A White House official said Tuesday it’s critical that Federal agencies start testing quantum-resistant cryptographic algorithms on their IT systems today to ensure critical networks aren’t accidentally shut down when the time comes to transition systems to post-quantum cryptography.
Nick Polk, a senior advisor to Federal Chief Information Security Officer Chris DeRusha, said during the GDIT Emerge: Quantum event in Arlington, Va., on Dec. 5 that the White House is strongly encouraging agencies to begin testing the cryptography in production environments.
“Now that we know where this cryptography is, we need to start to map out all the dependencies and ensure that when we do start to flip switches that everything [works],” Polk said. “We can’t be in a situation where we accidentally shut down big parts of the network because we needed to migrate this encryption key that happens to have a dependency that we didn’t know about. So, a big part of that is going to be testing this cryptography in production environments.”
The push to move to post-quantum cryptography follows President Biden’s 2022 National Security Memorandum calling for the Federal government to leverage its resources to help all U.S. digital systems migrate to quantum-resilient cybersecurity standards by 2035.
The Office of Management and Budget released a memo in November 2022 to inform agencies of the forthcoming requirement to transition to quantum-resistant systems. This memo includes marching orders to begin testing post-quantum cryptography in production environments.
In February of this year, the White House’s Office of the National Cyber Director released specific guidance for government entities to submit prioritized inventories of cryptographic systems to the administration by May 4, 2023.
It is unclear whether or not all agencies met this deadline earlier this year, but Polk said that agencies have been working closely with the Cybersecurity and Infrastructure Security Agency (CISA) on this “difficult task.”
“The memo is the easy part, but the actual migration has proven to be, of course, as we anticipated, definitely one of those devils in the details type situations,” Polk said. “The Office of the National Cyber Director collected the first inventory and funding estimates from the agencies this past May, and we have been working closely with CISA and some other folks to parse through that and really help the agencies work towards a very defensible inventory and especially very standardized funding estimates.”
“The inventory has been definitely a difficult task for all agencies. We anticipated this because encryption is everywhere – public key cryptography has hidden everything,” the White House official added.
Although the availability of quantum computing is still “five, 10, 15 years” away, according to Polk, the government needs to work to protect its citizens’ data today.
“We hear a lot, ‘Well, why are we doing this if it’s still theoretical,’ but … encryption is really critical right now. We just can’t really afford to have unencrypted data that’s sensitive on our networks, because we know we have adversaries that will get it,” Polk said. “It’s really important to think about the fact that when a quantum computer does become operational, you have to think through what’s going to happen the next day, and really, that’s what we tried to point out.”