Home Civilian based defense Closing the barn door on “store now, decrypt later” attacks

Closing the barn door on “store now, decrypt later” attacks


The Biden administration’s new national security strategy and national defense strategy highlight how competitors are undermining the operational, logistical, and informational advantages of the U.S. military. The main technology risks facing the United States are the continued need to build national cyber resilience, such as the use of zero-trust architecture and quantum systems; creating secure technology supply chains that promote global interoperability and supplier diversity; and escalation risk management in cyber operations and information operations. Of these three strategic areas, increasing national cyber resilience is arguably the most critical, especially to defend against “store now, decrypt later” or SNDL attacks.

Opponents are launching SNDL attacks against the United States, exfiltrating and storing encrypted data today to decrypt it in the future using post-quantum cryptography (PQC) algorithms. PQC refers to a technological stage when advanced quantum computers reach “sufficient size and level of sophistication” and can break the classic public-key encryption methods that secure our communications and financial transactions over the Internet.

By their very name, SNDL attacks focus on long-playing and exploiting delays with the implementation of more advanced security protocols. Imagine this: even if Country A manages to switch 100% of its protocols to PQC algorithms in 2023, all of Country A’s data stolen in previous years during Country B’s SNDL campaign remains vulnerable. In other words, upgrading the barn door lock can help protect the horses still inside, but it won’t make the horses stolen.

Some scholars are skeptical of the likelihood of states developing cryptanalytically relevant quantum computers and criticize the so-called quantum hype as a “funding frenzy”. The White House’s Quantum Technologies Fact Sheet refutes this, however, noting that this technological milestone is achievable “at some point in the not-too-distant future.”

Additionally, the Biden administration’s May 2022 executive order and two national security memoranda on quantum computing describe post-quantum systems as “cryptanalytically relevant quantum computers,” meaning they could pose risks. important national, economic and cybersecurity issues in the United States by weakening the current public. key cryptography. The memorandum on promoting American leadership in the quantum field warns that PQC poses a significant security risk to cryptographic systems that protect critical infrastructure supervision and control systems, and also secure military and civilian communications.

Besides the United States, the European Union is also concerned about the risks of PQC. In October, the European Union Agency for Cybersecurity (ENISA) published a report on the need to create cryptographic protocols and prepare for post-quantum resilient systems. ENISA explains that even if the transition to new quantum resistant cryptographic algorithms takes years, perhaps due to financial and technological obstacles, “we still have to anticipate this. [transition] and be prepared to face all possible consequences.

Preparation is an essential part of success. As Anne Neuberger, Deputy Assistant to the US President and Deputy National Security Advisor for Cyber ​​and Emerging Technologies, announced during a panel at CSIS: “The process of deploying new encryption capable of self-defense against a potential quantum computer is not a year-long process. effort; it is a long effort.

Transitioning critical infrastructure to federally approved PQC standards is no small feat. Rather, it is a complex and delicate challenge that cuts across the public and private sectors. From a design thinking perspective, the main barriers to transitioning to PQC algorithms can be summarized into technical, cost, schedule, and programming risks. As an initial planning framework, policymakers should focus on these four considerations when engaging with stakeholders and building trust around upgrading vulnerable systems and infrastructure.

For example, under the auspices of the National Quantum Initiative program, policymakers could push industry to adopt, at a minimum, the first set of PQC algorithms developed by the National Institute of Standards and Technology last summer. According to Susan M. Gordon, former Senior Deputy Director of National Intelligence, and Adms. Mike Rogers and John Richardson, “Major global banks, telecoms, healthcare providers and other enterprises have already begun the transition to PQC,” reports Cyberscoop.

While it may not be technologically possible to bring stolen “horses” back to the barn, enhancing our locks with PQC algorithms is essential to defending against SNDL attacks and promoting national cyber resilience. .

Zhanna L. Malekos Smith is a Senior Partner at Strategic Technologies Program and the Aerospace Security Project at the Center for Strategic and International Studies in Washington and an assistant professor in the Department of Systems Engineering at the United States Military Academy at West Point, where she is also a member of the Army Cyber ​​Institute and an affiliate professor at the Modern War Institute. Opinions expressed here are his own.