Post-quantum cryptography oversight lacking for agencies
The Department of Homeland Security’s post-quantum cryptography roadmap lacks deadlines and oversight needed to ensure agencies’ compliance, according to the leader of Thales’ encryption team.
Agencies should be given a drop-dead date to submit plans for protecting their most sensitive data and modernizing their cryptographic systems to a leadership council that has yet to be designated, said Todd Moore, senior vice president of encryption products.
DHS partnered with the National Institute of Standards and Technology to develop the roadmap — intended to prepare agencies for advances in quantum computing that will break the asymmetric encryption many use to protect data and systems — but a means of enforcement is lacking.
“I think the government could do a little bit more to add weight above just the guidance,” Moore told FedScoop. “Have some sort of a way where agencies have to comply, versus maybe comply.”
The guidance does an “excellent” job of generating a sense of urgency among agencies concerning the demise of current cryptography, which is anywhere from five to 10 years off, Moore said. That sense of urgency has been building for some time with Thales seeing an uptick in inquiries from agencies, as well as the health-care and finance sectors.
DHS’s roadmap suggests agencies analyze their organizations, inventory their most sensitive data and begin taking steps to protect it today because nation-states like China are stealing that data and archiving it for later, when they have a quantum computer capable of decryption.
Current guidance falls short in this regard as well.
“It’s really understanding where that data flows, not just within one organization, but across multiple organizations,” Moore said. “I think it’s important when you map to understand those different interactions between different agencies.”
Next-generation, quantum-resistant algorithms already exist. NIST’s Post-Quantum Cryptography Standardization Process has spent the last three years evaluating them, narrowed down to seven finalists, for recommended use in the post-quantum era.
Thales sponsored one such algorithm, and only one or two will be chosen by NIST next year to be the standard — likely for digital signature and public-key encryption respectively.
Once NIST sets the standard, agencies will be able to start deploying technologies using the appropriate algorithm or algorithms, but DHS’s roadmap makes no mention of the fact agencies can and should test them out in non-production environments now, Moore said.
Thales is already modeling the algorithms so agencies and banks can look at latency and performance to see how it impacts their environments for preparedness.
“Our hardware security module for data at rest and our high-speed encryptors, which is data in motion, were able to actually insert those algorithms,” Moore said. “We call it cryptographic agility, the ability to model these post-quantum algorithms in these products.”