Navigating the Transition to Post-Quantum Cryptography: Insights from Federal Cyber Experts
As the digital landscape evolves, so too do the threats that organizations face. A recent survey conducted by General Dynamics Information Technology (GDIT) reveals that while many federal agencies are actively planning their transition to post-quantum cryptography (PQC), they are grappling with significant challenges, primarily due to a lack of formal guidance. This article delves into the findings of the survey, the implications of quantum computing on cybersecurity, and the steps agencies are taking to prepare for a post-quantum future.
The Current State of Post-Quantum Readiness
According to GDIT’s survey of 200 federal cybersecurity experts, half of the respondents reported having a strategy in place for PQC readiness. Additionally, 22% are currently engaged in pilot projects, and 12% are focused on workforce preparation for the impending quantum era. However, a notable 37% of respondents identified a "lack of planning, guidance, and strategy" as a critical barrier to effective transition.
Matthew McFadden, vice president of cyber at GDIT, emphasized the need for clearer roadmaps to facilitate actionable progress. "Agencies are looking for more clear roadmaps to make them actionable and make better progress, as well as resourcing their teams, budgets, and all those things," he stated during a media roundtable.
The Quantum Threat Landscape
While no quantum computer currently exists that can break existing encryption methods, cybersecurity experts are increasingly concerned about the potential for "record-now-decrypt-later" attacks. This threat arises from the possibility that adversaries could capture sensitive data today and decrypt it once quantum computers become operational. A White House report released in July underscored the urgency of transitioning to PQC, stating that migration must begin well before a quantum computer capable of breaking current encryption is known to be operational.
The Role of NIST Standards
In mid-August, the National Institute of Standards and Technology (NIST) finalized three encryption standards designed to withstand quantum attacks. NIST encourages organizations to adopt these standards immediately. McFadden noted that the release of draft standards a year prior provided agencies and industry ample time to prepare for the transition. The finalization of these standards serves as a "forcing function," establishing compliance thresholds that agencies must meet.
Federal agencies have been working under guidance from the Office of Management and Budget (OMB) to inventory systems that rely on cryptography vulnerable to quantum decryption. Following the finalization of the NIST standards, OMB Chief Information Officer Clare Martorana announced that guidance would soon be issued directing agencies to develop prioritized migration plans for PQC.
Key Challenges in the Transition
Despite the proactive steps being taken, the GDIT survey highlighted several challenges that agencies face in integrating PQC into their operations. Key issues include:
- Integration into the Cybersecurity Supply Chain (24%): Ensuring that PQC is seamlessly incorporated into existing cybersecurity frameworks.
- Managing Enterprise-Wide Cryptography (17%): Coordinating cryptographic practices across diverse systems and departments.
- Insufficient Automation for Cryptographic Management (14%): The need for automated tools to manage cryptographic processes effectively.
- Impact on Legacy Systems (48%): Many agencies are concerned about how PQC will affect their existing infrastructure.
- Operational Technology Implications (29%): Understanding how PQC will interact with operational technologies.
- Non-Centralized Systems (17%): Addressing the complexities of decentralized systems during the transition.
Pilot Projects and Future Steps
Despite these challenges, the survey revealed that 22% of agencies are already engaged in pilot projects related to PQC. McFadden explained that these pilots often focus on manageable areas, allowing agencies to test new algorithms and assess their effectiveness before broader implementation. For instance, a pilot project might involve automating the discovery of high-value asset systems to evaluate the integration of new cryptographic methods.
In August, the Cybersecurity and Infrastructure Security Agency (CISA) also finalized plans to incorporate automated PQC discovery and inventory tools into government-wide programs, such as the Continuous Diagnostics and Mitigation (CDM) capability.
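The two technical ideas in this article, the "record-now-decrypt-later" exposure described under the threat landscape and the automated cryptographic discovery and inventory pilots described here, come together in a triage step: once a scanner has listed which public-key algorithms each system uses, the inventory has to be ranked so the most exposed high-value assets are migrated first. The script below is an added example, not code from GDIT, CISA or the CDM program. It assumes a constructed CSV export from a hypothetical discovery scanner (the column names are invented for illustration) and two planning parameters, years needed to migrate and the assumed years until a capable quantum computer exists, whose default values are assumptions rather than figures from the article. The three PQC algorithm names are NIST's finalized FIPS 203, 204 and 205 standards, which the article mentions without naming.

```python
"""Cryptographic inventory triage for a PQC migration plan.

Added example (not GDIT/CISA/CDM code). The input format, the asset records
and the planning parameters below are constructed assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Public-key algorithms broken by Shor's algorithm on a cryptographically
# relevant quantum computer; data protected only by these is what a
# record-now-decrypt-later adversary collects today.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}

# NIST's three finalized PQC standards (FIPS 203, 204, 205). Known public
# names; the article refers to the standards without naming them.
PQC_READY = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Constructed scanner export (hypothetical columns, not a real tool's format).
SAMPLE_INVENTORY = """\
name,algorithm,key_bits,data_lifetime_years,is_hva
hva-records-db,RSA,2048,25,true
public-web,ECDSA,256,1,false
vpn-gateway,X25519,256,5,true
pilot-kem-proxy,ML-KEM,768,10,true
legacy-scada,DSA,1024,15,false
"""


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str             # public-key algorithm reported by the scanner
    key_bits: int
    data_lifetime_years: int   # how long the protected data must stay secret
    is_hva: bool               # high-value asset, per the agency's HVA list


def parse_inventory(text: str) -> list[Asset]:
    """Parse the CSV export into Asset records; malformed rows raise ValueError."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        assets.append(Asset(
            name=row["name"].strip(),
            algorithm=row["algorithm"].strip().upper(),
            key_bits=int(row["key_bits"]),
            data_lifetime_years=int(row["data_lifetime_years"]),
            is_hva=row["is_hva"].strip().lower() == "true",
        ))
    return assets


def classify(algorithm: str) -> str:
    """Map an algorithm name to pqc-ready, quantum-vulnerable or unknown."""
    alg = algorithm.strip().upper()
    if alg in PQC_READY:
        return "pqc-ready"
    if alg in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    return "unknown"   # unrecognised names need a human look, not silent approval


def hndl_exposed(asset: Asset, migration_years: int, quantum_horizon_years: int) -> bool:
    """Record-now-decrypt-later test (Mosca's inequality): data captured today
    is at risk when its required secrecy lifetime plus the time needed to migrate
    exceeds the assumed years until a capable quantum computer exists."""
    if classify(asset.algorithm) != "quantum-vulnerable":
        return False
    return asset.data_lifetime_years + migration_years > quantum_horizon_years


def migration_tier(asset: Asset, migration_years: int, quantum_horizon_years: int) -> int:
    """1 = most urgent. HVAs whose data is already exposed to collection go first."""
    status = classify(asset.algorithm)
    if status == "pqc-ready":
        return 4
    exposed = hndl_exposed(asset, migration_years, quantum_horizon_years)
    if asset.is_hva and exposed:
        return 1
    if exposed or (asset.is_hva and status == "quantum-vulnerable"):
        return 2
    return 3   # vulnerable but short-lived data, or an unknown algorithm


def prioritize(assets, migration_years=3, quantum_horizon_years=10):
    """Return (asset, tier) pairs, most urgent first; ties broken by name.
    The default planning parameters are illustrative assumptions."""
    scored = [(a, migration_tier(a, migration_years, quantum_horizon_years)) for a in assets]
    return sorted(scored, key=lambda pair: (pair[1], pair[0].name))


def summarize(assets) -> dict:
    """Counts per classification, the headline figure of an inventory report."""
    counts = {"quantum-vulnerable": 0, "pqc-ready": 0, "unknown": 0}
    for a in assets:
        counts[classify(a.algorithm)] += 1
    return counts


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    print(summarize(inventory))
    for asset, tier in prioritize(inventory):
        print(f"tier {tier}: {asset.name} ({asset.algorithm}-{asset.key_bits}, "
              f"{asset.data_lifetime_years}y data, hva={asset.is_hva})")
```

Two design points matter in practice. First, the ranking is driven by the data's required secrecy lifetime, not by key size: a 2048-bit RSA key guarding records that must stay confidential for decades ranks above a 256-bit curve on a public web front end whose sessions are worthless a year from now. Second, an algorithm the scanner cannot classify is reported as "unknown" rather than treated as safe, so gaps in the discovery tooling surface in the report instead of disappearing from the migration plan.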
The Financial Implications of Transitioning to PQC
Transitioning to PQC is not without its financial burdens. The White House report estimated that migrating prioritized information systems will cost the government approximately $7.1 billion between 2025 and 2035, excluding classified systems operated by defense and intelligence agencies. Alarmingly, GDIT’s study found that only 11% of respondents had a budget allocated for the PQC transition, while 35% reported that their planning and budget were "undefined."
McFadden pointed out the uncertainty surrounding budget allocations, stating, "We don’t know how that budget is initially being allocated. Are they from current IT investments, or is it from those HVA system budgets? There hasn’t been that top-level funding yet allocated."
Conclusion
As federal agencies embark on their journey toward post-quantum cryptography, the findings from GDIT’s survey underscore the importance of clear guidance, strategic planning, and adequate funding. While many agencies are making strides in their preparations, the challenges they face are significant and multifaceted. As the quantum threat looms on the horizon, the urgency for a coordinated and well-resourced approach to PQC becomes increasingly clear. The future of cybersecurity may depend on how effectively these agencies can navigate this complex transition.