Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

US Gov Issues Security Memo on Quantum Computing Risks

National security memo warns that quantum computing could jeopardize civilian and military communications, and defeat security protocols for most Internet-based financial transactions

National security memo warns that quantum computing could jeopardize civilian and military communications, and defeat security protocols for most Internet-based financial transactions

The U.S. government is barreling ahead with plans to mitigate future threats from quantum computing with a new White House memo directing federal agencies to jumpstart an all-hands-on-deck approach to migrating to quantum-resistant technologies.

The security memo, released alongside a plan to promote U.S. leadership in quantum computing,  directs specific actions for agencies to take during what is being described as a laborious, multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography.  

“Research shows that at some point in the not-too-distant future, when quantum computers reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications on the Internet,” the government warned.

Noting that quantum computing poses “significant risks to the economic and national security of the United States,” the White House cautioned that a quantum computer of sufficient size and sophistication “will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.”

[ READ: OpenSSH Moves to Prevent ‘Capture Now, Decrypt Later’ Attacks ]

“When it becomes available, [this] could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions,” the White House noted.

To kick start the process, the government said the National Security Agency (NSA) and National Institute of Standards and Technology (NIST) will develop and publish new quantum-resistant cryptographic standards that can protect against these future attacks.

The first sets of these standards are expected to be released publicly by 2024.   

Once these are in place, the White House said a “whole-of-government and whole‑of‑society strategy” would be necessary to mitigate as much of the quantum risk as is feasible by 2035.

[ READ: Quantum Computing Is for Tomorrow, But Quantum Risk Here Today ]

“Central to this migration effort will be an emphasis on cryptographic agility, both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards.  This effort is imperative across all sectors of the United States economy, from government to critical infrastructure, commercial services to cloud providers, and everywhere else that vulnerable public-key cryptography is used,” the government said.

The memo outlines deadlines and plans for multi-agency coordination of a quantum migration plan and comes as open-source tools are now being fitted with new features to prevent “capture now, decrypt later” attacks linked to advancements in quantum computing.

According to notes published alongside the release of OpenSSH 9.0, the open-source group is now using the hybrid Streamlined NTRU Prime + x25519 key exchange method by default, a move that includes a backstop against future discoveries of flaws in the NTRU algorithm.

“The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo,” OpenSSH explained.

“We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent “capture now, decrypt later” attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available,” it added.

Related: OpenSSH Moves to Prevent ‘Capture Now, Decrypt Later’ Attacks

Related: The Promise and Threat of Quantum Computing

Related: Quantum Computing’s Threat to Public-key Cryptosystems

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...