Federal Government gets serious about post-quantum encryption protection
There is a Chinese proverb that states that the best time to plant a tree was 20 years ago, while the second best time to plant one is right now. Given the quantum arms race going on between the United States and its potential rivals, the same can probably be said about post-quantum computing cybersecurity. And the government is now doing everything it can to get a program in place as quickly as possible.
There have already been mandates, proposals and studies. Earlier this year the White House mandated post-quantum cybersecurity—or PQC—via the National Security Memorandum “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.” And in Congress, the Quantum Computing Cybersecurity Preparedness Act would direct the National Institute of Standards and Technology and the Office of Management and Budget to develop mitigation measures for post-quantum cryptography. Meanwhile, the Department of Homeland Security worked with NIST to develop a roadmap toward better agency protection.
Planning for a safer future is good, but action is better. That is why the federal government awarded a rare Small Business Innovation Research (SBIR) Phase III contract to post-quantum cybersecurity company QuSecure. The sole-source contract, the first and only one issued for PQC, calls for the company to develop an end-to-end solution for post-quantum cybersecurity that can be deployed to federal agencies as quickly as possible.
Nextgov talked with QuSecure Co-Founder and COO Skip Sanzeri about the need for federal cybersecurity protections that can survive in a world where powerful quantum computers can shred today’s most advanced encryption.
Nextgov: Can you first explain what the awarding of a Phase III contract means for post-quantum protections?
Sanzeri: The Phase III award is a mechanism to allow a small technology company to move to the top of the heap and become a prime contractor, in order to supply vital technologies that can be used by the government without the typical bureaucracy or red tape. QuSecure sees this Phase III as an instance where the government recognizes the gravity of the coming situation where quantum computers will crack current encryption.
Nextgov: I am glad you brought up those dangers. One that has been talked about a lot here at NextGov is the fact that foreign governments are attempting to steal government data right now in hopes that they can store it and crack it later when better quantum computers are available. How important is it that we apply quantum resistant protections to government data right now?
Sanzeri: These “store now, decrypt later” attacks are the biggest reason to start upgrading networks and communications to post-quantum cybersecurity. Foreign nation states are stealing data every second of the day. That data is harvested and stored on computers waiting to be decrypted. And quantum computers will [one day] be able to crack that encryption.
For example, if a quantum computer with enough power to crack encryption is developed in five years, data stolen today would still be very valuable if it has 10, 20 or more years of shelf life. And national security secrets, bank account information, and electronic health records may have data security requirements of up to 75 years. Making matters worse, many experts estimate that changing our current encryption across an enterprise or government agency could take as long as 10 years. Adding this to the shelf life of data means that there are 10 more years of exposed data which attackers can weaponize or use against us.
In many cases, we are already behind.
Nextgov: Putting aside the “steal and store” attacks for a moment, how long do you think we have before quantum computers can crack AES-256 or other strong encryption?
Sanzeri: At this point, quantum computers are not strong enough to crack our current encryption. Via an algorithm written by Peter Shor, it was mathematically proven that in order to crack current RSA 2048 encryption, you would need about 4,100 qubits. We are in the 100-qubit era now, but advancing rapidly. Many believe that we will have a powerful enough quantum computer in the next three to five years to crack encryption. Some say it will take longer, but nonetheless most data needs to be protected for 25 years or more. IBM, Google, PsiQuantum, Rigetti, and IonQ all have 1,000 qubit computing roadmaps by 2025.
Nextgov: Not to be a skeptic, but given that quantum computers rely on various different kinds of technologies—some are mechanical, some are electrical—and the fact that their capabilities are constantly expanding, how can you test your protections against that future threat and guarantee federal data protection?
Sanzeri: Very good question. At this point in time, no one has a quantum computer powerful enough to test encryption, and if we wait until we have that quantum computer, it will be too late. The best we can do at this point is to show how current classical cyberattacks can make data and communications vulnerable, then we can show the same classical attacks will not work against quantum resilient communications and data.
Additionally, we must rely on organizations such as NIST, which spent over six years studying algorithms to find algorithm candidates that would withstand quantum computing attacks. Fundamentally, those algorithms have changed to be very complex, such as latticed-based infrastructures that mathematically can withstand quantum attacks. But that’s the best that anybody can do at this time.
Nextgov: Okay, so how long will it be before anti-quantum protection is widely available for deployment across the federal government?
Sanzeri: Even with rapid availability, it will still take years to deploy post-quantum cybersecurity across vast government networks—so that is the entire reason to start early. Once decisions are made, scalability and adoption will happen very quickly.
We’re hoping that the federal government continues its rapid ascent towards a post-quantum world so that our nation’s most important data is protected. Our national security depends on it.
- Cyber security for SMEs: Don’t put yourself at risk
- Redefining cyber security with Zero Trust Network Access
- Addressing communication challenges in cyber security for business
- Bulletproof your business: The ultimate SME cyber security checklist
- CyberHive Connect 2.0 – Revolutionising network discovery and configuration
Get in touch
If you have a question or would like some more information, contact us today.