INDUSTRY PERSPECTIVE EMERGING TECHNOLOGIES
‘Unentangling’ the Quantum Security Executive Order
A White House executive order issued Jan. 19, “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” outlines several near-term security directives.
Both classical and quantum computing advances are the root of these mandates. The memo pushes nation-state quantum needs to the forefront, with action due dates coming in the very near-term. Leaders need to adapt their security choices as quantum technology is implemented.
In simple terms, the executive order states that government agencies should no longer use unsupported encryption and must move to a zero trust architecture, making room for quantum resilient cryptography and post-quantum communications. This is important since quantum computing is already a threat to national security. National data is currently being stolen and stored with the intention of decrypting it as soon as these powerful quantum computers come on-line.
At first blush, the take-away from this memo is hard to discern. But reviewing an earlier May 2021 White House memo, “Executive Order on Improving the Nation’s Cybersecurity,” helps to clear things up. The 11 sections of that executive order do not mention quantum threats, but behind the scenes they forecast quantum computing threats. On pages 4, 5 and 18 of the May executive order, high-level government zero trust architecture safety goals are defined, without announcing anything quantum related.
Fast-forward to the January memo and notice page 3 ties the May 2021 zero trust architecture requirement with quantum modernization needs. There is an understated directive to counter quantum computing advances.
The January White House Memo states, “…revise cryptographic equipment modernization, quantum resistant protocols and planning for use of quantum resistant cryptography as necessary.” An important next step is discerning when quantum computing can decrypt stolen data. Estimates are as soon as three years.
So, a modernization plan must account for advances in quantum computing across government systems. Zero trust architecture will prove important in battling the post-quantum computing threat because this it enforces user access at the correct level to accomplish the mission.
This architecture also makes room to contain the damage done to national data if a device/user is compromised. Leaders know data breaches are inevitable — or have already occurred — so this zero trust architecture coordinates system security within this dynamic environment.
We must make plans with these imminent quantum advances in mind. Government leaders are balancing near-term needs, current classical computing threats, fiscal year budget restraints, global U.S. interests and daily government operations, all while recognizing this technological change is coming soon.
The January memo puts these changes on the calendar and by March 19 national leaders should have outlined a modernization plan tying quantum resilient protocols and quantum resistant cryptography with critical zero-trust updates.
Leaders are currently collecting technical advice on how to best prepare for these advanced cyber changes. How they lay the foundations of zero trust with quantum resiliency in place for our nation is no easy task.
This framework is critical for helping prevent dynamic threats from gaining full access to valuable national data. Using postquantum protocols and quantum resilient cryptography offers a way of maintaining bandwidth and latency.
The national, commercial and personal security depend on getting this right. Fundamentally, this next security framework must work on existing systems — backwards compatibility — but carry protection against quantum computing systems. Securing U.S. government public keys is critically important for the nation’s banking, commerce, contracting, infrastructure and logistics.
For example, public keys using asymmetric protocols are easy entry points and vulnerable to current as well as upcoming quantum computing.
Technically minded observers may be skeptical. The bookends of skepticism are either “it’s too late” or “this is too early.” Some argue, it’s too late since our already stolen data will be decrypted by adversaries. Others argue, this requirement is too early, and today’s existing technical encryptions are advanced enough. Both perspectives can be argued and should be weighed technically for correct decision making.
However, both risk missing what these memos put in motion, as we will have to take action soon.
We’ve covered the critical points unraveling —or unentangling…pardon the quantum pun — the quantum aspects of the recent January White House memo. Unentangling in quantum work means previous coherent particles are now decoherent. The 2022 memo along with the May 2021 memo are worthwhile reading. Both memos define “thou shall not” or “thou shall” inputs for senior governmental policymakers, management and budgetary leaders.
What can organizations do in the near-term? It’s worthwhile to know the software environment, including operating systems, languages, special libraries and communications protocols. Knowing this environment highlights any public symmetric key vulnerabilities, and this is a good place to begin searching for them.
This will help make room for zero trust architecture and post-quantum protocols and realize the benefits of quantum resilient cryptography as bandwidth/latency trade-offs become apparent.
National data, information exchange and cybersecurity are solid foundations we must shepherd. These governmental memos offer a path to guide steps, as rapid breakthroughs in quantum computing take place almost daily. Exciting times are just ahead.
Pete Ford is senior vice president of federal operations at QuSecure Inc.
Topics: Emerging Technologies