While there are no quantum computers now in operation that threaten current security levels, Federal officials warned on Wednesday that agencies must act now to prepare for when that day comes – because there will be “no safety net” to fall back on.
At the IBM Think Leadership Exchange in Washington, D.C., experts explained that quantum computing will soon be able to break many common forms of encryption, posing a significant cybersecurity threat. Therefore, they said agencies need to begin their transition to post-quantum cryptography (PQC) algorithms as soon as possible.
“When we think about the coming of quantum computing being able to break encryption schemes, we need to be ready for that,” said Michael Hayduk, the deputy director of the Air Force Research Laboratory’s Information Directorate.
“So, even though we don’t have a cryptographically relevant quantum computer right now, the hardware is progressing very fast. It’s on this trajectory that we didn’t even see coming a few years ago” or even ten years ago, he emphasized.
Hayduk explained there is a “harvest now, decrypt later” threat in which adversaries are collecting encrypted data now with the goal of decrypting it once quantum technology matures.
This means that even though it could be over 10 years until quantum computers are able to break current forms of encryption, it could be too late to protect your data by that point.
As Ray Harishankar – an IBM Fellow focused on Quantum Safe – put it, “It will be broken, the only question is when.”
To help agencies prepare, the National Institute of Standards and Technology (NIST) unveiled its first set of three encryption algorithms earlier this year designed to withstand cyberattacks from a quantum computer. After nearly a decade of research, the algorithms are ready for immediate use by system administrators.
The White House has established the year 2035 as the primary target for completing the migration to PQC across Federal agencies. However, NIST acknowledged that migration timelines may vary based on the specific use case or application.
Gary Jones, the associate chief of strategic technology at the Cybersecurity and Infrastructure Security Agency (CISA), said that his team is “starting to get our senior leaders aware of this” so that they’re ready for 2035.
“Get the senior leadership educated on what they can do now … tell them, ‘Hey, there’s a harvest now, decrypt later [threat]. So, they’re actually taking the data, and we will have bigger problems later as we move on,’” Jones advised. “Getting solutions in and starting to get them educated on what we need to do now is one of the biggest areas.”
Jones shared a timeline of PQC migration activities at CISA, noting that while 2035 is the White House’s target, CISA is setting its internal target for 2030.
“Everything is going towards 2035. We at CISA … we know how fast the government works, so we said 2030 was our date, and then we were going to give some slack time of five years to give some implementation,” Jones said. “So, 2030, was pretty much our cut-off.”
As for the U.S. Customs and Border Protection (CBP), one official said the agency started its PQC journey “a couple of years back.”
“We started because we realized that with potential ‘Q day,’ when we get a quantum computer that can actually break those codes … all of a sudden, now we are in deep trouble,” said Edward Mays, the deputy assistant commissioner of infrastructure and support services and chief enterprise infrastructure officer at CBP.
“For some agencies, the ‘harvest now, decrypt later’ is really important. But I think for me, it’s not just that. It’s continual, and this is also a part of zero trust from our perspective,” Mays said. “A lot of those things that we’re doing from the respect of zero trust are really important … [but] if they go wrong, there’s a fallback position. If this goes wrong, there is no safety net.”
