Industry Perspective: ‘Untangling’ the Quantum Security Executive Order
A White House executive order issued Jan. 19, “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” outlines several short-term security guidelines.
Both classical and quantum computing advances are at the root of these mandates. The memo pushes the quantum needs of the nation-state to the fore, with deadlines for action coming at very short notice. Leaders must adjust their security choices as quantum technology is implemented.
In simple terms, the executive order states that government agencies should no longer be allowed to use unsupported encryption and should move to a zero trust architecture, making room for quantum-resistant cryptography and post-quantum communications. This is important because quantum computing already poses a threat to national security. Currently, national data is being stolen and stored with the intention of decrypting it once these powerful quantum computers come online.
At first glance, the takeaway of this memo is hard to discern. But revisiting an earlier White House memo from May 2021, “Executive Order on Improving the Nation’s Cybersecurity,” helps clear things up. The 11 sections of that order make no mention of quantum threats, but behind the scenes they anticipate quantum computer threats. Pages 4, 5 and 18 of the May executive order define at a high level the government’s security goals in the field of zero trust architecture, without announcing anything quantum related.
Fast forward to the January memo and on page 3, a link is made between the zero trust architecture requirement of May 2021 and the quantum modernization needs. There is a restrained guideline to counter advances in quantum computing.
The January White House memo states, “…review cryptographic equipment modernization, quantum-resistant protocols, and planning for the use of quantum-resistant cryptography as needed.” An important next step is determining when quantum computing can decrypt stolen data. Estimates are as short as three years.
A modernization plan must therefore take into account the advances in quantum computing in government systems. Zero trust architecture will prove important in the fight against the post-quantum computing threat as it enforces user access at the appropriate level to accomplish the mission.
This architecture also allows for mitigating damage to national data if a device/user is compromised. Leaders know that data breaches are inevitable – or have already occurred – so this zero trust architecture coordinates system security within this dynamic environment.
We must plan with this imminent quantum advance in mind. Government leaders are balancing short-term needs, current classic computer threats, fiscal year budget constraints, global U.S. interests and day-to-day government activity, all while recognizing that this technological change is coming soon.
The January memo puts these changes on the calendar, and by March 19 national leaders should have mapped out a modernization plan that couples quantum-proof protocols and quantum-proof cryptography with critical zero-trust updates.
Leaders are currently gathering technical advice on how best to prepare for these advanced cyber changes. Laying the groundwork for zero trust with quantum resilience for our nation is not an easy task.
This framework is critical to prevent dynamic threats from gaining full access to valuable national data. Using post-quantum protocols and quantum-resistant cryptography provides a way to conserve bandwidth and latency.
National, commercial and personal security depend on getting this right. Fundamentally, this next security framework should work on existing systems – backwards compatibility – but protect against quantum computing systems. Securing U.S. government public keys is critical to the nation’s banking, commerce, contracts, infrastructure and logistics.
For example, public keys that use asymmetric protocols are easy access points and vulnerable to both current and future quantum computers.
Technically minded observers can be skeptical. The bookends of skepticism are either “it’s too late” or “this is too early”. Some argue that it is too late, as our already stolen data will be decrypted by adversaries. Others argue that this requirement is too early and that current technical encryptions are advanced enough. Both perspectives can be argued and must be technically balanced for proper decision-making.
However, both risk missing out on what these memos set in motion as we need to act soon.
We’ve discussed the critical points that unravel — or untangle…pardon the quantum pun — the quantum aspects of the recent White House memo from January. Untangling in quantum work means that earlier coherent particles are now decoherent. The 2022 memo and the May 2021 memo are worth reading. Both memos define “thou shalt not” or “thou shalt” input for senior government policymakers, management and budget leaders.
What can organizations do in the short term? It is worth knowing the software environment, including operating systems, languages, special libraries and communication protocols. Knowing this environment will expose any public symmetric key vulnerabilities, and this is a good place to look for them.
This will help make room for a zero trust architecture and post-quantum protocols and realize the benefits of quantum-resilient cryptography as the trade-offs between bandwidth and latency become apparent.
National data, information sharing and cybersecurity are solid foundations that we must cherish. These government memos provide a path to guide steps as rapid breakthroughs in quantum computing happen almost daily. Exciting times are ahead.
Pete Ford is Senior Vice President Federal Operations at QuSecure Inc.