The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday identified three areas where stakeholders of the nation’s most vital functions must be engaged to begin securing digital communications ahead of the introduction of quantum computers, which will pose significant risks to current encryption capabilities.
The new CISA Insight, Preparing Critical Infrastructure for Post-Quantum Cryptography, outlines three National Critical Function (NCF) areas for the government and industry to prioritize.
One set of NCFs are those that will support the migration of quantum cryptographic capabilities to other critical infrastructures. Examples of these NCFs are companies that provide internet-based content and communications services, information technology products and services, and protect sensitive information.
A second set of priority critical functions are industrial control systems (ICS), which CISA says “will be a challenge because deployed cryptography-dependent ICS hardware is costly, and the associated equipment is often geographically dispersed.” The agency is urging organizations that are dependent on ICS to begin planning to account for post-quantum cryptography needs as they replace legacy equipment.
The third focus area involved NCFs that need to maintain long-term data confidentiality such as national security information, personally identifiable data, industrial trade secrets, and personal health information. CISA warns that stolen data that is protected by current encryption technology is susceptible to being compromised years from now when quantum computing puts it at risk.
The priority NCF areas were identified by the Homeland Security Operational Analysis Center, a federally-funded research and development center managed by the RAND Corp. under contract to the Department of Homeland Security.
In July, CISA launched its Post-Quantum Cryptography Initiative to help jolt the nation’s critical infrastructures to begin preparing for the time when quantum computing will be introduced, putting current security algorithms that protect digital data and communications at risk. CISA estimates that cryptographically relevant quantum computing could be ready by 2030.
Also in July, the National Institute of Standards and Technology announced the first four quantum resistant cryptographic algorithms. The agency plans to publish a post-quantum cryptography standard in 2024.
Current networks rely on public key encryption that is based on mathematical models that traditional computer systems can’t break. Quantum computing will have greater computing power and speed to crack these encryption formulas.
“While post-quantum computing is expected to produce significant benefits, we must take action now to manage potential risks, including the ability to break public key encryption that U.S. networks rely on to secure sensitive information,” Mona Harrington, acting assistant director for CISA’s National Risk Management Center, said in a statement. “Critical infrastructure and government leaders must be proactive and begin preparing for the transition to post-quantum cryptography now.”