Quantum security experts are in step with NSA’s PQC timeline
In recent months there has been a growing sense of urgency in the U.S. around post-quantum cryptography (PQC), with the Biden White House and groups like the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) urging government agencies and other organizations to prepare to protect themselves from the security threats posed by quantum computers.
Into that environment the NSA recently issued an advisory, the Commercial National Security Algorithm 2.0 (CNSA 2.0), that might have seemed like a head-scratcher at first. It included, among other preparation requirements, a timeline to complete the transition to PQC for “national security systems (NSS) and related assets” by 2035. Setting a deadline that is more than 12 years off may seem like the opposite of urgency (and initially a few industry watchers privately expressed their surprise to IQT regarding this particular detail). However, in the weeks since the early September NSA announcement, IQT has spoken to security experts at several companies who indicated that the timeline is entirely appropriate, given the amount of work that lies ahead for a proper migration from legacy encryption, and given that new technology deployment by government agencies rarely moves swiftly.
“It is understandable that the U.S. government has instituted such long timelines to transition to PQC because it is one of the largest and most complex organizations in the world with elaborate processes to define their strategies, budgets, requirements, and priorities,” said Jen Sovada, President of the Public Sector at SandboxAQ, and also a retired U.S. Air Force Colonel. “They also have some of the most intricate and interconnected global networks that must be available continuously. Despite the extended adoption timeline, the U.S. government is starting to transition now to PQC to defend against catch and exploit campaigns, also known as store now decrypt later attacks, so that as fault-tolerant, error-corrected quantum computers emerge, they will be protected.”
She added that the NSA CNSA 2.0 document has not slowed agencies in the federal government that already were working to be early adopters of PQC. “We are already working with many early adopters while also helping to educate those who are unfamiliar with the technology. If anything, the timeline has helped align our priorities and push for early adoption of PQC migration strategies across the federal government.”
Duncan Jones, Head of Cybersecurity at Quantinuum, agreed, saying, “There are no major surprises here. On the whole, the guidance is sensible and in keeping with similar guidance from CISA and related organizations. The NSA’s 2035 deadline is consistent with the requirements in the national security memos issued earlier this year.”
Jones added that even if 2035 sounds a long way off, the most critical NSS assets will have the highest priority as migration efforts begin. “Thirteen years may sound like a long time, but it will arrive very quickly. Migration cannot happen all at once, so critical systems should be migrated well ahead of that date. In short, the 2035 deadline will not slow down adoption.”
Instead, the CNSA 2.0 document and its stated timeline should lend more focus to the whole effort to migrate government systems to PQC, and highlight the critical need for it. Skip Sanzeri, Founder, Chairman, COO and Chief Revenue Officer at QuSecure, said, “The fact that the NSA has now declared the date means that they have balanced between something very important that needs to get done and the capabilities of federal agencies to comply.”
He explained, “What I mean by that is it may take 10 years for many of these agencies to complete an upgrade so we are sure the NSA would have liked to push things faster, but if an agency is not capable of upgrading more quickly then this is about the best that can be done.” Sanzeri said the NSA essentially has mandated PQC, and stated that the migration should be approached with a sense of urgency, but with the understanding it should be completed “by 2035 at the latest. Cryptography is complex, and many agencies don’t have a comprehensive account of all of the cryptography that they’re using. Ten years is a minimum time for a large government agency to upgrade. So again, the NSA really could not force federal agencies to move faster even if they wanted to.”
Meanwhile, Helena Handschuh, Security Technology Fellow, explained how focusing too much on the 2035 deadline overlooks what will actually happen during the transition. Early on there are likely to be hybrid approaches, “one regular algorithm in combination with one PQC algorithm,” she said, which makes systems more agile and gets them in position to switch the algorithms they use when needed.
During the next 3-5 years, as NIST completes work on the initial PQC encryption and digital signature standards it announced in July, the focus will be on picking a PQC solution and beginning the migration, Handschuh said. “For hardware this can mean start looking at IP selection and integration now as it can take a few years for new hardware to be built and to hit the market. It will be key to have a deprecation strategy for regular algorithms in 5-7 years from now, and completely switch over and remove today’s public key algorithms in 7-10 years in the future. The NSA has such a timeline, and other agencies across Europe and Asia have similar approaches and timelines.”
She concluded that this timeline puts “the horizon for dropping today’s public key algorithms… somewhere between 2030 and 2035.”
It is understandable if government agencies and corporate enterprises remain unsure about how quickly to proceed in adopting PQC, as there are not yet a lot of publicly-celebrated role models and case studies covering successful PQC implementations. In fact, the history of security technology transitions suggests they can take decades and still have less than total migration. Also, NIST will still be finalizing the recently chosen standards for about another year and a half to two years, so there still could be changes or updates to those algorithms.
Johannes Lintzen, managing director at Cryptomathic, noted, “Generally speaking, rushing towards becoming an early adopter has its risks. But so does inaction. Many organizations are finding themselves at this challenging crossroad. For one, the chosen algorithms will take another 24 months or so to be fully implemented and available in broad commercial applications.”
He added, “Furthermore, community evaluation and analysis of the chosen cryptosystems is ongoing, and it is entirely possible that in the time it takes to finalize the standardization process, other methods of breaking the candidate algorithms will be found and published by researchers. Keep in mind that updates and changes to algorithms and how they are being implemented and used have been going on for a long time. Take changes to symmetric algorithms as an example. Over time the industry has migrated from DES to 3DES and eventually AES. There are other examples in hashing algorithms as well as asymmetric algorithms. Organizations in the field of commercially available cryptographic solutions have long been able to provide tools to manage the process of constantly upgrading and managing evolutions in cryptographic algorithm change–the term broadly used is ‘cryptographic agility.’ This approach will help organizations balance the need to take early action with being able to maintain flexibility around changes as and when they happen.”
While the NSA mentioned a PQC migration deadline that lies more than 12 years off, it sounds like it is going to be a busy and eventful 12 years or so to come.
For more commentary from these sources and others about key issues related to the PQC transition, watch for my next IQT Pro story in mid-October.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.