Officials urge a quick start migrating to post-quantum encryption

Following the Tuesday release of the National Institute of Standards and Technology’s first standardized post-quantum cryptographic algorithms, the Biden administration is angling for a swift migration effort featuring help from private sector partners. 

Officials within the Biden administration hosted a conference on Tuesday discussing the algorithms’ release and the crucial next steps public and private sector entities alike should prepare to take to secure their digital networks from a future with a viable quantum computer.

The main goal officials discussed was the importance of beginning to transition current encryption methods as soon as possible. 

“Given the potential for quantum computers and the ability they may have to bypass current encryption methodologies, if we start to protect this data in 10 to 20 years, we will be way too late to secure it,” said NIST Director Laurie Locascio. “So to protect our data into the future, we have to start now to secure it, in order to avoid a ‘store now decrypt later’ threat scenario.”

Locascio refers to what cybersecurity professionals have identified as “harvest-now, decrypt-later” tactics, where malicious cyber actors can access data encrypted by classical algorithms and save them for the potential advent of a quantum machine that can crack the code. 

Steve Welby, the deputy director for national security at the White House Office of Science and Technology Policy, said that many different types of sensitive data are vulnerable to this tactic and future hacks if data owners are unprepared.

“It's not just personal and financial information that's at risk,” he said. “It's also our nation's security capabilities. It's our critical infrastructure, our energy systems, our water supplies, our telecommunications, and it's also our intellectual property which is at risk of theft and misuse.”

Shifting public key encryption to the updated safeguards released Tuesday is what Welby called “our current quantum challenge” given the time and investment constraints it will require for all industries. 

Locascio added that while the standards are ready for implementation today, the research and development critical to further innovation in the larger quantum computing field will demand continuous updates on a cryptographic level, a task that requires global help.

“In the future, there will be cases, there will be use cases, edge cases and needs where these first three standards might not be sufficient,” she said. “And so NIST and this global community together will continue to brainstorm, to test, to generate the standards that aim to meet all of our needs.”

These needs will likely manifest as new standards and even alternate and backup algorithms for further resilience against the unknown quantum information science and technology future. 

On the private sector side, some entities that have aided in spearheading the first algorithms’ standardization have already begun implementation efforts. A new Google blog post discussed the search engine’s path forward in a total PQC migration. 

“Google takes these risks seriously, and is taking steps on multiple fronts. Google began testing PQC in Chrome in 2016 and has been using PQC to protect internal communications since 2022,” the post reads. “As we make progress on our own PQC transition, Google will continue to provide PQC updates on Google services, with updates to come from Android, Chrome, Cloud, and others.”

Experts anticipate this path to be less than linear. 

Andersen Cheng, the chairman of Post-Quantum, a software company specializing in transitioning classically-encrypted networks to a quantum-resilient standard, said that entities should not be deterred from mitigation efforts despite interoperability concerns between vendors and other engineering and network asset challenges. 

“It’s important for all organizations to realize that hybrid solutions exist, enabling migration to start immediately rather than waiting for updated Internet protocols like [Transport Layer Security], of which the timeline remains uncertain,” Cheng said in a statement to Nextgov/FCW.