The world is rapidly awakening to the threat posed by adversaries empowered by quantum computers. When my company began researching and developing quantum-safe algorithms for public-key encryption in 2009, very few people were even aware of the issue. A handful of leaders in the Western intelligence community were working on their own approaches but interest from policy-makers and the private sector was limited. Fast forward a decade and the environment has changed drastically.
The U.S. should be commended for its bipartisan Quantum Computing Cybersecurity Preparedness Act, signed in late December. The Act requires that the Office of Management and Budget (OMB) prioritize the migration of federal agency IT systems to quantum-safe encryption within a year of new post-quantum encryption standards being released by NIST.
For those of us in the post-quantum cryptography community, this is the leadership we’ve long craved and it may have arrived just in time. We know that adversaries are harvesting data today to decrypt it later when quantum computing has further matured. In this sense, secrets may already have been lost. The crucial question we now receive frequently from government is: How can we position our agency to become quantum-safe?
We believe the OODA framework, first developed by U.S. Air Force Colonel John Boyd, can be applied to help prepare for quantum. Clearly, the findings of the analysis every organization undertakes and the actions that are decided upon are likely to vary, but for those unsure of where to start, OODA is well suited to structuring the journey to quantum-safe.
Observe: gather information
The first step for anyone is to identify the problem and gain an overall understanding of the internal and external environment. This part is an easy undertaking in the context of quantum, as we already know a lot about the risk.
It is well documented that various nation-states have used Border Gateway Protocol attacks to reroute internet traffic. Quite possibly with the intention of harvesting today, to decrypt tomorrow. For example, the Russians have regularly rerouted Ukrainian internet traffic since the invasion of Crimea in 2014. More recently in 2020, Russian telco Rostelcom rerouted traffic from Google, AWS, and 200 other companies.
We also know that quantum computing is prioritized in China’s 14th five-year plan, with an ambition to be the world leader by 2030. Today, China is thought to be the largest investor in quantum computing, meaning the risk it could be the first state to develop a cryptographically relevant quantum computer is far from zero.
Finally, and most importantly, we know that breaking today’s encryption algorithms is only a matter of time and engineering. Running Shor’s algorithm is theoretically proven to break both RSA and Elliptic Curve; we’re just waiting for a better quantum machine.
Orient: making sense of the information
The next step involves reflecting on what has been found and considering what should be done next. This will depend on your organizational profile, but will broadly involve situating yourself in the macro context, then narrowing the focus to how the broader environment impacts you specifically.
One of the key reflections that all organizations will need to consider is exposure to risk. This can loosely be done by considering the data you hold and how long it needs to be secured – that is, your data’s shelf life. Broadly speaking, organizations that are most at risk from HNDL attacks happening now are those that hold data that has a long shelf life. Even though a viable code-breaking machine isn’t here yet, the immediate and real threat that is posed by HNDL today means that any long-term data transferred across networks could be at risk of interception and future decryption.
There are several examples to illustrate this. For instance, any federal agency that holds plans, employee names, access privileges, or confidential government secrets will clearly be top of the list.
But strategic sectors like Critical National Infrastructure, including energy production and distribution firms, could be vulnerable. Any Intellectual Property-based industry like automotive, pharmaceutical, technology and specifically microprocessors hold designs that will still have strategic relevance for many years to come.
Financial institutions also hold data with long shelf life, such as customers’ biometric data and primary account numbers (PAN). If a bad actor was to get their hands on this encrypted data now with a view to decrypting it later, then there would be chaos across the entire financial ecosystem.
Decide: mapping a path forward
Once you have put your organization in context and understood exposure to risk, the third step is making suggestions toward a response plan.
This is where many organizations will begin to diverge. For example, the recent action taken in the U.S. means that federal agencies are time-bound to take specific action against a clear timeline, whereas actors within the private sector are not yet subject to the same ‘push’ of regulation. Nonetheless, there are parallels between the path that is being mapped by federal agencies and the action that will need to be taken by private-sector actors, particularly those with vulnerable data.
One such area is logistical – do you have the right personnel and budgets in place? Any quantum migration will be a resource-heavy investment, so having a dedicated team and assigning resource investment is a vital prerequisite to developing any sort of response plan. It’s why one of the first actions required for federal agencies in the OMB Memorandum has been to designate a cryptographic inventory and migration lead.
But do you need to be more proactive than that? The answer for many organizations is likely to be ‘yes’. If their networks carry data with a long shelf life then auditing crypto libraries isn’t enough and there is a strong case for deploying a quantum-safe Virtual Private Network, which can protect data in transit today while the broader migration plans take shape.
Act: taking concrete action
The final step is to carry out the decision and related changes that need to be made in response to the decision. For most organizations, including those at the federal level, it is unlikely that many are at this stage today, and you are more likely to be in either the Orient or Decide phases.
However, an increasing number of organizations that prioritize cybersecurity are already acting. One of the ‘lowest impact, highest reward’ actions that can be taken now is to upgrade to a hybrid, quantum-safe VPN to protect data flowing between your sites.
Overall, it’s clear that the world must mitigate the risk that quantum computers pose to our security infrastructure. Following years of innovation across the private sector and increased movement by governments, a path toward a quantum-safe world has emerged, but for many, it’s difficult to know where to start. Using the OODA Framework provides the structure to begin migrating and keep our world safe.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected].
