The Quantum Computing Conundrum and NIST Cybersecurity Framework Training

Have you ever been in a situation where you thought, “This could be amazing, if it doesn’t blow up in my face”? It seems that’s where we are headed with quantum computing. Let’s build a bit of a foundation.

According to Intel, “Quantum computing employs the properties of quantum physics like superposition and entanglement to perform computation. Traditional transistors use binary encoding of data represented electrically as ‘on’ or ‘off’ states. Quantum bits or ‘qubits’ can simultaneously operate in multiple states enabling unprecedented levels of parallelism and computing efficiency.”

What this means is that quantum computers, when they eventually move from generally experimental to commercial usage, will be able to solve complex problems beyond the practical capability of traditional (also known as classical) computers. Quantum computers have incredible benefits over traditional computers.

With all the reasons why we should be excited about the coming quantum computer revolution, there is at least one major area of concern. You see, our current methods of encryption may soon be susceptible to being broken in just a few hours.

That’s the bad news. And security professionals in both the private and public spheres have been aware of it for some time. Here is the good news. This is a solvable problem. Enter the concept of Post-Quantum Cryptography.

The White House recently issued the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. In this document, the president states that it “identifies key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security.” In fact, the memorandum specifically calls out that NIST is currently developing standards for quantum-resistant cryptography.

All of the above leads us to the question: how does this affect us today? Let’s answer that question in two ways:

As someone who regularly presents NIST cybersecurity training, part of my job is to keep up to date on the latest information and trends in cybersecurity. When the quantum computing memo from the White House was released, we at LRS Education Services took notice. Quantum computing was already on our radar, and we (like you most likely) were aware of the potential cybersecurity ramifications. But the memorandum caused us to start to dig much deeper into what the federal government was doing.

Let’s talk about some of the work NIST as an organization has been doing in relation to post-quantum cryptography. To start, they put together an entertaining and engaging short Q&A and video about the topic. Also, NIST has been working on new standards since 2015, and those are expected to be released in 2024. In the meantime, organizations need to build an accurate inventory of all their information and document it in order of priority. Ask yourself which data would be of the most value to cyber criminals. Next, put together a plan to transition that data to the new standards, with the eventual goal of moving all your encryption to those standards. One of the benefits of NIST conducting this process in the open is that we can see some of what’s coming before it’s officially released.

As part of our ongoing process of keeping our NIST Cybersecurity Framework courses up to date, we will continue to follow the progress of NIST in the area of post-quantum computing. It’s certainly possible that the information on the updated standards will be integrated into one of our existing NIST framework courses, or that we will develop a new course (as we did for the ransomware profile) related to the post-quantum computing standards.

Watch this space for future updates!

–Troy Stoneking, Certified NIST Cybersecurity Framework Professional Trainer and Cybersecurity Assessor