FINDING 2.1: Stateful digital signatures based on hash functions are practical today and will remain secure even if large-scale quantum computers are practical or if new number theoretic attacks are developed that affect other quantum-resistant signature algorithms. These algorithms may be appropriate for use in specific scenarios such as firmware signing. While their wide application would pose some difficulties for system implementers, they would provide a viable digital signature option for some use cases in the event that a cryptanalytic breakthrough rendered other digital signature algorithms vulnerable.

FINDING 2.2: For smaller-scale applications within a single sophisticated organization with little tolerance for the possible risks to public-key cryptography (whether from a mathematical advance or quantum computers), it may be possible to use key distribution centers (KDCs) to replace or augment some uses of public-key cryptography. Because of the different trust models and attack surface, deploying KDCs to replace public-key cryptographic functions in open settings like Hypertext Transfer Protocol Secure (HTTPS) would be difficult technically, politically, and logistically.

FINDING 2.3: If an organization has encrypted information in the past using keys negotiated with an algorithm that later becomes vulnerable to cryptanalysis by a quantum or classical computer, there is little that the organization can do at the cryptographic level to prevent future decryption of ciphertexts that have already been intercepted and stored by an adversary. Organizations in that situation may be best served by understanding their risks from decryption of previously encrypted information, assembling an inventory of such information, and taking measures to limit the damage in the event that information is decrypted in the future.

FINDING 2.4: The research community continues to make improvements in the technology of computation on encrypted data. Such improvements can be expected to enable new ways of securely sharing both government and private-sector information.

FINDING 4.1: Most of the current public scientific expertise in algorithm design, cryptanalysis, and other areas of applied cryptography is outside the United States, largely in Europe. In contrast, within the United States, cryptography is taught as an area of theoretical computer science. The specific areas of expertise necessary to guide and facilitate the transition to post-quantum cryptography are relatively new and will require a more robust educational pipeline to train new talent.¹ Public research investment, through the National Science Foundation and other organizations, would encourage this process, while strict U.S. export control regulations have historically discouraged talent from locating in the United States.

FINDING 4.2: An improvement in asymmetric cryptanalysis algorithms could have a significant effect on the security of public key encryption algorithms that are in wide use today. Such an improvement would enable more efficient attacks on encrypted information using conventional computers rather than requiring the construction of a quantum computer. Furthermore, it could potentially be exploited in secret and with little or no advance notice.

FINDING 4.3: It is difficult to predict what mix will occur of low or high levels of government regulation of cryptocurrencies. Low levels of regulation will be subject to criticism for facilitating criminal activity. High levels of regulation will be subject to criticism for excessive surveillance. Market and technological factors further make it difficult to predict future growth in the sector. Of this uncertainty, it is also uncertain the extent to which intelligence agencies will retain, increase, or decrease their access to financial, transactional information.

FINDING 4.4: Forces for both globalization and fragmentation will be present. Even if the committee were in a position to predict whether globalization or fragmentation were more likely to prevail, these trends are complex and interrelated. Some trends reinforce themselves and others prompt opposite reactions. Thus, it is difficult to determine which forces are likely to prevail on any given issue. In theory, this means that the Intelligence Community will need to be prepared for alternative extremes—for example, a world in which authoritarian governments weaken or ban encryption in ordinary communications, and a world in which governments support pervasive use of encryption citing privacy and security concerns. Because that preparation is impossible to sustain over any meaningful period, there will be a premium on accurate detection of trends at the earliest possible stage and managing the risk of an incorrect assessment.

FINDING 4.5: The Internet and increasing technological interdependence promotes globalization. The shared experience of individuals around the globe owing to information and communications being instantly and ubiquitously available is a powerful cause of international commonality. That factor, along with convergence of technologies, ever-increasing global interdependence on all levels and across economic and political sectors, the continued growth of world trade and the likely ongoing increase in the role of the private sector, with

its constant drive for efficiency and common standards, will tend to powerfully mold the world in a unified way, increasing the likelihood that nations around the world will take similar approaches to issues relevant to encryption.

FINDING 4.6: Governmental regulation, for better or worse, of communications technology may lead to fragmentation on national lines. National security concerns have the effect, whether specifically intended or not, of creating competing national technologies—by limiting the exports of sensitive technology or by curtailing imports of equipment that may permit surreptitious surveillance by a foreign manufacturer or its government. Potent forces are present, for both beneficial and malicious reasons, that could predispose the global arrangement toward individual nationalistic or regional solutions to issues bearing on encryption. In many countries, there is growing support for “digital sovereignty,” a term that can mean various things ranging from having regulatory decisions made nationally instead of by Silicon Valley, and support for protectionist trade policies, to segmenting the Internet by blocking communications with other countries. In addition, national regulations to promote online competition, enhance cybersecurity, curtail hate speech, and protect citizens’ data privacy might well vary significantly around the globe and even in geopolitical regions where there might otherwise be commonality. A rise in citizens’ mistrust of governments (especially in the area of surveillance) might lead to a corresponding growth in the use of encrypted communications (both to avoid government surveillance and in response to general privacy concerns). Moreover, individual countries or blocs of like-minded countries might impose (or continue to impose) substantive communications content requirements enabled by technological distinctions at national levels, including, for example, banning or discouraging end-to-end encryption (so as to permit government surveillance), or mandating a variety of governmental access to otherwise encrypted communications (perhaps through required turnover of encryption keys to authorities or insisting on the use of specified encryption schemes).

FINDING 4.7: In most cases, a common set of security protocols and cryptographic algorithms are used globally, and systems and networks today are largely interoperable. This may not remain the case; the factors that led to this interoperability are weakening, and pressures to create national and regional differences are growing.

FINDING 4.8: In every scenario, bugs in software and operational errors are the weakest links in security.²

FINDING 4.9: Communications and storage depend on a software stack: hypervisor (a program that allows a computer to run several operating systems simultaneously), operating system, libraries, and application. While quantum computers or mathematical advances are important research topics, bugs or operational mistakes in this stack are the biggest source of system insecurity. Exploiting these errors is, and likely will remain, the biggest opportunity for offense, and minimizing them the highest priority for defense.

FINDING 4.10: The United States needs far more data security expertise than is currently available, and these needs are growing substantially. The failure to meet these needs could have significant and widespread ramifications both for national security and the private sector. All software developers and computer scientists require basic competence in computer security. In addition, a growing number of people will require deep expertise in security. The required skills are not easy to teach, as students need both security-focused knowledge and a deep technical knowledge across multiple subjects and layers of abstraction. If the U.S. educational system does not meet these needs, or if the United States becomes a less attractive destination for students, researchers, and entrepreneurs born in other countries, the shortage will be much worse. Technological changes

may rapidly increase demand for rare skills or may reduce demand by enabling tasks that currently require exceptionally skilled individuals to be performed by a broader range of people.

FINDING 4.11: Practical knowledge about the security of cryptographic systems will continue to be widely disseminated across the globe. Effective work (offensive or defensive) can be performed by a few skilled individuals. As a result, unlike areas where a country can obtain dominant capabilities by incurring costs that other countries cannot afford, many countries will have significant data security capabilities and none will be dominant.

FINDING 4.12: The transition to post-quantum cryptography is likely to be prolonged over many years. It may also provide a rationale for replacing obsolete systems that have other security problems.

FINDING 4.13: The complexity of the transition to post-quantum cryptography will likely introduce a range of new security vulnerabilities.

FINDING 4.14: A new classical cryptanalysis algorithm or quantum computing development could result in rushed and disorganized efforts to replace widely used public key algorithms or other cryptographic standards. Such a breakthrough would require mitigation efforts that would be more complex than fixing typical software bugs, such as the coordinated deployment of major protocol updates across implementations and services.

FINDING 4.15: 5G may introduce a number of new systems issues in practice, owing to both complex new suites of software and operator inexperience in distributed cloud environments.

FINDING 4.16: Many Internet of Things (IoT) components are poorly secured and easy to subvert, with an extremely wide range of consequences that are difficult to predict but potentially very high impact for the Intelligence Community and broader society. Because IoT will likely bring significant improvements to many aspects of life, however, more money and energy may be devoted to securing such devices going forward.

FINDING 6.1: With more adversary nations (especially China) seeking and making advances in encryption and as academic researchers (especially in Europe) continue to invest in cryptography and advance the theory and practice of encryption, the advantage that the Intelligence Community enjoyed in this area will diminish if not disappear.