Cyber officials cite legacy systems as post-quantum readiness challenge
Legacy systems, operational technology systems, and lack of guidance are among the barriers to agency implementation of post-quantum cryptography standards, according to a survey of government cyber professionals by General Dynamics Information Technology.
The online survey of 200 cyber professionals across the government found that 48% of respondents cited legacy systems as a barrier to implementation of new standards designed to protect information against cyberattacks by future quantum computer capabilities.
Meanwhile, 29% respondents said operational technology systems were a “complicating factor.” And lack of planning, guidance and strategy were also an issue for implementation according to 37% of respondents, the survey found.
The results come a couple of months after the first post-quantum cryptography standards were finalized by the National Institute of Standards and Technology, beginning a process of implementation across the public and private sectors. The survey results paint a picture of federal agencies just beginning to create strategies and identifying barriers in those efforts.
“With legacy systems, there’s a lot of complexity and customization. There’s uniqueness to these systems that make them difficult to upgrade,” Tim Gilday, GDIT’s senior director of emerging technologies, said on a call with press ahead of the survey’s release. “So a lot of attention is going to need to be paid as teams are formed and as plans are made around these systems.”
According to the survey, 50% of respondents said their agencies are actively developing their post-quantum cryptography readiness strategies and 35% are defining their plans and budgets. Interestingly, 17% said they had no defined plans for post-quantum cryptography and it wasn’t a priority.
In summarizing the survey on the call with press, Matthew McFadden, vice president of cyber at GDIT, said “agencies are making significant progress,” but supporting their post-quantum cryptography strategy will be key.
While the study was conducted in July and August before NIST’s standards were finalized, McFadden pointed to yearslong efforts that have been in progress to create the standards, noting that the standards existed in draft form for some time and people were aware they were coming.
When asked about the 17% that didn’t have plans, McFadden said part of the issue is budget and resources and that there’s hope that “now that the standards are here, that will change, and we can get that number down.”
The government has already required agencies to make some progress on identifying where cryptography that would need to be updated exists. In 2022, the Office of Management and Budget directed agencies to inventory cryptography on certain systems and estimate funding needed for migration to post-quantum standards. Based on those figures, the White House later concluded that the approximate funding needed for the transition between 2025 and 2035 would be $7.1 billion.
Going forward, McFadden also noted that a challenge will likely be the “dynamic nature of” the agencies’ post-quantum cryptography inventories, noting that automation will be key.
“What you submit one day may be different the next day, and that’s really why automation is critical for ensuring that, you know, we’re effectively managing the risk across these environments,” McFadden said.
Meanwhile, Gilday said there will be a lot to be learned from agencies that have already implemented the standards. According to the survey, 8% of respondents said they had fully assessed and integrated the current standards.
“What were the pitfalls? What were the lessons learned in implementing?” Gilday said. “And can we accelerate that either through our own knowledge and dissemination with government leaders and or through the NIST consortium?”
