Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

US Gov Issues Security Memo on Quantum Computing Risks

National security memo warns that quantum computing could jeopardize civilian and military communications, and defeat security protocols for most Internet-based financial transactions

National security memo warns that quantum computing could jeopardize civilian and military communications, and defeat security protocols for most Internet-based financial transactions

The U.S. government is barreling ahead with plans to mitigate future threats from quantum computing with a new White House memo directing federal agencies to jumpstart an all-hands-on-deck approach to migrating to quantum-resistant technologies.

The security memo, released alongside a plan to promote U.S. leadership in quantum computing,  directs specific actions for agencies to take during what is being described as a laborious, multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography.  

“Research shows that at some point in the not-too-distant future, when quantum computers reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications on the Internet,” the government warned.

Noting that quantum computing poses “significant risks to the economic and national security of the United States,” the White House cautioned that a quantum computer of sufficient size and sophistication “will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.”

[ READ: OpenSSH Moves to Prevent ‘Capture Now, Decrypt Later’ Attacks ]

“When it becomes available, [this] could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions,” the White House noted.

To kick start the process, the government said the National Security Agency (NSA) and National Institute of Standards and Technology (NIST) will develop and publish new quantum-resistant cryptographic standards that can protect against these future attacks.

Advertisement. Scroll to continue reading.

The first sets of these standards are expected to be released publicly by 2024.   

Once these are in place, the White House said a “whole-of-government and whole‑of‑society strategy” would be necessary to mitigate as much of the quantum risk as is feasible by 2035.

[ READ: Quantum Computing Is for Tomorrow, But Quantum Risk Here Today ]

“Central to this migration effort will be an emphasis on cryptographic agility, both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards.  This effort is imperative across all sectors of the United States economy, from government to critical infrastructure, commercial services to cloud providers, and everywhere else that vulnerable public-key cryptography is used,” the government said.

The memo outlines deadlines and plans for multi-agency coordination of a quantum migration plan and comes as open-source tools are now being fitted with new features to prevent “capture now, decrypt later” attacks linked to advancements in quantum computing.

According to notes published alongside the release of OpenSSH 9.0, the open-source group is now using the hybrid Streamlined NTRU Prime + x25519 key exchange method by default, a move that includes a backstop against future discoveries of flaws in the NTRU algorithm.

“The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo,” OpenSSH explained.

“We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent “capture now, decrypt later” attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available,” it added.

Related: OpenSSH Moves to Prevent ‘Capture Now, Decrypt Later’ Attacks

Related: The Promise and Threat of Quantum Computing

Related: Quantum Computing’s Threat to Public-key Cryptosystems

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...