The Cybersecurity and Infrastructure Security Agency (CISA) has released a new guideline aimed at preparing critical infrastructure operators in the United States for the cybersecurity risks that quantum computing poses and for the migration to post-quantum cryptography.
Quantum computers cannot currently break the modern cryptography used in critical infrastructure, but CISA said the likelihood of that happening will grow as more quantum technology becomes readily available.
“When quantum computers reach higher levels of computing power and speed, they will be capable of breaking public key cryptography, threatening the security of business transactions, secure communications, digital signatures, and customer information,” the agency’s guideline says.
CISA said that critical infrastructure operators – especially those that provide any of 55 National Critical Functions (NCFs) designed by the agency – should start following CISA’s post-quantum cryptography initiative webpage and roadmap now to begin addressing risks within their organizations.
The guideline offers three NCF-related areas that the government and private sector should prioritize going forward:
- Several NCFs will enable the migration of most other functions to post-quantum cryptography. Success in providing this support will mitigate much of the risk for most users;
- The dependence on industrial control systems (ICSs) is an area of concentrated vulnerability because of the long replacement life cycle of ICS hardware and wide geographic distribution of equipment; and
- NCFs with especially long secrecy lifetimes will require significant support to ensure that the nation’s most sensitive data remains fully secured.
Looking ahead, CISA said that NIST won’t be publishing a new post-quantum crypto standard until 2024, but the agency said it is “still urging industry leaders to begin shifting towards a post quantum cryptography mindset to prepare for a smooth migration.”