Automating cryptographic assets, assessing tools, and shifting to data-centric inventories are among the top strategies that Federal government agencies should be pursuing to protect their data in the run-up to the maturity of quantum computing, according to Garfield Jones, associate chief of strategic technology at the Cybersecurity and Infrastructure Security Agency (CISA).
Speaking at MeriTalk’s 2024 Innovation Intersection event on Oct. 3, Jones said that the adoption of zero trust security architectures, among other protective steps, is helping to prepare the government for the move to post-quantum cryptography (PQC), which will increasingly become necessary because maturing quantum computing technologies will be able to break many forms of encryption in use today.
Jones said that a big mindset change CISA is helping agencies make is the shift away from a system-centric inventory and toward a data-centric inventory.
“Data inventory is another piece we are really looking at, talking to the agencies, of shifting more towards a data-centric inventory versus a system-centric inventory,” said Jones. “The adversary is really after the data, not the system. The system is just a way to get the data. So, we have to be able to protect our data and encrypt our data so that is not anywhere that it should be.”
In addition to that shift, agencies should be performing related risk analyses, with Jones noting that adversaries may already be gathering encrypted data with plans to decrypt it later with the assistance of quantum tech.
“They’re taking our data as we speak, and so that is something that [we] look at how we can slow down and stop,” said Jones.
Other PQC-related safety measures include helping agencies fully assess tools before integrating them into their systems to ensure that they’re the right fit, and using automation for cryptographic assets, which has previously been a manual process.
When adopting zero trust architecture (ZTA) to protect against threats, Jones also recommended focusing on individual zero trust pillars to start, instead of undertaking an immediate and complete overhaul.
“We talk a lot about ZTA as almost a whole apple, but I think you have to understand that you have to slice it up into pieces so that you can eat a slice at a time, because that whole apple is just too much,” said Jones.
“And there are going to be balance issues, so, identity is definitely one of those areas. And of course, that other super important pillar is that data pillar, which is focusing on protecting your data,” Jones said.