CISA: How post-quantum cryptography safeguards against quantum threats
CISA: How post-quantum cryptography safeguards against quantum threats
The rise of quantum computing promises transformative advancements across industries, but it also introduces profound security challenges. At the heart of these concerns lies the vulnerability of our current cryptographic systems – frameworks that protect everything from personal data to critical infrastructure. As quantum technology advances, the encryption methods we rely on today could soon become obsolete, leaving sensitive information exposed to unprecedented risks.
Enter post-quantum cryptography, the field dedicated to developing cryptographic algorithms capable of withstanding the computational power of future quantum machines. This emerging discipline is not just a technical necessity but a critical frontier in the fight to safeguard global security. Governments, industries, and researchers are racing against time to ensure our digital infrastructure is ready for a post-quantum world.
In this interview, CISA’s Dr Jones delves into the pivotal role of post-quantum cryptography in securing the digital landscape. From addressing vulnerabilities in public key infrastructure (PKI) to the efforts being led by global and national organisations, the conversation focuses on what it will take to protect our systems in an era defined by quantum innovation. As the quantum revolution accelerates, understanding and adopting these next-generation solutions is more crucial than ever.
As quantum computing advances, what potential security issues does the technology pose?
This is a question we get quite frequently. The primary risk we’re looking at is authentication. When we consider cryptographic vulnerabilities, the most significant threat is to authentication mechanisms. This includes business transactions, secure communications, digital signatures, and customer information.
These areas are critical because authentication is central to identity verification and secure key transport, whether symmetric or asymmetric. Essentially, it threatens the entire PKI. A cryptographically relevant quantum computer (CRQC) could compromise all the secure communications we rely on today, breaking the encryption that underpins PKI.
This isn’t just about quantum computing as we know it today. It’s specifically about CRQCs – error-correcting quantum computers capable of breaking PKI. Such systems would endanger sensitive information secured with PKI, including business transactions, communications, and long-term intelligence. An adversary with access to a CRQC could decrypt data collected now or in the future under the “harvest now, decrypt later” approach. This makes the threat very real and urgent.
Anything using cryptography, especially asymmetric cryptography, is at risk. Symmetric cryptography has a bit more time before being significantly threatened, but asymmetric cryptography faces an immediate issue with CRQCs. Fortunately, the National Institute of Standards and Technology (NIST) has released quantum-resistant standards to help mitigate or delay the problem.
What are the primary goals of CISA’s Post-Quantum Cryptography Initiative, and how do you see its impact on securing critical infrastructure?
The goals are multi-faceted but centre around analysis, testing, and standardisation of new cryptographic primitives. For instance, CISA is focused on guiding and supporting critical infrastructure sectors to mitigate risks in existing systems. Education is the first priority: ensuring that teams and organisations understand the threat and how to address it.
Next, we evaluate the sensitivity of organisations’ data and assets – identifying what’s at risk and for how long. This includes inventorying IT and OT systems and working with vendors to implement and validate standards. It’s not just about rolling out new standards but ensuring that vendors and third-party suppliers meet these standards accurately.
Budgeting is another critical aspect. Organisations need to allocate resources for necessary hardware, software updates, or replacements to transition to post-quantum cryptography. This includes updating lifecycle plans for IT and OT systems and ensuring state, local, tribal, and territorial (SLTT) entities are part of the preparation process.
Finally, we emphasise the cyclical nature of this work – monitoring and adapting as new standards emerge. NIST has already released 14 new standards under review, and as cryptographic needs evolve, so will the standards we must implement.
It seems like two key challenges are ensuring no one is left behind in this transition and keeping up with the constantly changing landscape?
That’s absolutely right. This isn’t a “drop the mic and walk away” situation. Cryptography is inherently mathematical, and over time, even classical algorithms are broken. The same will apply to quantum algorithms as CRQCs grow more capable. This is why crypto agility – our ability to adapt to new and stronger algorithms – is critical.
How does CISA assess vulnerabilities across the 55 national critical functions?
That’s primarily handled by the National Risk Management Center (NRMC). They assess vulnerabilities by analysing cross-sector interdependencies and prioritising outreach based on stakeholder feedback.
Each critical infrastructure sector has unique risks, so we must work closely with stakeholders to understand their priorities and address vulnerabilities effectively. It’s about balancing the categorisation of critical functions with real-world input from those directly involved.
You mentioned NIST. How do you collaborate with other agencies to streamline this transition?
We collaborate extensively with agencies like the Office of Management and Budget (OMB), the Office of the National Cyber Director (ONCD), NSA, and others. We aim to speak with one voice across agencies, ensuring consistency and coordination. For instance, we work closely with NIST to assess cryptographic discovery and inventory tools, which help identify cryptographic elements in systems.
International collaboration is also essential because divergent standards can create operational challenges. We engage with international partners and the private sector, emphasising the importance of adopting NIST’s standards. This unified approach ensures that we’re moving forward collectively.
This is not just CISA leading the charge – it’s a joint effort involving NIST, CISA, NSA, and other agencies like the Department of Energy (DOE), Department of Justice (DOJ), and the Department of Health and Human Services (HHS). Together, we’re ensuring this transition is a coordinated and comprehensive process.
How do you drive awareness and engagement with the private sector?
We engage the private sector through regular meetings and participation in industry conferences. We’ve noticed a shift – initially, most conferences focused on AI, but now more are recognising the quantum threat. We’re getting invited to larger platforms, like RSA, where we can reach broader audiences.
Awareness is growing, but it’s still like turning an aircraft carrier – it takes time. Once the industry fully grasps the threat, we expect momentum to build rapidly.
How will you measure the success of the Post-Quantum Cryptography Initiative?
It’s essential to examine how organisations are implementing these practices in terms of awareness and preparation.
In terms of inventory discovery and risk assessment, understanding the risks within an organisation is a crucial measurement. For instance, if organisations can start generating policies that cover implementation, validation, and testing for quantum readiness, that’s a positive step forward.
Vendor management is another critical aspect. It’s vital to ensure that vendors are engaged effectively to update and align products with the necessary specifications.
Additionally, awareness and preparedness play significant roles. Executing early actions, such as establishing policies addressing the quantum threat, is essential. These policies should guide how organisations should approach the challenges posed by quantum technologies.
While NSM 10 was a solid starting point, follow-up policies are necessary to build on that foundation. Creating comprehensive roadmaps is also important. We already have some roadmaps in place, but the level of effort required for each milestone on those roadmaps is a key factor to consider.
Finally, I would like to highlight the incredible work of NIST, CISA, and other agencies over the past few years. We’ve made tremendous progress in getting quantum threats on senior management’s radar. A few years ago, this wasn’t even part of the conversation, but now it’s front and centre. That’s a huge accomplishment, and it’s critical we keep building on this momentum.