Researchers are trying to develop encryption algorithms for computers that don’t yet exist
The U.S. government is readying a game plan to protect encryption against a super-powerful new generation of computers that don’t exist yet and aren’t expected for another 15 to 20 years.
The project, run by the Commerce Department’s National Institute of Standards and Technology (NIST), represents one of the longest-range efforts in cybersecurity — a discipline that typically measures threats in days and weeks rather than decades.
But, even with the long head start, cryptographers will be racing against the clock to ensure as much encrypted information as possible remains hidden from prying eyes — including highly sensitive government communications.
The new forms of encryption are designed to resist decoding by quantum computers — which researchers expect will be developed within the next few decades and which, by harnessing the physics of quantum mechanics, can in theory solve certain classes of problems exponentially faster than today’s computers.
Quantum computers could allow massive breakthroughs in science and engineering, but they’ll also make it comparatively simple to crack the current generation of encryption that keeps emails and other communications secret as they travel over the Internet.
The challenge for post-quantum cryptographers is to protect messages and other data with math problems so hard that even quantum computers can’t solve them efficiently.
Government intelligence services are almost certainly scooping up their adversaries’ encrypted communications now so they might be able to decode them in the quantum future. That means the more quickly researchers can develop quantum-resistant encryption, the less likely that hoarded information is to be useful by the time quantum computers arrive.
“That’s a vulnerability that already exists today even if we don’t have quantum computers for another 15 years,” Dustin Moody, a NIST mathematician who’s leading the project, told me. “So, the sooner we have these standards, the better off we’ll be.”
NIST researchers plan to release a list of encryption algorithms they believe can withstand decoding by quantum computers within the next few weeks, Moody told me. The exact date isn’t set yet.
But it will take another year or two of testing and analysis before NIST releases the final versions of those algorithms. And it will probably be five or 10 more years before those algorithms are fully adopted by industry.
Even after the algorithms are final, there’s still a risk.
- Once quantum computers are built, they could turn out to be capable of breaking algorithms that their designers believed were quantum-resistant.
- Or there could simply be an exploitable flaw in one of the algorithms that takes years to discover.
“The state of cryptography today is there’s no guarantee some brilliant person won’t find a new attack to break the system,” Moody said. “The best we can say is that a lot of really smart people have worked on this and there are no avenues that seem likely where a quantum computer would be able to solve this particular hard problem.”
A lengthy testing and adoption process lowers those risks. But it also prolongs the time when adversaries can scoop up information that’s encrypted to a lower standard.
- Government secrets generally lose value for adversaries over time as they become less reflective of current priorities. So a gap of just several years between when U.S. government agencies adopt upgraded encryption and when quantum computers in China and elsewhere can crack the old communications could make a big difference for U.S. national security.
- But some information definitely retains its value for a long time, and the government routinely opts to keep information classified that’s more than two decades old.
- Government information is the prime target for such decryption efforts, but there could be other targets, too — such as companies’ trade secrets or even health and financial information about individuals that could be used for blackmail.
“It’s hard to know for sure, because we just don’t yet know how expensive quantum computers will be or how fast they will run,” Moody told me.
Some lawmakers are pushing to get government encryption updated as rapidly as possible.
A bipartisan bill introduced this month would require the government to prioritize shifting to quantum-resistant encryption as soon as standards are available. It’s sponsored by Reps. Ro Khanna (D-Calif.), Gerry Connolly (D-Va.) and Nancy Mace (R-S.C.).
But, because government uses commercially purchased software for most of its work, government agencies will still be heavily reliant on industry to make the transition.
Might Musk make DMs public?
Cybersecurity pros weighed in — along with everyone else — on Tesla chief executive Elon Musk’s $44 billion acquisition of Twitter. Much of the conversation revolved around direct messages on the platform, which aren’t currently end-to-end encrypted even though they’re often used for very private communications.
That means they could be disclosed with legal warrants in various countries. And some feared they might be made public based on the whims of a fickle owner.
MIT Technology Review’s Patrick Howell O’Neill:
The replies are a good exploration of the considerable obstacles Twitter would face in making DMs secure. For me and a lot of the people I interact with, they probably can’t make DMs a very good UX without making it e2ee, so the two questions are intimately connected in that way.
— Patrick Howell O’Neill (@HowellONeill) April 25, 2022
But as many people smarter than me are repeatedly pointing out in this thread, it’s a difficult problem without easy solutions that cover everyone.
— Patrick Howell O’Neill (@HowellONeill) April 25, 2022
If the U.S. had a privacy law with teeth, or if Twitter encrypted DMs like I urged years ago, Americans wouldn’t be left wondering what today’s sale means for their private information. The protection of Americans’ privacy must be a condition of any sale.
— Ron Wyden (@RonWyden) April 25, 2022
The Electronic Frontier Foundation’s Eva Galperin:
I bet there are a lot of people at Twitter who wish they’d gone through with their plan to e2e encrypt DMs right about now.
I bet there are plenty of people who are going through their DMs and deleting things, too.
— Eva (@evacide) April 25, 2022
Security expert Runa Sandvik:
Eh, Meta figured it out for both Instagram and Facebook. Surely Twitter can do it as well.
— Runa Sandvik (@runasand) April 25, 2022
Cybersecurity experts also pondered whether Musk’s pledge to publish the site’s algorithms would have security implications. Matt Tait:
Source code related to automated abuse (eg bots) detection is perhaps a higher risk, to the extent that it reveals how to bypass it, depending on how it is implemented. But for the most part that’ll come out in the wash.
— Pwn All The Things (@pwnallthethings) April 25, 2022
Cyber budget hearings are up on the Hill this week
Cybersecurity and Infrastructure Security Agency Director Jen Easterly will pitch the Biden administration’s $2.5 billion budget request for CISA to congressional appropriators on Thursday. That’s a 19 percent increase over President Biden’s request last year, but it’s slightly less than the $2.6 billion that Congress ultimately approved for CISA.
The request may actually face some pushback for being too light. Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, has said that CISA should get more funding.
Homeland Security Secretary Alejandro Mayorkas could also face cyber questions when he testifies before House appropriators Wednesday.
Some highlights from the budget request:
- CISA wants to boost its workforce by about 300 people to 2,758 full-time employees.
- The administration also wants to boost funding for the Joint Cyber Defense Collaborative and to “fully operationalize” other initiatives, like the Cybersecurity Advisory Committee and Cyber Safety Review Board.
- Biden wants Congress to fund a 10-year, $10 billion grant program run out of the Election Assistance Commission that would “enable crucial election-related capital investments.”
- The administration also wants $22 million for National Cyber Director Chris Inglis’s office, a boost in funding for the FBI’s cyber investigations teams and $300 million for the Technology Modernization Fund, which helps federal agencies get new IT infrastructure.
European wind sector hit with three cyberattacks since Russia’s invasion of Ukraine
The hacked companies haven’t blamed a particular group or country for the attacks, but the timing suggests they’re linked to supporters of Russia in its war with Ukraine, industry group WindEurope spokesman Christoph Zipf told the Wall Street Journal’s Catherine Stupp.
All three companies are based in Germany and are part of Europe’s strategy to wean countries off Russian energy and to promote renewable alternatives.
- Nordex, which makes wind turbines, shut down its systems after discovering a security incident on March 31. Ransomware group Conti, which initially pledged allegiance to Russia before changing its tune, has claimed responsibility.
- Turbine maker Enercon said it was “collateral damage” after a cyberattack hit a satellite communications provider at the outset of the war. U.S. intelligence officials have concluded that Russia’s military spies were responsible for the hack, my colleague Ellen Nakashima previously reported.
- Deutsche Windtechnik’s IT systems were hit by ransomware on April 11, and cybersecurity experts are investigating whether the hackers used malware from the Conti gang.
Iranian hackers claim they’ve hit the Bank of Israel – but ‘no proof,’ cyber authority says (Haaretz)
Mexico’s top court strikes down controversial cellphone registry with biometric data (Reuters)
State TV says Iran foiled cyberattacks on public services (Associated Press)
Report: Fake Twitter accounts spread Chinese propaganda (Associated Press)
U.S. joins ‘historic’ global group focused on data privacy (NextGov)
Bored Ape Yacht Club Instagram hacked, NFTs worth millions stolen (Motherboard)
Opinion | The Biden White House’s Cyberwarfare Power Grab (Wall Street Journal)
- Bob Lord is joining CISA as a senior technical adviser. Lord previously worked as the Democratic National Committee’s chief security officer and was chief information security officer at Yahoo.
- The Pentagon announced that Craig Martell will be its new chief digital and artificial intelligence officer. Martell previously worked as head of machine learning for Lyft.
- CISA Executive Assistant Director for Infrastructure Security David Mussington, CISA Chief Information Officer Bob Costello and other cybersecurity officials speak at the AFCEA Technet Cyber 2022 conference today through Thursday.
- The Atlantic Council hosts an event on supply chain risk management today at 12:30 p.m.
- Clearview AI founder and chief executive Hoan Ton-That speaks at a Washington Post Live event Wednesday at 11 a.m.
- CISA Executive Assistant Director for Cybersecurity Eric Goldstein speaks at the State-of-the-Field Conference on Cyber Risk to Financial Stability on Thursday at 9 a.m.
- The Committee on House Administration holds a hearing on the effects of disinformation on communities of color Thursday at 10 a.m.
- CISA Director Jen Easterly testifies before a House Appropriations Committee panel on Thursday at 1:30 p.m.
Thanks for reading. See you tomorrow.