As if critical infrastructure weren’t facing enough cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) has alerted organizations in that sector to be prepared to protect their systems from the eventual development of quantum decrypting algorithms.
Their guidance explains that, while such quantum computing technologies don’t yet exist, both private and public-sector organizations involved in critical infrastructure “must work together to prepare for a new post-quantum cryptographic standard to defend against future threats.”
A colleague recently wrote about the long-range threat that quantum computing poses to the crown-jewel assets of organizations. That threat is especially grave for critical infrastructure, whose functions are the foundation of a well-ordered society. The threat primarily consists of “store now, decrypt later” (SNDL) campaigns, which CISA calls “catch-and-exploit” campaigns, in which bad actors exfiltrate encrypted data now with the goal of decrypting it once quantum computers are available.
On that point, the new CISA guidance says that “conducting an inventory of vulnerable critical infrastructure systems across the 55 National Critical Functions (NCFs) is the first step of this preparation.” The NCFs are cross-industry functions so vital to the country “that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety.”
Going deeper, the guidance specifically calls out the nine NCFs “with long-term confidentiality needs” for special consideration. These nine depend on data confidentiality over such long timeframes that they are uniquely vulnerable to “store now, decrypt later” strategies. The CISA guidance says that, while these organizations usually keep this kind of information on internal networks and rarely transmit it, “such security controls are not foolproof, and organizations should prioritize security for these NCFs to prevent catch-and-exploit operations.”
Nine National Critical Functions (NCFs) with Long-Term Confidentiality Needs

| No. | National Critical Function | Definition |
|---|---|---|
| 3 | Provide internet-based content, information, and communication services | Produce and provide technologies, services, and infrastructure that deliver key content, information, and communications capabilities via the Internet |
| 7 | Provide satellite access network services | Provide access to core communications network via a combination of terrestrial antenna stations and platforms orbiting Earth to relay voice, video, or data signals |
| 8 | Provide wireless access network services | Provide access to core communications network via electromagnetic wave-based technologies, including cellular phones, wireless hot spots (Wi-Fi), personal communication services, high-frequency radio, unlicensed wireless, and other commercial and private radio services |
| 22 | Enforce law | Operate Federal, State, local, tribal, territorial, and private sector assets, networks, and systems that contribute to enforcing laws, conducting criminal investigations, collecting evidence, apprehending suspects, operating the judicial system, and ensuring custody and rehabilitation of offenders |
| 23 | Maintain access to medical records | Maintain, use, and share actionable data (including personally-identifiable information and personal health information such as care history) effectively, appropriately, bi-directionally and in a timely fashion, for patient care, billing, and operational and clinical research |
| 30 | Protect sensitive information | Safeguard and ensure the integrity of information whose mishandling, spillage, corruption, or loss would harm its owner, compromise national security, or impair competitive or economic advantage |
| 42 | Support community health | Conduct epidemiologic surveillance, environmental health, migrant and shelter operations, food establishment inspections, and other community-based public health activities |
| 52 | Provide information technology products and services | Design, develop, and distribute hardware and software products and services (including security and support services) necessary to maintain or reconstitute networks and associated services |
| 53 | Provide materiel and operational support to defense | Develop, produce, and sustain defense systems and components and provide support to defense operations |

Adapted from CISA’s “Preparing Critical Infrastructure for Post-Quantum Cryptography (August 2022)” and “National Critical Functions: Status Update to the Critical Infrastructure Community (July 2020).”
Public and private organizations that rely on these nine critically sensitive NCFs include “those responsible for national security data, communications that contain personally identifiable information (PII), industrial trade secrets, personal health information (PHI), and sensitive justice system information.” Just reading the names and definitions of these nine functions drives home how essential it is that the information that fuels them be protected.
An effective way to safeguard such data at rest is through network obfuscation, which makes that data invisible to adversaries and any other unauthorized party, both on the public internet and within the enterprise environment. Critical assets such as those cited above – national security data, health records, intellectual property, and the rest – are hidden in a cloaked digital vault, unseen by and inaccessible to anyone but authorized users.
If you’re responsible for critical assets whose compromise would pose an existential threat to your organization and also jeopardize the nation’s economy and security, we invite you to learn more about how network obfuscation can protect them.