The Cybersecurity and Infrastructure Security Agency (CISA) published guidelines that critical infrastructure organizations should adopt for a smooth migration to post-quantum cryptography standards. The National Institute of Standards and Technology (NIST) will publish these standards in 2024.
Meanwhile, CISA’s advisory enumerates the potential impact of quantum computing and recommends actions that critical infrastructure and government network operators should take.
CISA made the recommendations after analyzing 55 National Critical Functions (NCFs), their quantum vulnerabilities, and steps to mitigate the security weaknesses to facilitate a smooth transition to post-quantum cryptography.
The DHS and NIST also published a roadmap document with actionable insights for transitioning to the new cryptographic standards. CISA recommends its Preparing Critical Infrastructure for Post-Quantum Cryptography insight document and DHS’ Post-Quantum Cryptography Roadmap.
What is quantum computing and its risks?
Quantum computers are devices with higher computing capabilities recorded up to 158 million times faster than today’s most powerful supercomputers. Their extreme computing capabilities would allow them to solve complex mathematical functions used by modern encryption algorithms.
Experts predict quantum computers will break asymmetric encryption algorithms, such as RSA, that rely on public key exchange between communicating applications. However, symmetric encryption algorithms, such as AES, that depend on a single secret key known by both the sender and receiver can weather quantum computing by using longer secrets.
While quantum computing power will be economically beneficial, it also threatens the safety and integrity of data protected with public key algorithms.
“While post-quantum computing is expected to produce significant benefits, we must take action now to manage potential risks, including the ability to break public key encryption that U.S. networks rely on to secure sensitive information,” said Mona Harrington, acting Assistant Director National Risk Management Center, CISA.
Quantum computing threatens critical infrastructure and national security
Given its immense computing power, quantum computing will break public key cryptography algorithms that protect sensitive data related to NCFs.
Private companies and nation-state actors, including those interested in cyber espionage, seek dominance in quantum computing.
“In the hands of adversaries, sophisticated quantum computers could threaten U.S. national security if we do not begin to prepare now for the new post-quantum cryptographic standard,” CISA wrote.
According to the Secretary of Homeland Security Alejandro Mayorkas, the post-quantum cryptography transition was a priority for cybersecurity resilience.
However, CISA states, “quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist.” Thus, businesses and critical infrastructure operators can conveniently transition to post-quantum cryptography before this emerging technology proliferates.
“Critical infrastructure and government leaders must be proactive and begin preparing for the transition to post-quantum cryptography now,” Mona said.
CISA identified 55 NCFs connecting, distributing, managing, or supplying critical goods or services. Each entity faces specific risks from quantum computing’s ability to break modern encryption standards.
“NCFs are the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or a combination thereof,” CISA wrote.
Post-quantum cryptography transition bottlenecks
CISA stated that the dependence on geographically dispersed and vulnerable industrial control systems would challenge the post-quantum cryptography transition process. This situation would affect many critical infrastructure organizations that depend on IoTs, including ICS.
CISA listed 18 NCFs that depend on ICS, including water supply, electricity generation, distribution, and transmission entities, transportation, and management of hazardous materials.
NFCs with long secrecy lifetimes face huge risks from quantum computing and would require continued support in the post-quantum computing universe. Such organizations operate on confidential data stored over long periods, such as trade secrets and personal and health information.
The agency enumerated nine NCFs dealing with long secrecy lifetime information, including law enforcement, community health, internet communications, wireless access networks, defense support, and medical records access systems.
CISA warned that threat actors used “catch-and-exploit campaigns” involving collecting encrypted data and storing it for future exploitation when quantum computers break current cryptography algorithms.
However, CISA noted that migrating some priority NCFs to post-quantum cryptography standards would support the migration of others, thus mitigating the risk posed by quantum computing.
DHS’ post-quantum cryptography transition recommendations
The DHS post-quantum cryptography roadmap recommended engaging with standards development bodies and taking inventory of critical data and cryptographic technologies.
Similarly, organizations should identify areas where public key is being used and label such systems as vulnerable.
Lastly, organizations should prioritize systems for replacement based on the following factors.
- Whether the system is a high-value asset
- The nature of other systems it protects and communicates with
- The extent the system shares information with federal and external entities
- Whether it supports critical infrastructure
- How long the data requires protection
CISA’s Insight document follows the federal government’s National Quantum Initiative in 2018 to accelerate quantum research and development for economic development and national security.
In May 2022, the Biden administration issued the National Security Memorandum 10 that, among other things, required advancing the adoption of quantum-resistant cryptography.
U.S. legislators also introduced the Quantum Computing Cybersecurity Preparedness Act in the House in April and passed it in July 2022. The bill seeks to address the migration of executive agencies’ information systems to post-quantum cryptography.