The Federal Data Most at Risk: Defense, Intelligence and Long-Lived Citizen Records
To understand what data is at risk, it helps to know who is looking to use quantum computing to exploit federal data.
First, “they’re going to be the adversaries who can get their hands on some of that encrypted data in the first place,” Smith says. “Second, they’ve got the means to store such large quantities of data for a long time.”
This points to nation-state adversaries, who will be looking to exploit a range of federal data.
“Most people tend to think the most valuable data at risk are related to defense, intelligence or citizen records,” Touhill says. And while that may be true, those organizations are also “among the most mature and proactive organizations in migrating to a post-quantum cryptography capability.”
Other less well-funded departments and agencies may have a higher degree of risk, including those holding data “related to financial and economic information, regulatory deliberations, law enforcement, intellectual property, market trends, agriculture, strategic materials [and] citizen privacy,” he says.
That puts virtually every federal agency in the crosshairs.
The Policy Landscape: NSM-10 and CISA’s Push Toward Post-Quantum Readiness
There’s urgency around achieving quantum-resistant encryption. “We know what the worst-case scenario looks like and are in a race to reduce our national risk exposure,” Touhill says. “Now is the time to act with velocity and precision.”
To that end, various federal entities have begun issuing guidance to steer agencies toward a safer place in the face of the harvest now, decrypt later (HNDL) threat.
National Security Memorandum 10, or NSM-10, spelled out “a big, broad policy directive around building out a cryptographic inventory, regularly reporting on cryptographic posture, and starting to then do that migration on a prioritized basis, with a goal of achieving as much migration as possible by 2035,” Smith says.
Beyond that general directive, “we see more specific guidance, more technical guidance, coming out from the likes of CISA and NIST,” he says. In particular, the NIST post-quantum strategy looks to phase out some current algorithms by 2030, fully disallowing them by 2035.
