports to Congress.
Stronger cryptographic standards needed as current algorithms could be broken in mere minutes
The Quantum Cybersecurity Preparedness Act is meant to keep Congress informed on this transition, as well as establishing an inventory of equipment that needs to be changed out and the budget and timeframe for doing so. If the bill passes the Office of Budget and Management will have a year to lay out a general plan for the improvement of defenses against quantum computing threats, and the Department of Commerce would be tasked with developing guidance for critical infrastructure companies. Congress would be briefed annually on progress.
In the meantime, four encryption algorithms have been selected to be part of the emerging cryptographic standards: three as identity verification methods, and one as a general method of encryption of web traffic. The project is selecting a mix of different methods so that not only do they rely on the different functions, but there are backups available should one algorithm be compromised. NIST is reviewing additional algorithms and plans to announce more candidates at some unspecified point in the near future.
Defensive upgrades to counter quantum computing will be a major challenge
The cybersecurity adjustment to a quantum computing world will take years, with general estimates of about 8 to 10 years remaining before the threat becomes imminent. Federal government preparation has already been underway for nearly six years, as NIST first called for the development of new and stronger cryptographic standards in 2016 and is just now selecting the first batch of candidates.
The upgrade is expected to be long and painful for both the public and private sectors, as most people are not even yet aware that this is a looming threat. An early “crypto-agile” approach is emerging as a means for organizations to address the issue without completely upending existing infrastructure, but early action is key if this is to work.
The scheduled publication of quantum computing guidance in 2024 will likely be the first detailed advisory as to how to handle this process. In the interim the Department of Homeland Security has issued a roadmap to help organizations get prep work out of the way. Items that can be accomplished now include inventorying all systems currently using cryptographic technologies as well as sensitive data sets that require enhanced protection, mark any systems that are using public key encryption that may be quantum computing vulnerable, and create a priority hierarchy for system transitions.