Post-Quantum Cryptography Initiative

CISA’s Post-Quantum Cryptography (PQC) Initiative will work with interagency and industry partners to mitigate quantum computing threats and assist critical infrastructure and government network operators during the cryptography transition.

Digital communications are what allow critical infrastructure systems to transfer data. Cryptographic methods verify the source and protect transmitted and stored data, safeguarding data in transit. Certain frequently used encryption techniques are becoming more vulnerable as quantum computing develops over the next decade. This memorandum describes the policies and projects of my administration concerning quantum computing.

Overview

Private corporations and nation-states are aggressively seeking quantum computing capabilities. Quantum computing offers exciting new possibilities, but it threatens the cryptographic standards that protect data confidentiality and integrity and network security. Quantum computing technology capable of breaking the public key encryption algorithms in current standards is not yet available, but government and critical infrastructure entities (both public and private) must cooperate to prepare for a new post-quantum cryptographic standard to defend against future threats.

Secretary of Homeland Security Alejandro N. Mayorkas emphasised post-quantum encryption in his March 2021 cybersecurity resiliency vision. In National Security Memorandum 10, the U.S. government outlined its goals to maintain its quantum information science (QIS) competitive edge and reduce quantum computing risks to cyber, economic, and national security.

Now, the government and critical infrastructure corporations must coordinate preparatory steps to ensure a seamless transition to NIST’s 2024 post-quantum encryption standard.

CISA Approach

Since July 6, CISA has coordinated and advanced agency quantum computing programs under the Post-Quantum Cryptography (PQC) Initiative. The new CISA program leverages DHS and NIST initiatives to help government network owners and operators transition to post-quantum cryptography, working with interagency and industry partners.

CISA’s PQC Initiative will oversee four key areas:

  1. Evaluate risk across the 55 National Critical Functions (NCFs) to determine vulnerability throughout U.S. critical infrastructure. Through this comprehensive assessment of priority NCFs, CISA will identify where post-quantum cryptography transition work is underway, where risk is high, and where federal assistance may be required.
  2. Planning: Plan where CISA and its partners should concentrate resources and interaction with owners and operators in both public and commercial sectors.
  3. Policies and Standards: Work with partners to improve the security of the Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) entities; critical infrastructure; and the fundamental technology supporting all of these entities.
  4. Once standards are in use throughout the FCEB, SLTT, and critical infrastructure sectors, engage stakeholders to create mitigation strategies and promote their application. Create technology tools to assist in these endeavours.

Post-Quantum Cryptography and Critical Infrastructure

Data transmission in critical infrastructure systems depends on digital communications. Encryption built into the devices and systems protects the data from unauthorised access and espionage, securing it in transit. Over the coming decade, quantum computing poses a growing danger to certain widely used encryption techniques.

The DHS and NIST Post-Quantum Cryptography Roadmap identifies and inventories susceptible critical infrastructure systems in the 55 National Critical Functions. For CISA, the RAND Corporation examined all 55 NCFs and uncovered quantum computing hazards, which helps in understanding these threats to critical infrastructure systems.

The RAND research identified four NCFs as particularly important for effective migration because they affect all others:

  • Share conversations, information, and Internet-based materials.
  • Offer related trust support services together with identity management.
  • Offer IT goods and services.
  • Protect sensitive information.

Stakeholders across all NCFs will need to apply the goods and services these four NCFs create in order to enable further upgrades to take place.

To guarantee their readiness not only to migrate themselves but also to help the migration of digital communications across other NCFs, CISA advises those in charge of these NCFs to collaborate closely with NIST, DHS, and other government agencies.

General Recommendations on Post-Quantum Cryptography

Although NIST does not intend to release a standard for use by commercial devices until 2024, companies can start getting ready for the change by following the DHS Post-Quantum Cryptography Roadmap:

  • Inventorying your company's systems for devices that use public-key cryptography.
  • Inventorying and classifying organisational data, and determining its lifetime.
  • Testing the new post-quantum cryptography standard in a lab setting; organisations should wait until the official release to apply the new standard in a production context.
  • Developing a strategy for transitioning your company's systems to the new cryptographic standard, comprising:
      1. Performing an interdependence analysis to identify problems that influence the sequence of systems transition.
      2. Decommissioning outdated technologies that would become useless with the release of the new standard.
      3. Ensuring validation and testing of goods that include the new standard.
  • Developing post-quantum cryptography acquisition rules. This procedure should consist of:
      1. Defining new service standards for the transition.
      2. Interviewing suppliers to find the required basic technologies and to ascertain feasible integration into your company's roadmap.
  • Notifying your company's suppliers and IT departments about the forthcoming change.
  • Teaching your company's staff about the approaching change and offering any relevant training.
