State Dept. official says post-quantum transition plans will outlive current leadership
A cybersecurity official at the State Department called for the public and private sectors to more tightly coordinate plans to transition their systems, devices and data to quantum-resistant encryption algorithms.
Gharun Lacy, Deputy Assistant Secretary for the Cyber and Technology Security Directorate at the Department of State, issued a challenge for cybersecurity defenders to view their own individual “post-quantum” encryption plans as a small part in a greater collective project to make the entire digital ecosystem more resilient against longer-term threats like quantum-enabled cyberattacks.
With adversaries like China able to target “entire ecosystems” for digital compromise, Lacy argued for the industries and sectors being plundered to come together in shared interest and create strong and consistent protections across society. In that context, modernization is about more than upgrading your technology or encryption.
“We have to defend holistically as an ecosystem,” said Lacy while speaking at CyberTalks, presented by CyberScoop, in Washington, D.C., on Thursday. “The organization that goes by themselves in modernization will not succeed.”
The State Department is exploring the potential for predictive attack chain analysis, using historical telemetry and planning to predict “where we’re going to be in the future.” Other countries are doing the same, he said, underscoring how challenges like data harvesting must be addressed for national security purposes.
Modernization plans must do more than update technology to perform the same security functions more effectively. They should also reshape the threat surface while “breaking some of the tendencies that are predictable from our historical data.”
“It’s not just about modernizing hardware, it’s not just about implementing AI faster,” said Lacy. “It’s about injecting that little segment of randomness that means the adversary that’s reading, 10, 20 years of our history cannot use that to deduce” our plans.
U.S. federal agencies and the private sector are working broadly towards the goal of having most or all high-risk systems, data and devices transitioned to newer post-quantum algorithms by 2035. This reflects the long-term nature of the threat, as no one can say for certain when a quantum computer capable of breaking some classical forms of encryption will arrive.
But the Trump administration and private sector cybersecurity officials have been mulling whether the risks around data harvesting and recent advances in quantum computing may merit faster timelines.
Lacy said the risk organizations face around data harvesting, or foreign nations collecting encrypted data today to break later with a quantum computer, will be “like an accordion,” presenting a threat that stretches across time. Individual organizations will need to do more than work with each other to execute their post-quantum cryptographic plans. They will have to do it across generations, meaning “we cannot shift priority just because our leadership changes.”
“When you look at long horizon priorities of a nation state actor like China, that means that your data and the risk it poses to you will now outlive leadership cycles,” said Lacy.