The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance that critical infrastructure organizations should follow to prepare for a smooth migration to post-quantum cryptography. The National Institute of Standards and Technology (NIST) is expected to publish the final standards in 2024.
CISA's advisory describes the potential impact of quantum computing on current cryptography and recommends actions that critical infrastructure and government network operators should take now.
CISA based the recommendations on an analysis of the 55 National Critical Functions (NCFs), the quantum-related weaknesses of each, and the steps that would mitigate them and ease the transition to post-quantum cryptography.
Quantum computers exploit quantum-mechanical effects to run certain algorithms far faster than classical machines. Headline figures such as "158 million times faster than today's most powerful supercomputers" apply only to narrow benchmark problems and say little about general computing. What matters for cryptography is that Shor's algorithm solves integer factoring and discrete logarithms in polynomial time, and those are exactly the problems on which today's public key algorithms rest.
Experts therefore expect a sufficiently large, fault-tolerant quantum computer to break asymmetric algorithms such as RSA, Diffie-Hellman and the elliptic curve schemes (ECDH, ECDSA), which applications use for key exchange and digital signatures, regardless of key size. Symmetric algorithms such as AES, which rely on a single secret key shared by sender and receiver, are only weakened: Grover's algorithm nominally halves the effective key length, so AES-128 falls to roughly 64 bits of security while AES-256 keeps about 128. Symmetric cryptography can therefore weather quantum computing by moving to longer keys, with no change of algorithm.
While quantum computing power will be economically beneficial, it also threatens the safety and integrity of data protected with public key algorithms.
“While post-quantum computing is expected to produce significant benefits, we must take action now to manage potential risks, including the ability to break public key encryption that U.S. networks rely on to secure sensitive information,” said Mona Harrington, acting Assistant Director of CISA's National Risk Management Center.
Quantum computing threatens critical infrastructure and national security
Once a cryptanalytically relevant quantum computer exists, Shor's algorithm will break the public key algorithms that protect sensitive data related to NCFs, from TLS key exchange to code-signing and certificate signatures.
Private companies and nation-state actors, including those interested in cyber espionage, seek dominance in quantum computing.
“In the hands of adversaries, sophisticated quantum computers could threaten U.S. national security if we do not begin to prepare now for the new post-quantum cryptographic standard,” CISA wrote.
However, CISA states that “quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist.” Businesses and critical infrastructure operators therefore still have a window in which to transition to post-quantum cryptography before the technology matures and proliferates.
“Critical infrastructure and government leaders must be proactive and begin preparing for the transition to post-quantum cryptography now,” Harrington said.
CISA identified 55 NCFs that connect, distribute, manage, or supply critical goods or services. Each function faces its own risks from quantum computing's ability to break current public key standards.
“NCFs are the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or a combination thereof,” CISA wrote.
Post-quantum cryptography transition bottlenecks
CISA stated that dependence on geographically dispersed and vulnerable industrial control systems (ICS) would complicate the transition. The same concern applies to the many critical infrastructure organizations that depend on Internet of Things (IoT) devices, which, like ICS equipment, are widely deployed and long-lived and so cannot be upgraded quickly.
CISA listed 18 NCFs that depend on ICS, including water supply, electricity generation, distribution, and transmission entities, transportation, and management of hazardous materials.
NCFs that handle information with long secrecy lifetimes face the greatest risk from quantum computing and will need continued support in the post-quantum era. These organizations hold confidential data for long periods, such as trade secrets and personal and health information, and that data must remain secret even after a quantum computer capable of breaking today's public key algorithms arrives.
The agency enumerated nine NCFs dealing with long secrecy lifetime information, including law enforcement, community health, internet communications, wireless access networks, defense support, and medical records access systems.
CISA warned that threat actors can already run “catch-and-exploit campaigns” (more commonly called harvest-now, decrypt-later attacks): they collect encrypted traffic and data today and store it until quantum computers can break the public key cryptography that protected it. Data whose secrecy lifetime extends past that point is exposed even though it is encrypted now.
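The two points above, that only public key algorithms are broken outright while symmetric keys are merely halved in strength, and that long secrecy lifetimes create harvest-now, decrypt-later exposure, are easiest to apply as a triage rule over a cryptographic inventory. The following Python script is an added example, not code from CISA's guidance. It assumes a simple asset record (name, algorithm, key size, required secrecy lifetime in years), uses Mosca's inequality (secrecy lifetime + migration time > years until a cryptanalytically relevant quantum computer) for the harvest-now test, and the planning horizons and the sample inventory are constructed for illustration.

```python
"""Triage a cryptographic inventory by quantum exposure (added example)."""
from dataclasses import dataclass
from typing import List

# Public key schemes whose hardness assumption (factoring or discrete log)
# Shor's algorithm defeats in polynomial time, regardless of key size.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "ED25519", "ED448"}
# Symmetric ciphers and hashes: Grover's algorithm only halves the
# effective key / preimage strength, so a longer key is the fix.
GROVER_HALVED = {"AES", "CHACHA20", "SHA256", "SHA384", "SHA512", "SHA3-256"}

MIN_PQ_BITS = 128  # effective strength we still treat as adequate (assumption)


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    key_bits: int
    secrecy_years: int  # how long the protected data must stay confidential


@dataclass(frozen=True)
class Finding:
    name: str
    pq_strength_bits: int
    action: str
    harvest_risk: bool


def post_quantum_strength(algorithm: str, key_bits: int) -> int:
    """Effective security level in bits against a large quantum computer."""
    alg = algorithm.upper()
    if alg in SHOR_BROKEN:
        return 0                  # broken outright, key size is irrelevant
    if alg in GROVER_HALVED:
        return key_bits // 2      # Grover: 2^(n/2) work instead of 2^n
    raise ValueError(f"unknown algorithm: {algorithm}")


def exposed_to_harvest(secrecy_years: int, migration_years: int,
                       crqc_years: int) -> bool:
    """Mosca's inequality: ciphertext recorded today is at risk if the data must
    stay secret longer than the time left before a CRQC exists, once the
    migration time is taken into account (X + Y > Z)."""
    return secrecy_years + migration_years > crqc_years


def classify(asset: Asset, migration_years: int, crqc_years: int) -> Finding:
    strength = post_quantum_strength(asset.algorithm, asset.key_bits)
    if strength == 0:
        action = "migrate to a post-quantum algorithm"
        # Only confidentiality is exposed retroactively: recorded ciphertext can
        # be decrypted later, whereas a signature cannot be forged after the fact.
        harvest = asset.secrecy_years > 0 and exposed_to_harvest(
            asset.secrecy_years, migration_years, crqc_years)
    elif strength < MIN_PQ_BITS:
        action = f"increase key size (effective {strength} bits under Grover)"
        harvest = False  # Grover-limited brute force is not treated as harvestable
    else:
        action = "adequate"
        harvest = False
    return Finding(asset.name, strength, action, harvest)


def inventory_report(assets: List[Asset], migration_years: int,
                     crqc_years: int) -> List[Finding]:
    """Findings sorted so harvest-exposed assets come first, then weakest first."""
    findings = [classify(a, migration_years, crqc_years) for a in assets]
    return sorted(findings, key=lambda f: (not f.harvest_risk, f.pq_strength_bits))


# Constructed sample inventory; names and lifetimes are illustrative only.
SAMPLE_INVENTORY = [
    Asset("Medical records archive (TLS RSA key exchange)", "RSA", 2048, 30),
    Asset("Trade secret vault (data at rest)", "AES", 256, 25),
    Asset("ICS historian backups", "AES", 128, 15),
    Asset("Firmware signing key", "ECDSA", 256, 0),
    Asset("Wireless backhaul key exchange", "ECDH", 256, 2),
]

if __name__ == "__main__":
    # Assumed planning horizons: 5 years to migrate, CRQC assumed 10 years out.
    for f in inventory_report(SAMPLE_INVENTORY, migration_years=5, crqc_years=10):
        flag = "HARVEST-NOW RISK" if f.harvest_risk else ""
        print(f"{f.name:50s} {f.pq_strength_bits:4d} bits  {f.action:55s} {flag}")
```

Running it with the assumed horizons puts the 30-year medical archive at the top as harvest-exposed, marks the ECDSA and ECDH assets for migration without the harvest flag (no confidentiality requirement, or a short one that fits inside the horizon), asks for a longer key on the AES-128 backups, and leaves AES-256 alone. Real inventories should be generated from configuration and certificate scans rather than typed in, but the triage rules are the same.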
CISA also noted that migrating a few priority NCFs first would ease the migration of the others that depend on them, reducing the overall risk posed by quantum computing.
Separately, U.S. legislators introduced the Quantum Computing Cybersecurity Preparedness Act in the House in April 2022, and the House passed it in July 2022. The bill addresses the migration of executive agencies' information systems to post-quantum cryptography.