
Cryptography Experts Urge Organizations to Take Immediate Action in Protecting Against Quantum Attacks

Experts believe that full-scale quantum computers could be one of the most monumental technological breakthroughs of the century. Quantum promises major impacts in everything from financial services and complex manufacturing to artificial intelligence, cybersecurity and beyond. But the technology is not without risk.

Quantum computers “bring with them some very fast computing power that they will be able to bring to a lot of applications — a lot of those applications will be very positive in our lives,” explained Dr. Dustin Moody, a mathematician for the National Institute of Standards and Technology’s computer security division, during a webinar hosted by GovCon Wire.

Although we’re still decades away from achieving an operational quantum computer, quantum threats are already starting to emerge today, and organizations must act fast in order to get ahead of the curve and protect their most valuable assets.

“In regards to cryptography, it’s known that once [quantum computers] are big enough, they’ll be able to break a lot of the crypto systems that we rely on today for security,” said Dr. Moody. And today, the scope of what federal agencies and commercial companies need to protect is exponentially wider than it was even just a few years ago.

The Quantum Threat Landscape

The Honorable Sue Gordon, former principal deputy director of national intelligence and two-time Wash100 Award winner, said, “If you think about what the vulnerable attack surface is, national security is so much bigger than we even thought about five years ago.”

“Certainly all the things that the classical national security complex has in terms of safeguarding its weapons technology and sensitive information. But if you think about private data and biological and genomic data and all that information, which is held by companies, the body of systems and the data they contain are so much more interesting than they were a minute ago. You just have to figure that this is where the fight is going to be waged,” Gordon shared.

And in some ways, the fight has already begun. 

“There are people who are using the digital environment to advance their interests at the expense of ours. And there is no evidence that that desire is abating,” explained Gordon. “China alone has at least seven different types of quantum computer projects. And they are in the process of conducting these ‘store now, decrypt later’ kinds of attacks, so we know that it’s underway.”

In her remarks, Gordon underscored the urgency behind immediate action, noting that because we can already foresee that quantum attacks will have severe consequences, federal agencies should already be taking steps toward augmented protection. Despite the threat still being 10-20 years in the future, Gordon said there are measures that organizations can take today to jumpstart their journeys in post-quantum cryptography. 

What Organizations Can Do Today

“I think the first two [steps] that are the easiest to do are to know what’s on your system, know what crypto systems you currently have — almost an inventory. And the second is what is it that you have that’s important to protect?” Gordon said. 

Once those steps are completed, organizations should move on to more concrete support measures for quantum-resistant security — and quickly.

Gordon said, “You need the budget line in place. You need the talent in place. You need to make sure that your staffs are ready, and you need the policy and regulations in place to be able to move to this as quickly as it becomes available.”

“This isn’t something that is a ‘nice to have,’ or that you can just keep operating and just wait and modernize as a fast follower,” she continued. “This is something that you need to be ready to do.”

Dr. Moody added, “If you wait and just watch what everybody else is doing, you’re going to end up being too late and you’ll have data right now that can be at risk, even though we don’t yet have the quantum computer here.”

How The Government Is Taking Action

Thankfully, the federal government has already set its sights on quantum protection as a high priority, and legislation is beginning to back it up.

“In the United States, the White House has released guidance in National Security Memo eight as well as National Security Memo ten to jumpstart the government to action. And the House has passed H.R. 7535, the Quantum Computing Cybersecurity Preparedness Act on July 12th. And there is a complementary bill in the Senate that we expect to be approved favorably,” explained moderator Jennifer Sovada, president of public sector at SandboxAQ.

NIST is also leading the charge in quantum protection with a project called Migration to Post-Quantum Cryptography, in collaboration with the National Cybersecurity Center of Excellence. Bill Newhouse, cybersecurity engineer at NCCoE, said the project currently has 16 collaborators, including SandboxAQ, to help NIST in its research on how to help organizations protect against quantum attacks. 

Newhouse said NIST is testing and experimenting with technologies and tools from its collaborators, and those findings will be shared in a paper whose aim is to educate organizations on how to begin building their quantum resilience. 

According to the project’s website, its aim is “initiating the development of practices to ease migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks.”

NIST’s Post-Quantum Cryptography project is also yielding exciting results thus far. Dr. Moody said that after six years and multiple rounds of analysis, NIST announced the first four algorithms that the agency will be standardizing. 

“Three of these algorithms are based on what’s called lattice or lattice-based cryptography, and they’re very efficient. Their key sizes are a little bit larger than what we’re used to, but we expect that most organizations and applications will be able to use these algorithms in their processes,” he shared.

Dr. Moody said NIST expects to have standards for the four algorithms released and ready for implementation by 2024.


To learn more about cybersecurity, join the GovCon Wire Second Annual Cybersecurity in National Security Summit on Sep. 28. Bryan Vorndran, assistant director of the FBI’s cyber division, and David Frederick, executive director of the National Security Agency’s U.S. Cyber Command, are slated to keynote.
