As the largest information technology (IT) organization within the Department of Homeland Security (DHS), CBP's Office of Information and Technology (OIT) is integral in protecting and supporting national security and enabling our personnel to carry out their mission amidst ever-changing requirements.
CBP blocks approximately 100 million network cyber attempts each workday. These attacks are increasingly sophisticated, targeting government systems and critical infrastructure with the intent to intimidate targets, steal sensitive information, or disrupt operations. Given the criticality of our IT systems and the immense value of the data stored within them, this threat landscape requires constant vigilance and innovation.
To stay at the forefront of technology, CBP OIT is preparing for the advent of quantum computing and the significant risks it poses to our software, infrastructure, and communications, particularly in the realm of encryption. Quantum computing leverages the principles of quantum mechanics to perform complex calculations at potentially faster speeds than classical computers. This potential also presents a clear and present danger to current cryptographic practices.
Right now, encryption keeps personal and system data safe by transforming information or data into a code, making it impossible for others to read without the right “key.” Soon, quantum computers will be able to read coded/encrypted data easily without using a key. This will leave things like bank accounts, health records, private messages, and government data at risk.
“CBP is one of the first federal agencies to explore post-quantum cryptography to harden security within its systems,” noted CBP Chief Information Officer Sonny Bhagowalia. “It is necessary to strengthen our agency’s data through post-quantum cryptography encryptions now, in order to be prepared for the security threats of the future.”
The federal government first recognized the importance of post-quantum cryptography (PQC) with the Office of Management and Budget (OMB) Memorandum M-23-02 and the Quantum Computing Cybersecurity Preparedness Act. PQC addresses the “harvest now, decrypt later” threat, where adversaries may be collecting encrypted data now with plans to decrypt it once quantum computing becomes sufficiently advanced. In response to this threat, CBP has taken decisive action.
“Once previously protected data is made clear and readable through quantum decryption, it can be exposed, potentially leading to espionage, financial fraud, and other malicious activities with potential implications for national security and prosperity,” explains OIT Deputy Assistant Commissioner Dr. Ed Mays. “In light of this imminent challenge, it is imperative to stay ahead of forthcoming challenges that may need to be mitigated during the transition to quantum-resistant cryptography.”
In November 2022, CBP initiated a Quantum Safe Risk Framing Workshop to establish how we would inventory our cryptographic systems and chart a path forward for PQC as part of our broader Zero Trust Architecture implementation. This workshop included key personnel from CBP’s Chief Information Security Officer and Chief Technology Officer organizations, the Office of the National Cyber Director, and the DHS Office of the Chief Information Officer. The insights gained have been instrumental in identifying cryptographic systems that require transitioning and considering factors such as hybrid approaches, dependencies, and third-party libraries.
The workshop was also pivotal in generating a CBP PQC proof of concept, completed in November 2023 and documented in a PQC Exploration Final Report. The proof of concept focused on mitigating the threat to security, which allowed OIT to gain an understanding of the timeline and technical details of the transition to quantum-resistant algorithms, impacts to our operations, and necessary planning to fully transition the organization. Notably, in August 2024, the National Institute of Standards and Technology (NIST) approved the CRYSTALS-Kyber key encapsulation and the CRYSTALS-Dilithium digital signature algorithm—technologies that CBP had already tested as part of our proof of concept.
CBP remains at the forefront of the PQC effort because of the critical need to secure our data and ensure 24/7 support to our officers and agents. We are committed to leading the charge in protecting our nation’s borders against the emerging threats and technical challenges of tomorrow. We do this by delivering capabilities better, faster, more affordably, and more securely at every opportunity.