CISA Warns Critical Infrastructure to Prepare for Mass Post-Quantum Systems Migration

As public and private technology entities begin to explore how quantum computing can help––and disrupt––their industries, the Cybersecurity and Infrastructure Security Agency is advising critical infrastructure organizations to prepare to safeguard their systems from powerful quantum decryption algorithms.

In a new notice, CISA officials outline risks and mitigation techniques for organizations, asking them to begin to ready their systems for forthcoming post-quantum cryptography standards. The insight document released on Wednesday focuses on securing sensitive data stored on digital networks from future quantum computing.

“While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats,” the insight reads. 

Data encryption, the cornerstone of secure online communications, runs on a combination of public and private key encryption built into modern applications and communication devices. 

While a viable machine that can host quantum computing is still not widely available, experts note that once a quantum computer is successfully running, its algorithms will be capable of breaking standard public key encryption used by classical computers. CISA underscores that this is particularly detrimental to National Critical Functions, or systems that contribute to infrastructures like national security, manufacturing lines and public health. 

To prevent widespread quantum hacks before they are made possible by a viable quantum computer, CISA wants organizations working within critical infrastructures to begin their network migrations to post-quantum cryptography. 

Until more post-quantum algorithms arrive, the CISA notice says that networks employing symmetric key cryptography––which only allows one key between communicating devices––is less susceptible to a quantum algorithm hack. Utilizing longer key sizes is also recommended for critical infrastructure organizations. 

“While post-quantum computing is expected to produce significant benefits, we must take action now to manage potential risks, including the ability to break public key encryption that U.S. networks rely on to secure sensitive information,” said Mona Harrington, acting Assistant Director National Risk Management Center at CISA. “Critical infrastructure and government leaders must be proactive and begin preparing for the transition to post-quantum cryptography now.”

Officials note that the National Institute of Standards and Technology is on track to release its formal post-quantum cryptographic standards in 2024. With some malicious actors engaging in tactics like catch-and-exploit data hacks, CISA officials advised organizations that they should begin making plans to migrate their networks to quantum resistant cryptography. 

“Do not wait until the quantum computers are in use by our adversaries to act,” the notice reads. “Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available.”

Experts concede that the update to quantum resistant technology is arduous. Dustin Moody, a mathematician with NIST, added that the cryptographic upgrade will be daunting due to costly, new specialized hardware as well as potential software updates to safeguard data stored on a variety of networks.

“It might be a trickier transition, but it will also be a required transition,” Moody told Nextgov. “And so we [NIST researchers] encourage people to start planning and preparing and finding out now as opposed to waiting.” 

The federal government has been monitoring developments in the quantum field for several years, peaking with the White House’s 2020 launch of quantum.gov, which has further spurred executive directives aimed at supporting American innovation in the burgeoning field.