NIST just released three new encryption standards. Security teams are already moving out to implement them in government and certain parts of industry. But there are things all business and government executives, including the non-technical leaders, should know about these new algorithms and what they mean for our collective future. This post captures what you need to know.

NIST is known for their ability to coordinate with a broad range of informed stakeholders. It is their superpower. Good coordination on standards can and should take a long time, and this new effort for new standards for Public-Key Post-Quantum Cryptographic Algorithms certainly took a long time. NIST was contemplating and conceptualizing the best action for about a decade, then in 2016 launched a formal call for nominations for new quantum safe algorithms. Now 8 years after the official launch of the effort, after extensive coordination and collaboration with security experts, academia, industry leaders and government experts domestically and internationally, the first of three new quantum safe algorithms have been announced.

The Most Important Point

The most important thing all executives should understand about the new algorithms just announced is that your organization will be required to run them. Government directives are mandating all government agencies transition to them, and soon all who contract with government will as well. Most large corporations are already poised to being their transition, and soon all in highly regulated industries will be required to comply by government regulation. Eventually every organization that partners with those other companies will also have to run them. And before long the compliance requirements will hit every company that holds data on any citizen. We will all have to comply.

The fact that your organization will comply means you can get a leg up on the competition by complying smartly. Do it efficiently, effectively and faster than the competition and use that to bring glory to your brand. It just takes a bit of planning to do this. We offer tips below that will help you do this.

Why Will This Transition Be Mandated

With continued breakthroughs in quantum computing research and development including breakthrough’s in error correction, nation’s will soon have access to computers powerful enough to break current forms of encryption. Data encrypted in old ways is already being collected by adversaries because they know one day they will be able to break it using quantum computers. It may be 5 years or more before computers can break current forms of encryption. But many types of data for many organizations will still have value 5 years from now and needs protection. NIST puts it this way:

In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.  The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. 

The question of when a large-scale quantum computer will be built is a complicated one. While in the past it was less clear that large quantum computers are a physical possibility, many scientists now believe it to be merely a significant engineering challenge. Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure.  Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.

What are the new algorithms and what do they do? These are Federal Information Processing Standards (FIPS). Specifically they are

• FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard
• FIPS 204 Module-Lattice-Based Digital Signature Standard
• FIPS 205 Stateless Hash-Based Digital Signature Standard

One of these, FIPS 203, provides a way to wrap other encryption keys to keep them from being broken. The other two provide ways to sign data in ways that can reduce the threat of fraud in digital signatures. A fourth standard for key encryption is expected in the coming months.

Our Recommendations:

• Ensure you are up on the vocabulary of quantum computing by reviewing our Executive’s Guide to Quantum Computing. This no-nonsense guide presents key concepts at just the right level for a busy executive and will better enable you to have serious conversations with your technical team and external business partners on this topic. 
• Ask your CIO and CISO what they know about NIST’s activities in post quantum cryptography. There are many technical topics they will want to track. Doing this will help prepare your organization to move fast when NIST announces their pick for the best algorithms to use.
• Initiate a discovery and mapping effort for your organization to ensure your team knows everywhere that encryptions being used in your organization and what types of algorithms are being used in those solutions. This will enable better planning for replacing those algorithms.
• Start conversations with your service provider ecosystem, including your cloud providers. You now have quantum safe solutions and approaches available for traffic to and from AWS and Microsoft and Google, but you need to have the conversation to ensure you are suing them. 
• Accelerate your move to the Cloud (meaning using highly reliable, hyperscale providers like Amazon and Google). Doing so will help you offload many responsibilities for engineering solutions to the engineering teams of hyperscale providers. You will still have to configure your solutions well and will still have to know how your on-prem data is protected, but the cloud move will help tremendously.
• Ask your technical team to not just put quantum safe measures in place, but to test them. Good CIOs and CISOs will periodically check security by red teaming. This needs to be done for your quantum safe approaches as well (this, by the way, is the sweet spot of OODA LLC).
• Consider the importance of trust in your business relationships and how quantum safe preparations can help ensure that. No matter what your line of business, you have customers, suppliers and partners in the ecosystem that want to do business with organizations that will protect their data now and in the future. Likewise, you will want those organizations to protect your data now and in the future. Starting your own preparations to be quantum safe is key, but when you do, ensure you are letting your customers, suppliers and partners know you are on this journey so they know you are to be trusted long term.

Looking for a succinct video overview of these and other related topics? See our OODAcast with Vikram Sharma of QuintessenceLabs (and see their Guide to Quantum Risk).