Background
We have another crucial update on what has been characterized as “the greatest cryptographic migration in history.”
National Security Memorandum (NSM) 8, “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems” was released in January, and was followed up by the April release of the Quantum Cybersecurity Preparedness Act. We provided an initial analysis of NSM8, followed by a breakdown and analysis on April 29th of both NSM8 and the Quantum Cybersecurity Preparedness Act (including the 30, 60, 90, and 180-day deadlines from the date of the memorandum and the legislation).
The National Institute of Standards and Technology (NIST) is developing a post-quantum cryptography standard and partnered on a DHS roadmap as an interim document to prepare agencies for the transition.
We also included directives and deadlines related to zero trust architecture – as OODA Network members are proponents of the innovative architecture. Also of interest (and encouraging): commercial cloud technologies and commercial national security algorithms (CNSA) cropped up in a few places, complete with specific directives.
Pending research questions included:
- Do We Need a Joint Quantum Cybersecurity Collaborative? Our point of reference is the CISA Joint Cyber Defense Collaborative (JCDC) – which was launched in 2021 and has made significant contributions to critical Joint Cybersecurity Advisories released in the last few weeks. It seems logical that early, formal private sector collaboration would be productive in this space as well.
- Will OMB Reports Prove Adequate? OMB is required to report annually on the state of this governmentwide transition. Is the OMB report format enough for this behemoth, important initiative? What other organizations should manage the information generated from this project? And what innovative taxonomies exist for structuring and disseminating information throughout this cryptographic migration?
National Security Memorandum 10
Only days after our analysis in April, these core research questions (regarding a more formal role for the private sector in this quantum migration) were answered by the release on May 4th of National Security Memorandum (NSM) 10: “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems” – which includes:
- The establishment of an “open working group with industry, including critical infrastructure owners and operators, and other stakeholders…to further advance the adoption of quantum-resistant cryptography.”
- Establishing a “Migration to Post-Quantum Cryptography Project” at the National Cybersecurity Center of Excellence to work with the private sector to address cybersecurity challenges posed by the transition to quantum-resistant cryptography. This project shall develop programs for the discovery and remediation of any system that does not use quantum-resistant cryptography or that remains dependent on vulnerable systems.
An Executive Order was also released on May 4th, establishing:
- The National Quantum Initiative (NQI), “which aims to ensure the continued leadership of the United States in quantum information science (QIS) and its technology applications, is a substantial and sustained national priority. The NQI Program, established pursuant to section 101 of the NQI Act, encompasses contributions from across the Federal Government, as exemplified by the QIS research, development, demonstration, and training activities pursued by executive departments and agencies (agencies) with membership on either the National Science and Technology Council (NSTC) Subcommittee on Quantum Information Science (SCQIS) or the NSTC Subcommittee on Economic and Security Implications of Quantum Science (ESIX).”
- The National Quantum Initiative Advisory Committee: “…to ensure that the NQI Program and the Nation are informed by evidence, data, and perspectives from a diverse group of experts and stakeholders, the National Quantum Initiative Advisory Committee…is hereby established. Consistent with the NQI Act, the Committee shall advise the President, the SCQIS, and the ESIX on the NQI Program.”
From NSM10
“The United States must pursue a whole-of-government and whole‑of‑society strategy to harness the economic and scientific benefits of QIS, and the security enhancements provided by quantum-resistant cryptography. This strategy will require a coordinated, proactive approach to QIS research and development (R&D), an expansion of education and workforce programs, and a focus on developing and strengthening partnerships with industry, academic institutions, allies, and like-minded nations.
NSM10 identifies key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security. It directs specific actions for agencies to take as the United States begins the multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography. A classified annex to this memorandum addresses sensitive national security issues.
Central to this migration effort will be an emphasis on cryptographic agility, both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards. This effort is an imperative across all sectors of the United States economy, from government to critical infrastructure, commercial services to cloud providers, and everywhere else that vulnerable public-key cryptography is used.
To promote the development of quantum technology and the effective deployment of quantum-resistant cryptography, the United States must establish partnerships with industry; academia; and State, local, Tribal, and territorial (SLTT) governments. These partnerships should advance joint R&D initiatives and streamline mechanisms for technology transfer between industry and government.
The United States must seek to encourage transformative and fundamental scientific discoveries through investments in core QIS research programs. Investments should target the discovery of new quantum applications, new approaches to quantum-component manufacturing, and advances in quantum‑enabling technologies, such as photonics, nanofabrication, and cryogenic and semiconductor systems.
The United States must promote professional and academic collaborations with overseas allies and partners. This international engagement is essential for identifying and following global QIS trends and for harmonizing quantum security and protection programs.”
The Quantum Workforce of the Future
NSM10 also encourages the fostering of “the next generation of scientists and engineers with quantum-relevant skill sets, including those relevant to quantum-resistant cryptography. Education in QIS and related cybersecurity principles should be incorporated into academic curricula at all levels of schooling to support the growth of a diverse domestic workforce. Furthermore, it is vital that we attract and retain talent and encourage career opportunities that keep quantum experts employed domestically.”
NSM10 Section 3(a)
Sec. 3. Mitigating the Risks to Encryption. (a) Any digital system that uses existing public standards for public‑key cryptography, or that is planning to transition to such cryptography, could be vulnerable to an attack by a CRQC. To mitigate this risk, the United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography, with the goal of mitigating as much of the quantum risk as is feasible by 2035. Currently, the Director of the National Institute of Standards and Technology (NIST) and the Director of the National Security Agency (NSA), in their capacity as the National Manager for National Security Systems (National Manager), are each developing technical standards for quantum‑resistant cryptography for their respective jurisdictions. The first sets of these standards are expected to be released publicly by 2024.
Cryptanalytically Relevant Quantum Computers (CRQC)
Alongside its potential benefits, quantum computing also poses significant risks to the economic and national security of the United States. Most notably, a quantum computer of sufficient size and sophistication — also known as a cryptanalytically relevant quantum computer (CRQC) — will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world. When it becomes available, a CRQC could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.
In order to balance the competing opportunities and risks of quantum computers, it is the policy…(1) to maintain United States leadership in QIS, through continued investment, partnerships, and a balanced approach to technology promotion and protection; and (2) to mitigate the threat of CRQCs through a timely and equitable transition of the Nation’s cryptographic systems to interoperable quantum‑resistant cryptography.
What Next? National Security Memorandum 10: Directives and Deadlines
Following are the 90-day, 180-day, and 1-year deadlines from the date of the memorandum, including additional benchmarks as far out as 2023, 2024, and 2035.
90 days (Deadline: August 4, 2022)
A Coherent National Strategy. Within 90 days of the date of this memorandum, agencies that fund research in, develop, or acquire quantum computers shall coordinate with the Director of the Office of Science and Technology Policy to ensure a coherent national strategy for QIS promotion and technology protection, including for workforce issues.
QIS Open Working Group with the Private Sector to be Established. Within 90 days of the date of this memorandum, the Secretary of Commerce, through the Director of NIST, shall initiate an open working group with industry, including critical infrastructure owners and operators, and other stakeholders, as determined by the Director of NIST, to further advance adoption of quantum-resistant cryptography. This working group shall identify needed tools and data sets, and other considerations to inform the development by NIST of guidance and best practices to assist with quantum‑resistant cryptography planning and prioritization. Findings of this working group shall be provided, on an ongoing basis, to the Director of the Office of Management and Budget (OMB), the Assistant to the President for National Security Affairs (APNSA), and the National Cyber Director to incorporate into planning efforts.
“Migration to Post-Quantum Cryptography Project”. Within 90 days of the date of this memorandum, the Secretary of Commerce, through the Director of NIST, shall establish a “Migration to Post-Quantum Cryptography Project” at the National Cybersecurity Center of Excellence to work with the private sector to address cybersecurity challenges posed by the transition to quantum-resistant cryptography. This project shall develop programs for the discovery and remediation of any system that does not use quantum-resistant cryptography or that remains dependent on vulnerable systems.
Standards for Quantum-resistant Cryptography. Within 90 days of the release of the first set of NIST standards for quantum-resistant cryptography referenced in subsection 3(a) of this memorandum, and on an annual basis thereafter, as needed, the Secretary of Commerce, through the Director of NIST, shall release a proposed timeline for the deprecation of quantum-vulnerable cryptography in standards, with the goal of moving the maximum number of systems off quantum-vulnerable cryptography within a decade of the publication of the initial set of standards. The Director of NIST shall work with the appropriate technical standards bodies to encourage the interoperability of commercial cryptographic approaches.
180 days (Deadline: November 4, 2022)
Annual Quantum Computing Risk Report. Within 180 days of the date of this memorandum, and annually thereafter, the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in coordination with Sector Risk Management Agencies, shall engage with critical infrastructure and SLTT partners regarding the risks posed by quantum computers, and shall provide an annual report to the Director of OMB, the APNSA, and the National Cyber Director that includes recommendations for accelerating those entities’ migration to quantum-resistant cryptography.
Inventory of all Currently Deployed Cryptographic Systems. Within 180 days of the date of this memorandum, and on an ongoing basis, the Director of OMB, in consultation with the Director of CISA, the Director of NIST, the National Cyber Director, and the Director of NSA, shall establish requirements for inventorying all currently deployed cryptographic systems, excluding National Security Systems (NSS). These requirements shall include a list of key information technology (IT) assets to prioritize, interim benchmarks, and a common (and preferably automated) assessment process for evaluating progress on quantum-resistant cryptographic migration in IT systems.
National Security Systems (NSS). Within 180 days of issuance by the National Manager of its standards on quantum-resistant cryptography referenced in section 3(a) of this memorandum, and annually thereafter, the National Manager shall release an official timeline for the deprecation of vulnerable cryptography in NSS, until the migration to quantum-resistant cryptography is completed.
Within 1 Year (Deadline: May 4, 2023)
Inventory of High-Value Assets and High Impact Systems. Within 1 year of the date of this memorandum, and on an annual basis thereafter, the heads of all Federal Civilian Executive Branch (FCEB) Agencies shall deliver to the Director of CISA and the National Cyber Director an inventory of their IT systems that remain vulnerable to CRQCs, with a particular focus on High-Value Assets and High Impact Systems. Inventories should include current cryptographic methods used on IT systems, including system administrator protocols, non-security software and firmware that require upgraded digital signatures, and information on other key assets.
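The inventory requirements above call for a record of the cryptographic methods in use on each IT system and a common, preferably automated, process for assessing migration progress, with High-Value Assets prioritized. The following script is an added illustration of such an assessment and is not part of NSM-10 or any agency tooling: it takes constructed inventory records (system name, HVA flag, observed algorithm identifiers as they appear in TLS and SSH configurations), flags the public-key families a CRQC would break, flags symmetric key sizes below 256 bits for review, and reports progress with HVAs first. The classification sets and the sample systems are assumptions chosen for the example.

```python
"""Toy cryptographic-inventory assessment (added example, not agency code).

Classifies algorithm identifiers found on each system as quantum-vulnerable,
needing review, or acceptable, then summarises migration progress with
High-Value Assets (HVAs) listed first. All sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Public-key families whose security rests on factoring or discrete logarithms;
# these are what a cryptanalytically relevant quantum computer (Shor) breaks.
QUANTUM_VULNERABLE = {
    "RSA", "DSA", "ECDSA", "ECDH", "ECDHE", "DH", "DHE",
    "ED25519", "X25519", "CURVE25519", "NISTP256", "NISTP384", "NISTP521",
}
# Legacy primitives that should be retired regardless of quantum risk.
LEGACY_WEAK = {"DES", "3DES", "RC4", "MD5", "SHA1"}
# Symmetric ciphers and hashes: only Grover's quadratic speedup applies.
SYMMETRIC_OR_HASH = {
    "AES", "CAMELLIA", "CHACHA20", "POLY1305", "HMAC",
    "SHA256", "SHA384", "SHA512", "SHA3",
}


@dataclass
class SystemRecord:
    name: str
    high_value_asset: bool
    algorithms: list[str]


@dataclass
class Finding:
    system: str
    high_value_asset: bool
    vulnerable: list[str]
    review: list[str]


def classify(alg: str) -> str:
    """Return 'vulnerable', 'review', or 'ok' for one algorithm identifier."""
    tokens = {t for t in re.split(r"[^A-Za-z0-9]+", alg.upper()) if t}
    if tokens & QUANTUM_VULNERABLE:
        return "vulnerable"
    if tokens & LEGACY_WEAK:
        return "review"
    # Grover halves effective symmetric key length: below 256 bits is flagged.
    m = re.search(r"(?:AES|CAMELLIA)[-_]?(\d{3})", alg.upper())
    if m and int(m.group(1)) < 256:
        return "review"
    if tokens & SYMMETRIC_OR_HASH:
        return "ok"
    return "review"  # unrecognised identifier: a human must look at it


def assess(records: list[SystemRecord]) -> tuple[list[Finding], dict]:
    """Classify every system and compute progress, HVAs first."""
    findings = []
    for r in records:
        vulnerable = [a for a in r.algorithms if classify(a) == "vulnerable"]
        review = [a for a in r.algorithms if classify(a) == "review"]
        findings.append(Finding(r.name, r.high_value_asset, vulnerable, review))
    # High-Value Assets sort to the top; within a tier, alphabetical.
    findings.sort(key=lambda f: (not f.high_value_asset, f.system))
    migrated = [f for f in findings if not f.vulnerable]
    hva = [f for f in findings if f.high_value_asset]
    hva_migrated = [f for f in hva if not f.vulnerable]
    summary = {
        "systems": len(findings),
        "migrated": len(migrated),
        "hva_systems": len(hva),
        "hva_migrated": len(hva_migrated),
        "progress_pct": round(100 * len(migrated) / len(findings), 1) if findings else 0.0,
    }
    return findings, summary


# Constructed sample inventory (hypothetical systems and configurations).
SAMPLE_INVENTORY = [
    SystemRecord("payroll-portal", True, ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ssh-rsa"]),
    SystemRecord("scada-gateway", True, ["AES-128-CBC", "HMAC-SHA256"]),
    SystemRecord("backup-vault", False, ["AES-256-GCM", "HMAC-SHA512"]),
    SystemRecord("vpn-concentrator", False, ["ecdh-sha2-nistp256", "DHE-RSA-AES256-GCM-SHA384"]),
]

if __name__ == "__main__":
    results, totals = assess(SAMPLE_INVENTORY)
    for f in results:
        tag = "HVA" if f.high_value_asset else "   "
        print(f"{tag} {f.system:18} vulnerable={f.vulnerable} review={f.review}")
    print(totals)
```

The point of the classification order is that a single quantum-vulnerable key exchange or signature on a system makes the system vulnerable regardless of how strong its symmetric cipher is, so the "migrated" count only moves when every public-key primitive has been replaced; the separate review list keeps the Grover-related and legacy items visible without inflating the vulnerable count.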
Development of a Plan to Upgrade Non-NSS IT Systems to Quantum-Resistant Cryptography. Within 1 year of the release of the first set of NIST standards for quantum-resistant cryptography referenced in subsection 3(a) of this memorandum, the Director of OMB, in coordination with the Director of CISA and the Director of NIST, shall issue a policy memorandum requiring FCEB Agencies to develop a plan to upgrade their non-NSS IT systems to quantum-resistant cryptography. These plans shall be expeditiously developed and be designed to address the most significant risks first. The Director of OMB shall work with the head of each FCEB Agency to estimate the costs to upgrade vulnerable systems beyond already planned expenditures, ensure that each plan is coordinated and shared among relevant agencies to assess interoperability between solutions, and coordinate with the National Cyber Director to ensure plans are updated accordingly.
National Security Systems (NSS). Within 1 year of the date of this memorandum, and annually thereafter, the Director of NSA, serving in its capacity as the National Manager, in consultation with the Secretary of Defense and the Director of National Intelligence, shall provide guidance on quantum-resistant cryptography migration, implementation, and oversight for NSS. This guidance shall be consistent with National Security Memorandum/NSM-8 (Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems). The National Manager shall share best practices and lessons learned with the Director of OMB and the National Cyber Director, as appropriate. Also: Within 1 year of the date of this memorandum, and on an ongoing basis, and consistent with section 1 of NSM-8, the heads of agencies operating NSS shall identify and document all instances where quantum-vulnerable cryptography is used by NSS and shall provide this information to the National Manager.
Transition to quantum‑resistant cryptography in all NSS. Within 1 year of issuance by the National Manager of its standards on quantum-resistant cryptography referenced in subsection 3(a) of this memorandum, and annually thereafter, the heads of agencies operating or maintaining NSS shall submit to the National Manager, and, as appropriate, the Department of Defense Chief Information Officer or the Intelligence Community Chief Information Officer, depending on their respective jurisdictions, an initial plan to transition to quantum‑resistant cryptography in all NSS. These plans shall be updated annually and shall include relevant milestones, schedules, authorities, impediments, funding requirements, and exceptions authorized by the head of the agency in accordance with section 3 of NSM-8 and guidance from the National Manager.
By October 18, 2023 (and on an annual basis thereafter)
Annual Progress Report Required: the National Cyber Director shall, based on the inventories described in…this memorandum and in coordination with the Director of CISA and the Director of NIST, deliver a status report to the APNSA and the Director of OMB on progress made by FCEB Agencies on their migration of non-NSS IT systems to quantum-resistant cryptography. This status report shall include an assessment of the funding necessary to secure vulnerable IT systems from the threat posed by adversarial access to quantum computers, a description and analysis of ongoing coordination efforts, and a strategy and timeline for meeting proposed milestones.
By December 31, 2023
- Agencies maintaining NSS shall implement symmetric-key protections (e.g., High Assurance Internet Protocol Encryptor (HAIPE) exclusion keys or VPN symmetric key solutions) to provide additional protection for quantum-vulnerable key exchanges, where appropriate and in consultation with the National Manager. Implementation should seek to avoid interference with interoperability or other cryptographic modernization efforts.
- The Secretary of Defense shall deliver to the Assistant to the President for National Security Affairs (APNSA) and the Director of OMB an assessment of the risks of quantum computing to the defense industrial base and to defense supply chains, along with a plan to engage with key commercial entities to upgrade their IT systems to achieve quantum resistance.
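The first item above directs agencies to add symmetric-key protections on top of quantum-vulnerable key exchanges. The idea is that a recorded Diffie-Hellman or ECDH exchange can later be broken by a CRQC, but if a pre-shared symmetric key that never crossed the wire is mixed into the session-key derivation, recovering the DH secret alone no longer yields the session key. The script below is an added example written for this page, not NSM-10 text or any vendor's implementation; it models that mixing step in the spirit of RFC 8784 (post-quantum pre-shared keys for IKEv2) using a stdlib HKDF, and stands in for the DH output with a constructed byte string labelled as such.

```python
"""Pre-shared-key hardening of a quantum-vulnerable key exchange (added example).

derive_session_key() mixes an optional pre-shared key (PSK) into HKDF alongside
the (EC)DH shared secret. crqc_recovers_session_key() models an adversary who
recorded the exchange and later recovered the DH secret with a CRQC but never
had the PSK. All byte strings below are constructed for the example.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_session_key(dh_shared_secret: bytes, nonces: bytes, psk: bytes = b"") -> bytes:
    """Session key from the DH secret, the exchanged nonces, and an optional PSK.

    With an empty PSK this reduces to ordinary DH-derived keying. With a PSK,
    the key depends on material that was never sent over the network.
    """
    prk = hkdf_extract(salt=nonces, ikm=psk + dh_shared_secret)
    return hkdf_expand(prk, b"session key", 32)


def crqc_recovers_session_key(dh_shared_secret: bytes, nonces: bytes, session_key: bytes) -> bool:
    """Model a CRQC adversary: it has the DH secret and the public nonces, no PSK."""
    return hmac.compare_digest(derive_session_key(dh_shared_secret, nonces), session_key)


# Constructed stand-ins: in a real protocol these come from the (EC)DH exchange,
# the handshake nonces, and an out-of-band provisioned symmetric key.
DH_SECRET = hashlib.sha256(b"constructed (EC)DH shared secret").digest()
NONCES = b"constructed initiator nonce" + b"constructed responder nonce"
PSK = hashlib.sha256(b"constructed pre-shared key, provisioned offline").digest()


def demo() -> dict:
    """Compare DH-only keying against PSK-mixed keying under CRQC compromise."""
    key_dh_only = derive_session_key(DH_SECRET, NONCES)
    key_with_psk = derive_session_key(DH_SECRET, NONCES, PSK)
    # Both legitimate peers hold the PSK, so they still derive the same key.
    peer_agrees = derive_session_key(DH_SECRET, NONCES, PSK) == key_with_psk
    return {
        "dh_only_broken": crqc_recovers_session_key(DH_SECRET, NONCES, key_dh_only),
        "psk_mixed_broken": crqc_recovers_session_key(DH_SECRET, NONCES, key_with_psk),
        "peers_agree": peer_agrees,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The memorandum's caveat about interoperability applies directly: both endpoints must be provisioned with the same PSK and must agree on whether it is mixed in, which is why such protections are negotiated per peer and rolled out alongside, not instead of, the later migration to quantum-resistant key exchange.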
By 2024 and 2035
Mitigating the Risks to Encryption. (a) Any digital system that uses existing public standards for public‑key cryptography, or that is planning to transition to such cryptography, could be vulnerable to an attack by a CRQC. To mitigate this risk, the United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography, with the goal of mitigating as much of the quantum risk as is feasible by 2035. Currently, the Director of the National Institute of Standards and Technology (NIST) and the Director of the National Security Agency (NSA), in their capacity as the National Manager for National Security Systems (National Manager), are each developing technical standards for quantum‑resistant cryptography for their respective jurisdictions. The first sets of these standards are expected to be released publicly by 2024.
What Next? IP Protection, and IT and Cybersecurity Innovation Opportunities
Protecting United States Technology. (a) In addition to promoting quantum leadership and mitigating the risks of CRQCs, the United States Government must work to safeguard relevant quantum R&D and intellectual property (IP) and to protect relevant enabling technologies and materials. Protection mechanisms will vary, but may include counterintelligence measures, well-targeted export controls, and campaigns to educate industry and academia on the threat of cybercrime and IP theft. All agencies responsible for either promoting or protecting QIS and related technologies should understand the security implications of adversarial use and consider those security implications when implementing new policies, programs, and projects.
The United States should ensure the protection of U.S.‑developed quantum technologies from theft by our adversaries. This will require campaigns to educate industry, academia, and SLTT partners on the threat of IP theft and on the importance of strong compliance, insider threat detection, and cybersecurity programs for quantum technologies. As appropriate, Federal law enforcement agencies and other relevant agencies should investigate and prosecute actors who engage in the theft of quantum trade secrets or who violate the United States export control laws. To support efforts to safeguard sensitive information, Federal law enforcement agencies should exchange relevant threat information with agencies responsible for developing and promoting quantum technologies.
By December 31, 2022
Consistent with these goals…the heads of agencies that fund research in, develop, or acquire quantum computers or related QIS technologies shall develop comprehensive technology protection plans to safeguard QIS R&D, acquisition, and user access. Plans shall be coordinated across agencies, including with Federal law enforcement, to safeguard quantum computing R&D and IP, acquisition, and user access. These plans shall be updated annually and provided to the APNSA, the Director of OMB, and the Co-Chairs of the National Science and Technology Council Subcommittee on Economic and Security Implications of Quantum Science.