How Federal Agencies Can Prep (Faster) for the Coming Quantum Threat
Accenture’s Stephen Harper talks about his work with federal agencies as they start getting a handle on their quantum-vulnerable algorithms. He wants to speed up the process – and he hopes the private sector is paying attention, because when “Q-Day” hits, no network that relies on today’s standard public-key encryption will be safe.
Mapping out a plan for cybersecurity in the seemingly distant era of quantum computing might be way down the to-do list for many companies right now, but federal agencies are already taking some critical steps to make the transition and comply with mandated reporting requirements.
Trouble is, those first steps toward quantum-resistant security have generally been pretty shaky, and there’s a lot of encrypted data at stake – financial data, government secrets, and citizens’ personal information.
Stephen Harper, the quantum information science engineering lead for Accenture Federal Services, is ready for “Q-Day,” a term quantum watchers have coined for the moment when a quantum computer will be able to break the standard public-key encryption that computer networks rely on today. He is helping federal agencies transition to post-quantum cryptography – and he’s trying to get that process to move faster.
Accenture Federal Services – a division of the global IT consulting firm Accenture – works with agencies within the U.S. federal government, assisting them in the adoption of new technologies, including cloud, AI, and cybersecurity systems. Harper, a seasoned security expert, holds a master’s in cybersecurity from Johns Hopkins Whiting School of Engineering and is a quantum computing enthusiast.
U.S. federal agencies had to start reporting their use of quantum-vulnerable cryptography to the Office of Management and Budget (OMB) in 2023, and so far they’ve been doing most of it manually, and not that accurately, says Harper.
Here’s his take on how we can speed up and improve that process. And by “we,” he means all of us. Public sector enterprises have to worry about compliance issues – and he has some tips on what agencies should be doing now. But his advice applies just as much to the private sector. Because the quantum threat is real and coming for all organizations, large and small.
(The following interview is adapted from a conversation with Harper and podcast host Chelsea Nelson on Tanium Podcast, produced by Tanium, which publishes this magazine. It has been edited for space and clarity.)
What impact is the advancement of quantum computers having on both the private and public sector? What’s the threat there?
In the early 1990s, professor Peter Shor [a mathematician then working at Bell Labs in New Jersey] published a paper that detailed an algorithm for a quantum computer that would work to factor … semi-prime numbers. And what that means is that our current public key crypto systems [used to keep computer network data private] can be broken by this algorithm given a sufficiently large quantum computer. We don’t have that quantum computer yet, but they’re being developed.
We know it will [probably] be sometime in 10 to 20 years… So we have time now to start moving things over to non-vulnerable algorithms, but we have to get started. And that’s where the legislation and memos from the executive branch have come down for federal agencies to start this transition. The first one is National Security Memorandum/NSM-8, and then there was NSM-10.
And then there’s OMB’s Memorandum M-23-02. What do those memos require of federal agencies?
To make a long story short, what they require is that agencies start to capture their use of vulnerable asymmetric cryptography in their highly critical applications and report that back to OMB every year to start scoping what the transition needs to be. There’s an entire table of which algorithms are vulnerable and have to be reported on in the memo – and they have to submit this every year for the next 10 years.
And from what we’ve seen, most agencies, at least for the first year or two, have been doing all this manually, and it’s very, very time-consuming and pretty inaccurate, to be honest.
Automating this kind of work should help with compliance. What does the time savings look like?
The initial investment [in setting up tools to automate and improve data collection] is a bit time-consuming. It’s hard to get a good handle on that because it depends on how large the system environments are, how many they have.
But once everything is instrumented, not only are we going to be able to get the data in maybe an afternoon, if everything’s already in place, but it should be significantly more accurate as long as the reports and dashboards were designed correctly.
What’s a big misconception about quantum?
We have a bit of a branding issue when we talk about post-quantum cryptography: because of the word quantum, it sounds a lot more complicated than it is.
Right.
Really we’re just talking about new encryption algorithms that run on your standard computers. Nothing quantum about that.
We’re just protecting against quantum computers. So that’s important for us to get across, because we have been working with agencies where we’ll start to work with the various system owners and groups that manage these systems and say, “Tell us what you’re using from this list of vulnerable algorithms.” And we will get answers back, like, “We use Windows; we don’t do any of that.” And that’s technically true, I guess, but it’s kind of missing the point.
We’re not getting all the data we need and it’s not being reported accurately, so we don’t know the actual threat and the attack surface that’s there.
And we also don’t have an accurate picture going into future migration operations to know what we need to do. So that’s going to affect the budget scope and the manpower scope in order to get all of this done.
What should federal agencies be doing right now?
Hopefully all of them have been working to improve their process of data collection. The critical thing for them to do in this next year or two is to make sure that that process is as accurate as possible and as automated as possible so that moving forward we can come in and help them transfer everything over to these new encryption algorithms and make sure we’re not missing anything.
How big is our procrastination problem when it comes to quantum?
People always ask me, well, we have 10 to 20 years… to migrate everything over to these new algorithms. Isn’t that plenty of time?
CISA [the U.S. Cybersecurity and Infrastructure Security Agency] actually published a document [last year] imploring public-sector agencies, specifically those in public service, to address their radio communication devices – a lot of them are still using DES encryption [the outmoded “data encryption standard”] for those conversations, and that’s been deprecated for almost 20 years now. Moving over from DES to AES symmetric encryption [the updated and safer “advanced encryption standard”] is a much, much easier thing to do than moving all of our…asymmetric encryption systems over.
So it sounds like we have a lot of time, but… before we know it, we’re sitting out there with a bunch of systems that are vulnerable, and we’re asking ourselves what happened.
TO HEAR MORE:
Check out the whole interview with Harper at the link below, where he discusses the latest NIST standards on quantum cryptography and deep-dives into the ways agencies can capture data from digital certificates and other network components more efficiently and accurately to satisfy compliance requirements.
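The kind of automated capture Harper alludes to can start with the certificates themselves. The script below is an added example, not code from Harper, Accenture Federal Services or Tanium: it walks the DER encoding of each X.509 certificate, reads the public-key algorithm (and the RSA modulus size or EC curve) out of the SubjectPublicKeyInfo, and flags every factoring- or discrete-log-based key as quantum-vulnerable, routing any OID it does not recognise to a review bucket instead of silently passing it. Everything it runs on is constructed inline (empty names, fake key material, fake signature), the algorithm table is this editor's shortlist rather than the memo's appendix, and the ML-DSA-65 OID is assumed from NIST's CSOR arc and should be checked against the current registry before use.

```python
# Added example (not Harper's, Accenture's or Tanium's code): build an inventory of
# quantum-vulnerable public-key algorithms from X.509 certificates without any
# third-party library. SAMPLE_CERTS are CONSTRUCTED here with empty names, fake
# keys and a fake signature; in practice, feed in DER files harvested from hosts.
from collections import Counter

# ---- minimal DER encoder, used only to construct the sample certificates ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def der_int(v):                             # extra leading 0x00 keeps large values positive
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def der_seq(*items):
    return der(0x30, b"".join(items))
def spki(alg_oid, key, params=b""):         # SubjectPublicKeyInfo
    return der_seq(der_seq(der_oid(alg_oid) + params), der(0x03, b"\x00" + key))

def sample_cert(subject_public_key_info):
    sig_alg = der_seq(der_oid("1.2.840.113549.1.1.11"), der(0x05, b""))  # sha256WithRSAEncryption
    tbs = der_seq(der(0xA0, der_int(2)), der_int(0x1234), sig_alg,      # [0] version v3, serial, sigAlg
                  der_seq(),                                            # issuer Name (empty, constructed)
                  der_seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),
                  der_seq(),                                            # subject Name (empty, constructed)
                  subject_public_key_info)
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" * 33))               # fake signature BIT STRING

FAKE_RSA_2048 = (1 << 2047) | 0xC0FFEE | 1                              # fake odd modulus, top bit set
SAMPLE_CERTS = [
    sample_cert(spki("1.2.840.113549.1.1.1", der_seq(der_int(FAKE_RSA_2048), der_int(65537)), der(0x05, b""))),
    sample_cert(spki("1.2.840.10045.2.1", b"\x04" + b"\x11" * 64, der_oid("1.2.840.10045.3.1.7"))),  # EC P-256
    sample_cert(spki("1.3.101.112", b"\x22" * 32)),                      # Ed25519
    sample_cert(spki("2.16.840.1.101.3.4.3.18", b"\x33" * 1952)),        # ML-DSA-65; OID assumed from NIST CSOR arc
]

# ---- DER reader and classifier ----
def tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

ALG = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA", "1.2.840.10046.2.1": "DH",
       "1.2.840.10045.2.1": "EC", "1.3.101.112": "Ed25519", "1.3.101.110": "X25519",
       "2.16.840.1.101.3.4.3.18": "ML-DSA-65"}
CURVE = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "EC", "Ed25519", "X25519"}  # factoring / discrete log: broken by Shor

def inventory_entry(cert_der):
    """Classify one DER certificate -> {'algorithm', 'detail', 'status'}."""
    _, cert, _ = tlv(cert_der)
    _, tbs, _ = tlv(cert)                               # tbsCertificate is the first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    alg_id, key_bits = children(fields[5][1])           # SPKI follows serial, sigAlg, issuer, validity, subject
    alg_parts = children(alg_id[1])
    oid = decode_oid(alg_parts[0][1])
    name = ALG.get(oid, "UNKNOWN")
    detail = oid if name == "UNKNOWN" else ""           # surface the OID so a human can triage it
    if name == "RSA":                                   # modulus = first INTEGER of RSAPublicKey; [1:] skips unused-bits byte
        modulus = children(children(key_bits[1][1:])[0][1])[0][1]
        detail = "%d-bit" % int.from_bytes(modulus, "big").bit_length()
    elif name == "EC" and len(alg_parts) > 1:
        detail = CURVE.get(decode_oid(alg_parts[1][1]), "unknown curve")
    status = "VULNERABLE" if name in QUANTUM_VULNERABLE else "REVIEW" if name == "UNKNOWN" else "PQ"
    return {"algorithm": name, "detail": detail, "status": status}

def build_report(certs):
    entries = [inventory_entry(c) for c in certs]
    return entries, Counter(e["status"] for e in entries)

if __name__ == "__main__":
    entries, summary = build_report(SAMPLE_CERTS)
    for e in entries:
        print("%-10s %-10s %s" % (e["status"], e["algorithm"], e["detail"]))
    print(dict(summary))                                # {'VULNERABLE': 3, 'PQ': 1}
```

Run against real DER files and roll the Counter up per system, and the “we use Windows” answer turns into a concrete count of RSA and ECDSA keys that someone has to account for. The REVIEW bucket matters as much as the VULNERABLE one: an inventory that quietly skips what it cannot classify is exactly the inaccurate report Harper describes.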