The Impact of NIST’s PQC Standardization on the Federal Cybersecurity Ecosystem

By: MeriTalk Staff

Blogs

Aug 29, 2024 | 1:07 pm

quantum computer processor chip intel computing hardware

By Kaniah Konkoly-Thege, Chief Legal Counsel, SVP Government Relations at Quantinuum

A lot has taken place in the quantum industry since the National Institute of Standards and Technology (NIST) announced its selection of PQC algorithms for standardization in 2022. From technology to global policy, advancements are causing experts to predict a faster timeline to reaching fault-tolerant quantum computers. Technology advances may also accelerate the timeline for when a future quantum computer could overwhelm the encryption tools we currently rely upon to protect everything from national security information to banking and healthcare data. The newly-released NIST PQC standard s are a critical step toward protecting data in the quantum age and warrant the attention of the entire federal cybersecurity ecosystem.

Since NIST Algorithm Selection (2022): Industry Progress

Over the last decade, the quantum information science ecosystem has moved from early-stage scientific exploration and investigation into applied commercial research and development. Governments worldwide now view quantum as a strategic technology critical for both economic and national security.

As an industry composed of mostly start-ups and tech giants, several important advancements took place over the past two years. Quantum capabilities in hardware have, for certain problems, moved beyond the limit of what supercomputers can simulate; software integration has advanced quantum computing out of the current noisy intermediate-scale quantum (NISQ) level to Level 2 resilient quantum computing; and from a cybersecurity perspective, standardization of a new cryptographic system has now been released by NIST, the world’s leading standards organization.

Advancements in Global Government Investment

According to U.S. National Security Advisor Jake Sullivan, “… advancements in science and technology are poised to define the geopolitical landscape of the 21st century … Preserving our edge in science and technology is not a ‘domestic issue’ or ‘national security’ issue. It’s both.” This sentiment has been reflected by government officials all over the world. As quantum technology has advanced from the lab to the marketplace, the need to fund quantum research and commercialization, while also fortifying critical systems and data to withstand future cyberattacks from a quantum computer, has become even more stark.

The World Economic Forum estimates that governments have invested over $40 billion USD in quantum technologies as of January 2024, with over $15 billion invested by China alone. 2023 was the first year where government funding outpaced private funding in a sign that governments increasingly view quantum as an integral piece of international competitiveness from both an industrial and a military policy perspective.

The global race to lead in quantum technologies is very much ongoing. According to Sullivan, the U.S. must “… ensure that emerging technologies work for, not against, our democracies and security.” The NIST announcement is further proof that the time for governments and companies to invest in quantum solutions is now.

Advancements in U.S. Government Policy

As NIST’s initial PQC algorithm competition advanced, a myriad of U.S. government actions have been released with the goal of protecting government data and cybersecurity systems vis-à-vis fault-tolerant quantum computers:

In May of 2022, President Biden issued the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (NSM-10).
The Quantum Computing Cybersecurity Preparedness Act was signed into law in December of 2022. The Act acknowledges the threat to encryption posed by fault-tolerant quantum computers and seeks to mitigate that threat by strengthening U.S. government agency systems and instructing the Office of Management and Budget to issue further guidance one year after NIST issues its PQC standards (which imputes a deadline of August 13, 2025).
A key piece of legislation, the National Quantum Initiative Act (NQIA) enacted by Congress in December 2018, authorized over $1.2 billion to support quantum research and development. The NQIA expired on September 30, 2023, and while the NQIA Reauthorization was unanimously reported out of the House Committee on Science, Space, and Technology earlier this year, it is currently awaiting a vote in the House of Representatives and would then need to be taken up by the Senate.

While government investment does not directly equate to the regulation of quantum, it is clear that the NQIA and other government funding sources have and will continue to influence the behavior of companies in the quantum ecosystem. Government strategies and funding schemes often function as soft-law regulations that serve the purpose of signaling government priorities and guiding private investment, research initiatives, workforce development, and diplomatic decisions across the globe.

Quantum, like many emerging technologies, sits at the crossroads of technology and international relations, and the funding and scaling of quantum businesses will likely be heavily affected by geopolitics and government strategies over the coming decade.

PQC Milestone: Post-Standardization Begins

NIST’s standardization announcement on Aug. 13 marks the start of a new era, one of planning and implementation. Specifically, this milestone is critical to federal agencies and agency partners who are mandated under NSM-10 to transition to quantum-resistant cryptography by 2035. According to the mandate, some key post-standardization requirements take effect:

Federal civilian agencies must start regular reporting of timelines and plans to make the transition. Federal partners are also advised to prepare themselves to support PQC as soon as possible after the standardization takes place, according to NSA/CISA.
The Secretary of Commerce will be proposing (within 90 days) a timeline for the deprecation of quantum-vulnerable cryptography standards. The goal will be to move “the maximum number of systems off quantum-vulnerable cryptography” over the next decade.
Heads of agencies operating or maintaining National Security Systems (NSS) must submit (within one year) an initial plan to transition to quantum-resistant cryptography in all NSS.

This is more than a box-checking exercise, as these standards will take on force of law for federal agencies and agency partners who are mandated under NSM-10 to transition to quantum-resistant cryptography by 2035. Additionally, the PQC algorithms are likely to become “market standard” in the private sector and be encompassed in the definition of “adequate cybersecurity measures” in commercial contracts, audits, and due diligence exercises.

Cryptographic Agility and Resilience

The U.S. government’s quantum computing cybersecurity preparedness must remain flexible, reflecting the evolving nature of the technological breakthroughs across the industry as well as the ever-increasing capacities of threat actors who may seek to capitalize upon quantum.

PQC migration is a necessary and critical step toward protecting vulnerable digital systems from powerful quantum computers in the future. The migration to PQC will take years and a hybrid approach that utilizes today’s algorithms, such as RSA, alongside PQC algorithms is prudent to maintain adequate security should any issues arise during the PQC transition. Maintaining this cryptographic agility will be key to ensuring cybersecurity against threats, classical and quantum alike.

To achieve true resilience against quantum attacks, government agencies and private organizations should consider a layered-defense strategy that includes PQC and cybersecurity solutions that leverage quantum mechanics, such as provable quantum entropy for encryption key generation. When combined with PQC algorithms, these quantum-derived technologies can help protect against a far fuller range of threats posed by quantum computers.

The Unfunded Mandate Challenge

According to the OMB report delivered to Congress last month, the total government-wide cost required to perform a migration of prioritized information systems to PQC between 2025 and 2035 will be approximately $7.1 billion in 2024 dollars. This total does not include funding for National Security Systems which was to be estimated separately.

Prior to the standardization, NSM-10 discouraged the procurement of any commercial quantum-resistant cryptographic solutions. Now that the initial standardization is complete, federal agencies will be authorized to procure such solutions. The question then becomes, how will these procurements be funded? It is vital for Congress to reauthorize the NQIA and to fund programs to further commercialize quantum computing while also pulling policy levers such as tax incentives, loan guarantees and strategic investments across U.S. government agencies to procure solutions to identify vulnerabilities and transition to PQC algorithms over the coming decade.

What Next and When?

Beyond the standardization of these initial PQC algorithms, NIST has made further calls for digital signature algorithm candidates, seeking to diversify its algorithms to increase the probability that these solutions will remain secure as the technology continues to develop. It will be several years before these additional signature algorithms are standardized.

While there is no set formula for assessing the risk and timing of the quantum threat, federal agencies and partners can rely on progress in the following three areas as indicators: hardware progression, error correction, and algorithm development. Given where we stand today, the need to complete agency migration to PQC to effectively protect sensitive defense and critical infrastructure systems and information needs to be prioritized, as technological developments could necessitate such quantum secure solutions sooner than 2035.

While exact timelines remain unknown, federal agencies should focus on enhancing cryptographic agility so the U.S. remains resilient against potential quantum computing threats. For the hundreds of cybersecurity partners supporting U.S. government systems, it is important to consider that those who have not yet integrated PQC algorithms to make their offerings quantum-secure should expect to have such offerings listed as vulnerable systems on inventory reports each year until they are compliant, or risk losing their government contracts.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Archives