Podcast Feb 03, 2023

Root Causes 274: New Quantum Readiness Law

The U.S. government has a new law requiring that government agencies create plans for migrating to post-quantum cryptography in response to impending threats from quantum computers. In this episode we are joined by guest Bruno Couillard of Crypto4A to discuss the law and its implications.

  • Original Broadcast Date: February 3, 2023

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We are very fortunate to have a return of our excellent guest, Bruno Couillard. Bruno is the CEO and CTO at Crypto4A. Welcome back, Bruno. How are you today?

  • Bruno Couillard

    Very good, gentlemen. Thank you for having me once again. Appreciate it.

  • Tim Callan

    So Bruno is an expert. Bruno, you are an expert in the world of post quantum cryptography, PQC, which is something that Jason and I like to talk about a lot and I think you have an update for us today on the latest developments in U.S. legislation around post quantum crypto. Is that correct?

  • Bruno Couillard

    That’s correct. Gentlemen, when we last met, I was reflecting with you on very advancing development in 2022 with respect to the U.S. momentum regarding the notion of preparing to become quantum safe. After our meeting, President Biden signed an Executive Order to the effect and made that into a law actually. On December 21, all of these memos and all of the preparation were now a much more important thing and they became a law. So I think this is quite amazing that in a single year you have seen this momentum building with the seriousness that this deserves. I’m impressed.

  • Tim Callan

    Absolutely. And I think you’ve said several things there that we probably want to go back and touch on but let me start with the first one. Bruno, just like in a nutshell, what is the gist of what the new law is requiring?

  • Bruno Couillard

    It now puts a series of milestones, timelines, needs for departments to select heads of – think of each department having to elect a person that will be responsible for ensuring that each department gets a plan, gets moving on the plan, gets to report on their status on the plan to ultimately achieve quantum readiness. In essence, to migrate their cryptographic systems that they have and make sure that in the future all of these become quantum safe and this now is a law with dates. I think the first date is May 2023 where they are now asking for names, plans, and you can sense a very strong desire to not allow for much slippage, I guess.

  • Tim Callan

    And so let me – just to make sure we’re clear – the actual implementation of these things will come later as another law. What this law is, is it’s telling people they have to put together a preparedness plan that basically meets muster. Is that right?

  • Bruno Couillard

    Yes. And I think the plan itself has multiple steps to it. The first date, which is May, indicates a person needs to be named but there are dates further in the year describing: bring a plan, start making your inventory, go do your discovery. Do the inventory, start to prioritize and, in fact, go and start assessing solutions. As I said last time, that last bit there has changed during the 2022 year timeframe and nowadays it’s not just enough to get ready. It’s get ready and start working on it, kind of the word.

  • Tim Callan

    So and – I’m just gonna ambush you with this question. I hope I am not putting you on the spot. Do you know if the U.S. is leading the globe in this regard? What are other nations doing from a legislation perspective compared to this?

  • Bruno Couillard

    I definitely believe, um – can I talk about the globe? I’d be hard-pressed to talk from a global point of view. But being on the Canadian side of the border, I have recently been privileged to see the Canadians announcing the national quantum strategy. So the national quantum strategy is something two weeks old and during the announcement it was made clear that the national quantum strategy had borrowed ideas and concepts from the U.S. legislation. In essence, the U.S. had led the Canadian national quantum strategy to a certain degree in some areas and so I do believe that, from my perspective, the U.S. has been taking very definite steps and Canada is following and tracking these steps pretty closely but in that case, yes, the U.S. is ahead.

  • Tim Callan

    But, that’s not at all surprising, Bruno, because Jason and I have talked about this in past episodes. First of all, number one is, Canada is a cryptography leader that is outsized if you would just look at the size of the population. Like Canada has always been very advanced in the world of cryptography in general and Canada is very closely aligned on all kinds of initiatives – government initiatives, technology initiatives with your neighbors right to the south and so in that way it’s not really surprising to see that at all. And I think that’s a good sign. I think it’s just a proof point of what we would expect, which is we really want the whole globe to get on board. And when you watch this crossing borders that way and doing it so effectively, it’s an optimistic thing to observe.

  • Bruno Couillard

    Yes and I – by the way, I really did enjoy that podcast you guys had done. I was thrilled. I thought it was awesome. I had been thinking that way. One thing – maybe just a quick side note. One thing that you guys did not bring up was in Canada if you have people that love security and they are kind of geeks around security, they don’t have the big pull of attraction called NSA to go and work with. So in Canada, if you are a geek and you love security, go start a company that’s - -

  • Tim Callan

    Or do it in an academic environment. And both of those places we see Canada is very strong. Both private industry and academics around this particular field.

  • Jason Soroko

    Hey, Bruno, I do have to ask you – it’s a little surprising to see U.S. Federal Government leading here and a couple reasons for that – number one is there is still in some areas a perception that post quantum is enough ways away that we are just gonna let NIST do its thing and let everything else shake out. But, on the other hand, now it seems to me like the U.S. Government, they either know something or they are somehow taking a leadership position and now it’s interesting that industry is having to react, industry is having to listen and because of the fact that anything the size of the U.S. Government starts doing, everybody has to perk up their ears. And so it just doesn’t seem like the result of industry lobbying. Not that I know of. The usual things that will spark the U.S. Government to do something. So any thoughts on what’s going on here, Bruno?

  • Bruno Couillard

    I definitely have some thoughts. I do agree with you that I don’t think this is an industry lobbying the government because I don’t think industry was prepared. I think many in the industry got caught off guard by this acceleration and these more aggressive time schedules and timetables. I don’t think it’s an industry-driven effort. It may be but I don’t think it’s that case. Do they know something? I would tend to lean in that direction. I am not in the know. I am not in those circles but it’s nonetheless an interesting shift in momentum or, as I sometimes refer to it, the DEFCON level has changed. I hate using that term but it’s how it feels. There seems to be a more, an increased overall alert.

  • Tim Callan

    There’s just more urgency and it feels like people are taking it seriously in a way that they just weren’t 12 months ago or even 6 months ago.

  • Bruno Couillard

    I fully agree. And that’s why, Jason, your question, I can only observe from afar that there has been a shift. It does not seem to have an industry driving that shift because I haven’t seen those signs. I was actually seeing that quite a bit of the wait-and-see attitude was the prevailing industry feeling early last year and now everyone is quite scrambling to get their story straight and to figure out what the answers are going to be and I think the Government has decided to go ahead and it's a massive machine. If there were any folks doubting that quantum would ever come about, I think there are less and less of those folks now.

  • Tim Callan

    Jason, you have brought this up in the past and you guys have both kind of hinted at this today. To some degree, just forcing that much infrastructure and that many employees and that much of the workforce to take an initiative on this has a spurring effect on other people. Like if you were in private industry and you were saying, well, I’d like to release a service but I’m not sure if there is a market here and then the U.S. comes out with this edict, you say, oh, there’s a market here. I’m going to go ahead and release my service. So just the scale of a U.S. Government initiative like this is big enough that it itself can be motivational for industry to move when otherwise just the risk/reward economics might have caused them not to.

  • Bruno Couillard

    And I couldn’t agree more, Tim. I think that indication and that movement that we are seeing at least is mammoth. It’s a humungous amount of resources that will now need to shift in that direction and there is a fairly aggressive timeline and I had mentioned that on our previous call. Even after NIST announced in July of 2022, when NSA came out with their update to the cryptographic national security algorithm policy, so the NSA 2.0 came out I believe in August of 2022, they said in essence we are gonna use the list that NIST has selected. As we had said before, we will go with those but there are existing algorithms based on hash-based signatures and we expect vendors to have adopted these for code signing and firmware signing by 2025. I mean 2025 is only a couple years in the future. That’s today kind of thing. When that came out, I thought, whoa. That will be a surprise to a few and it seems like there’s this drumbeat and importance of seriousness that’s been injected by both NSA and the White House and the OMB memo and there’s a string now of events that if you want to not pay attention to it, it’s fine, but there are too many now, too many of these signs, these flags to ignore is what I suggest.

  • Tim Callan

    And so that’s a real watershed moment. I think that’s one of the things that we are seeing and we are trying to communicate. When we look back on the history of post-quantum crypto, there are gonna be a few events that seem to be very important and certainly the NIST round three is one of them but I think this is another one. Anything else on this topic?

  • Bruno Couillard

    Not from my end.

  • Jason Soroko

    So, Bruno, I think we are gonna have to have you on real soon again because since we now know it’s time to get off all of our hands. We all have to notice what you’ve just told us. This is important. It’s an industry-leading signal that we all have to do something here because it’s big. I think we gotta have you on soon again to talk about where we really are in the industry and maybe some of that conversation could start with where we are with HSMs and post-quantum. So something we can talk about real soon.