The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have published new guidance to encourage organizations to begin early planning for post-quantum cryptography migration.
Titled Quantum-Readiness: Migration to Post-Quantum Cryptography (PDF), the document details the impact of quantum capabilities and urges organizations – especially those in critical infrastructure – to create quantum-readiness roadmaps, conduct inventories, assess risks, and start engaging with vendors.
Following a White House memo and a CISA alert on quantum computing risks, the new guidance comes in anticipation of NIST’s post-quantum cryptographic (PQC) standards, expected to be released in 2024.
“Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation,” the guidance reads.
According to the document, existing cryptographic products, protocols, and services, which rely on public key algorithms, will likely be updated or replaced to become quantum-resistant and protect against future threats.
CISA, NSA, and NIST encourage organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to implement measures to reduce the risks posed by a ‘cryptanalytically-relevant quantum computer’ (CRQC).
“While the PQC standards are currently in development, the authoring agencies encourage organizations to create a quantum-readiness roadmap by first establishing a project management team to plan and scope the organization’s migration to PQC,” the document reads.
Quantum-readiness project teams, the guidance notes, should assess an organization’s reliance on quantum-vulnerable cryptography, such as those performing operations related to digital signatures, including software and firmware updates, and then begin the quantum risk assessment processes and vendor engagement.
“Organizations are often unaware of the breadth of application and functional dependencies on public-key cryptography that exist within the products, applications, and services widely deployed within their operational environments, leading to a lack of visibility. The project team should lead the creation of such an inventory,” CISA, NSA, and NIST note.
The three agencies encourage manufacturers and vendors of products that use quantum-vulnerable cryptography to review the NIST-published draft PQC standards and prepare themselves to support PQC as soon as the standards are finalized.
Related: IBM Delivers Roadmap for Transition to Quantum-safe Cryptography
Related: News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
