CBP Leads Federal Post-Quantum Cryptography Work

Customs and Border Protection (CBP) is already seeing some returns on its post-quantum cryptography preparation work that included being an early adopter for NIST’s first quantum-related standards released this year.

CBP has dubbed the work a proof of concept for other agencies in their preparation for “Q-Day,” or when computing power will become so advanced that it breaks current encryption methods and introduces critical vulnerabilities in systems. Technology experts say this time will come over the next 10 years.

“CBP is one of the first federal agencies to explore post-quantum cryptography to harden security within its systems,” noted CBP CIO Sonny Bhagowalia in a recent update. “It is necessary to strengthen our agency’s data through post-quantum cryptography encryptions now, in order to be prepared for the security threats of the future.”

Some of the agency’s initial work included creating initial inventories and plans for the migration that also complemented its work around zero trust architecture.

Through the agency’s data cataloging effort that began in 2022, it learned more about its numerous and complex data systems.

“It turns out there’s a whole bunch of third-party stuff that’s out there where you have systems calling other systems, non-human entity communication, and a whole lot more complexity,” said CBP IT Deputy Assistant Commissioner Ed Mays at an October webinar. “We discovered something that we did not expect, but I think that discovery is going to help us and potentially other agencies.”

The agency has long been a leader adapting to emerging technology. CBP and its parent agency, the Department of Homeland Security, began the migration to post-quantum cryptography even before the Office of Budget and Management directed agencies to do so in a 2022 memo.

For Mays, it was an imperative.

“It’s not like challenges that we’ve had in the past where you had a long time to get ready. Once this occurs, it’s going to be very difficult for us to catch up … from a software perspective, from a hardware perspective, from an architecture perspective,” said Mays.

Quantum Standards Require Collaboration

National Institutes of Science and Technology (NIST) Mathematician and Fellow Lily Chen added during the webinar that previous encryption standards weren’t as complex as current ones. Its first cryptographic standards were created in 1977. Now with modern systems, post-quantum cryptography requires a new set of standards.

Industry, government and academia have worked together to research and develop ways to make the migration process easier. Chen discussed the role of NIST’s National Cybersecurity Center of Excellence (NCCoE) in CBP’s own journey, citing its “Migration to Post-Quantum Cryptography” project that brings together both public and private sector.

She also noted there might be some demystification needed as many people don’t grasp how much systems, services or products rely on public-key cryptographic algorithms. This is especially true when many agency systems like CBP include a lot of third-party tools.

“With a third-party software, you don’t know which algorithm they used. That kind of [collaboration] will help the enterprise,” said Chen.

CBP’s post-quantum cryptography roadmap was published in 2021 and aims to complete migration by 2030.