Industry Perspective: “Unraveling” Executive Order on Quantum Security
A White House executive order issued Jan. 19, “Memorandum on Improving Cybersecurity for National Security, Department of Defense, and Intelligence Community Systems,” outlines several short-term security guidelines.
Advances in classical and quantum computing are behind these mandates. The memo puts the quantum needs of nation states at the forefront, with very short-term deadlines for action. Leaders must adapt their security choices as quantum technology is implemented.
Simply put, the executive order states that government agencies must no longer use unsupported encryption and must transition to a zero-trust architecture, making way for quantum resilient cryptography and post-quantum communications. This is important because quantum computing is already a threat to national security. National data is currently being stolen and stored with the intention of decrypting it as soon as these powerful quantum computers come online.
At first glance, the conclusion of this memo is difficult to discern. But reviewing an earlier May 2021 memo from the White House, “Executive Order on Enhancing the Nation’s Cybersecurity,” helps clear things up. The 11 sections of this executive order do not mention quantum threats, but behind the scenes they provide for quantum computer threats. On pages 4, 5, and 18 of the May Executive Order, the security goals for the high-level government Zero Trust Architecture are defined, without announcing anything quantum.
Fast forward to the January memo: page 3 of the advisory ties the May 2021 zero-trust architecture requirement to quantum modernization needs. There is a discrete directive to counter advances in quantum computing.
The January memo from the White House states, “…review the modernization of cryptographic equipment, quantum-resistant protocols, and planning for the use of quantum-resistant cryptography if necessary.” An important next step is to determine when quantum computing can decrypt stolen data. Estimates are as early as three years.
Thus, a modernization plan must take into account advances in quantum computing in government systems. The Zero Trust architecture will prove important in the fight against the post-quantum computing threat, as it enforces user access at the correct level to accomplish the mission.
This architecture also helps contain damage to national data if a device/user is compromised. Leaders know that data breaches are inevitable or have happened. This Zero Trust architecture therefore coordinates system security within this dynamic environment.
We need to plan with these impending quantum advancements in mind. Government leaders are balancing near-term needs, current classical cyber threats, fiscal year budget constraints, US global interests, and day-to-day government operations, while recognizing that this technological change is coming soon.
The January memo puts these changes on the agenda, and by March 19, national leaders are expected to have outlined a modernization plan that combines quantum-resilient protocols and quantum-resistant cryptography with critical zero-trust updates.
Leaders are currently gathering technical advice on how best to prepare for these advanced cyber changes. How they lay the groundwork for zero trust with quantum resilience in place for our nation is no easy task.
This framework is essential to help prevent dynamic threats from gaining full access to valuable national data. Using post-quantum protocols and quantum resilient cryptography offers a way to maintain bandwidth and latency.
National, commercial and personal security depends on getting this right. Basically, this next security framework should work on existing systems – backwards compatibility – but include protection against quantum computing systems. Securing U.S. government public keys is critically important to the nation’s banking, commerce, contracts, infrastructure, and logistics.
For example, public keys using asymmetric protocols are easy, vulnerable entry points for current and future quantum computing.
Technically minded observers may be skeptical. The bookends of skepticism are either “it’s too late” or “it’s too early”. Some claim it is too late since our already stolen data will be decrypted by adversaries. Others argue that this requirement is too early and that existing technical ciphers are advanced enough. Both perspectives can be discussed and must be technically weighed for correct decision making.
However, both may miss what these memos set in motion, as we will need to act soon.
We’ve covered the critical points by unraveling — or untangling… pardon the quantum pun — the quantum aspects of the recent White House January memo. Disentanglement in quantum work means that previously coherent particles are now decoherent. The 2022 memo as well as the May 2021 memo are worth reading. Both memoranda define “you must” or “you must not” contributions for high-level government decision-makers, management, and budget officials.
What can organizations do in the short term? It is useful to know the software environment, including operating systems, languages, special libraries and communication protocols. Knowing this environment highlights any public-key (asymmetric) vulnerabilities, and it’s a good place to start looking for them.
This will help make room for zero-trust architecture and post-quantum protocols and realize the benefits of quantum resilient cryptography as bandwidth/latency trade-offs become apparent.
National data, information exchange and cybersecurity are solid foundations that we must protect. These government notes offer a path to guide the steps, as rapid breakthroughs in quantum computing take place almost daily. Exciting times are ahead.
Pete Ford is senior vice president of federal operations at QuSecure Inc.