News, news analysis, and commentary on the latest trends in cybersecurity technology.

Why the US Needs Quantum-Safe Cryptography Deployed Now

Quantum computers might be a decade away, but guess how long it will take to switch systems over to post-quantum cryptography?

4 Min Read
Illustration of a lock icon in a quantum stream
Source: sakkmesterke via Alamy Stock Photo

While it's not easy to predict the next breakthrough, most experts estimate quantum computers with tens of thousands of qubits that can crack current encryption will be developed by the mid-2030s.

The challenge is not solely technical, and coordination across government and industry will be required to implement and deploy solutions. Aware of the impending threat, the US government is setting plans in motion. Last year the National Institute of Standards and Technology (NIST) announced four quantum-resistant cryptographic (PQC) algorithms it will develop into standards by 2024. The National Security Agency (NSA) set a 2035 deadline for national security systems to implement PQC. And late last year Congress passed the Quantum Computing Cybersecurity Preparedness Act, which addresses the migration of all other federal government IT systems to PQC along the same timeline as the NSA.

Why the urgency if the so-called "Q-Day" is likely a decade away? First, because US adversaries can record encrypted Internet traffic today, store it indefinitely, and then decrypt it once they have a capable quantum computer, known as harvest now, decrypt later (HNDL) schemes.

Second, the process of cryptographic migration could take more than a decade to complete depending on the size and complexity of an organization and its IT architecture. The Internet has become so complex and dependent on infrastructure from different organizations that one weak link can undo all of the preparation by the others. And that decade lines up with the timeline for quantum computers that can break current cryptography.

Protecting All the Things

The tech industry will update a myriad of security standards to incorporate PQC algorithms to protect their intellectual property and other valuable data assets. Open source software needs to integrate these algorithms and standards. Major operating systems need to incorporate them as well, from Windows to Apple and Android.

Beyond software, we also need hardware chips to implement these algorithms — especially hardware security modules that manage encryption keys in an extremely secure manner.

Devices including smartphones, cars, industrial systems, and network infrastructure will also require upgrading. They all rely on cryptography to securely connect to the Internet and cloud-based control systems. We need to protect the Internet of Things from widespread hacking. These upgrades may be more difficult because they could rely on hardware encryption devices, such as SIM cards in smartphones.

Last, and perhaps most importantly, the public key infrastructure that cryptography currently depends on needs to be upgraded to support PQC algorithms.

Making PQC Happen in the Real World

Cryptography on the Internet works because of trusted third parties known as certificate authorities. Their job is to certify the authenticity of encryption keys. When you visit your bank's website, a certificate authority is vouching for your bank's encryption keys, allowing you to trust them. These authorities need to be upgraded to support PQC as well.

Among the most important use cases is code signing. Every time your computer downloads a software update from the Internet, it verifies a digital signature that guarantees its authenticity and asserts that it hasn't been modified by a hacker. This is extremely important because a malicious software update could effectively take control of your device and its data.

PQC migration will begin with developing a cryptographic inventory that maps all of the cryptography deployed in an organization to identify potential vulnerabilities. A comprehensive cryptographic inventory will also help to create a migration road map and projected costs before analysis, remediation, and management begins.

A hybrid approach to cryptography will also be required for some time, when both old and new encryption keys are simultaneously supported. With that infrastructure in place, enterprisewide upgrades can be implemented. Cryptographic agility will be essential to respond to evolving cybersecurity compliance requirements and threats, without requiring significant infrastructure changes, to ensure organizations maintain mission continuity.

Efforts are already underway to bring visibility and acceleration to PQC adoption. NIST has industry collaborators working with it on a Migration to Post-Quantum Cryptography project. The wireless industry has created a task force exploring standardization. Workshops like Real World PQC are bringing together global stakeholders.

But the entire tech industry needs to move together with urgency to meet a threat that is already present. Regardless of whether Q-Day is five or 50 years away, sensitive data and communications are vulnerable to exposure in the future without immediate, comprehensive action.

About the Author(s)

Charles Clancy

Senior VP and Chief Futurist, MITRE, and General Manager, MITRE Labs

Charles Clancy is a senior vice president at MITRE and heads MITRE Labs. In addition, Clancy serves as MITRE’s Chief Futurist, working to realize a future where emerging technology is democratic, sustainable, and equitable.

Before joining MITRE in 2019 as vice president for intelligence programs, Clancy served as the Bradley Distinguished Professor of Cybersecurity in the Department of Electrical and Computer Engineering at Virginia Tech and executive director of the Hume Center for National Security and Technology. There, he led Virginia Tech's research and experiential learning programs in defense and intelligence. He started his career at the National Security Agency, filling a variety of research and engineering roles, with a focus on wireless communications.

He was named a Fellow of the Institute for Electrical and Electronics Engineers (IEEE) for his work in information security and digital communications and elected a member of the Virginia Academy of Science, Engineering, and Medicine. He has co-authored more than 250 academic publications and patents, as well as six books. He co-founded five venture-backed startup companies that apply commercial innovation to the intersection of telecommunications and national security.

Clancy sits on the AFCEA International Board of Directors' Executive Committee, the AFCEA Intelligence Committee, the Systems Engineering Research Center Advisory Board, the Alliance for Telecommunications Industry Solutions Next G Alliance, and the Center for New American Security Task Force on Artificial Intelligence and National Security. He also serves on academic advisory boards at Howard University, Norfolk State University, North Carolina A&T State University, and Virginia Tech.

Clancy holds a bachelor's degree in computer engineering from the Rose-Hulman Institute of Technology, a master's degree in electrical engineering from the University of Illinois at Urbana-Champaign, and a doctorate in computer science from the University of Maryland, College Park.

Teresa H. Shea

President, Oplnet LLC

Teresa Shea, a recognized leader in intelligence and defense, is president of Oplnet, LLC. She serves on numerous boards and is an advisor with a passion for a safer and more secure nation.

With more than 35 years of public and private experience, Teresa was previously the vice president of Cyber Offense and Defense Experts (CODEX) within Raytheon Intelligence and Space.CODEX is a business focused on providing cyber capabilities for offense, defense, and security initiatives for government and commercial customers.

Teresa served as executive vice president of technology and director of Cyber-Reboot at In-Q-Tel. She joined In-Q-Tel after a distinguished 32-year career with the National Security Agency (NSA). She held several key leadership assignments during her career at NSA, culminating as the director of Signals Intelligence. In this position, she was the principal signals intelligence (SIGINT) advisor to the directors of NSA, the Director of National Intelligence (DNI), countless US military officers, and US government high-ranking officials.

Teresa is recognized within the community as a trusted partner and a mission-focused, creative leader. She received numerous awards during her career, including the President's Distinguished Rank Award from Presidents George W. Bush and Barack Obama; the National Intelligence Distinguished Service Medal awarded by the Honorable James R. Clapper, Director of National Intelligence; the Central Intelligence Agency's Donovan Award; and the Department of Defense Medal for Distinguished Civilian Service by Secretary of Defense Ash Carter.

Teresa holds a bachelor's of science in electrical engineering from Georgia Tech and a master's of science in electrical engineering from John Hopkins University. She currently serves on the Army Intelligence Board, NSA Advisory committee, GA Tech Board, and CIGENT Board of Directors, and is a strategic advisor for Forgepoint Capital and SandboxAQ.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights