OMB’s call for manual network scans during PQC transitions is ‘undoable,’ industry officials say


The Office of Management and Budget’s preference for conducting a manual network scan over an automated analysis has drawn criticism from private sector entities ahead of migration efforts to post-quantum cryptography.

A discrepancy over how organizations should monitor their expansive digital networks following implementation of the three new post-quantum cryptographic algorithms has emerged with the release of a report from the executive branch advocating for manual efforts over automated ones. 

In anticipation of the release of the first three post-quantum algorithms ready for implementation across networks, the Office of Management and Budget issued a post-quantum cryptography migration report to Congress in July intended for entities preparing to transition to the new cryptographic standards. The push to overhaul networks across sectors stems from the threat of a potential fault-tolerant quantum computer that could overpower current encryption methods.

Among its guidelines lies a key recommendation: conducting manual network assessments on an annual basis in lieu of an automated scan. Network scans are a pillar of good cyber hygiene, requiring a review of code to gauge any misconfigurations or vulnerabilities in software.

For large organizations with many assets, this task becomes more daunting, as the scan would require a solid understanding of the software running on every computer or device attached to a given network. As organizations work to shift their cryptography to code that is resilient against a future quantum computer, catching every flaw in a network matters to correctly debug and safeguard digital assets from intrusion.

Jen Sovada, president of Global Public Sector operations at SandboxAQ, told Nextgov/FCW that OMB’s document serves as a step in the right direction, but she cast doubt on the ability of network security administrators to conduct an effective scan manually.

“It's a really great start to a document that really outlines steps that the government needs to take, and then also companies can follow in order to really start their journey on to [post-quantum cryptography],” Sovada said. “My concern primarily is based off of the requirement to have a manual inventory, and the fact that they're stating that an automated inventory isn't as comprehensive.”

Sovada added that manual inventories, unlike automated, software-aided ones, are highly dependent on who is conducting them and what the network looks like at a given moment. Some networks, such as those within national security operations, are more streamlined and consolidated. Other government systems, she said, can be a more diverse medley of applications built, deployed and monitored by agency employees and contractors. 

“Unless you know every single piece of software that is on your system, everything that is on your file systems, in your networks and the [application program interfaces] that are on there, it's very difficult to do a manual inventory,” Sovada said. 

Other industry experts agreed. Vladimir Soukharev, vice president of cryptographic research and development at InfoSec, said that solid automated scanning software is an important tool in finding crypto assets across a network.

“Talking about the manual approach, I would say that's pretty much undoable. Even if they do it manually, [it will] take a lot of time,” he told Nextgov/FCW. “Second of all, even if [network security analysts] invest amounts of time and effort to do this, there's still going to be things they're not going to catch.”

When discussing automated scanning tools, Sovada and Soukharev refer to a category of software broadly called automated cryptographic discovery inventory — or ACDI — tools. Soukharev said that ideally, OMB’s report would include more coverage of automated tools to help analysts conduct inventories in an automated, or hybrid, approach. 

Including these tools could be on the horizon in the future. Garfield Jones, the associate chief of strategic technology for the Cybersecurity and Infrastructure Security Agency, told Nextgov/FCW that his agency contributed to OMB’s report and that federal agencies are working to add more documentation and guidance surrounding ACDI tools.

For now, however, a correct, manual inventory of network cryptography is crucial to establishing a level of trust in ACDI software, per the OMB report.

“The reason we're doing it manually initially is because we had to lay the baseline and to see if the automated cryptographic discovery inventory tools are working,” he said. “As we get more faith and fidelity into the ACDI tools, we will slowly transition over. But we will still need the manual tools. We will still need the manual method, because there will always be that need to make sure that everything's working.”

Jones defends the government’s initial approach to PQC migration as an iteration of the “trust but verify philosophy.” He said that conducting network scans at a fully automated level in a dynamic environment won’t always catch flaws that need to be patched with updated code. 

“Those tools don't always work well in that federated environment,” he said. “We have to do some manual [inventories] to supplement what we can't see or do with the automated tools.”

He also noted that CISA’s forthcoming PQC strategy doubles down on starting with a manual network analysis, but has an end goal of delegating the majority of surveillance to an ACDI.

“It's not that we don't trust the tools, we just have to make sure they're giving the right information to us to do the right actions for transition,” Jones said. “This is not something that we can afford too many mistakes on.”

Soukharev noted that he does see merit in OMB’s manual analysis provision. He underscored, however, that it is still not tenable to do a manual network scan across an entire environment, due to its inherent complexity.

Adding to Jones’s point, Soukharev said that manually surveying a single, smaller environment as a representative sample and comparing its results to those of an ACDI for verification would be more doable. 

“After that, you would really deploy the tool, trusting that it’s going to scale similarly to what you've seen in your sandbox environment as you were playing with the tool initially,” he said. 

The report authors also noted that this is purely a report from the government to Congress, not mandated guidance.

“With regards to the inventory requirement, a comprehensive inventory requires both manual and automated efforts,” an OMB spokesperson told Nextgov/FCW. “Automated inventories reduce workload and allow agencies to identify gaps they may have missed in their manual inventories. However there are some devices and parts of the network that can’t be captured by automation, so a manual inventory is still essential.”

To Sovada, however, the semantics are inconsequential. 

“When I talk to agencies and departments, they see it as guidance they need to follow and it doesn't specify a manual inventory for those devices and parts of the network you can't catch with an automated inventory,” she said.