Federal Government Gets Serious About Post-Quantum Encryption Protection
A Phase III PQE contractor talks about getting federal quantum protection deployed quickly.
There is a Chinese proverb that states that the best time to plant a tree was 20 years ago, while the second best time to plant one is right now. Given the quantum arms race going on between the United States and its potential rivals, the same can probably be said about post-quantum computing cybersecurity. And the government is now doing everything it can to get a program in place as quickly as possible.
There have already been mandates, proposals and studies. Earlier this year the White House mandated post-quantum cybersecurity—or PQC—via the National Security Memorandum “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.” And in Congress, the Quantum Computing Cybersecurity Preparedness Act would direct the National Institute of Standards and Technology and the Office of Management and Budget to develop mitigation measures for post-quantum cryptography. Meanwhile, the Department of Homeland Security worked with NIST to develop a roadmap toward better agency protection.
Planning for a safer future is good, but action is better. That is why the federal government awarded a rare Small Business Innovation Research (SBIR) Phase III contract to post-quantum cybersecurity company QuSecure. The sole-source contract, the first and only one issued for PQC, calls for the company to develop an end-to-end solution for post-quantum cybersecurity that can be deployed to federal agencies as quickly as possible.
Nextgov talked with QuSecure Co-Founder and COO Skip Sanzeri about the need for federal cybersecurity protections that can survive in a world where powerful quantum computers can shred today’s most advanced encryption.
Nextgov: Can you first explain what the awarding of a Phase III contract means for post-quantum protections?
Sanzeri: The Phase III award is a mechanism to allow a small technology company to move to the top of the heap and become a prime contractor, in order to supply vital technologies that can be used by the government without the typical bureaucracy or red tape. QuSecure sees this Phase III as an instance where the government recognizes the gravity of the coming situation where quantum computers will crack current encryption.
Nextgov: I am glad you brought up those dangers. One that has been talked about a lot here at Nextgov is the fact that foreign governments are attempting to steal government data right now in hopes that they can store it and crack it later when better quantum computers are available. How important is it that we apply quantum-resistant protections to government data right now?
Sanzeri: These “store now, decrypt later” attacks are the biggest reason to start upgrading networks and communications to post-quantum cybersecurity. Foreign nation states are stealing data every second of the day. That data is harvested and stored on computers waiting to be decrypted. And quantum computers will [one day] be able to crack that encryption.
For example, if a quantum computer with enough power to crack encryption is developed in five years, data stolen today would still be very valuable if it has 10, 20 or more years of shelf life. And national security secrets, bank account information, and electronic health records may have data security requirements of up to 75 years. Making matters worse, many experts estimate that changing our current encryption across an enterprise or government agency could take as long as 10 years. Adding this to the shelf life of data means that there are 10 more years of exposed data which attackers can weaponize or use against us.
In many cases, we are already behind.
Nextgov: Putting aside the “steal and store” attacks for a moment, how long do you think we have before quantum computers can crack AES-256 or other strong encryption?
Sanzeri: At this point, quantum computers are not strong enough to crack our current encryption. Via an algorithm written by Peter Shor, it was mathematically proven that in order to crack current RSA 2048 encryption, you would need about 4,100 qubits. We are in the 100-qubit era now, but advancing rapidly. Many believe that we will have a powerful enough quantum computer in the next three to five years to crack encryption. Some say it will take longer, but nonetheless most data needs to be protected for 25 years or more. IBM, Google, PsiQuantum, Rigetti, and IonQ all have 1,000-qubit computing roadmaps by 2025.
Nextgov: How does your technology work to protect data from quantum-based and encryption-breaking attacks?
Sanzeri: To protect against quantum computers, we need to change encryption and use quantum keys to ensure that data and communications are secure from quantum attacks. QuSecure has an end-to-end post-quantum cybersecurity orchestration platform called QuProtect, which enables organizations for the first time to leverage quantum resilient technology to help prevent today’s cyberattacks, while future-proofing networks and preparing for post-quantum cyberthreats.
It provides quantum-resilient cryptography, anytime, anywhere and on any device. QuProtect uses an end-to-end, quantum-security-as-a-service (QSaaS) architecture that addresses the digital ecosystem’s most vulnerable aspects, uniquely combining zero-trust, next-generation post-quantum-cryptography, quantum-strength keys, high availability, easy deployment, and active defense into a comprehensive and interoperable cybersecurity suite. The end-to-end approach is designed around the entire data lifecycle as data is stored, communicated and used.
Nextgov: So government will be able to protect its data both in transit and at rest from quantum attacks?
Sanzeri: Yes. Our QuProtect software-only security architecture overlays current infrastructure and protects data in motion, in use, and at rest—on any system, anywhere—from existing and emerging cyber-threats. We utilize NIST algorithms, quantum random number generation and proprietary software applied to communications and data, in order to protect it against quantum attacks. We also have backwards compatibility with our own proxy which translates between TLS layers and post-quantum encrypted communications. This combination of tools enables us to protect communications, data in transit, and data at rest.
Nextgov: Not to be a skeptic, but given that quantum computers rely on various different kinds of technologies—some are mechanical, some are electrical—and the fact that their capabilities are constantly expanding, how can you test your protections against that future threat and guarantee federal data protection?
Sanzeri: Very good question. At this point in time, no one has a quantum computer powerful enough to test encryption, and if we wait until we have that quantum computer, it will be too late. The best we can do at this point is to show how current classical cyberattacks can make data and communications vulnerable, then we can show the same classical attacks will not work against quantum resilient communications and data.
Additionally, we must rely on organizations such as NIST, which spent over six years studying algorithms to find algorithm candidates that would withstand quantum computing attacks. Fundamentally, those algorithms have changed to be very complex, such as lattice-based infrastructures that mathematically can withstand quantum attacks. But that’s the best that anybody can do at this time.
Nextgov: Okay, so how long will it be before anti-quantum protection is widely available for deployment across the federal government?
Sanzeri: QuSecure will have this first production version of quantum resilience available for government purchase in less than six months. And we intend on adding many features to the initial system in future months that will make the system more robust and scalable.
However, even with this rapid availability, it will still take years to deploy post-quantum cybersecurity across vast government networks—so that is the entire reason to start early. QuSecure’s solution is mostly software-based and can scale out to IoT and other end devices very quickly to create secure quantum communications. So once decisions are made, scalability and adoption will happen very quickly.
We’re hoping that the federal government continues its rapid ascent towards a post-quantum world so that our nation’s most important data is protected. Our national security depends on it.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys