OMB Urges Agencies to Begin Transition to Post-Quantum Cryptography

The Office of Management and Budget released a memo last week outlining the steps agencies should take in order to secure their networks against a catastrophic post-quantum attack. The memo’s impetus is the threat of a cryptographically relevant quantum computer, which could break cryptographic algorithms used by defense, civilian and health agencies to safeguard data.

The memo includes a list of requirements for agencies to follow such as taking inventory of current cryptographic systems with a focus on high value assets (HVAs). OMB also asked agencies to create encryption keys and connections as well as validate digital signatures.

Agencies will then submit an inventory log to the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency (CISA) who are helping coordinate the effort.

The deadline for agencies to complete the OMB’s request is May 4, 2023.

Meanwhile, CISA’s Preparing Critical Infrastructure for Post-Quantum Cryptography also offers guidance on how to prepare for the possible effects of post-quantum computing.

Bill Newhouse, Cybersecurity Engineer & Project Lead with the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology (NIST), said if a cryptographically relevant quantum computer were developed, it would potentially have the ability to break public key encryption algorithms.

“So, we need to figure out where we’re using them and what we’re protecting with them and how we’re using them so when that computer exists the threat of those being broken is gone because we have introduced new algorithms that are post quantum cryptographic algorithms,” Newhouse said during ATARC’s The Quantum Security Challenge event in August.

Christopher Crist, Chief of Development, Security, and Operations with the U.S. Transportation Command at the Defense Department said DOD is very much aware that now is the time they should be preparing for post-quantum computing.

“For many years we’ve been trying to move away from waterfall methodologies and move towards more agile and a DevSecOps  methodology.  Also trying to add in 7 pillars of zero trust and try to improve risk management framework for our programs, so it’s a lot when something like this comes up,” Crist said. “We don’t want to view it as another thing we’re worried about.  It’s important and we have concerns, we’re trying to be agile and include things like this in our conversation.”

During the event Newhouse talked about actions agencies can take today to prepare for what they may encounter in a post-quantum world. He said the Canadian Forum for Digital Infrastructure Resilience has a quantum readiness group and they encourage you to start by updating and patching and can asking vendors if they’re using standardized validated cryptography.

“Say hey these algorithms have been approved by private testing laboratories running tests designed through an international consortium including NIST,” Newhouse said. “There will be a tendency for people to run toward these new algorithms and yet they’re not validated.”

Newhouse also advised agencies to focus on protecting sensitive data and research the risks associated with potentially vulnerable cryptographic algorithms.

“You will have algorithms that can be exploited cryptographically therefore know what you have and what you’re protecting, how you’re using it and for what processes.  There’s a lot of housekeeping you can do today to prepare yourself and then ask your vendors what they are doing to get quantum safe for you,” Newhouse said.

When preparing for post-quantum, Crist said algorithms should be continuously vetted. Agencies can also take advantage of Cloud One’s container repository Iron Bank to boost cybersecurity against quantum attacks.

“You can pull the containers and use them in your environment, it’s a great idea — but if you’re not ready to take on the containers and aren’t modernized enough to do that, it doesn’t help you,” Crist said.  “When we talk about this, we certainly need to ensure that our programs are ready to go and ready to incorporate these newer methods.”

A Software Bill of Materials (SBOM) can also help federal agencies prepare for post-quantum computing by tracking components and changes in the software supply chain for potentially dangerous anomalies or poor cybersecurity practices.

“What libraries are we relying on, what software components, what vendors are working with, the licenses that we have, all of that, is something that we’re digging into now to have a better understanding of what we’re currently using,” Crist said.

The White House released an executive order announcing the creation of a National Quantum Initiative Advisory Committee in May, which recommended NIST stand up an effort to discuss migration to post-quantum cryptographic algorithms.

“The positive is the work is happening, and there are realizable algorithms that are being standardized,” Newhouse said.  “Companies have also started quantum working groups to build quantum computers to do their normal business processes and enhance their business processes, there’s a lot of great science and activities coming from these devices as well.”

While quantum computers pose numerous cybersecurity threats, they can also create new efficiencies in government, according to Joe Altepeter, Program Manager of the Defense Sciences Office at the Defense Advanced Research Projects Agency (DARPA).

“People are hopeful that if you could really make a big working quantum computer it could do things like figure out a better way to make corrosion resistance in Navy ships, it could have a better way to optimize supply chain logistics, it can have a better way to discover new drugs new pharmaceuticals that can help deal with deadly diseases and new ways to combat climate change,” he said in a CyberCast interview with GovCIO Media & Research in March.

Altepeter also believes quantum computers can help the Defense Department evolve for future fights.

“They could be transformative for almost every aspect of what we do in the military but none of those applications has been proven,” Altepeter said. “So there really is room right now for everything from a quantum computer to be the most important technology of the 21st century for the DOD and for the world, that’s why DARPA is hoping to make a lot of progress in the next few years to figure this out.”