The Implications of Post Quantum Cryptography for Software Supply Chain Security
By Judith Furlong, Dell Technologies; Janet Jones, Microsoft Corporation; Matthew Lyon, Dell Technologies; with Souheil Moghnie, NortonLifeLock; Juan Ramon Rivera, Dell Technologies; Brian Rosenberg, Raytheon Technologies
Software supply chain security involves identifying, analyzing, monitoring, and mitigating security risks, vulnerabilities, and compliance issues presented by third-party software components and suppliers. As quantum computers become a reality, third-party software components that contain implementations of cryptographic algorithms and capabilities will require additional scrutiny. Organizations will need to employ new methods to verify post-quantum cryptography (PQC) capabilities within these third-party components. The objective will be to enable the selection of third-party cryptographic software components that align with an organization’s PQC adoption and migration strategy.
Assuring the security of the software supply chain must be an inclusive effort across the entire ecosystem. This effort requires all organizations along the way to do their part to ensure the chain stays secure. Industry bodies and governments are increasing their efforts to define software supply chain security requirements and, in some cases, introducing new mandates for securing the software supply chain. For example, the United States Office of the President recently issued Executive Order 10428 for Improving the Nation’s Cybersecurity, reiterating that “cybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector”.
As we outlined in our initial post in this series, the race is on to deploy post-quantum algorithms before there is a large-scale quantum computer capable of breaking the cryptographic algorithms in widespread use today. The use of quantum-resistant key exchange and encryption is a crucial element of industry efforts to develop systems that resist attacks by quantum computers. Organizations should at their earliest opportunity begin to evaluate post-quantum cryptography security and performance characteristics in software and firmware components. In addition to evaluating the aforementioned quantum-resistant key exchange and encryption capabilities, organizations will also need to analyze the performance and functionality of secure communications protocols that their suppliers deliver (such as TLS) to assess their impacts on overall system behavior.
Organizations should follow sound due diligence practices that have been adapted to encompass PQC requirements as part of their supplier component sourcing. These practices will enable organizations to identify and select third-party cryptographic software components that support PQC capabilities as and when they become available At a minimum, organizations should consider the following criteria when selecting third-party cryptographic software components, whether commercial or open-source:
- The component should be under active development and should already be updated to address PQC requirements or have a planned roadmap to do so. We will address the issues associated with PQC and Open Source Software (OSS) components in a future blog.
- Ideally, the component should provide hybrid algorithm (i.e., classic and quantum-safe) support to enable PQC migration.
- The reputational health of the component should be evaluated (e.g., maturity, adoption footprint).
- The stability of the supporting organization should be assessed (e.g., number of contributors, update cadence).
- The supplier must monitor the component for emerging security vulnerabilities (including those identified in PQC algorithms and implementations) and address them with prompt updates.
Organizations should seek to engage software suppliers that will be prepared for post-quantum cryptography. Where possible, organizations should use contractual language as a vehicle to obligate supplier delivery of post-quantum cryptography capabilities. This approach of demanding post-quantum cryptographic readiness should also be extended to cover partnerships and acquisitions.
To drive these behavioral shifts, organizations need to update relevant policies and standards to extend post-quantum cryptography requirements to their supply chain. To ensure proper governance, it is important to ensure these requirements are clearly stated. Organizations also need to consider emerging requirements. For example, Federal Information Processing Standard Publication 140–3 (FIPS 140–3), is likely to change, but what will some of the other impacts be?
As the Executive Order 10428 for Improving the Nation’s Cybersecurity states, “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” Additional mandates are being created to help address securing the software supply chain. On January 19, 2022, the Executive Office of the President issued a follow-on memorandum focused on the security of National Security Systems. That memorandum directed the National Security Agency to issue guidance on quantum-resistant protocols and planning for the use of -quantum-resistant cryptography. It also directs agencies to identify instances where they are using encryption that does not comply with NSA guidance on quantum-resistant algorithms and to report their plans for transition to compliant and quantum-resistant algorithms. SAFECode will continue to monitor for new mandates and standardization updates to provide members and the industry with knowledge and expertise to help with the PQC migration.