Insight #1 – Quantum Computing is Coming

The mere existence of this FAQ means the NSA believes that quantum computing is coming – and that it’s now time to prepare systems to safeguard against it. It took the industry almost 20 years from the early 2000’s to switch to today’s cryptography – and today’s environments are way more extensive, integrated, connected, distributed, and innovative. I will go on record now as saying with certainty that we will have quantum computers or processing environments that break today’s cryptography within the next 20 years! Given that it will take at least 10 years to elevate to PQC, organizations should implement a crypto agile foundation.

Insight #2- NIST Will Lead, NSA Will Follow

A trend in the FAQ is that NSA will follow the NIST’s process and adoption of the upcoming new PQC algorithms, and so should you. Whether discussing cryptographic requirements, acceptable algorithms, or potential timelines, NSA defers to NIST and their post-quantum efforts. In particular, NSA is trusting NIST to select the algorithms that will be used to secure National Security Systems (NSS). We anticipate finalization of initial PQC standards in the 2023 timeframe.

Insight #3- Hash-based Signatures Provide Post-Quantum Readiness Now

NIST has stated that certain Hash-Based Signatures (HBS) are post-quantum ready. These signatures are based on very well understood algorithms and have been blessed by the cryptographic community as being quantum-resistant. Deploying these techniques to secure firmware now is one way to embark on the  quantum safe path. NSA agrees and supports the use of these algorithms in use cases such as signing firmware. Read more about what it means to be “Quantum safe now” here.

Insight #4 – Not Everything Needs to be Quantum

There are lots of things to do to prepare for a quantum safe state, but you do not necessarily have to adopt or deploy every “quantum” technology presented to you. For example, NSA thinks Quantum Key Distribution (QKD) is not there yet- and may never be realistically implemented at scale.

While some countries are assessing the QKD route for encrypting certain digital events, the NSA aligns with NIST in advising organizations to implement the use of PQC (post-quantum cryptography) to secure digital events instead. From a theoretical point of view, quantum mechanics should confer QKD an absolute security. But from a practical point of view, QKD is currently very far from having attained its theoretical security potential.

Insight #5 – Start with Where You Stand

We think a very practical first step is to first take stock of where your current cryptography is and how it is managed and used in your organization and supply chains.

In my next blog, I will talk about why this is an excellent first step, what information and control outcomes you will want to achieve, and how this provides a new foundation to elevate your digital trust for quantum preparedness.

Message Decrypted

The bottom line from NSA’s FAQ is that Quantum Computing is coming, and it’s time to start preparing for it.
Check back on this blog regularly as we will be talking about what work needs to be undertaken to be prepared for new advantages and new risks.