White House tells agencies: upgrade your security to quantum era
The White House has condemned obsolescent encryption techniques to the waste bin in a simple eight-page memo, and told US Federal agencies to move to quantum encryption.
This major boost for quantum security came in an instruction from Shalanda Young (pictured), head of the Office of Management and the Budget (OMB), part of President Joe Biden’s executive office at the White House.
Federal agencies should “prepare now to implement post-quantum cryptography”, she says in her memo, because of the prospect of “a cryptanalytically relevant quantum computer” being able to decode messages and data that are being transmitted by current encryption techniques.
She also warns agencies that they should be aware of the dangers “that encrypted data can be recorded now and later decrypted by operators of a future [quantum computer]”.
Young tells agencies that they have until April 2023 “to submit a prioritized inventory of information systems and assets” that contain quantum-vulnerable cryptographic systems.
They then have to update that list in annual filings to the OMB, from now until 2035, she warns.
Each year they then have a month to submit “an assessment of the funding required to migrate information systems and assets inventoried under this memorandum to post-quantum cryptography during the following fiscal year”. The information will go to OMB and to the Office of the National Cyber Director (ONCD).
Young specifically excludes the Pentagon and US intelligence agencies: this is a rule for Federal agencies in the civilian sector.
She also sets out the procedure for testing post-quantum cryptography, including “web browsers, content delivery networks, cloud service providers, devices and endpoints, and enterprise devices that initiate or terminate encrypted traffic”.
And, in case of doubt, she appends a list of what the OMB considers to be vulnerable technology when quantum computing and communications arrives, including Diffie-Hellman key exchange and the RSA (Rivest-Shamir-Adleman) signature algorithm, technologies that telcos and internet service companies have trusted for decades.