Cryptography is a foundational security technology used to protect digital information by providing the underpinnings for confidentiality, authentication and integrity. Today’s cryptographic algorithms may soon be undermined by emerging attacks, including the realization of a cryptographically relevant quantum computer (CRQC). Such attacks pose a very real and increasingly urgent threat across virtually all industries and their technologies, including broadband network infrastructure.
With cryptography and public key infrastructure being foundational to the security of cable networks, the broadband industry is uniquely positioned to rise to this challenge and seize the opportunity to future-proof networks to be robust, flexible and responsive to any cryptographic threat — quantum or otherwise. In this blog, we’ll review the threats against cryptography on the horizon, the solution to mitigate those threats and actions to start migration to new cryptographic paradigms. Many organizations, including network operators, have started taking action to plan for and execute cryptographic migrations.
The Threat: Attacks Against Cryptography
So, what exactly is the risk? To put it simply, quantum computers will one day be powerful enough to crack the asymmetric cryptography that is the basis of confidentiality, authenticity and integrity of data at all layers for virtually all devices deployed today. The current timeline for the potential development of a CRQC is 10–30 years — with increasing probability. That estimate isn’t certain, and recent research advancements suggest that it could be sooner.
While that time frame is wide, the risk of compromise is relevant today, thanks to the “harvest now, decrypt later” style of attack. In this scenario, adversaries may capture encrypted data today and retain it, planning to decrypt it once they have access to a CRQC. Any sensitive data generated today that will remain sensitive in the future (such as health records) is therefore at risk today.
The Solution: Cryptographic Agility and Post-Quantum Cryptography
So, how can the industry future-proof itself against these threats? The solution is twofold:
- Enabling cryptographic agility: Cryptographic agility is the ability to switch cryptographic systems quickly and efficiently. It’s a forward-looking design principle and capability that helps security interfaces stay flexible and adaptable in the face of all future threats.
- Post-quantum cryptography (PQC): Also called quantum-safe cryptography, these new encryption algorithms are designed to resist attacks from quantum computers. Their standardization, primarily driven by the National Institute of Standards and Technology in the United States, is a global effort that’s been ongoing for the last decade.
PQC aims to be the replacement for today’s vulnerable cryptography. Cryptographic agility is the framework by which systems will be migrated to PQC (and future iterations of cryptographic algorithms). Together, these strategies offer a path forward.
Migrating to PQC and Leveraging Existing Guidance
From existing guidance on cryptographic migrations, the CableLabs Future of Cryptography Working Group — a collaborative initiative bringing together operators, vendors and security experts to prepare for and to navigate changes to evolving cryptography — has identified certain “no-regret” actions, which can benefit network security posture regardless of whether or when the threat of a CRQC is realized. Some of these no-regret actions include:
- Establishing a cryptographic inventory: A comprehensive inventory of what cryptography is deployed is a critical artifact for any organization to compile as a first step towards cryptographic migrations.
- Assessing and estimating cryptographic agility enablement: Cryptographic agility is a deceptively simple concept; effectively enabling it begins with quantifying how cryptographically agile security interfaces are today. Tools exist today to aid in that effort.
- Discussions with vendors: Vendors play a critical role in cryptographic migrations, providing the implementation of security interfaces and concretely enabling cryptographic agility. Therefore, early and ongoing engagement with vendors on their roadmaps for enabling cryptographic agility and migrations to new cryptographic paradigms is key.
- Risk assessments and defining risk tolerance: Migration of cryptography at full organization scale is an optimization problem; undertaking risk assessment activities to identify the devices, services and interfaces that are at highest risk and should be prioritized for migration is crucial.
Taking Action Through Collaboration
Over the next decade, regulatory bodies around the world expect critical infrastructure — including broadband networks — to adopt quantum-safe cryptography. That makes the next five years crucial for operators looking to future-proof their networks and enable cryptographic agility as a key security capability. Reaching that goal will require deep collaboration, not just between network operators, but across the entire ecosystem of equipment manufacturers, software developers and standards organizations.
To ensure a smoother transition, the CableLabs Future of Cryptography Working Group is continuing to drive the foundational work to adapt current crypto migration and agility guidance to cable networks, identifying gaps therein and developing strategies to address those gaps. The working group’s mission is to develop practical, industry-specific guidance for enabling cryptographic agility as a new capability and migrating operator networks to post-quantum cryptography.
The threat may be complex, but the goal for the cable broadband industry is simple: Keep our networks — and the people who rely on them — secure for the future. To learn more or if you’re interested in contributing, the Future of Cryptography Working Group is open to CableLabs members and our vendor community. Join us here.