US President Joe Biden looks at a quantum computer as he tours the IBM facility in Poughkeepsie, New York, on October 6, 2022. (Photo by MANDEL NGAN/AFP via Getty Images)

WASHINGTON — This morning the National Institute of Standards & Technology officially released the long-awaited final versions of three new post-quantum encryption algorithms, with additional, more specialized algorithms on the way. They’re all designed to defend against future hacks carried out by quantum computers, an unproven but rapidly developing threat that could quickly crack the kinds of encryption used almost universally today, including those used in the most sensitive Pentagon systems.

While implementing the NIST standards is voluntary for most private companies (albeit strongly recommended), they’re mandatory for national security agencies, including the entire Defense Department. The official deadline set by the White House is not until 2035. But because the vulnerable algorithms have been so widely used for so many years, and are so deeply embedded in often obscure chunks of code, it may well take that long to root them all out and replace them.

“This is the starting gun for what may be the single largest overhaul of US government communication systems since the adoption of the Internet, as ordered by the President in National Security Memorandum 10,” said RAND scientist Edward Parker. “It will probably go on for decades and will cost billions of dollars: OMB estimated $7.1 billion over the next decade for civilian federal government agencies alone, not including national security systems. It will cost even more time and money from the private sector.”

“There’s no time to waste,” Parker told Breaking Defense. “Any organization that handles sensitive data should get moving on migrating to PQC [post-quantum cryptography] as soon as possible.”

Duncan Jones, the head of quantum cybersecurity at vendor Quantinuum, put it even more bluntly: “The release of the standards is a wake-up call to any organization that has been dragging its heels on quantum.”

In fact, many federal agencies and private companies have been at work for months or years. They haven’t been implementing the actual algorithms, which were only formally finalized today after years of extensive testing that saw many promising candidates discarded along the way as NIST, NSA, or independent researchers found hidden weak points. Instead, they’ve been laying the groundwork by taking inventory of their existing systems, hunting through deeply buried subroutines to find all the instances of old-school encryption they’ll have to replace.

So, on the bright side, the three NIST standards formally released today — and a fourth expected to release by New Year’s — are familiar to cybersecurity professionals and thoroughly tested after almost a decade of often highly publicized development. On the dark side, though, there are plenty of nasty surprises lurking in networks, internet-of-things devices, and possibly even weapons systems, all of which will take time and technical talent to fix.

“I’m sure that organizations will discover plenty of practical surprises as they migrate their systems over to PQC — for example, discovering that certain devices have traditional cryptography algorithms unexpectedly hard-coded in,” Parker said. “But these issues should all be fixable. I don’t think there are any true deal-breakers lurking out there.”

Of course, “fixable” does not mean “easily” or “cheaply.”

Now For The Hard Part

“The quantum community has waited a long time for these standards, more than eight years,” said Arthur Herman, director of the Quantum Alliance Initiative at the Hudson Institute. “After some initial problems with some of the algorithm nominees — one was hacked by someone using a conventional laptop — it looks like NIST engineers have finally arrived at a set of standards and related algorithms that can bear the brunt of a future quantum computer attack, but also provide full protection against a conventional hack.”

This need for a double-sided defense, against both near-future quantum hacks and existing “classical” ones, is one further complicating factor for cybersecurity teams. It’s possible to have separate PQC and conventional cybersecurity systems running side by side, but some experts argue for combining them.

Quantinuum, for instance, recommends a “hybrid” and “layered” defense. They aim to combine established cybersecurity protocols, the newly announced PQC algorithms, and novel quantum technologies, such as using quantum computers to generate random numbers as “seeds” for encryption calculations. The NSA has declined to mandate a hybrid approach, but Germany’s BSI, among others, has endorsed it.

Some experts, like Hudson’s Herman, go yet further and argue for using quantum phenomena directly to send small amounts of crucial data, such as encryption keys. The best-known techniques rely on the so-called quantum entanglement connecting pairs of quantum particles even after they’re physically separated, a phenomenon Einstein famously derided as “spooky action at a distance,” but which has now proven practicable in experiments. While US agencies have been publicly and profoundly skeptical that this “quantum key distribution” will prove practical, China has invested heavily in QKD, including one earth-to-satellite demonstration.

“Both NIST and NSA have been resistant… even though the Chinese and Europeans and South Koreans have been pushing ahead with Q [quantum] cryptography for years,” Herman said.

In the near term, though, there’s a lot of hard work ahead just to implement the algorithms announced today. On the government side, defense and intelligence agencies will have to issue binding regulations and promote best practices, both for their own subordinates and for the companies with which they do business. On the industry side, cybersecurity companies will need to build PQC software, and perhaps even new hardware, that fulfills those federal requirements.

“We’ll need firm guidance by our national security agencies, not just NIST and the Department of Commerce, to get the standards implemented,” said Herman, who helped draft the Quantum Security Preparedness Act passed in 2022. “That’s going to be a tough assignment, including at DoD. At a time when CMMC [the Pentagon’s troubled Cybersecurity Maturity Model Certification process] has struggled just to get minimum standards for conventional cybersecurity adopted by defense companies, shifting attention to quantum security standards will require heroic, I’d even say super-heroic, efforts.”

Overall, the experts argued, it’s not safe for agencies and companies to handwave the quantum threat as something their favorite cybersecurity vendor will take care of (for a price). They’ll have to be, at least, informed consumers in the face of a bewildering variety of new products.

“I suspect that vendors of communication and cybersecurity systems will be the ones doing most of the legwork,” Parker said. “But every organization that handles sensitive information should now be asking their cybersecurity vendors for their plans and timelines for transitioning to PQC.”

So this is going to take a while, and it might be a wild ride as hackers discover new technologies and defenders rush to counter them. “There are no surprise changes in the released standards [themselves],” said Jones. “It is still prudent, however, to plan for rapid algorithm changes. We simply don’t know what the future may hold.”