De todas las tareas cr\u00edticas bajo la responsabilidad de la oficina de TI del Pent\u00e1gono, una ha alcanzado la m\u00e1xima prioridad: encontrar vulnerabilidades y luego modernizar los algoritmos criptogr\u00e1ficos del Departamento de Defensa para estar un paso adelante de los piratas inform\u00e1ticos adversarios, especialmente en un mundo post-cu\u00e1ntico que se avecina. Las t\u00e9cnicas de computaci\u00f3n cu\u00e1ntica son tan avanzadas que, en teor\u00eda, podr\u00edan descifrar pr\u00e1cticamente cualquier cifrado existente.<\/p>\n
WASHINGTON\u00a0 \u2014 Of all the critical tasks under the remit of the Pentagon\u2019s IT office, one has risen to the highest priority: finding vulnerabilities and then modernizing the DoD\u2019s cryptographic algorithms to stay one step ahead of adversary hackers, especially in a coming post-quantum world.<\/p>\n
\u201cWe\u2019ve got to think ahead as to what the adversary might be working on and develop algorithms that are there in time to meet the adversary\u2019s ability to crack those [older] algorithms,\u201d\u00a0David McKeown<\/a>, who is dual hatted as the Pentagon\u2019s Deputy CIO and the DoD\u2019s senior information security officer, said during a keynote speech at the AFCEA Tech Summit Thursday.<\/p>\n He said a vital part of protecting Pentagon data is building cryptographic systems that are resistant to\u00a0quantum computing<\/a>\u00a0in what\u2019s called\u00a0Post-Quantum Cryptography<\/a>\u00a0(PQC).<\/p>\n Quantum computing techniques are so advanced that they could, in theory, crack just about any existing encryption. Most encryption for digital communication uses algorithms based on a security framework known as RSA,\u00a0invented in 1977<\/a>, that allows two parties to communicate securely without having to exchange secret keys beforehand. Scientists have theorized that quantum computing, when fully developed, could use an exponential jump in calculation speed and complexity to crack the code.<\/p>\n Creating specific quantum-hardened algorithms falls under the National Security Agency\u2019s list of responsibilities since they handle cryptographic modernization as a whole, based on standards\u00a0under development<\/a>\u00a0by the National Institute of Standards and Technology.<\/p>\n McKeown acknowledged that quantum computers are still probably \u201c10 years away,\u201d but, he said, the time is now for the Pentagon to do a sprawling review to determine where it might be vulnerable.<\/p>\n \u201cThere\u2019s going to be a year where [quantum computing] is not going to be 10 years away, and it\u2019s going to be nine years, and eight years and seven so we gotta work on this together,\u201d McKeown said.<\/p>\n \u201cWe need to look through our whole inventory and look at all the encryption that we\u2019re using on everything, and then figure out what needs to be replaced there, and then get to work with the vendors and our community to get the upgrades and field the upgrades so that that new quantum-resistant cryptography is employed throughout the department,\u201d he later added.<\/p>\n Even after PQC algorithms come online, the Pentagon won\u2019t be able to rest, McKeown said, as they\u2019ll need to be updated constantly to fend off novel attacks.<\/p>\n \u201cIn some cases, we may have to use the old algorithms unencrypted or re-encrypted with the new stuff that we just came out with. So you see it\u2019s an extremely long timeline. You can\u2019t put your head in the sand thinking that our algorithms are going to be good forever, and so we constantly have to be working at this,\u201d he said. \u201cThis is a gigantic life cycle of encryption algorithms and encryption of hardware that has to be maintained.\u201d<\/p>\n After modernizing\u00a0cryptographic algorithms, McKeown said the next biggest priority for the department is to implement\u00a0zero trust<\/a>,\u00a0a\u00a0security system in which a user\u2019s activity on a network is regularly checked, rather than letting anyone who gets through a login\/password screen run free.\u00a0McKeown said that the Pentagon is still on track to move to a zero trust-based cybersecurity model by 2027.<\/p>\n \u201ct doesn\u2019t stop all attacks, and hopefully nobody thinks that that is the case, but what it does do is it\u2019s limits the success of the attacker, and allows us to detect the attacks quicker and respond quicker and eradicate the bad guys from our network,\u201d he said. \u201cLots of times before we had zero trust, the adversary could live on our network for long periods of time. I had one instance of 18 months before we discovered that [the adversaries] were on our network.\u201d<\/p>\n The third priority for the CIO is to enhance the cybersecurity of the defense industrial base, McKeown said. This mainly includes enforcing the\u00a0Cybersecurity Maturity Model Certification (CMMC) 2.0<\/a>, which sets new standards for contractors who handle\u00a0controlled unclassified information<\/a>. (The final rule for CMMC 2.0 came out earlier this month.)<\/p>\n The number three priority also includes making production pipelines more \u201ccyber resilient and survivable,\u201d McKeown added, citing the\u00a0Colonial Pipeline<\/a>\u00a0attack that occurred over three years ago.<\/p>\n \u201cYou remember the Colonial Pipeline, when it got shut down, no gas on the East Coast for like a week. You know, we didn\u2019t want that to happen with some of these key weapon system manufacturing,\u201d McKeown said.<\/p>\n