DHS releases roadmap to post-quantum cryptography
The Department of Homeland Security wants agencies to protect their data and systems from advancements in quantum computing, likely to break some widely used encryption methods, using a roadmap released Monday.
Agencies must transition to post-quantum cryptography, but first they need to identify the data they want to protect and inventory and prioritize existing cryptographic systems.
The National Institute of Standards and Technology is developing a post-quantum cryptography standard and partnered on the DHS roadmap in the meantime to share steps that will prepare agencies for the transition.
“Now is the time for organizations to assess and mitigate their related risk exposure,” said Homeland Security Secretary Alejandro Mayorkas in the announcement. “As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals.”
The roadmap advises chief information officers to engage standards bodies on the latest algorithm and dependent protocol changes.
Agencies should inventory their most sensitive, critical datasets in need of securing for an extended period, according to the roadmap. Those are likely targets for decryption once a capable quantum computer is developed by, say, a foreign adversary like China. Traditional encryption methods that may become vulnerable currently protect customer data, business transactions and communications at agencies.
The roadmap further advises agencies to inventory cryptographic systems and flag those using public-key cryptography as quantum vulnerable. Prioritizing systems for transition will depend on agencies’ missions according to factors like:
- if the system is a high-value asset;
- what the system protects, from passwords to personally identifiable information;
- other systems being communicated with;
- information sharing with federal entities;
- information sharing with outside organizations;
- support for critical infrastructure; and
- the length of time the data must be protected.
Officials should flag acquisition, cybersecurity and data security standards that will need to be updated when NIST releases its post-quantum cryptography standard, according to the roadmap.
Lastly the roadmap recommends agencies develop pre-transition plans.
Mayorkas named post-quantum cryptography a cyber priority for DHS in March.