Preparing for the ‘Great Crypto Migration’ by Embracing a Quantum Future

In October last year, the Biden White House announced its National Cybersecurity Strategy, urging a more robust collaboration between the private and public sectors to fortify the nation’s cybersecurity posture.

The strategy underscored the crucial role of emerging technologies in combating threats to the United States and its global partners. Consequently, the government has made clear its intent to invest in a gamut of advanced technologies, which include applications in cyber and space domains, missile defeat capabilities, trusted artificial intelligence, and quantum systems, aiming for swift deployment of new capabilities on the battlefield.

This occurred after the Biden Administration asserted its commitment to quantum readiness by issuing NSM-10 earlier in 2022, and NSM-8 prior to that. The well-named ‘National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems’ outlines a series of deadlines for government agencies to prepare their information systems for the quantum era. It charts the process for a timely transition of the nation’s cryptographic systems to quantum-resistant cryptography.

The Alliance for Telecommunications Industry Solutions (ATIS) welcomed the federal government’s insurance for quantum readiness. In March 2022, ATIS launched a whitepaper that focused on the threat to network providers, stating “that quantum’s computational power will eventually compromise current encryption algorithms widely used by network operators. New cryptography algorithms and technologies will be required to secure communications and data against the threat of quantum computers. Although quantum computing is still in the early stages of development, network operators should begin to understand its implications on current communications and data management.”

For its part, the NIST (National Institute of Standards and Technology) released a new document in April on its post-quantum cryptography (PQC) guidelines. The intention behind this is to raise awareness of the proliferation of public-key cryptography and its functional dependencies within most products, services, and operational environments. The document's primary objective is to help organizations comprehend their network's security architecture and dependencies on public-key encryption, enabling them to prioritize modernization and plan to replace public-key encryption with quantum-resistant cryptography.

Gaining visibility

As NIST presses ahead to finalize the PQC standard by 2024, it re-emphasizes its earlier warnings that organizations must initiate their migration planning promptly. The first step for businesses is to gain full visibility into an exhaustive inventory of the usage of cryptography across their organizations.

These discovery activities are crucial for organizations and government departments to identify which cryptographic algorithms they use to secure data and communications. This knowledge will drive the necessary migration prioritization decisions. Ideally, a risk-based strategy should be employed to prepare for migration to quantum-resistant cryptography.

Indeed, the assessment of existing infrastructure and data isn't a one-time endeavor. Continuous monitoring of network traffic is vital to provide users with a near real-time view of risks and solutions based on the five core CISA zero-trust pillars: data, applications, network, device, and identity.

Changing things up

Regular scoring of cryptographic vulnerabilities and risk factors like unencrypted traffic, clear-text passwords, expired certificates, self-signed intermediate certificate authorities, and insecure encryption algorithms using standard guidelines must become routine. Only then will users acquire a sound understanding of their cybersecurity posture and gain access to a prioritized risk mitigation list. This list will be pivotal to maintaining compliance, passing audits, and preparing for the 'great crypto migration.' It suffices to say the shift toward replacing legacy encryption with quantum-safe algorithms is already underway.
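A sketch of how such routine scoring can produce a prioritized mitigation list, added here as an example that is not from the original article. The weights, the 1-to-3 sensitivity scale, the `Asset` fields and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}  # broken by Shor's algorithm
CLASSICALLY_WEAK = {"MD5", "SHA1", "DES", "3DES", "RC4"}    # already weak today
# Illustrative weights chosen for this example (an assumption, not a standard).
WEIGHTS = {"unencrypted": 10, "cleartext_password": 10, "weak_algorithm": 8,
           "expired_cert": 6, "self_signed_intermediate": 5, "quantum_vulnerable": 4}

@dataclass
class Asset:
    name: str
    sensitivity: int = 1               # 1 (low) to 3 (high), hypothetical scale
    encrypted: bool = True
    cleartext_password: bool = False
    algorithms: tuple = ()             # e.g. ("RSA-2048", "AES-256")
    cert_not_after: date = date.max    # date.max means no certificate expiry known
    self_signed_intermediate: bool = False

def findings(asset, today):
    """Return the sorted risk factors present on one inventoried asset."""
    families = {a.split("-")[0].upper() for a in asset.algorithms}
    checks = {
        "unencrypted": not asset.encrypted,
        "cleartext_password": asset.cleartext_password,
        "weak_algorithm": bool(families & CLASSICALLY_WEAK),
        "quantum_vulnerable": bool(families & QUANTUM_VULNERABLE),
        "expired_cert": asset.cert_not_after < today,
        "self_signed_intermediate": asset.self_signed_intermediate,
    }
    return sorted(name for name, hit in checks.items() if hit)

def score(asset, today):
    """Sum the weights of all findings, scaled by data sensitivity."""
    return asset.sensitivity * sum(WEIGHTS[f] for f in findings(asset, today))

def prioritize(assets, today):
    """Prioritized mitigation list: (score, name, findings), worst first."""
    rows = [(score(a, today), a.name, findings(a, today)) for a in assets]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("legacy-ftp", 2, encrypted=False, cleartext_password=True),
    Asset("vpn-gateway", 3, algorithms=("RSA-2048", "AES-256")),
    Asset("intranet-wiki", 1, algorithms=("ECDSA", "SHA1"),
          cert_not_after=date(2023, 1, 1), self_signed_intermediate=True),
    Asset("pqc-pilot", 3, algorithms=("ML-KEM-768", "AES-256")),
]
```

Running `prioritize(INVENTORY, date.today())` on each discovery cycle keeps the list current as certificates expire and algorithms are replaced.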

Complex undertaking

Undoubtedly, this process is extensive. Cryptography is embedded in countless devices, applications, and platforms. Most organizations lack knowledge about when, where, or how they’re utilizing encryption, who oversees it, or how to manage it continuously in an agile manner.

If anything, the private sector should emulate the government’s model in preparing its networks and systems for the post-quantum future. Irrespective of the approach taken, understanding how best to embark on the organizational journey toward quantum safety and replacing legacy encryption with post-quantum cryptographic algorithms is essential.

Looking back at the extensive efforts in preparation for the Y2K rollover provides some useful insights. General market awareness and public pressure motivated technology vendors, commercial and private businesses, and government agencies to upgrade their systems in anticipation of the Y2K bug. This heightened awareness prevented the widespread failure of the global computing infrastructure, with fallout limited to a handful of minor incidents.

Lessons learnt

Cryptographic migration should adopt a similar strategy. Organizations should engage their community and all stakeholder groups to promote quantum literacy and develop an organizational understanding of PQC and technology readiness levels. This includes raising awareness from the board level down to procurement teams, incorporating quantum-safe priorities and requirements into requests for proposals, product iterations, vendor relationships, network infrastructure upgrades, and customer deployments, to name a few elements.

Moreover, organizations should consider active participation in industry groups, consortiums, and standards bodies like the QED-C, Quantum Alliance Initiative, and the Quantum Industry Coalition, to keep leadership and team members updated and informed about evolving risk profiles, potential solutions, and proven best practices.

Identifying technology partners like Quantum Xchange, who have experience with large-scale enterprise deployments and offer holistic cryptographic management solutions that include discovery, deployment, and management, is also important. Such trusted partners can alleviate fear, anxiety, or reservation about quantum preparedness by providing expert resources and products built for resilience. This approach also ensures that the migration can occur without significant disruption to existing systems and processes that must remain operational, secure, and accessible.

A new way

Be it the U.S. administration taking preventative measures or industry alliances such as GSMA urging quantum readiness, it is clear that change is coming. Recent news out of China gives a clear indication that a new way is being paved: China Telecom recently invested $434 million to establish the China Telecom Quantum Information Technology Group Co. Communications providers will need to be at the forefront of this critical infrastructure to ensure continued safety.

In reality, many existing information systems are not designed to support rapid adaptations of new cryptographic primitives and algorithms without significant changes to the system's infrastructure or intense manual effort. Therefore, designing a crypto-agile system to support multiple cryptographic primitives and algorithms simultaneously is imperative.

Crypto-diversification, an added safety measure and architectural approach, anticipates a breach or attack. It enhances crypto agility with advanced features, including continuous key rotation and intelligent multipath key routing, and leverages a fault-tolerant and load-balanced mesh network where data links are protected by varied methods, including different PQCs on each link. If a link or algorithm is attacked, the added complexity and randomness brought by this crypto-diverse network significantly mitigate the risk or damage because session keys, PQCs, certificates, etc., are continually changing.

Existing infrastructure management plans and practices should suffice in managing a quantum-safe adoption strategy. If the most sensitive, valuable, and at-risk parts of the communication infrastructure have been identified, a massive upfront inventory and audit of encryption strategies throughout the organization is likely unnecessary.

What is certain is that a monumental change is on the horizon, and organizations can ill afford to be unprepared.

Author

Eddy Zervigon is a seasoned senior executive with extensive operational, restructuring, and turnaround experience. As a Managing Director in the Principal Investments Group at Morgan Stanley from 1997-2012, Zervigon was responsible for technology, media and entertainment, and energy investments throughout Latin America and the U.S. He has been a Special Advisor at Riverside Management Group, a boutique merchant bank, since 2012 and currently sits on the board of directors at Bloom Energy (NYSE: BE) and Maxar Technologies (NYSE: MAXR).
