Officials emphasize early preparedness in post-quantum cryptography migration


Some of the recommended approaches are “immediately actionable,” according to a member of the committee.

Leading officials spearheading the policy on migration to post-quantum cryptography took the stage at the Quantum World Congress in Virginia on Tuesday, discussing federal efforts to protect digital networks from future threats in anticipation of an eventual fault-tolerant quantum computer.

Florence Lewine, a policy advisor with the Department of Homeland Security's Office of Cyber, Infrastructure, Risk and Resilience Policy, said that the PQC migration should begin with evaluating which systems are most vulnerable to consequential cyber attacks.

“Right now our focus is really on the inventory, identification and prioritization of vulnerable systems,” she said. “So understanding which systems are at highest risk within your organization will help to best prepare for the new algorithms.”

These systems are broadly defined as digital network components that are deemed “highly valuable” based on the information they store or the operations they govern. Officials said that databanks containing sensitive information, or legacy systems that take longer to update, should be at the top of a given entity’s migration priority list.

Lily Chen, a lead mathematician at the National Institute of Standards and Technology, added that replacing classical public-key encryption needs to begin soon, though the agency isn’t due to release final, standardized PQC algorithms until 2024.

“Cryptography has been the cornerstone for cybersecurity,” she said. 

Lewine agreed and added that critical infrastructure and supply chain operators need to begin laying the groundwork for the transition to quantum-resistant standards even before the finalized algorithms and standards are due to come out next year. 

Looking at vulnerabilities within supply chains in particular can help certain entities gauge where they need to modernize their systems first and consult with technology vendors on necessary steps, Lewine explained. 

“We're encouraging early planning and preparedness now to mitigate a lot of progress before it arrives,” she said.