How NSA plans to shield high-impact systems against quantum threats
The National Security Agency started the clock on a long-planned transition to quantum-resistant algorithms in key national security systems.
The National Security Agency will require National Security System owners to implement quantum-resistant algorithms for all networks critical for military and intelligence activities by 2030 under new directives featured in the Commercial National Security Algorithm Suite 2.0.
The directive is meant to "assure sustained protection of NSS and related assets" and to prepare for an ever-changing landscape of quantum computing threats, like cryptanalytic attacks, according to a NSA statement published Sept. 7.
The cybersecurity advisory instructs NSS owners, operators and vendors to immediately begin transitioning to software and firmware signing in order for the new software and firmware to use CNSA 2.0 signing algorithms by 2025. Software and firmware that has already been deployed but is not yet in compliance with the previous CNSA 1.0 requirements must also implement the new 2.0-compliant algorithms by 2025.
President Joe Biden signed a national security memorandum earlier this year instructing federal agencies to transition to quantum-resistant cryptography. Experts are concerned that powerful quantum computers, still in development, could easily defeat existing algorithmic encryption standards.
In July, the National Institute of Standards and Technology rolled out the first four quantum-resistant cryptographic algorithms following a six-year effort.
NSA wants CSNA 2.0 to be exclusively used by NSS owners by 2030 for software and firmware signing. Web browsers and cloud services should support CSNA 2.0 by 2025 and exclusively use the new algorithm suite by 2033. Other milestones are in place for networking equipment, operating systems, legacy applications, custom software and other speciality equipment.
NSA Cybersecurity Director Rob Joyce acknowledged the major effort the transition will take for NSS owners to become compliant with the new directive, saying in a statement accompanying the press release that the transition to quantum-resistant technology "will require collaboration between government, National Security System owners and operators and industry."
"We want people to take note of these requirements to plan and budget for the expected transition, but we don’t want to get ahead of the standards process," he said.