Free Trial
Contact Us
Podcast

Root Causes 286: PKI and PQC in New White House Cybersecurity Initiative

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
March 16, 2023

A new White House cybersecurity initiative specifically calls out digital identity and post quantum cryptography (PQC) among its focal areas. We discuss what it says and the potential implications.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanWe want to talk about a meaningful announcement from the White House. I believe the news date was March 1, 2023. This was the White House revealed its new cybersecurity strategy and, we like to cover these things, especially U.S. Government, because it’s been such an important mover in these matters. Jay, what do we know about this new strategy?
Jason SorokoJason SorokoKeep in mind this has been tried before. That’s the caveat here and like all legislation, it’s gotta get passed and some of these earlier forms of it didn’t and sometimes for just political reasons. Sometimes things just fall off the plate. It’s not because it’s not important. I think for people listening to this podcast, I want to talk about two sections in this particular proposed legislation – Strategic Objective 4.3 and 4.5. So if you happen to be following along, that’s where to go look.

So the most important one, Tim, and I’m really glad to see it – support development of digital identity ecosystem.

And so, of course, as you know, the United States Government, the White House especially, is not gonna start getting all prescriptive and start to name names about vendors or technologies but I do like the fact that digital identity as a term shows up in legislation. So it’s a first-class citizen as a strategic objective. Hallelujah. Fantastic. What I think – there’s a couple things here.

There’s been so many attacks on the U.S. Federal Government, not the least of which X number of years ago the Office of Personnel Management and that gigantic breach and a number of other breaches that have happened after FISMA audits basically made it clear to the U.S. Federal Government, not only do you not have weak MFA, sometimes you don’t have any even though that has been - - like you’ve been told you gotta implement this. And then I think also we’ve now seen enough attacks on weak MFA which includes MFA that a lot of people use such as soft token OTPs, which is something that I use today to log into systems. It’s not surprising. It’s out there. And what was it? We just heard about that recent breach of Last Pass I think it was who, unfortunately, was the victim. Not picking on them, but they are the victim and I think one of their administrators who was using a soft token OTP, basically the bad guy had a key logger, key logged the password, key logged the OTP as it was being typed in and actually logged in as the administrator.

So, these are the kinds of things that have led to Strategic Objective 4.5 Support Development of Digital Identity Ecosystem and so what does that mean? Stronger forms of authentication. How long have we been calling for that, Tim?
Tim CallanTim CallanSo, let’s clarify something. When it says support development of this ecosystem, the technology already exists. So is this really about getting it implemented?
Jason SorokoJason SorokoIt is about their own procurement.

So investing in digital identity solutions and so obviously they are gonna support the industry but it’s really not for the White House to say. It’s not for the U.S. Federal Government to say we are gonna go in and start putting money into people’s vendors pockets to develop things that already exist.

This is about no, no, no guys. The U.S. Federal Government realizes it needs to make this investment.
Tim CallanTim CallanMaking it work.
Jason SorokoJason SorokoExactly. And this is tied to a lot of their other objectives, which I won’t go into, but basically what they are saying is they are gonna tighten up their procurement program. That’s what a lot of the other strategic objectives are. In other words, you want to sell into U.S. Federal Government you have to show that you have software development lifecycle. You have to show that you are legit. It's no longer a loosey-goosey kind of procurement program where you just have to have it labeled on the tin that you do x, y and z. You really do have to walk the walk and the U.S. Federal Government is trying to tighten that up.

The most important piece of this objective though, Tim, is they’re gonna be investing in PKI. That’s just the truth. And it’s not like the Federal Government hasn’t. I think though that if you’re a government department that has not standardized on some form of authentication technology that’s better than just weak MFA, you are gonna have to tie into this digital identity ecosystem that they are talking about. A lot of people will say to us, hey, what about the federal bridge program, the badge cards and all that? A lot of that is PKI ready but you wouldn’t believe the number of systems in the U.S. Federal Government that are not yet and so this is gonna be another poke in the butt to say, hey, guys, there’s no longer a choice and here are the dollars we will invest to make sure that we get there.
Tim CallanTim CallanGot it. Ok. Great. So that’s important and it’s important because of the certainly some of the high value secrets that need to be protected and the high value operations that could be shut down. It’s also important though just because of the sheer scope of the U.S. Government. It’s such a large employer.

I’ve heard it described as The Fortune 1 and so that just to have comprehensive use of digital identity and PKI across that many workers and that many functions is hugely impactful on the industry and the world as a whole.
Jason SorokoJason SorokoYou got it, Tim. And so a lot of the rest of that legislation has to do with using that Fortune 1 magnetic power to force the industry to be a certain way. And all of that will be positive.
Tim CallanTim CallanWe talked about this before also in the past how just by the sheer procurement power of the United States Government doing something that does affect industry because there is so much procurement power there that industry will actually modify its strategies based on an initiative like this if it really has legs and if it really has some capability to force behavior then you will see industry taking steps to accommodate and make it self-suitable to that particular target market.
Jason SorokoJason SorokoYou got it. Let’s talk about the next strategic objective here, Tim, that’s interesting to us and very, very good. The U.S. Federal Government here is calling out specifically prepare for our post-quantum future.

So that’s super because it really is legislation calling for future proofing. Even the people who are writing this proposed legislation see the future and it’s not used investing. Again, I see a lot of this legislation about directing a procurement program. That’s to my eyes it’s what it looks like and, in fact, previous legislation that’s what it looked like as well. But to actually call out in your procurement legislation program prepare for a post-quantum future, it’s really, really good because what it means is that U.S. Federal Government is now gonna be playing a front and center role as a major buyer of technologies. I guarantee that vendors are gonna have to have a post-quantum roadmap in order to be eligible for being a part of U.S. Federal Government digital identity programs.
Tim CallanTim CallanAnd this is great. A lot of it is, again, when you talk about the procurement, this isn’t necessarily that these agencies are going to do anything themselves. What it’s going to be is that they are going to demand that their vendors be post-quantum enabled and that’s going to put pressure on the vendors to get enabled as quickly as they possibly can which is important. You and I have talked about the steps. So now that the primitives are settled on the next step, is that standards bodies needs to their work and then the step after that is that vendors – software, hardware, services providers need to build it into their systems once the standards are settled and then lastly, the organizations that consume these technology products need to implement them. And so, as they are starting to insist we are going to want to implement them, that puts pressure on everybody upstream of them to do their work quickly and, again, because there’s so much procurement power from this one entity that that will be meaningful pressure that will actually change behavior.
Jason SorokoJason SorokoAnd it probably will, which is all good. So, anyway, that’s it, Tim. We read it so you didn’t have to folks. There’s a lot of good interesting things in there. Those are the two objectives that I wanted to call out.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud