‘Unentangling’ the Quantum Security Executive Order

INDUSTRY PERSPECTIVE EMERGING TECHNOLOGIES

‘Unentangling’ the Quantum Security Executive Order

4/13/2022
By Pete Ford

iStock illustration

A White House executive order issued Jan. 19, “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” outlines several near-term security directives.

Both classical and quantum computing advances are the root of these mandates. The memo pushes nation-state quantum needs to the forefront, with action due dates coming in the very near-term. Leaders need to adapt their security choices as quantum technology is implemented.

In simple terms, the executive order states that government agencies should no longer use unsupported encryption and must move to a zero trust architecture, making room for quantum resilient cryptography and post-quantum communications. This is important since quantum computing is already a threat to national security. National data is currently being stolen and stored with the intention of decrypting it as soon as these powerful quantum computers come on-line.

At first blush, the take-away from this memo is hard to discern. But reviewing an earlier May 2021 White House memo, “Executive Order on Improving the Nation’s Cybersecurity,” helps to clear things up. The 11 sections of that executive order do not mention quantum threats, but behind the scenes they forecast quantum computing threats. On pages 4, 5 and 18 of the May executive order, high-level government zero trust architecture safety goals are defined, without announcing anything quantum related.

Fast-forward to the January memo and notice page 3 ties the May 2021 zero trust architecture requirement with quantum modernization needs. There is an understated directive to counter quantum computing advances.

The January White House Memo states, “…revise cryptographic equipment modernization, quantum resistant protocols and planning for use of quantum resistant cryptography as necessary.” An important next step is discerning when quantum computing can decrypt stolen data. Estimates are as soon as three years.

So, a modernization plan must account for advances in quantum computing across government systems. Zero trust architecture will prove important in battling the post-quantum computing threat because this it enforces user access at the correct level to accomplish the mission.

This architecture also makes room to contain the damage done to national data if a device/user is compromised. Leaders know data breaches are inevitable — or have already occurred — so this zero trust architecture coordinates system security within this dynamic environment.

We must make plans with these imminent quantum advances in mind. Government leaders are balancing near-term needs, current classical computing threats, fiscal year budget restraints, global U.S. interests and daily government operations, all while recognizing this technological change is coming soon.

The January memo puts these changes on the calendar and by March 19 national leaders should have outlined a modernization plan tying quantum resilient protocols and quantum resistant cryptography with critical zero-trust updates.

Leaders are currently collecting technical advice on how to best prepare for these advanced cyber changes. How they lay the foundations of zero trust with quantum resiliency in place for our nation is no easy task.

This framework is critical for helping prevent dynamic threats from gaining full access to valuable national data. Using postquantum protocols and quantum resilient cryptography offers a way of maintaining bandwidth and latency.

The national, commercial and personal security depend on getting this right. Fundamentally, this next security framework must work on existing systems — backwards compatibility — but carry protection against quantum computing systems. Securing U.S. government public keys is critically important for the nation’s banking, commerce, contracting, infrastructure and logistics.

For example, public keys using asymmetric protocols are easy entry points and vulnerable to current as well as upcoming quantum computing.

Technically minded observers may be skeptical. The bookends of skepticism are either “it’s too late” or “this is too early.” Some argue, it’s too late since our already stolen data will be decrypted by adversaries. Others argue, this requirement is too early, and today’s existing technical encryptions are advanced enough. Both perspectives can be argued and should be weighed technically for correct decision making.

However, both risk missing what these memos put in motion, as we will have to take action soon.

We’ve covered the critical points unraveling —or unentangling…pardon the quantum pun — the quantum aspects of the recent January White House memo. Unentangling in quantum work means previous coherent particles are now decoherent. The 2022 memo along with the May 2021 memo are worthwhile reading. Both memos define “thou shall not” or “thou shall” inputs for senior governmental policymakers, management and budgetary leaders.

What can organizations do in the near-term? It’s worthwhile to know the software environment, including operating systems, languages, special libraries and communications protocols. Knowing this environment highlights any public symmetric key vulnerabilities, and this is a good place to begin searching for them.

This will help make room for zero trust architecture and post-quantum protocols and realize the benefits of quantum resilient cryptography as bandwidth/latency trade-offs become apparent.

National data, information exchange and cybersecurity are solid foundations we must shepherd. These governmental memos offer a path to guide steps, as rapid breakthroughs in quantum computing take place almost daily. Exciting times are just ahead.

Pete Ford is senior vice president of federal operations at QuSecure Inc.

Topics: Emerging Technologies

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES