Federal Government Gets Serious About Post-Quantum Encryption Protection

hh5800/Getty Images

A Phase III PQE contractor talks about getting federal quantum protection deployed quickly. 

There is a Chinese proverb that states that the best time to plant a tree was 20 years ago, while the second best time to plant one is right now. Given the quantum arms race going on between the United States and its potential rivals, the same can probably be said about post-quantum computing cybersecurity. And the government is now doing everything it can to get a program in place as quickly as possible.

There have already been mandates, proposals and studies. Earlier this year the White House mandated post-quantum cybersecurity—or PQC—via the National Security Memorandum “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.” And in Congress, the Quantum Computing Cybersecurity Preparedness Act would direct the National Institute of Standards and Technology and the Office of Management and Budget to develop mitigation measures for post-quantum cryptography. Meanwhile, the Department of Homeland Security worked with NIST to develop a roadmap toward better agency protection.

Planning for a safer future is good, but action is better. That is why the federal government awarded a rare Small Business Innovation Research (SBIR) Phase III contract to post-quantum cybersecurity company QuSecure. The sole-source contract, the first and only one issued for PQC, calls for the company to develop an end-to-end solution for post-quantum cybersecurity that can be deployed to federal agencies as quickly as possible. 

Nextgov talked with QuSecure Co-Founder and COO Skip Sanzeri about the need for federal cybersecurity protections that can survive in a world where powerful quantum computers can shred today’s most advanced encryption.

Nextgov: Can you first explain what the awarding of a Phase III contract means for post-quantum protections?

Sanzeri: The Phase III award is a mechanism to allow a small technology company to move to the top of the heap and become a prime contractor, in order to supply vital technologies that can be used by the government without the typical bureaucracy or red tape. QuSecure sees this Phase III as an instance where the government recognizes the gravity of the coming situation where quantum computers will crack current encryption.

Nextgov: I am glad you brought up those dangers. One that has been talked about a lot here at NextGov is the fact that foreign governments are attempting to steal government data right now in hopes that they can store it and crack it later when better quantum computers are available. How important is it that we apply quantum resistant protections to government data right now?

Sanzeri: These “store now, decrypt later” attacks are the biggest reason to start upgrading networks and communications to post-quantum cybersecurity. Foreign nation states are stealing data every second of the day. That data is harvested and stored on computers waiting to be decrypted. And quantum computers will [one day] be able to crack that encryption.

For example, if a quantum computer with enough power to crack encryption is developed in five years, data stolen today would still be very valuable if it has 10, 20 or more years of shelf life. And national security secrets, bank account information, and electronic health records may have data security requirements of up to 75 years. Making matters worse, many experts estimate that changing our current encryption across an enterprise or government agency could take as long as 10 years. Adding this to the shelf life of data means that there are 10 more years of exposed data which attackers can weaponize or use against us. 

In many cases, we are already behind. 

Nextgov: Putting aside the “steal and store” attacks for a moment, how long do you think we have before quantum computers can crack AES-256 or other strong encryption?

Sanzeri: At this point, quantum computers are not strong enough to crack our current encryption. Via an algorithm written by Peter Shor, it was mathematically proven that in order to crack current RSA 2048 encryption, you would need about 4,100 qubits. We are in the 100-qubit era now, but advancing rapidly. Many believe that we will have a powerful enough quantum computer in the next three to five years to crack encryption. Some say it will take longer, but nonetheless most data needs to be protected for 25 years or more. IBM, Google, PsiQuantum, Rigetti, and IonQ all have 1,000 qubit computing roadmaps by 2025.

Nextgov: How does your technology work to protect data from quantum-based and encryption-breaking attacks?

Sanzeri: To protect against quantum computers, we need to change encryption and use quantum keys to ensure that data and communications are secure from quantum attacks. QuSecure has an end-to-end post-quantum cybersecurity orchestration platform called QuProtect, which enables organizations for the first time to leverage quantum resilient technology to help prevent today’s cyberattacks, while future-proofing networks and preparing for post-quantum cyberthreats. 

It provides quantum-resilient cryptography, anytime, anywhere and on any device. QuProtect uses an end-to-end, quantum-security-as-a-service (QSaaS) architecture that addresses the digital ecosystem’s most vulnerable aspects, uniquely combining zero-trust, next-generation post-quantum-cryptography, quantum-strength keys, high availability, easy deployment, and active defense into a comprehensive and interoperable cybersecurity suite. The end-to-end approach is designed around the entire data lifecycle as data is stored, communicated and used.

Nextgov: So government will be able to protect its data both in transit and at rest from quantum attacks?

Sanzeri: Yes. Our QuProtect software-only security architecture overlays current infrastructure and protects data in motion, in use, and at rest—on any system, anywhere—from existing and emerging cyber-threats. We utilize NIST algorithms, quantum random number generation and proprietary software applied to communications and data, in order to protect it against quantum attacks. We also have backwards compatibility with our own proxy which translates between TLS layers and post-quantum encrypted communications. This combination of tools enables us to protect communications, data in transit, and data at rest.

Nextgov: Not to be a skeptic, but given that quantum computers rely on various different kinds of technologiessome are mechanical, some are electricaland the fact that their capabilities are constantly expanding, how can you test your protections against that future threat and guarantee federal data protection?

Sanzeri: Very good question. At this point in time, no one has a quantum computer powerful enough to test encryption, and if we wait until we have that quantum computer, it will be too late. The best we can do at this point is to show how current classical cyberattacks can make data and communications vulnerable, then we can show the same classical attacks will not work against quantum resilient communications and data. 

Additionally, we must rely on organizations such as NIST, which spent over six years studying algorithms to find algorithm candidates that would withstand quantum computing attacks. Fundamentally, those algorithms have changed to be very complex, such as latticed-based infrastructures that mathematically can withstand quantum attacks. But that’s the best that anybody can do at this time.

Nextgov: Okay, so how long will it be before anti-quantum protection is widely available for deployment across the federal government?

Sanzeri: QuSecure will have this first production version of quantum resilience available for government purchase in less than six months. And we intend on adding many features to the initial system in future months that will make the system more robust and scalable. 

However, even with this rapid availability, it will still take years to deploy post-quantum cybersecurity across vast government networks—so that is the entire reason to start early. QuSecure’s solution is mostly software-based and can scale out to IoT and other end devices very quickly to create secure quantum communications. So once decisions are made, scalability and adoption will happen very quickly. 

We’re hoping that the federal government continues its rapid ascent towards a post-quantum world so that our nation’s most important data is protected. Our national security depends on it.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.