‘Store now, decrypt later’

Zhanna L. Malekos Smith

The Biden administration’s new National Security Strategy and National Defense Strategy highlight how competitors are undermining the U.S. military’s operational, logistical and information advantages. The leading technological risks the United States faces are the ongoing need to develop national cyber resiliency, such as employing zero-trust architecture and quantum systems; building secure technological supply chains that promote global interoperability and vendor diversity; and managing the risk of escalation in cyber and information operations. Of these three strategic areas, augmenting national cyber resiliency is arguably the most critical — especially in defending against “store now, decrypt later,” or SNDL, attacks.
Opponents are waging SNDL attacks against the United States, exfiltrating and storing encrypted data today to decrypt it in the future using post-quantum cryptography (PQC) algorithms. PQC refers to a technological milestone when advanced quantum computers attain “a sufficient size and level of sophistication” and can break classical public-key encryption methods that secure our internet-based communications and financial transactions.
By their very name, SNDL attacks focus on playing the long game and exploiting delays in implementing more advanced security protocols. Imagine this: Even if Country A manages to transition 100 percent of its protocols to PQC algorithms in 2023, all of Country A’s data stolen in the years prior during Country B’s SNDL campaign remain vulnerable. In other words, upgrading the lock on the barn door may help protect the horses still inside, but it won’t return the stolen horses.
Some scholars are skeptical of the likelihood of states developing cryptanalytically relevant quantum computers and criticize the so-called quantum hype as a “funding frenzy.” The White House’s fact sheet on quantum technologies rebuts this, however, by noting this technological milestone is attainable “at some point in the not-too-distant future.”
Further, the Biden administration’s May 2022 executive order and two national security memorandums on quantum computing describe post-quantum systems as “cryptanalytically relevant quantum computers,” meaning they could pose significant national, economic and cybersecurity risks to the United States by weakening present public-key cryptography. The memorandum on promoting U.S. leadership in quantum warns that PQC is a significant security risk to cryptographic systems that safeguard supervisory and control systems to critical infrastructure, and also secure military and civilian communications.
Apart from the United States, the European Union is also concerned about the risks of PQC. In October, the European Union Agency for Cybersecurity (ENISA) published a report on the need to create cryptographic protocols and prepare for post-quantum resilient systems. ENISA reasons that even if the transition to new quantum-resistant cryptographic algorithms takes years, perhaps due to financial and technological barriers, “we still need to anticipate this [transition] and be prepared to deal with all possible consequences.”
Preparation is a quintessential element of success. As Anne Neuberger, deputy assistant to the U.S. president and deputy national security adviser for cyber and emerging technology, announced during a panel at CSIS, “The process of rolling out new encryption that can defend against a potential quantum computer is not a one-year effort; it’s a lengthy effort.”
Transitioning critical infrastructure toward federally approved PQC standards is not a minor undertaking. Rather, it is a complex and delicate challenge that cuts across the public and private sectors. From a design thinking perspective, the major hurdles to transitioning to PQC algorithms can be distilled down to technical, cost, schedule and programmatic risk. As an initial planning framework, policymakers should focus on addressing these four considerations in engaging with stakeholders and building trust around upgrading vulnerable systems and infrastructure.
For example, under the auspices of the National Quantum Initiative program, policymakers could incentivize industry to adopt, at a minimum, the first set of PQC algorithms developed by the National Institute of Standards and Technology last summer. According to Susan M. Gordon, former principal deputy director of national intelligence, and Adms. Mike Rogers and John Richardson, “Major global banks, telecoms, health care providers and other enterprises are already beginning the transition to PQC,” reports Cyberscoop.
While it may not be technologically feasible to return the stolen “horses” to the barn, improving our locks with PQC algorithms is essential for defending against SNDL attacks and promoting national cyber resilience.