Recently, the Biden White House issued an Executive Order about the new visibilities and actions required by US government departments within a 6-month window, for an inventory of cryptography that is currently not post-quantum ready.
Many have been calling for this preliminary action for some time, particularly in light of the ‘harvest and decrypt’ scenario that we discussed here. We expect that this US government initiative will be followed by other like-minded governments and industries around the world. We see the Biden Executive Order as a positive and necessary first step in creating an inventory of quantum-safe cryptography. We, like others, hope this necessary metric will serve to begin the measurement of the progress required to shore up the security and strength of this critical digital line of defense.
Technological Next Steps
But once the inventory and priority of operations list is compiled, an important next step is the selection and implementation of the technologies and capabilities required to meet this evolving front or theatre of concern.
Many may still regard this next step as premature and, in any event, one that the market will simply address in due course. We have spoken in prior blogs on the timelines and coordinated actions required for this to be a reliable, insurable, and reasonable approach. We continue to believe that proactivity is required by the demand side, as being early here is not a market failure, but being late will be.
As the pace of breakthroughs in the quantum-computing field accelerate; as each new stable qbit doubles computational power; and as stable run times for processing continue to increase, a specific and narrow target of cracking weakly implemented and defended public and private key pairs will continue to increase as an attack vector.
Software updates assured by digital roots of trust that are not seeded with prior post-quantum capabilities in their silicon are known and proven to be vectors of concern. Given the distributed and weakly-owned nature of our cryptographic infrastructures, we expect this aspect to be increasingly discussed – and hopefully hardened.
Our approach planned in advance for this.
We also expect that relentlessly increasing quantum-compute performance windows will intensify the need for additional updates, patches, and improvements to post-quantum algorithms. What was old needs to become new again.
Since we cannot afford constant cycles of like for like replacements similar to the current approaches used in our IT/OT stacks, a static silicon-based root of trust will quickly become part of new vulnerabilities if not carefully future-proofed.
Absent new approaches, we predict that current participants in our IT/OT ecosystems will each need to acquire new, expensive, and scarce cryptographic competencies to navigate and execute on these very critical challenges. To better understand the risks and costs of this predicament, just imagine if you couldn’t update your software infrastructures on a timely basis for new vulnerabilities (i.e. like those of the SolarWinds or the recent log4j vulnerabilities).
Priority: Planning Ahead
Cryptographic agility will be challenging enough for software stack infrastructures, but when it comes to uplifting the static silicon-based hardware all of this runs on, the challenge appears to be orders of magnitude more complex and time-consuming.
Careful planning for agilities in the new post-quantum capable digital roots of trust that underpin our software-dominated economies will be paramount.
Thanks for reading.