Quantum computing processor showing encryption algorithms

A Legal View of New NIST Quantum-Resistant Algorithms

Insufficient – Even If They Work

How to lose your company in a data breach:

  • Step 1: Suffer a data breach (which almost all companies have or will);
  • Step 2:  Get sued by plaintiff’s lawyers waiting to pounce or, worse, an Attorney General or regulator;
  • Step 3:  Be found not to have met the applicable “standard of care;”
  • Step 4:  Pay up, and possibly lose your business.

“Standard of Care?”, you say. What’s that and why should I care? And where does NIST fit in?

“Standard of Care” is legalese for the minimum an organization must do to have acted “reasonably” in a lawsuit. In most data breach cases, if you are found not to have acted reasonably, e.g., by not employing sufficiently strong encryption, you likely will have to pay economic damages, sometimes reaching bet-the-company territory. Damages and penalties in a cyber breach case likely will reach $1 billion this decade.

But what is “reasonable” when it comes to meeting the applicable data-protection standard of care? Over my two decades practicing data protection and cybersecurity law, there has never been a universally accepted standard of care for data protection. One requirement that is widely accepted is that a company must use reasonably secure encryption for data in transit and at rest. Easy, just define “reasonably secure encryption” and we’ll know how to meet the standard of care and protect our companies and customers.

For most of this century, several encryption algorithms have been blessed by the U.S. National Institute of Standards and Technology (NIST) for specific uses. Though without direct legal authority over private-sector entities, NIST approves encryption standards for much of the U.S. Government and NIST’s encryption standards have been adopted by much of the private sector. As such, most courts likely would find that compliance with NIST requirements meets the standard of care.

But recognizing the existential threat to current encryption posed by advances in quantum computing, NIST in 2016 initiated a competition for new “quantum-resistant” algorithms. In July 2022, NIST announced new encryption algorithm candidates and backups (“candidate algorithms”), planning a final decision for 2024. Great! All we have to do is adopt what NIST decides and we’re good, right

Not so fast. First, it is likely the candidate algorithms will be broken by our adversaries. How does a simple country lawyer (neither mathematician or cryptographer) know this? Two of the NIST-selected algorithms already have been broken, mere weeks after being announced. And it is certain that numerous nation-states and other adversaries are devoting massive resources to break them all.

More importantly, none of the candidate algorithms are intended to address the biggest threat to corporate and customer secrets – the massive amounts of sensitive data stored “at rest” by almost every company. The candidate algorithms are intended to replace those currently used for: (1) data in transit over the public internet; and (2) digital signatures used for authentication. They are not intended to address encryption schemes for data stored by businesses. And, as Willy Sutton said about banks, that’s where the money is. Think about it: ransomware purveyors generally don’t lock up your data in transit to cripple your enterprise; they target all the data you are storing.

The new NIST candidate algorithms do not address this threat at all. The current standard for stored-data encryption is widely accepted to be a version of the so-called Advanced Encryption Standard (AES), developed by NIST in the late 1990s and used by much of the U.S. Government. But AES, too, is likely to be become vulnerable to quantum-based attacks (though experts can’t agree if such threats are days or decades away or are already here).

So, how to get ahead of quantum threats to stored data? First, ensure stored data is currently protected by the strongest encryption reasonably feasible for your company’s operations and needs. Second, consider a transition to “One-Time Pad”-based encryption (OTP). OTP is widely accepted as the gold standard for encryption of data at rest. OTP has been used by intelligence agencies for at least a century and is thought to be unbreakable if properly deployed, even by future quantum computers. Important Caveat: As with all encryption schemes, OTP-based encryption is only as strong as the technical, personnel, and administrative measures deployed around it, e.g., strong key management, rigorous personnel vetting, and security training and awareness. Until recently, OTP-based encryption has been considered insufficiently scalable for enterprise-wide deployment, but recent advances in mathematics and technology are changing this.

The bottom line for CPOs, CISOs, and C-Suite officers on the hook to ensure the security of their company’s and customer’s data: NIST’s quantum-resistant algorithm development efforts are necessary, helpful, and bear watching, but not sufficient to protect your enterprise. Meanwhile, the clock towards quantum-based encryption attacks is ticking and out-of-the-box thinking, including about OTP-based solutions, is warranted.