The Pentagon’s Chief Information Office has become laser-focused on migrating the entire department to stronger cryptographic algorithms that will keep its networks and operations secure.

Among all of the cybersecurity modernization efforts underway at the Defense Department, cryptography has recently moved to the top of Deputy CIO for Cybersecurity David McKeown’s list of priorities. Speaking at AFCEA DC’s annual Tech Summit on Thursday, McKeown said the effort will likely be a big lift for the department given its timeline and scale.

“The hardware and software that we use for securing our nation’s secrets takes a long time to develop and test and field. It is scattered throughout many, many platforms and weapon systems,” he said. “We’ve got to think ahead as to what the adversary might be working on and develop algorithms that are there in time to meet the adversary’s ability to crack those algorithms.”

Cryptography is the process of developing and using coded algorithms to protect data so that only those with specific permissions are able to decrypt and read it. Cryptographic algorithms protect the Defense Department’s critical information from being hacked by adversaries like China, which has been looking to develop a quantum computer able to break military-grade encryption.

The Defense Department currently uses decades-old cryptographic algorithms to secure both its non-classified and secret classification networks. The National Security Agency is the lead for the Pentagon’s cryptographic modernization efforts, and the department heavily relies on algorithms developed by the National Institute of Standards and Technology (NIST). 

In August, NIST released the final versions of three new post-quantum encryption algorithms and plans to release additional algorithms in the future. The organization is looking to migrate all high-priority systems to quantum-resistant cryptography by 2035 — a deadline that could be challenging for organizations as large as the Defense Department.

Once a new cryptographic algorithm is developed — a process that takes around a decade — the NSA conducts testing to certify both the hardware and software components, McKeown said. Then, the Pentagon will need to conduct operational tests and validation with each of the military services and components, he noted.

“Even then, [there is] the scope and scale of replacing this crypto — we’re talking hundreds of thousands of endpoints, perhaps millions in some cases — that have to be touched, and the algorithms updated and replaced,” McKeown said. “In some cases, we may have to use the old algorithms, un-encrypt data and then re-encrypt it with the new stuff that we just came out with. So you can see, it’s an extremely long timeline.”

McKeown emphasized that even when the Pentagon fields new cryptographic algorithms, it will have to continuously work to ensure both the hardware and software components are up to date.

In addition, the department’s CIO has been trying to find innovative and efficient ways to do encryption — such as by using double-wrapping encryption techniques to add extra layers of security, McKeown said. There is also a lot of work yet to be done on enumerating the Pentagon’s algorithms that are vulnerable to quantum hacking so that they can be fixed, he noted.

“We need to look through our whole inventory and look at all the encryption that we’re using on everything, and then figure out what needs to be replaced there and then get to work with the vendors and our community to get the upgrades, and then field the upgrades so that new quantum-resistant cryptography is employed throughout the department,” McKeown said.

Written by Mikayla Easley
Mikayla Easley reports on the Pentagon’s acquisition and use of emerging technologies. Prior to joining DefenseScoop, she covered national security and the defense industry for National Defense Magazine. She received a BA in Russian language and literature from the University of Michigan and an MA in journalism from the University of Missouri. You can follow her on Twitter @MikaylaEasley.