CISA Urges Critical Infrastructure to Prepare for Post-Quantum Cryptography

The US Cybersecurity and Infrastructure Security Agency (CISA) has outlined the steps that critical infrastructure organizations should take to prepare for the migration to the new post-quantum cryptographic standard.

The National Institute of Standards and Technology (NIST) is expected to publish the standard in 2024, but CISA urges stakeholders to prepare in advance, citing potential risks from quantum computing to the entire critical infrastructure.

Quantum computers use qubits, or ‘quantum bits’, to deliver higher computing power and speed in certain scenarios, including solving mathematical problems that the current encryption standards rely on.

As such, quantum computing is expected to become a threat to current cryptographic standards, which support network security and also ensure data confidentiality and integrity.

“In the hands of adversaries, sophisticated quantum computers could threaten U.S. national security if we do not begin to prepare now for the new post-quantum cryptographic standard,” CISA says.

Quantum computers are expected to break public key cryptography (also known as asymmetric encryption, a fundamental element of data encryption in all secure communication, including online banking), impacting the security of business transactions, digital signatures, and customer data.

Symmetric key cryptography, which relies on a single key for data protection, is expected to be less affected by quantum computers, provided that longer key sizes are adopted; it would not need to migrate to quantum-resistant algorithms.

“While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats,” CISA says.

Creating an inventory of vulnerable critical infrastructure systems is a first step that should be taken as part of the Post-Quantum Cryptography Roadmap that the Department of Homeland Security (DHS) and NIST have developed, the agency says.

After analyzing the 55 National Critical Functions (NCFs), CISA has identified vulnerabilities that need to be addressed for a successful migration to post-quantum cryptography, and has outlined steps that should be taken towards mitigating them.

CISA says there are several NCFs that will support the migration to post-quantum cryptography across critical infrastructure, thus mitigating the risk posed by quantum computing: internet-based services, identity management services, information technology services, and protection of sensitive information.

According to CISA, a major challenge will be the migration of industrial control systems (ICSs) to post-quantum cryptography, mainly because of the associated costs and because the equipment is often geographically dispersed. Nonetheless, organizations should prepare for this migration by including in their strategies the actions needed to address risks from quantum computing capabilities.

CISA also warns of the unique quantum challenges faced by NCFs that depend on long-term data confidentiality, including “catch-and-exploit campaigns in which adversaries capture data that has been encrypted using current encryption algorithms and hold on to such data with the intention of decrypting it when a quantum computer capable of breaking the encryption is available.”

Organizations in this category include those responsible for the security of the nation’s sensitive data, industrial trade secrets, personally identifiable information (PII), personal health information (PHI), and sensitive justice system information.

“Although NIST will not publish the new post-quantum cryptographic standard until 2024, CISA urges leaders to start preparing for the migration now by following the Post-Quantum Cryptography Roadmap. Do not wait until the quantum computers are in use by our adversaries to act. Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available,” CISA notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
