Department of Defense CIO for Cybersecurity David McKeown records a message for the RSA conference, the Pentagon, Washington, D.C., April 28, 2021. (DoD photo by Lisa Ferdinando)

WASHINGTON — Of all the critical tasks under the remit of the Pentagon’s IT office, one has risen to the highest priority: finding vulnerabilities and then modernizing the DoD’s cryptographic algorithms to stay one step ahead of adversary hackers, especially in a coming post-quantum world.

“We’ve got to think ahead as to what the adversary might be working on and develop algorithms that are there in time to meet the adversary’s ability to crack those [older] algorithms,” David McKeown, who is dual hatted as the Pentagon’s Deputy CIO and the DoD’s senior information security officer, said during a keynote speech at the AFCEA Tech Summit today.

He said a vital part of protecting Pentagon data is building cryptographic systems that are resistant to quantum computing in what’s called Post-Quantum Cryptography (PQC).

Quantum computing techniques are so advanced that they could, in theory, crack just about any existing encryption. Most encryption for digital communication uses algorithms based on a security framework known as RSA, invented in 1977, that allows two parties to communicate securely without having to exchange secret keys beforehand. Scientists have theorized that quantum computing, when fully developed, could use an exponential jump in calculation speed and complexity to crack the code.

Creating specific quantum-hardened algorithms falls under the National Security Agency’s list of responsibilities, since it handles cryptographic modernization as a whole, based on standards under development by the National Institute of Standards and Technology.

McKeown acknowledged that quantum computers are still probably “10 years away,” but, he said, the time is now for the Pentagon to do a sprawling review to determine where it might be vulnerable.

“There’s going to be a year where [quantum computing] is not going to be 10 years away, and it’s going to be nine years, and eight years and seven so we gotta work on this together,” McKeown said.

“We need to look through our whole inventory and look at all the encryption that we’re using on everything, and then figure out what needs to be replaced there, and then get to work with the vendors and our community to get the upgrades and field the upgrades so that that new quantum-resistant cryptography is employed throughout the department,” he later added.

Even after PQC algorithms come online, the Pentagon won’t be able to rest, McKeown said, as they’ll need to be updated constantly to fend off novel attacks.

“In some cases, we may have to use the old algorithms unencrypted or re-encrypted with the new stuff that we just came out with. So you see it’s an extremely long timeline. You can’t put your head in the sand thinking that our algorithms are going to be good forever, and so we constantly have to be working at this,” he said. “This is a gigantic life cycle of encryption algorithms and encryption of hardware that has to be maintained.”

After modernizing cryptographic algorithms, McKeown said the next biggest priority for the department is to implement zero trust, a security system in which a user’s activity on a network is regularly checked, rather than letting anyone who gets through a login/password screen run free. McKeown said that the Pentagon is still on track to move to a zero trust-based cybersecurity model by 2027.

“[It] doesn’t stop all attacks, and hopefully nobody thinks that that is the case, but what it does do is it limits the success of the attacker, and allows us to detect the attacks quicker and respond quicker and eradicate the bad guys from our network,” he said. “Lots of times before we had zero trust, the adversary could live on our network for long periods of time. I had one instance of 18 months before we discovered that [the adversaries] were on our network.”

The third priority for the CIO is to enhance the cybersecurity of the defense industrial base, McKeown said. This mainly includes enforcing the Cybersecurity Maturity Model Certification (CMMC) 2.0, which sets new standards for contractors who handle controlled unclassified information. (The final rule for CMMC 2.0 came out earlier this month.)

The number three priority also includes making production pipelines more “cyber resilient and survivable,” McKeown added, citing the Colonial Pipeline attack that occurred over three years ago.

“You remember the Colonial Pipeline, when it got shut down, no gas on the East Coast for like a week. You know, we didn’t want that to happen with some of these key weapon system manufacturing,” McKeown said.