Agencies look to automation software to usher in next phase of post-quantum security

Agencies beginning the process of preparing their systems for future quantum threats are investigating how automated cryptography software can be incorporated into existing capabilities, the first step in a series of assessments to marry legacy systems with quantum-resilient technology.

Leadership at participating agencies spoke with Nextgov/FCW about the path towards creating quantum-resilient networks. Following the release of the first standardized post-quantum cryptography algorithms, the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency are working with industry partners to spearhead the algorithms’ adoption within federal agencies. 

Crucial to this effort is the harmonization of legacy technologies embedded in the federal government with newer software solutions, namely automated cryptography discovery and inventory — or ACDI — tools.

“There's a lot going on in that space,” Garfield Jones, the associate chief of strategic technology for CISA, told Nextgov/FCW. “We're working with NIST on some assessments for ACDI tools to possibly go into any of the agencies.”

ACDI software –– a starring component in CISA’s September guidance on migrating to an effective post-quantum standard –– is slated to be leveraged in agencies’ efforts to secure their networks from a future fault tolerant quantum computer. Jones said that the strategy is to initially conduct manual inventories of assets within CISA’s existing continuous diagnostic and monitoring framework to get full visibility into agencies’ vulnerabilities.

Next, agencies will begin leveraging ACDI tools in partnership with vendors.  

“What we're doing is trying to leverage those legacy tools to … cover the gaps that are there for PQC, and then as we go along we're going to get those new ACDI tools,” Jones said. 

The Department of Energy is one of the agencies participating in the early migration assessments with CISA, particularly due to the sheer size of the organization’s network. It plans to use existing endpoint detection and response tools in conjunction with ongoing manual inventory assessments to gauge how compliant current cryptographic schemes are. 

“The goal is to be able to use your EDR tools and those sorts of things to go in and … say, ‘oh, okay, this is the cryptography capability that's in this application’,” a spokesperson from Energy told Nextgov/FCW. “What we found is that we don't have a lot of stuff that is compliant right now. Not surprisingly, anything that's using asymmetric encryption is not going to be compliant.”

Another agency participating early in the migration efforts, the Department of Education, also confirmed that it is exploring ACDI tools as technology stopgaps for inventories currently performed on a manual basis. 

Challenges abound as the PQC migration process continues. Jones noted his agency is focused on ensuring new ACDI softwares harmonize and work effectively alongside older legacy tools.

“If you … put another antivirus tool on top of an existing antivirus tool, they tend to battle against each other. So we don't want that,” he said. “We don't want tools having conflicts between each other.”

Within Energy’s networks, the goal is to focus on seamless integration. 

“You want architecture built [so that] in the future, so you can swap out the cryptographic module without having to do a massive application upgrade,” the Energy spokesperson said. “And the question becomes: ‘Do we have to replace this product? Do we have to upgrade it?’”

“Minor challenges include implementing cryptographic agility throughout the enterprise technology portfolio and transitioning workloads from vendors/technologies unable/unwilling to transition to PQC,” a spokesperson from the Department of Education said. 

Jones added that part of the inventory and discovery process will be ensuring all of these tools –– newer ACDIs and legacy softwares –– can function well alongside existing cybersecurity frameworks and won’t hinder agency operations. 

“We don't want to burden any of the systems down with any of the performance elements of these tools,” he said. “We don't know necessarily if they’ll work well together. The interoperability issue is another piece to that. So those are things that we're definitely looking at.”

Private vendors will play an important role here. While agencies like Energy and Education have yet to deploy software products in the PQC migration process, larger vendors will be called upon to ensure their tools are quantum-ready as well.

“What we don't want is for the communications to be decrypted in the future. The bigger vendors are very rapidly going to be figuring out how to solve this problem,” the Energy spokesperson said. “We're going to be pushing our biggest vendors to do it faster, and we're going to anticipate our biggest vendors are going to be there faster.”

With President Joe Biden setting the deadline for total quantum cryptographic readiness at 2035, officials are confident this broad aim won’t change as President-elect Donald Trump prepares to be sworn in.

“Regardless of who's in charge, we're going to continue forward on encryption,” the Energy spokesperson said. “I mean, that's a no brainer. We need to be able to encrypt our sensitive data. We need it to be quantum safe.”

Jones agreed, even as his agency faces an uncertain future with the departure of its Director Jen Easterly ahead of the second Trump administration. He further noted that advancing the role of ACDI tools in the government’s PQC migration will likely appear in an anticipated executive order on cybersecurity. 

“Some folks probably see it as, you know, this administration versus that administration,” he said. “This is about the nation's security. It's not about Republican and Democrat.”