US Agency Customs and Border Protection (CBP)  Leads Charge on Post-Quantum Cryptography Migration

The US Customs and Border Protection agency is taking a proactive approach to preparing for the advent of quantum computing, which is expected to render current encryption methods obsolete within the next decade.

Dubbed “Q-Day,” this event will introduce critical systems vulnerabilities unless agencies adopt post-quantum cryptography. CBP began its migration two years ago and has already seen returns on its investment, with lessons learned that can benefit other agencies.

According to CBP CIO Sonny Bhagowalia, the agency is strengthening its data security through post-quantum cryptography encryptions to prepare for future threats. Ed Mays, CBP IT Deputy Assistant Commissioner, notes that the agency’s data cataloging effort revealed unexpected complexity in its systems, including third-party tools and non-human entity communication.

The National Institutes of Science and Technology has also played a key role in this effort. Mathematician and Fellow Lily Chen highlight the importance of collaboration between industry, government, and academia to develop new standards for post-quantum cryptography.

Preparing for a Post-Quantum Cryptography Future

Customs and Border Protection (CBP) has taken a proactive approach to preparing for the potential security threats posed by advanced computing power, commonly called “Q-Day.” This term denotes the point at which current encryption methods will become vulnerable to being broken, introducing critical system vulnerabilities. Technology experts predict this milestone will be reached within 10 years.

To address this challenge, CBP has been an early adopter of post-quantum cryptography standards released by the National Institutes of Science and Technology (NIST). The agency’s Chief Information Officer, Sonny Bhagowalia, emphasized the importance of strengthening data security through post-quantum cryptography encryptions to prepare for future security threats. CBP’s efforts serve as a proof of concept for other agencies, demonstrating the value of early adoption in mitigating potential risks.

The agency’s initial work involved creating inventories and migration plans, which complemented its work on zero-trust architecture. Through its data cataloging effort, begun in 2022, CBP gained valuable insights into its complex data systems. This exercise revealed unexpected complexities, including third-party dependencies and non-human entity communication. According to Ed Mays, CBP IT Deputy Assistant Commissioner, these discoveries will benefit the agency and potentially other organizations.

The Imperative of Post-Quantum Cryptography Migration

The migration to post-quantum cryptography is a pressing concern, as it will be challenging to catch up once advanced computing power becomes a reality. Ed Mays emphasized that this challenge cannot be addressed with a long lead time; rather, it requires immediate attention from a software, hardware, and architecture perspective.

CBP’s proactive approach is noteworthy, as the agency began its migration even before the Office of Budget and Management directed agencies to do so in a 2022 memo. This underscores the importance of prioritizing post-quantum cryptography preparation to ensure the security of sensitive data.

The Role of Collaboration in Developing Post-Quantum Cryptography Standards

Developing post-quantum cryptography standards requires collaboration among industry, government, and academia. NIST’s National Cybersecurity Center of Excellence (NCCoE) has played a crucial role in CBP’s journey, mainly through its “Migration to Post-Quantum Cryptography” project. This initiative brings together public and private sector stakeholders to research and develop ways to facilitate migration.

Lily Chen, NIST Mathematician, and Fellow highlighted the need for demystification regarding the widespread reliance on public-key cryptographic algorithms in various systems, services, and products. This is particularly important when considering third-party tools, where the underlying algorithms may not be transparent. Collaboration will be essential in addressing these complexities and ensuring a smooth transition to post-quantum cryptography.

CBP’s Post-Quantum Cryptography Roadmap

CBP published its post-quantum cryptography roadmap in 2021, outlining its plan to complete migration by 2030. This roadmap serves as a guiding document for the agency’s efforts, ensuring that it remains on track to secure sensitive data against potential quantum computing threats.

By sharing the CBP’s lessons learned and experiences, it aims to facilitate the adoption of post-quantum cryptography standards across other federal agencies. As the agency continues to navigate this complex landscape, its proactive approach will likely serve as a valuable model for others seeking to prepare for the challenges posed by advanced computing power.