How the NSA Is Moving Toward a Quantum-Resilient Future
The NSA has consistently held its door open for collaboration with the private sector which will be critical as the United States moves forward into a new generation of cybersecurity.
Quantum computing is a rapidly advancing technology that has the potential to transform industries by solving complex optimization problems that elude classical computers. But what happens when a quantum computer is used against the digital infrastructure that safeguards our nation’s most sensitive data? This is a question that the National Security Agency (NSA) is not waiting to find out, and neither should private organizations.
Quantum computers utilize the quantum properties of subatomic particles to perform countless calculations simultaneously and, in a matter of seconds, solve problems that even today’s most powerful supercomputers would take thousands of years to complete. Consider the uses for such a computer in optimizing financial investment portfolios, vehicle routing, manufacturing processes, energy resource allocation, and drug development, and the transformational potential of quantum computing becomes clear. However, the rapid development of these revolutionary supercomputers has caused alarm in the defense sector as adversarial nation-states are currently investing billions of dollars to weaponize quantum computers.
The Department of the Defense’s (DoD) primary concern is that a weaponized quantum computer could be used to break the encryption that protects sensitive government data and communications. There are thousands of scientists, mathematicians, and quantum programmers currently employed by adversarial nations to advance the quantum threat against the United States. A quantum computer that could disrupt vital digital systems and decrypt classified information presents an enormous national security threat. The United States has responded by developing technologies to counter the quantum threat and reinforce its digital infrastructure. In particular, the NSA has been tasked with ensuring the future security of the United States’ digital infrastructure by implementing quantum-resilient solutions on national security systems (NSS).
The NSA Recognizes the Quantum Threat
In 2015 the NSA announced a plan to transition NSS to a new quantum-resilient cipher suite. Though quantum computers were still in their embryonic state, the NSA explained that the threat of quantum computing was the primary consideration in the decision to withdraw the previous cipher suite, called Suite B, and prepare for the post-quantum era. The NSA stated in their announcement, “Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy.” The announcement also noted that the ultimate goal for the agency was to “provide cost-effective security against a potential quantum computer.”
This announcement was the first time that the NSA publicly recognized that quantum computing posed a serious threat to encryption and, more importantly, that it was time to act. It’s also important to note that the NSA seeks a cost-effective solution. This will undoubtedly be a key obstacle for organizations across the government and private sectors during the transition to Post-Quantum Cryptography (PQC). For a solution to be cost-effective it must be compatible with existing systems; replacing hardware presents significant challenges and expenses. The NSA has deferred to the National Institute of Standards Technology (NIST) to research PQC solutions and finalize a set of quantum-resilient algorithms for use in NSS. The cost-effectiveness of this approach will largely depend on each organization’s ability to implement the new algorithms with minimal disruption to existing systems.
What the NSA is Not Doing
The NSA has explored many options for quantum-resilient solutions, including Quantum Key Distribution (QKD). QKD primarily uses photonic channels (fiber optics) to send unique encryption keys generated through the quantum properties of photons. While keys used in QKD are strong, the technology is vulnerable to weak implementation which causes it to be susceptible to a variety of quantum and even classical attacks.
Aside from the security vulnerabilities, another fundamental issue plaguing QKD is the amount of specialized hardware required to secure a connection between two points. The NSA has stated that implementing QKD on NSS would require significant resourcing, and it did not qualify as a comprehensive quantum security solution. According to the NSA, QKD “only addresses some security threats and it requires significant engineering modifications to NSS communications systems. NSA does not consider QKD a practical security solution for protecting national security information.” The complexity of QKD undermines the goal of the NSA to provide cost-effective quantum cybersecurity as stated in the 2015 announcement. The NSA and NIST have both endorsed PQC as the superior and cost-effective quantum-resilient solution and, ultimately, PQC will become the standard for data encryption in both the government and private sectors.
Expediting the NSA’s Efforts
The timeline for the NSA’s effort to transition to PQC was shortened significantly when in January President Biden signed a National Security Memorandum (NSM-8) on “Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.” The memo specifically called upon the NSA and the Committee for National Security Systems (CNSS) to, within 180 days, identify instances of encryption used on NSS not in compliance with NSA-approved quantum-resistant algorithms, as well as to provide a plan and timeline to transition those systems to quantum-resistant standards.
The NSA can no longer wait until 2024 for NIST to finalize PQC standards and is now tasked with auditing the current NSS cyber infrastructure and providing a PQC transition plan immediately. This mandate marked the beginning of the biggest upcycle in cybersecurity history for the DoD. Private organizations would be wise to act with the same urgency as the NSA and begin exploring post-quantum solutions for their own systems.
A successful transition of the NSS to PQC will require the collaboration of multiple government authorities. Section 1(v) of NSM-8 requires the NSA to collaborate with the Department of Homeland Security (DHS) and other national security organizations on coordinating this transition process. Recently, the DHS released a roadmap outlining a step-by-step PQC transition strategy for government and commercial agencies to take inventory of their most sensitive information and prioritize the upgrade of their systems accordingly. This will be a useful tool for the NSA as the agency conducts a similar evaluation process for NSS. The DHS tool is open to the public and offers a valuable resource for private organizations to conduct similar audits on their own systems.
The Need for Public-Private Collaboration
The NSA has consistently held its door open for collaboration with the private sector which will be critical as the United States moves forward into a new generation of cybersecurity. The NSA’s Commercial Solutions for Classified (CSfC) Program is a platform that allows private commercial developers (i.e., vendors) to register cybersecurity components of Commercial Off The Shelf (COTS) products for use on NSS. These components are compiled into vendor-agnostic Capability Packages (CP) that are provided to CSfC clients, including DoD, intelligence communities, military services, federal agencies, and other NSS stakeholders. While the CSfC will not field commercial solutions for post-quantum algorithms until NIST completes its PQC standards research and recommendations, there are many resources available through CSfC designed to help clients, which include both government and private organizations using NSS, ease the upgrade process.
The National Cyber Center of Excellence (NCCoE) has launched a Post-Quantum Migration Project that brings together academic, industry, and government experts to develop a set of tools for organizations to audit their systems, assess risk, and prepare for the quantum upgrade. This type of public-private collaboration will be critical to ensuring that both the government and private sectors navigate the transition smoothly. The private sector must follow the lead of the NSA and other cyber authorities and begin preparing their systems for the transition to PQC to ensure that the digital infrastructure that supports the United States remains secure now, and into the quantum era.
Patrick Shore is a Program Manager at QuSecure.
Image: Flickr/U.S. Air Force.