A Legal View of New NIST Quantum-Resistant Algorithms

How to lose your business in a data breach:

  • Step 1: experience a data breach (which almost every business has or will experience);
  • Step 2: Get sued by the plaintiff’s lawyers waiting to pounce or, worse, an attorney general or regulator;
  • Step 3: be found not to have met the applicable “standard of care”;
  • Step 4: Pay and eventually lose your business.

“Standard of care?” you say. What is it and why should I care? And where is the NIST located?

“Standard of Care” is legalese for the minimum an organization must do to have acted “reasonably” in a lawsuit. In most cases of data breach, if it turns out that you did not act reasonably, for example by not using strong enough encryption, you will probably have to pay economic damages, sometimes reaching the territory of the company. Damages and penalties in a cyber breach case will likely reach $1 billion this decade.

But what is “reasonable” when it comes to meeting the applicable data protection standard of care? In my two decades of practicing data protection and cybersecurity law, there has never been a universally accepted data protection standard. A widely accepted requirement is that a company must use reasonably secure encryption for data in transit and at rest. Easy, just define “reasonably secure encryption” and we’ll know how to meet the standard of care and protect our businesses and customers.

For most of this century, several encryption algorithms have been approved by the US National Institute of Standards and Technology (NIST) for specific uses. Although without direct legal authority over private sector entities, NIST approves encryption standards for much of the US government and NIST’s encryption standards have been adopted by much of the private sector. As such, most courts would likely conclude that compliance with NIST requirements meets the standard of care.

But recognizing the existential threat to current encryption posed by advances in quantum computing, NIST in 2016 launched a competition for new “quantum-resistant” algorithms. In July 2022, NIST announced new encryption algorithm candidates and backups (“Candidate Algorithms”), predicting a final decision for 2024. Great! All we have to do is adopt what NIST decides and we’re good, aren’t we?

Not so fast. First, candidate algorithms are likely to be broken by our adversaries. How does a simple country lawyer (neither a mathematician nor a cryptographer) know this? Two of NIST’s selected algorithms have already been broken, just weeks after they were announced. And certainly many nation states and other adversaries are devoting massive resources to smashing them all.

More importantly, none of the candidate algorithms are intended to address the greatest threat to corporate and customer secrets – the massive amounts of sensitive data stored “at rest” by nearly every company. The candidate algorithms are intended to replace those currently used for: (1) data in transit over the public internet; and (2) digital signatures used for authentication. They are not intended to deal with the encryption schemes of data stored by companies. And, as Willie Sutton said of banks, that’s where the money is. Think about it: ransomware vendors don’t usually lock your data in transit to cripple your business; they target all the data you store.

NIST’s new candidate algorithms do not address this threat at all. The current standard for storing data encryption is widely accepted as a version of the so-called Advanced Encryption Standard (AES), developed by NIST in the late 1990s and used by much of the US government. But AES is also likely to become vulnerable to quantum-based attacks (though experts can’t agree whether such threats are days or decades away or already here).

So, how to anticipate quantum threats to stored data? First, make sure the stored data is currently protected with the strongest encryption reasonably possible for your business operations and needs. Second, consider a transition to One-Time Pad (OTP) based encryption. OTP is widely accepted as the gold standard for encryption of data at rest. OTP has been used by intelligence agencies for at least a century and is considered unbreakable if properly deployed, even by future quantum computers. Important caveat: as with all encryption schemes, OTP-based encryption is only as strong as the technical, personnel, and administrative measures deployed around it, e.g., strong key management, rigorous personnel vetting, and security training and awareness. Until recently, OTP-based encryption was considered insufficiently scalable for enterprise-wide deployment, but recent advances in math and technology are changing that.
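The “properly deployed” caveat above is the whole of OTP’s security. As an added illustration written for this page (not the article’s own material or any vendor’s code), the following Python shows a correct single-use pad, a hypothetical pad store that destroys each pad on first use, and what an eavesdropper computes if a pad is ever used for two messages; the messages and the PadStore class are constructed for the example.

```python
import os
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR pad; the pad is as long as the message."""
    return xor_bytes(pad, plaintext)


otp_decrypt = otp_encrypt  # XOR is its own inverse


class PadStore:
    """Hypothetical key-management wrapper (an assumption for this example):
    each pad comes from the OS CSPRNG and is handed out exactly once."""

    def __init__(self) -> None:
        self._pads = {}

    def issue(self, length: int) -> str:
        pad_id = secrets.token_hex(8)
        self._pads[pad_id] = os.urandom(length)
        return pad_id

    def consume(self, pad_id: str) -> bytes:
        # pop() destroys the pad on first use, so the store cannot reissue it
        return self._pads.pop(pad_id)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages, c1 XOR c2 = m1 XOR m2: the pad cancels out."""
    return xor_bytes(c1, c2)


def demo() -> tuple:
    """Constructed sample messages; returns (round-trip ok, leak on reuse, reuse blocked)."""
    store = PadStore()
    m1 = b"wire payment to account 4471"
    m2 = b"wire payment to account 9902"
    pad_id = store.issue(len(m1))
    pad = store.consume(pad_id)
    c1 = otp_encrypt(pad, m1)
    round_trip = otp_decrypt(pad, c1) == m1
    leak = reuse_leak(c1, otp_encrypt(pad, m2))  # misuse: the same pad twice
    try:
        store.consume(pad_id)  # correct key management refuses a second hand-out
        blocked = False
    except KeyError:
        blocked = True
    return round_trip, leak, blocked
```

In the leak, every byte where the two messages agree comes out as zero, so an observer learns exactly which positions differ and by how much, without ever recovering the pad.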


The bottom line for CPOs, CISOs, and C-suite managers who need to ensure the security of their enterprise and customer data: NIST’s quantum-resistant algorithm development efforts are necessary, useful, and worthy of support and monitoring, but not enough to protect your business. Meanwhile, time is running out before quantum attacks on encryption arrive, and out-of-the-box thinking, including OTP-based solutions, is warranted.

Sharon D. Cole