Major News Story!! US Government Just Pushed PQC Deadline from 2035 to ASAP! Hmm.

The Biden administration today released a sweeping Executive Order (https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/) that strongly promotes over a dozen major technologies (e.g., secure development, end-to-end encryption, encrypted DNS, PHISHING-RESISTANT MFA, threat hunting, and more).

But what caught my quantum eye were the following passages, which were submerged so deep in the document that I still can’t figure out which subsections they officially belong to. But if you read them, you will see a major quantum news story buried in the order. Here they are:

(iii) Agencies shall implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable upon support being provided by network security products and services already deployed in their network architectures.

(iv) Within 90 days of the date of this order, the Secretary of State and the Secretary of Commerce, acting through the Director of NIST and the Under Secretary for International Trade, shall identify and engage foreign governments and industry groups in key countries to encourage their transition to PQC algorithms standardized by NIST.

(g) The Federal Government should take advantage of commercial security technologies and architectures, such as hardware security modules, trusted execution environments, and other isolation technologies, to protect and audit access to cryptographic keys with extended lifecycles.

To quickly summarize, the US government is saying US government agencies and their allies need to be moving to post-quantum cryptography (PQC) as soon as possible.

To put this in perspective, the last official PQC deadline guidance by the US government was the US National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/).

It said this:

Sec. 3. Mitigating the Risks to Encryption. (a) Any digital system that uses existing public standards for public-key cryptography, or that is planning to transition to such cryptography, could be vulnerable to an attack by a CRQC. To mitigate this risk, the United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography, with the goal of mitigating as much of the quantum risk as is feasible by 2035.

This officially set the PQC deadline for 2035 (at the time over 10 years away). I was pretty incensed by this deadline (https://www.dhirubhai.net/pulse/i-think-2035-post-quantum-preparation-date-insane-roger-grimes-yotee/) because I think it’s both far too risky to wait that late and because a 10-year deadline means most organizations will not be doing anything PQC-related anytime soon.

The new order says, “…as soon as practicable…”

The US government has been telling organizations to start preparing for PQC since at least 2015. The US government has been telling organizations to prepare, report, and start working on PQC projects ever since.

This is the first time the language says…clearly…ASAP!!

That’s a lot different than 2035.

The new executive order also promotes isolation technologies, such as trusted execution environments, to protect cryptographic keys with extended lifecycles. This means that critical data needs to be isolated and prevented from being eavesdropped on by adversaries. The US government has long warned that our adversaries are already eavesdropping on our data streams and saving them for future decryption once sufficiently capable quantum computers are available.

This is huge!!!

It’s not saying to wait. It’s not saying to study. It’s not saying to prepare some inventory list and report it to some agency. It’s saying government agencies need to isolate existing critical data NOW!! It’s saying government agencies need to be moving to PQC (and hybrid protection) NOW!!

Unless I’ve missed something unintentionally, this is a change in tone and timing. I wonder if there is a particular new fact behind the more aggressive timing?

I apologize if I’ve missed prior government orders telling all agencies that they need to be PQC ASAP, and if I’ve indulged in a little too much hyperbole in this post. I could have missed something. But I follow this sort of stuff fairly closely, and this seems like a distinctly new tone.

And if the US government is saying it needs PQC and data isolation ASAP, is everyone else supposed to be cool waiting until 2035??

Hmm. Hmm.

Colin Robbins

Part time cyber security, researching next generation technology. Part time volunteer park ranger planting next generation trees. Part time contributor to Open Home Foundation projects.

1 month

Interesting that this Exec Order has now disappeared from whitehouse.gov. Does that mean it's been withdrawn by the executive?

Reply
Talal Hammad

GTM @ Dataminr

1 month

The way section (iii) reads, ASAP is further away than 2035. ASAP here means “as soon as practicable upon support being provided by network security products and services already deployed in their network architectures….” I'm interpreting that as “the speed of PQC adoption is only as fast as the government's incumbent vendors are willing to innovate”. Unlike 2035, it's not a point in time we can work towards. How many FedRAMP authorized PQC vendors are there today? In their architecture already? Seems like the options are a) incumbents figure out PQC at whatever speed is “practical” (a lot left to interpretation), or b) the Fed fast tracks/subsidizes FedRAMP authorization for PQC vendors that aren't incumbents, who can layer in with the existing infrastructure, another layer of defense with purpose-built products like Quantinuum. I like option B. Subsidize the R&D to get us there faster. Strengthen the US cybersecurity industry as a whole in the process.

Reply
Anthony L.

Chief Executive Officer at Light Rider Inc

1 month

There is no security without Proof of Work (PoW). PQC is a waste of time and money. The U.S. government and big business are in big trouble due to the huge mistakes of a few individuals.

Some of Biden's parting actions like pardoning 2,500 criminals including 7 death row inmates and his son are irreversible, but this middle finger salute to his successor is not. Executive Orders loaded with trillions in unfunded mandates for agencies (which are a middle finger to his own government) can be quickly canceled with another E.O. Anybody taking odds that that's what will happen?

Reply
WILLIAM SLATER

CISO, vCISO, M.S. in Cybersecurity, MBA, PMP, CISSP, CISA, SSCP, U.S. Air Force Veteran

1 month

#Yuge! Just completed a 2-day conference on #PQCMigrations. This is one of the slides. #KeyPoints 1). Strive for #CryptographicAgility. 2). Create and use a #CBOM - #CryptographyBillOfMaterials. 3). Automate everything you can. 4). Test everything and make sure your software and hardware 3rd party vendors are #PQCCompliant. 5). Don’t underestimate the efforts and complexities. Example: The average #Windows #Laptop can have as many as 330,000 #Certificates. The average #MacBook can have as many as 260,000 ceremonies. 6). Time is not on anyone’s side for these people. #PlanWell and #GetBusy. Comment: In 1999, I did MANY #Y2K Projects and was always successful. Due to the nature of the ubiquitous usage of #Cryptography in the 2020s and beyond, I estimate #PQCProjects will be more difficult than #Y2KProjects by a factor of 10 to 20. And of course, the stakes and risk of errors and omissions are also significantly higher. #HopeThisHelps. #GoodLuckEverybody and #Godspeed!
