US Government Publishes Guidance on Migrating to Post-Quantum Cryptography
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have recently released new guidance aimed at encouraging organizations to begin planning for the migration to post-quantum cryptography. The guidance, titled “Quantum-Readiness: Migration to Post-Quantum Cryptography,” highlights the impact of quantum capabilities and emphasizes the need for organizations, particularly those in critical infrastructure, to develop quantum-readiness roadmaps and engage with vendors to ensure the security of their cryptographic systems in the face of future quantum threats.
Preparing for the Post-Quantum Cryptography Era
The release of this guidance follows a White House memo and a previous CISA alert on the risks posed by quantum computing. The document stresses the importance of early planning, as cyber threat actors may be targeting data today that will still require protection in the future. It highlights the risk of a “catch now, break later” operation, where adversaries collect encrypted data today and decrypt it once they have access to a cryptanalytically-relevant quantum computer (CRQC).
The guidance emphasizes the need for organizations to update or replace existing cryptographic products, protocols, and services that rely on vulnerable public key algorithms. It calls for the adoption of quantum-resistant algorithms to ensure future security. The document anticipates the release of NIST’s post-quantum cryptographic (PQC) standards in 2024 and urges organizations to proactively prepare for migration to products that adhere to these standards.
Creating Quantum-Readiness Roadmaps
The guidance advises organizations to establish quantum-readiness project teams to assess their reliance on quantum-vulnerable cryptography and identify areas that require migration to post-quantum cryptographic solutions. This includes operations related to digital signatures, software and firmware updates, and other applications and services that make use of public key cryptography.
Organizations often lack visibility into how extensively they rely on public key cryptography within their operational environments. The guidance emphasizes the importance of creating comprehensive inventories to better understand which applications use public key cryptography and which functions depend on it within the organization.
The guidance also calls upon manufacturers and vendors of products that use quantum-vulnerable cryptography to review NIST’s draft PQC standards and prepare to support them once they are finalized.
Editorial: Protecting Against Future Threats
The publication of this guidance by CISA, NSA, and NIST is a commendable step toward ensuring the long-term security of cryptographic systems in the face of evolving threats posed by quantum computing. As quantum computers continue to advance in capability, the encryption algorithms that currently secure our data will become vulnerable, because these powerful machines will be able to break them swiftly.
By urging organizations to develop quantum-readiness roadmaps and engage with vendors to adopt post-quantum cryptographic solutions, the US government is taking a proactive approach to address a critical cybersecurity challenge. This guidance provides organizations, particularly those in critical infrastructure sectors, with a framework to prepare for the migration to quantum-resistant cryptographic algorithms that will protect their data in the post-quantum era.
However, it is worth noting that the shift to post-quantum cryptography carries its own challenges. The development and standardization of new cryptographic algorithms will take time, and organizations will need to carefully assess the compatibility and efficiency of these new solutions within their existing infrastructure. Additionally, the adoption of post-quantum cryptography will require significant computational resources, which may pose financial and operational challenges for some organizations.
Advice: Embracing Quantum-Readiness
Given the potential impact of quantum computing on the security of today’s cryptographic systems, organizations should not delay in taking steps to prepare for a post-quantum future. The guidance provided by CISA, NSA, and NIST offers a solid starting point for organizations to create quantum-readiness roadmaps and engage with vendors.
Organizations should begin by establishing a project management team responsible for assessing their reliance on quantum-vulnerable cryptography. This team should conduct a comprehensive inventory of applications and services that rely on public key algorithms and identify areas that require migration to post-quantum cryptographic solutions.
The team should closely monitor the development and standardization of post-quantum cryptographic algorithms by NIST and engage with vendors to ensure their solutions align with the PQC standards once they are finalized. Organizations should also allocate resources to test and validate the compatibility and efficiency of post-quantum cryptographic solutions within their existing infrastructure.
While the migration to post-quantum cryptography presents challenges, the importance of protecting sensitive data against the future threat of quantum computing cannot be overstated. The work done by CISA, NSA, and NIST to provide guidance and foster awareness around this issue is a crucial step in safeguarding our digital infrastructure.