Closing the barn door on ‘store now, decrypt later’ attacks

The Biden administration’s new National Security Strategy and National Defense Strategy highlight how competitors are undermining the U.S. military’s operational, logistical and information advantages. The leading technological risks the United States faces are the ongoing need to develop national cyber resiliency, such as employing zero-trust architecture and quantum systems; building secure technological supply chains that promote global interoperability and vendor diversity; and managing the risk of escalation in cyber and information operations. Of these three strategic areas, augmenting national cyber resiliency is arguably the most critical — especially in defending against “store now, decrypt later,” or SNDL, attacks.

Opponents are waging SNDL attacks against the United States, exfiltrating and storing encrypted data today to decrypt it in the future using post-quantum cryptography (PQC) algorithms. PQC refers to a technological milestone when advanced quantum computers attain “a sufficient size and level of sophistication” and can break classical public-key encryption methods that secure our internet-based communications and financial transactions. 

By its very name, SNDL attacks focus on playing the long game and exploiting delays with implementing more advanced security protocols. Imagine this: Even if Country A manages to transition 100 percent of its protocols to PQC algorithms in 2023, all of Country A’s data stolen in the years prior during Country B’s SNDL campaign remain vulnerable. In other words, upgrading the lock on the barn door may help protect the horses still inside, but it won’t return the stolen horses.    

Some scholars are skeptical of the likelihood of states developing cryptanalytically relevant quantum computers and criticize the so-called quantum hype as a “funding frenzy.” The White House’s fact sheet on quantum technologies rebuts this, however, by noting this technological milestone is attainable “at some point in the not-too-distant future.”

Further, the Biden administration’s May 2022 executive order and two national security memorandums on quantum computing describe post-quantum systems as “cryptanalytically relevant quantum computers,” meaning they could pose significant national, economic and cybersecurity risks to the United States by weakening present public-key cryptography. The memorandum on promoting U.S. leadership in quantum warns that PQC is a significant security risk to cryptographic systems that safeguard supervisory and control systems to critical infrastructure, and also secure military and civilian communications.

Apart from the United States, the European Union is also concerned about the risks of PQC. In October, the European Union Agency for Cybersecurity (ENISA) published a report on the need to create cryptographic protocols and prepare for post-quantum resilient systems. ENISA reasons that even if the transition to new quantum resistant cryptographic algorithms takes years, perhaps due to financial and technological barriers, “we still need to anticipate this [transition] and be prepared to deal with all possible consequences.” 

Preparation is a quintessential element of success. As Anne Neuberger, deputy assistant to the U.S. president and deputy national security adviser for cyber and emerging technology, announced during a panel at CSIS, “The process of rolling out new encryption that can defend against a potential quantum computer is not a one-year effort; it’s a lengthy effort.”

Transitioning critical infrastructure toward federally approved PQC standards is not a minor undertaking. Rather, it is a complex and delicate challenge that cuts across the public and private sectors. From a design thinking perspective, the major hurdles to transitioning to PQC algorithms can be distilled down to technical, cost, schedule and programmatic risk. As an initial planning framework, policymakers should focus on addressing these four considerations in engaging with stakeholders and building trust around upgrading vulnerable systems and infrastructure.  

For example, under the auspices of the National Quantum Initiative program, policymakers could incentivize industry to adopt, at a minimum, the first set of PQC algorithms developed by the National Institute of Standards and Technology last summer. According to Susan M. Gordon, former principal deputy director of national intelligence, and Adms. Mike Rogers and John Richardson, “Major global banks, telecoms, health care providers and other enterprises are already beginning the transition to PQC,” reports Cyberscoop.

While it may not be technologically feasible to return the stolen “horses” to the barn, improving our locks with PQC algorithms is essential for defending against SNDL attacks and promoting national cyber resilience.

Zhanna L. Malekos Smith is a senior associate with the Strategic Technologies Program and the Aerospace Security Project at the Center for Strategic and International Studies in Washington and an assistant professor in the Department of Systems Engineering at the U.S. Military Academy at West Point, where she also serves as a fellow with the Army Cyber Institute and affiliate faculty with the Modern War Institute. The views expressed here are hers alone.