In recent months, mitigating the quantum threat has been a key focus in the thinking around US cybersecurity. That’s largely due to the expectation of cryptographically relevant quantum computers, capable of breaking currently-used cryptography within the next few years.
The threat poses a significant concern to the security of US Federal agencies and critical infrastructure, as well as any system currently relying on traditional cryptography.
In response, a strategy is quickly emerging, with published recommendations, standardized algorithms, guidance and legislation – each aiming towards enabling a smooth transition to post-quantum cryptography (PQC).
In November, the US Government Accountability Office (GA0) released an official report into this developing strategy. The GAO’s approach includes identifying key goals, potential gaps that need to be addressed, and recommendations for leadership and alignment. Various entities have published guidance, but is it strategically co-ordinated? Does the strategy lack detail?
The report suggests that there are three key goals, and provides a detailed review of the guidance published on each of the following:
- Standardization of post-quantum cryptographic algorithms
- Migration of Federal systems
- Encouraging adoption in all sectors of the economy
In taking this approach, the GAO has been able to compare the emerging strategy (formed by published documents from multiple Federal entities over the course of the last eight years) with the essential characteristics typically required for a national strategy. For example, to what extent has the risk been identified and the problem defined? What’s the methodology and scope of post-quantum algorithms? Are there objectives in place?
With all this in mind, the report identifies where the strategy falls short:
Lack of comprehensive risk assessment
The GAO concludes that although several documents defined the problem, there was no agreed definition of a cryptographically relevant quantum computer, making it more difficult to identify the problem. In addition there’s no conclusive risk assessment for federal agencies and their systems. A detailed analysis of the urgency for migration for specific agencies and their critical functions is required.
Limited milestones and performance measurements
The strategy lacks defined milestones, according to the GOA, and there are no strategic performance measurements for encouraging the adoption in all sectors. This makes tracking the migration much more difficult, and obscures accountability.
Incomplete resource allocation
While a cost estimate exists for migrating Federal systems, the GAO is uncertain about its accuracy. The strategy doesn’t identify sources of investment, or discuss the allocation of resources and budget in detail. Similarly, there should be scope for risk management of the cost in line with a clear project plan for Federal agencies.
Insufficient Co-ordination
The emerging strategy exists in response to a quickly accelerating threat, and as a result there’s been no single Federal entity seemingly responsible for co-ordinating and overseeing implementation. Mechanisms for co-ordination exist, and in fact, the GAO points out that the Office of the National Cyber Director is well-positioned to lead the effort.
What about international approaches?
While the US is the key player in setting the approach for a quantum security strategy, several international organizations have already advocated a ‘hybrid’ approach combining the power of PQC algorithms with traditional cryptographic methods. This is especially advocated in the light of ‘harvest-now-decrypt-later’ attacks designed to steal sensitive data today with the intention of decrypting at the point a cryptographically relevant quantum computer is available. This approach, while beneficial, does present challenges such as a need for increased computing resources and potentially a second migration away from the hybrid solution when PQC can be fully deployed.
Key recommendations
The report makes some clear recommendations intended to help align the strategy with the desirable characteristics of a national security strategy, including direction and oversight from the National Cyber Director. Specifically, the recommendations point towards:
- The definition of the problem, including the parameters that define a cryptographically relevant quantum computer
- Comprehensive risk assessment that encompasses both Federal agencies and critical national infrastructure
- Detailed objectives and performance measures for standardization, migration, and adoption of the strategy
- Clear resource allocation, risk-management processes and understanding of investment sources
- Roles and responsibilities, particularly for encouraging the use of PQC in all sectors
It’s increasingly clear that transitioning to PQC is critical for US Federal agencies and information systems. While awareness of the quantum threat is increasing, the need for a co-ordinated strategy is also becoming more urgent, and this report is a timely intervention – recommending that the strategy is well-deployed under the leadership of the National Cyber Director.
In addition, the report underscores the importance of migration, not just to Federal agencies, but also to the wider industry landscape, and ultimately the supply chains that affect the rest of the world. It’s encouraging that a co-ordinated approach is being recommended, emphasizing the urgency of the quantum threat and the effort taken to defend against it.