Podcast Apr 27, 2022

Root Causes 219: New Quantum Cryptography Legislation Introduced

New proposed legislation in the US House of Representatives mandates that federal agencies must begin preparing to use the new quantum-resistant cryptographic algorithms selected by NIST. This represents a major development in building a quantum-safe digital world. In this episode we explain the proposed legislation and its consequences.

  • Original Broadcast Date: April 27, 2022

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    As regular listeners will know, we have been following the quantum-resistant cryptography trend in quantum computers and the imminent destruction of our current cryptographic algorithms for a few years now. There’s some new proposed legislation in the U.S. Congress that is directly relevant to this.

  • Jason Soroko

    That’s right, Tim. Some proposed legislation, I think it’s called The Quantum Computing Security Preparedness Act and basically this sounds to me – we’ll get into some of the details here and really what’s going on, but it does sound to me like the Federal Government is saying, hey, we can’t wait to start to do things by the time either NIST is ready or with cryptographic standards that are being chosen, and we can’t also choose to wait until the apocalypse itself. We need to do something now. So this is their first step.

  • Tim Callan

    Let’s clarify a couple things. This is proposed legislation that is in the House right now, so obviously, that would have to pass both houses of the Senate for that to come in, maybe it doesn’t but at least this is – we haven’t seen anything of this type before, and um, Jay, I believe that it’s pegging the action it’s requiring to the actual release of new cryptographic primitives from NIST. Is that correct?

  • Jason Soroko

    That is correct. They’re using that as some timing. In other words, once that event happens from NIST, there’s a one-year window in which there are some things that need to be produced, specifically by the Chief Information Officers Council, who is consulting with the OMB. So that is who basically this legislation is being aimed at, which is a kind of a horizontal organization across a lot of U.S. Government. They get to look at all the information systems and dictate and make reports upon and things like that.

  • Tim Callan

    I’m not sure if you mentioned this. OMB is the Office of Management and Budget. What are those things? What do they have to do?

  • Jason Soroko

    Basically, backing up towards what the real reasoning is, I think that the government very specifically pointed out a problem that we pointed out, Tim, on our previous podcast. In their preamble, I just wanted to kind of give the quote – “the potential for adversaries to steal sensitive encrypted data today using classical computers and wait until sufficiently powerful quantum computers are available to decrypt it, is a problem.”

    Therefore, they’re recognizing you can’t start too late. You have to – everybody needs to be starting now.

  • Tim Callan

    You can’t wait until ten years and you say, ah, people can crack my stuff, I’m going to switch over to these new primitives because someone might have been just intercepting encrypted blobs and storing them on platters, and once they have the computing power they need, they’re just going to open them up and see what they say.

  • Jason Soroko

    Exactly right. As you said, Tim, there is some timing to this, which is good. I mean, there always needs to be a target. It can’t really kind of be open-ended, but what’s going on here is that the OMB and the Chief Information Officers Council will have one year after the release of the NIST standards to accomplish what looks to me like a prioritization of designated systems that will require migration to post-quantum technologies. In other words, what are the systems that run websites? What are the systems using authentication? What are the systems where we see RSA and ECC certificates being used? And, as well as that prioritization designation of systems, this - which to me sounds a lot like, hey, let’s take inventory. They also as part of the legislation will be including a report. The report will be a strategy, proposal for funding, and coordination of efforts from industry. They almost copied and pasted that from a lot of other legislation that involved computer systems in the Federal Government. Basically, in order to get anything done, you do need to have a proposal that includes how you’re going to fund this, how are you going to coordinate with industry? To me it looked like very, very standard wording, but it’s all very, very positive. So, I would say the biggest, biggest takeaway in terms of what they’re really legislating here is, hey, we need to start by taking inventory, and to me, that’s, I think we’ve repeated that a few times or maybe several times in this podcast. Any cybersecurity effort, whether it’s in an enterprise or in government, you’ve got to take inventory first of your risks, inventory of your systems. Inventory. If you don’t have an inventory, you don’t really have a plan.

  • Tim Callan

    Of course, the U.S. Federal Government is such a massive consumer of compute resources that you have to imagine that’s not trivial.

  • Jason Soroko

    Absolutely. That’s why they’re giving them a full year after NIST drops the standards. So, therefore, it’s going to be a chunk of work.

  • Tim Callan

    Let me go back to something I think I heard you say earlier, Jay, which is, one of the outcomes of this is going to be a prioritization. So, they're going to say, these systems are the most critical. If someone could see what was in there, we’d be in deep trouble. These systems aren’t all that important, and they’re going to then - presumably that’s going to govern how the process of switching over actually occurs. Is that right?

  • Jason Soroko

    That is correct, Tim. And one piece that I left out was, not surprisingly, the government will always give themselves or typically will give themselves a bit of an out, basically. As part of the inventory, there may be legacy systems that will never be able to be mitigated. They’re also asking for exceptions lists as part of the inventory.

  • Tim Callan

    Which, of course, is scary because as you and I have discussed on a number of occasions, very frequently those very, very old systems. If they’re still in production, there is a reason they’re still in production. It’s because they are mission critical.

  • Jason Soroko

    That’s typically true, Tim. We’ve seen this time and time again indeed.

  • Tim Callan

    There’s a couple interesting things here. One is, this is, of course, only the U.S. Federal Government, which is in the grand scheme of things a small part of what needs to be switched over. But it is among the largest, if not the largest, users of digital processes in the world, number one. Number two, it is an important – this is from a guidance perspective – this is very important. If legislation like this passes and an effort comes about, it sends a strong signal not only to state and local, which pays rapt attention to what the Federal Government does in this regard, not only to other nations but to industry everywhere. Like, every company is going to have to consider their plan once something earnest is going on in the U.S. Federal Government. For all those reasons, this is more important than just its own impact or its own scope, its own footprint, which in and of itself is very important.

  • Jason Soroko

    I think everybody with a computing system should ask themselves, hey, if the U.S. Federal Government is planning on at least taking serious inventory, then everybody should. That includes state and municipal governments, that includes all enterprises big and small. If the big ole Federal Government can do it, and usually they’re sometimes last to the party, you really all should be doing it right now.

  • Tim Callan

    The other thing is the Federal Government can be a forcing function for industry. So, vendors who may not bother to build solutions or features to do certain things because they don’t believe that market need is there, can be pushed over the tipping point if they perceive that there is the opportunity to sell this into the U.S. Federal Government. I could also see this aiding in the development of tools, processes, services that the rest of industry and the world will be able to take advantage of because, if I’m going to build out my service to go in with my consultants and help you do this because I want to sell this to Federal Government agencies, you can rest assured I’m going to try to sell it to everyone else as well.

  • Jason Soroko

    Absolutely. I mean sometimes just the State of California alone has enough heft to be able to do that. I would say this, Tim - As part of the strategy report that’s going to be part of the outcome of this, I would say that a procurement plan for, hey, if you’re a vendor and you’re offering us systems that have the inventory is going to be ongoing. Therefore, if we’re going to be procuring something that would appear on this list, you as a vendor need to be able to give us a plan, a way to be able to move forward to being quantum resistant. That would include the https://www.sectigo.com/resour..., therefore, I think you're going to see that as part of the strategy report in a year or two from now.

  • Tim Callan

    I haven’t read this spiel in and of itself. I think this concept is a good one, I’m hopeful and optimistic that this is a good bill. And, of course, again, to reiterate, this is just being brought forward as a bill. This isn’t the force of law at this time and may never be. But even when things come out of committee, that’s a significant step and most things don’t, so I’d say there’s a real chance that this bill or something that comes out of it becomes a real law that people have to follow.

  • Jason Soroko

    Exactly right, Tim. I think it’s good in the sense that they’re calling out something specific because of the risks. Just like we’ve been calling this out as a risk for, as you say, a couple years. They’re calling out the right first step. I mean, I think if there’s any criticism to be made, it’s like, well, why isn’t there more? Why isn’t it earlier? Why isn’t there more in here? Why doesn’t it have more teeth? But if you follow any of these types of federal legislation, it has to start this way, and I don’t think it’s a bad place to start. It’s a call to action. They’re pointing to the real risk, and they’re starting with the right first step. So, nothing bad there.

  • Tim Callan

    I was just thinking about a point I should have made on my last point. This actually is a bipartisan bill. It’s introduced by a combination of Democrats and Republicans. That always bodes well for something making it through. So, this is a real thing to really watch. Alright, so this once again, this is called The Quantum Cybersecurity Preparedness Act. It has been introduced to the House and we’ll keep an eye on it, and if there are any interesting developments we’ll make sure we come back and tell you about them.