CBP exploring post-quantum cryptography to protect sensitive data

U.S. Customs and Border Protection (CBP) is proactively addressing the challenges posed by advancements in quantum computing, particularly concerning the security of personally identifiable information (PII) and biometric data within its IT systems. Recognizing the potential for quantum computers to compromise current cryptographic methods, CBP is implementing several key strategies to enhance data protection.

“Right now,” CBP said, “encryption keeps personal and system data safe by transforming information or data into a code, making it impossible for others to read without the right key. Soon, quantum computers will be able to read coded/encrypted data easily without using a key. This will leave things like bank accounts, health records, private messages, and government data at risk.”

Consequently, CBP is among the first federal agencies to explore and integrate post-quantum cryptography (PQC) into its systems. This initiative aims to strengthen data security against future quantum threats.

CBP said, “PQC addresses the ‘harvest now, decrypt later’ threat, where adversaries may be collecting encrypted data now with plans to decrypt it once quantum computing becomes sufficiently advanced. In response to this threat, CBP has taken decisive action.”

CBP’s Chief Information Officer, Sonny Bhagowalia, emphasized the necessity of this proactive approach, stating, “It is necessary to strengthen our agency’s data through post-quantum cryptography encryptions now, in order to be prepared for the security threats of the future.”

“Once previously protected data is made clear and readable through quantum decryption, it can be exposed, potentially leading to espionage, financial fraud, and other malicious activities with potential implications for national security and prosperity,” added CBP Office of Information and Technology (OIT) Deputy Assistant Commissioner Dr. Ed Mays. “In light of this imminent challenge, it is imperative to stay ahead of forthcoming challenges that may need to be mitigated during the transition to quantum-resistant cryptography.”

The federal government first recognized the importance of post-quantum cryptography with the Office of Management and Budget (OMB) Memorandum M-23-02 and the Quantum Computing Cybersecurity Preparedness Act.

CBP is aligning its cryptographic practices with the National Institute of Standards and Technology (NIST) standards. In August 2024, NIST finalized three encryption algorithms designed to withstand quantum cyberattacks. CBP said its “adherence to these standards ensures that its encryption methods remain robust against emerging quantum computing capabilities.”

To safeguard PII and biometric data, CBP is conducting thorough audits of its IT infrastructure. These audits identify components vulnerable to quantum attacks and facilitate timely updates and the integration of PQC algorithms. This proactive stance is crucial for maintaining the integrity of sensitive information.

CBP said it also employs facial recognition technology for traveler verification, ensuring that biometric data is protected through strong technical safeguards. For instance, new photos of U.S. citizens are deleted within 12 hours, and photos of most foreign nationals are stored securely within Department of Homeland Security systems. These measures are designed to limit the amount of PII used in the facial biometric process and to comply with privacy obligations.

CBP is also investing in training programs to educate its personnel about the implications of quantum computing for data security. By fostering a culture of awareness, CBP ensures that its workforce is equipped to implement and maintain PQC measures effectively.

Through these initiatives, CBP is actively fortifying its IT systems to protect PII and biometric data against the evolving landscape of quantum computing threats.

CBP said it “blocks approximately 100 million network cyber attempts each workday,” and emphasized that “these attacks are increasingly sophisticated, targeting government systems and critical infrastructure with the intent to intimidate targets, steal sensitive information, or disrupt operations. Given the criticality of our IT systems and the immense value of the data stored within them, this threat landscape requires constant vigilance and innovation.”

In November 2022, CBP initiated a Quantum Safe Risk Framing Workshop to “establish how we would inventory our cryptographic systems and chart a path forward for PQC as part of our broader Zero Trust Architecture implementation.”

The workshop included key personnel from CBP’s Chief Information Security Officer and Chief Technology Officer organizations, the Office of the National Cyber Director, and the DHS Office of the Chief Information Officer.

“The insights gained have been instrumental in identifying cryptographic systems that require transitioning and considering factors such as hybrid approaches, dependencies, and third-party libraries,” CBP said.

The workshop was also pivotal in generating a CBP PQC proof of concept, which was completed in November 2023 and documented in a PQC Exploration Final Report.

CBP said “the proof of concept focused on mitigating the threat to security, which allowed OIT to gain an understanding of the timeline and technical details of the transition to quantum-resistant algorithms, impacts to our operations, and necessary planning to fully transition the organization. Notably, in August 2024, the National Institute of Standards and Technology (NIST) approved the CRYSTALS-Kyber key encapsulation and the CRYSTALS-Dilithium digital signature algorithm – technologies that CBP had already tested as part of our proof of concept.”
