The waiting game is over: The National Institute of Standards and Technology (NIST) Post-Quantum Cryptography algorithms (PQC) have been selected. Now is the time for your organization to decide whether to lead or get left behind. Establishing a foundation of trust and protecting your digital information and infrastructure with these new standards is crucial. Prepare to take the necessary steps.

Scientists have shown that quantum computers have the capacity to break public key cryptography, including algorithms such as RSA and ECC. These algorithms are crucial for securing communications and implementing digital signatures across the entire Internet and within countless organizations worldwide.

NIST collaborated with the world-wide cryptographic community for the past eight-years in the development of new cryptographic algorithms, known as the PQC standards. Throughout this extensive journey, NIST and the cryptographic community leveraged its deep technical understanding of mathematical principles and quantum computing to develop robust standards. During this process, several algorithms were broken, ultimately leaving only the most advanced and secure results for the standards to replace public key cryptography in use today.

While NIST should be applauded for laying the strong foundation for quantum resistant cryptography, this marks the initial phase for most organizations. Significant effort lies ahead to establish a cryptographic framework that ensures security and trust for information and infrastructure within organizations based on these standards.

This endeavor transcends technological challenges, encompassing leadership, governance, personnel, processes, operations, and supply chain considerations established through risk management decisions. This is also an opportunity to build resilience into an organization’s framework by eliminating algorithms and products that fail to meet requirements and supporting solutions rooted in organizational cryptographic governance.

The time for action is now, and the urgency to commence this extensive effort cannot be overstated. Embracing these new standards entails substantial work, but it is essential for maintaining the integrity and security of digital operations in an increasingly complex landscape.

There are steps organizations must take to become a leader. Like many other digital initiatives, it begins with robust risk management. It is crucial to understand which information is being protected by cryptography. Cryptography can be used to provide confidentiality for information whether it is in transit or when it is stored. Additionally, it provides integrity and supports digital signatures among other capabilities. Determining how long the information needs to be protected is also essential.

Setting up a governance program for cryptography may be new for many organizations. However, as cryptography is an indispensable cybersecurity capability and the number of cryptographic algorithms and related tools continues to grow, implementing a governance program will simplify management. Governance helps ensure consistency, enhances compliance with industry standards, mitigates risks associated with outdated or vulnerable algorithms, and supports the adoption of new and secure cryptographic solutions. It builds resilience into your framework by systematically evaluating and updating cryptographic practices.

Executive leadership is crucial to establishing effective risk management and governance for cryptographic changes. Cryptography touches all business functions within an organization, ensuring the security of communications, data storage, and transactions. Leaders must prioritize and drive the adoption of a robust cryptographic framework to protect their sensitive information and ensure organizational resilience. Their involvement is essential to foster a culture of security and compliance, allocation of necessary resources, setting clear policies, and guiding the organization through the complex landscape of cryptographic transformation.

From a technical perspective, it is crucial to identify the algorithms an organization uses across software, hardware, and firmware. This includes understanding the cryptographic protocols in use and other related tools through the entire infrastructure. Additionally, it is important to evaluate the strength and suitability of these algorithms, ensure proper key management practices, and assess the integration and configuration of cryptographic components to maintain security and performance standards.  

Working with industry, NIST’s National Cybersecurity Center of Excellence (NCCoE) has launched the Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography project to help organizations identify where and how they are using cryptography. This project emphasizes the use of automated cryptographic discovery tools to identify quantum vulnerable algorithms used in sectors like the U.S. government, financial services, information technology and telecommunications. Moreover, it unites hardware, software, and cloud providers to conduct interoperability and performance testing of quantum-safe standard implementations, addressing any identified gaps to accelerate the adoption of PQC standards.

This is not only an introspective look at your organization. It is essential to collaborate with suppliers and other third parties. Communication with your software and hardware vendors and understanding the timing of their implementation is clearly important to create your plan, but this communication also goes one step further. In recent years, we have seen a major uptick in attacks aimed at the supply chains including attacks to outdated encryption products. The effort of protecting your own assets can be lost if your contractors and vendors do not also take adequate steps. Building PQC clauses into contracts will help ensure that everyone on your systems is taking the steps necessary to protect your systems.

In addition to planning for new PQC standards, this is a time to deprecate cryptography that does not meet today’s policy and regulatory requirements but somehow has managed to burrow into an organization’s infrastructure. It is also a time to plan for agility and resiliency in strong key management solutions. This resiliency can be achieved through a combination of robust PKI and other symmetric-based solutions or emerging technologies like quantum key distribution (QKD).

Donna Dodson is a Fellow with the Center for Cybersecurity Policy & Law. Ari Schwartz is coordinator for the Center. 

Donna Dodson & Ari Schwartz

Read Next

Risks Associated with IT Monoculture Needs Further Examination

IT concentration risk is a relatively new term but due to recent cyberattacks it has been front and center. To examine the issue the Center conducted an exercise to look at the threats of IT concentration risk and offer recommendations.

Addressing Concentration Risk in Federal IT

The Center conducted a multi-stakeholder tabletop exercise in April to explore a form of concentration risk where a single software, configuration, service, or hardware becomes dominant in an ecosystem.

Breaking the endless loop and reframing the encryption debate

Encryption advocates and law enforcement are stuck in an endless loop when it comes to debating encryption. It's time for industry and law enforcement to sit down, discuss challenges, listen to one another, and work together to create solutions.