Encryption & Key Management
,
Security Operations
‘As Soon as Practicable’ No Longer Federal Policy
A Friday White House executive order on cybersecurity has created uncertainty for federal agency efforts to prepare for the coming era of post-quantum computing encryption by scrapping Biden-era requirements.
See Also: OnDemand | Cryptographic Control in a Zero Trust World: Mastering Machine-to-Machine Trust
The order directs the U.S. Cybersecurity and Infrastructure Security Agency to maintain and regularly update a list of product categories where post-quantum cryptography is commercially available. The directive stops short of a procurement mandate and steps back from former President Joe Biden’s call for agencies to adopt quantum-resistant encryption “as soon as practicable” (see: Trump Rewrites Cybersecurity Policy in Executive Order).
The Trump executive order lays groundwork for post-quantum readiness but it does not compel agencies or vendors to adopt post-quantum encryption.
Quantum cryptography has become a high-stakes challenge with global implications. Breakthroughs in quantum switching, advanced algorithms and high-performance computing are narrowing the timeline for a quantum computer capable of breaking nearly every encryption algorithm in use today, said Crick Water, CEO of the quantum secure cryptographic solutions firm Patero.
“Classical encryption is facing an accelerating risk of being broken by a combination of advancing technologies,” Water said. “The removal of mandates for U.S. agencies to adopt PQC may have a chilling effect on technology development and funding, ultimately jeopardizing the U.S. government’s ability to secure its data while Europe and Asia move ahead without us.”
National security experts warn that competitor nations likely are deploying “harvest now, decrypt later” strategy of hoarding currently unbreakable encrypted messages for retroactive decryption with a quantum computer. Most experts anticipate that a “cryptanalytically relevant quantum computer” – as it is known – will likely come online in the first years of the coming decade.
The Trump order rolls back a number of policies put in place by the Biden administration through an eleventh-hour cybersecurity order signed just days before then-President Joe Biden. A White House official told reporters at the time that the order aimed to give the Trump administration “the best possible foundation” for national cybersecurity (see: Final Biden Cybersecurity Order Will Face Political Hurdles).
Quantum resilience experts warned that walking back the mandate for federal agencies to adopt these post-quantum solutions could also leave the nation more exposed. Some defense and intelligence agencies have made headway on post-quantum cryptography planning, though most civilian agencies lack the resources or expertise to move forward. Vendors are further along, especially in cloud and hardware, but legacy system integration and shifting federal guidance continue to slow adoption, said Vahid Behzadan, associate professor of cybersecurity, data and computer science at University of New Haven.
“Overall, we’re seeing meaningful progress, but largely among mission-critical actors with stronger cybersecurity mandates and clearer risk assessments,” said Behzadan.
The next major step the federal government can take to promoting post-quantum encryption is certifying an additional algorithm for digital signatures dubbed Falcon (see: US NIST Formalizes 3 Post-Quantum Algorithms).
Analysts said they will be watching how agencies respond to the order and how industry adjusts to the shift from mandatory to discretionary post-quantum cryptography procurement requirements.
