Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

Cryptography is a set of mathematical processes that can "lock," "unlock," or authenticate information. Agencies, banks, utilities, and others rely on cryptography—e.g., data encryption algorithms—to secure systems and data.
Experts predict that a quantum computer capable of breaking such cryptography may exist within 10-20 years.
Various federal entities have developed documents that inform a national strategy for addressing this threat. But the strategy lacks details and nobody's in charge of implementing it. We recommended the National Cyber Director coordinate the national strategy and use our guidelines for effective national strategies.
GAO was asked to examine the federal government’s strategy to address the threat that quantum computers pose to our nation’s cryptography. This report provides information on, among other things, how cryptographic methods protect systems and data, the threat quantum computers pose, and the extent to which the U.S. national quantum computing cybersecurity strategy addresses the desirable characteristics of a national strategy.
Federal agencies and the nation's critical infrastructure—such as energy, transportation systems, communications, and financial services—rely on cryptography (e.g., encryption) to protect sensitive data and systems. However, some experts predict that a quantum computer capable of breaking certain cryptography—referred to as a cryptographically relevant quantum computer (CRQC)—may be developed in the next 10 to 20 years, putting agency and critical infrastructure systems at risk. Quantum computers leverage the properties of a qubit (the quantum equivalent of classical computer bits) to solve selected problems significantly faster than classical computers.
To address this threat, various documents developed over the past eight years have contributed to an emerging U.S. national strategy. Based on its review of these documents, GAO identified three central goals.
The strategy partially addresses the desirable characteristics of a national strategy identified in prior GAO work. For example:
- Problem definition and risk assessment. Several documents defined the problem as the threat of a CRQC to cryptography, but did not fully define a CRQC. In addition, although the executive branch conducted a comprehensive risk assessment on systems with vulnerable cryptography supporting critical infrastructure, it has not conducted such an assessment for systems used by federal agencies.
- Purpose, scope, and methodology. Several documents identified purpose and scope. With regard to methodology, three post-quantum cryptography standards documents provided information on how they were developed. However, the remaining documents did not describe the methodology or process used to develop them for the other two goals.
- Objectives, activities, milestones, and performance measures. The strategy documents identified objectives and activities for the first two goals but did not do so for the third. In addition, the strategy documents did not fully identify milestones for the second and third goals and did not identify performance measures for any of the three goals.
These desirable characteristics have not been fully addressed, in part, because no single federal organization is responsible for coordinating the strategy. In January 2021, Congress established an organization that is well-positioned to lead these efforts: the Office of the National Cyber Director. If the office embraces this role and ensures that the strategy fully addresses the desirable characteristics, the nation will have a better-defined roadmap for allocating resources and holding participants accountable.

Weather Ready Pacific charts the way on Early Warnings for All

Weather Ready Pacific - a major ten-year programme – aims at reducing the human and economic cost of severe weather events, protecting Pacific Island communities and livelihoods on the frontline of climate change.

WMO Deputy Secretary-General Ko Barrett stressed WMO’s commitment to the initiative in a high-level event at COO29 on “Early Warnings For All in the Pacific: Starting our journey to navigate through the challenges of a climate change world.”

Ministers and their representatives from Tonga, Fiji and Samoa highlighted the importance of the programme in building resilience to hazards such as tropical cyclones and coastal inundation in an era of rising sea levels and more extreme events.

Tiofilusi Tiuete, Minister for Finance and National Planning of Tonga, said there were already tangible improvements in forecasts thanks to a new weather radar which will increase the accuracy of advance warnings of high-impact events.

The Weather Ready Pacific Program was developed with the support of the Secretariat of the Pacific Regional Environment Programme (SPREP), WMO and the Government of Australia through the Australian Bureau of Meteorology (BOM). It is administered by SPREP and has a target to raise US $ 191 million over 10 years to strengthen the capacity of National Meteorological and Hydrological Services in the Pacific.

“We are committed to supporting sustainable capacity enhancement efforts wherever they occur and we stand ready to support with technical tools and guidance. National Meteorological and Hydrological Services are at the centre of all these efforts,” Ko Barrett told the high-level event.

“We are happy to leverage funding through the Systematic Observations Financing Facility (SOFF) and the Climate Risk and Early Warning Systems Initiative (CREWS) and other investment instruments to support the aims of the Weather Ready Pacific Programme and more generally of the Early Warnings for All initiative.”

Climate change ambassadors from Australia and New Zealand, two of the main financial backers, stressed how the programme is intended to foster long-term investment in sustainability. The aim is to bring different funding initiatives from a variety of partners under one roof and within a 10-year time frame, thus easing the administrative burden on Small Island Developing States.

“We have had so many projects that stop and start, stop and start. We spent more time writing reports than we do forecasting the weather,” said ‘Ofa Fa’ Anunu, the coordinator of the Weather Ready Pacific Programme. He was formerly the head of Tonga’s NMHS and president of WMO’s Regional Association for Asia-Pacific.

Systematic Observation Financing Facility (SOFF)
The Pacific represents 15 % of the world surface, but it has only six upper air stations which are compliant with the Global Basic Observing Network. This is a major gap that needs to be filled, given that a chain is only as strong as its weakest link.

SOFF seeks to fill this gap through long-term, grant based investments in infrastructure and enhancing the capacity of National Meteorological and Hydrological Services (NMHS).

Within the Pacific, Kiribati and the Solomon Islands have been approved for an amount of USD 20 million. Nauru and Samoa have been provisionally approved for an amount of USD 12 million.

Climate Risk and Early Warning Systems Initiative
Climate Risk and Early Warning Systems initiative seeks to bridge the early warnings capacity gap. Ko Barrett said CREWS is a textbook example of people-centred, community-based projects that are making a tangible difference to people’s lives.

WRP and CREWS share common programming frame and principles of country/regional driven programmes, people-centered approaches, and gender-responsiveness, said Gerard Howe, Head of Energy, Climate and Environment Directorate, UK Foreign, Commonwealth and Development Office (FCDO) and Chair of CREWS.

“CREWS is committed to support Weather Ready Pacific as a vehicle for more effective programming and financing,” he said.

Pacific Island countries benefited from one of the very first CREWS financing decisions in 2017. The CREWS Steering Committee recently initiated the consultations for a third phase of this regional project bringing the total contribution to the region to USD 25 million.

In Papua New Guinea, with the support of the Australian meteorological services, a new drought early warning system was established. In PNG, nearly eight in ten people rely on subsistence farming. Food insecurity is mostly due to crop failures from drought and frost.

Support to develop similar drought advisories has been received from 5 additional Island States and an additional US$ 5 million committed to support these.

Two countries (Tonga and Vanuatu) have accessed financing through the CREWS Accelerated Support Window a fast-track provider of technical assistance. This has led to the development of a smart weather app.

Groundbreaking Framework for the Safe and Secure Deployment of AI in Critical Infrastructure Unveiled by Department of Homeland Security

The Department of Homeland Security (DHS) released a set of recommendations for the safe and secure development and deployment of Artificial Intelligence (AI) in critical infrastructure, the “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure” (“Framework”). This first-of-its kind resource was developed by and for entities at each layer of the AI supply chain: cloud and compute providers, AI developers, and critical infrastructure owners and operators – as well as the civil society and public sector entities that protect and advocate for consumers. The Artificial Intelligence Safety and Security Board (“Board”), a public-private advisory committee established by DHS Secretary Alejandro N. Mayorkas, identified the need for clear guidance on how each layer of the AI supply chain can do their part to ensure that AI is deployed safely and securely in U.S. critical infrastructure. This product is the culmination of considerable dialogue and debate among the Board, composed of AI leaders representing industry, academia, civil society, and the public sector. The report complements other work carried out by the Administration on AI safety, such as the guidance from the AI Safety Institute, on managing a wide range of misuse and accident risks.
America’s critical infrastructure – the systems that power our homes and businesses, deliver clean water, allow us to travel safely, facilitate the digital networks that connect us, and much more – is vital to domestic and global safety and stability. These sectors are increasingly deploying AI to improve the services they provide, build resilience, and counter threats. AI is, for example, helping to quickly detect earthquakes and predict aftershocks, prevent blackouts and other electric-service interruptions, and sort and distribute mail to American households. These uses do not come without risk, and vulnerabilities introduced by the implementation of this technology may expose critical systems to failures or manipulation by nefarious actors. Given the increasingly interconnected nature of these systems, their disruption can have devastating consequences for homeland security.
“AI offers a once-in-a-generation opportunity to improve the strength and resilience of U.S. critical infrastructure, and we must seize it while minimizing its potential harms. The Framework, if widely adopted, will go a long way to better ensure the safety and security of critical services that deliver clean water, consistent power, internet access, and more,” said Secretary Alejandro N. Mayorkas. “The choices organizations and individuals involved in creating AI make today will determine the impact this technology will have in our critical infrastructure tomorrow. I am grateful for the diverse expertise of the Artificial Intelligence Safety and Security Board and its members, each of whom informed these guidelines with their own real-world experiences developing, deploying, and promoting the responsible use of this extraordinary technology. I urge every executive, developer, and elected official to adopt and use this Framework to help build a safer future for all.”
If adopted and implemented by the stakeholders involved in the development, use, and deployment of AI in U.S. critical infrastructure, this voluntary Framework will enhance the harmonization of and help operationalize safety and security practices, improve the delivery of critical services, enhance trust and transparency among entities, protect civil rights and civil liberties, and advance AI safety and security research that will further enable critical infrastructure to deploy emerging technology responsibly. Despite the growing importance of this technology to critical infrastructure, no comprehensive regulation currently exists.
DHS identified three primary categories of AI safety and security vulnerabilities in critical infrastructure: attacks using AI, attacks targeting AI systems, and design and implementation failures. To address these vulnerabilities, the Framework recommends actions directed to each of the key stakeholders supporting the development and deployment of AI in U.S. critical infrastructure as follows:
- Cloud and compute infrastructure providers play an important role in securing the environments used to develop and deploy AI in critical infrastructure, from vetting hardware and software suppliers to instituting strong access management and protecting the physical security of data centers powering AI systems. The Framework encourages them to support customers and processes further downstream of AI development by monitoring for anomalous activity and establishing clear pathways to report suspicious and harmful activities.
- AI developers develop, train, and/or enable critical infrastructure to access AI models, often through software tools or specific applications. The Framework recommends that AI developers adopt a Secure by Design approach, evaluate dangerous capabilities of AI models, and ensure model alignment with human-centric values. The Framework further encourages AI developers to implement strong privacy practices; conduct evaluations that test for possible biases, failure modes, and vulnerabilities; and support independent assessments for models that present heightened risks to critical infrastructure systems and their consumers.
- Critical infrastructure owners and operators manage the secure operations and maintenance of key systems, which increasingly rely on AI to reduce costs, improve reliability and boost efficiency. They are looking to procure, configure, and deploy AI in a manner that protects the safety and security of their systems. The Framework recommends a number of practices focused on the deployment-level of AI systems, to include maintaining strong cybersecurity practices that account for AI-related risks, protecting customer data when fine-tuning AI products, and providing meaningful transparency regarding their use of AI to provide goods, services, or benefits to the public. The Framework encourages critical infrastructure entities to play an active role in monitoring the performance of these AI systems and share results with AI developers and researchers to help them better understand the relationship between model behavior and real-world outcomes.
- Civil society, including universities, research institutions, and consumer advocates engaged on issues of AI safety and security, are critical to measuring and improving the impact of AI on individuals and communities. The Framework encourages civil society’s continued engagement on standards development alongside government and industry, as well as research on AI evaluations that considers critical infrastructure use cases. The Framework envisions an active role for civil society in informing the values and safeguards that will shape AI system development and deployment in essential services.
- Public sector entities, including federal, state, local, tribal, and territorial governments, are essential to the responsible adoption of AI in critical infrastructure, from supporting the use of this technology to improve public services to advancing standards of practice for AI safety and security through statutory and regulatory action. The United States is a world leader in AI; accordingly, the Framework encourages continued cooperation between the federal government and international partners to protect all global citizens, as well as collaboration across all levels of government to fund and support efforts to advance foundational research on AI safety and security.
President Biden directed Secretary Mayorkas to establish the Board to advise the Secretary, the critical infrastructure community, other private sector stakeholders, and the broader public on the safe and secure development and deployment of AI technology in our nation’s critical infrastructure. Secretary Mayorkas convened the Board for the first time in May 2024, and Board Members identified a number of issues impacting the safe use and deployment of this technology, including: the lack of common approaches for the deployment of AI, physical security flaws, and a reluctance to share information within industries.
The Framework is designed to help address these concerns and complements and advances existing guidance and analysis from the White House, the AI Safety Institute, the Cybersecurity and Infrastructure Security Agency, and other federal partners.

CISA Releases Insights from Red Team Assessment of a U.S. Critical Infrastructure Sector Organization

The Cybersecurity & Infrastructure Security Agency (CISA) has released Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a U.S. Critical Infrastructure Sector Organization in coordination with the assessed organization. This cybersecurity advisory details lessons learned and key findings from an assessment, including the Red Team’s tactics, techniques, and procedures (TTPs) and associated network defense activity.
This advisory provides comprehensive technical details of the Red Team’s cyber threat activity, including their attack path to compromise a domain controller and human machine interface (HMI), which serves as a dashboard for operational technology (OT).
CISA encourages all critical infrastructure organizations, network defenders, and software manufacturers to review and implement the recommendations and practices to mitigate the threat posed by malicious cyber actors and to improve their cybersecurity posture.
For more information on the most common and impactful threats, tactics, techniques, and procedures, see CISA’s Cross-Sector Cybersecurity Performance Goals.

TSA announces proposed rule that would require the establishment of pipeline and railroad cyber risk management programs

The Transportation Security Administration (TSA) has published a Notice of Proposed Rulemaking that proposes to mandate cyber risk management and reporting requirements for certain surface transportation owners and operators.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” said TSA Administrator David Pekoske. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
This rule proposes to continue TSA’s commitment to performance-based requirements. Building on the performance-based cybersecurity requirements TSA previously issued via annual Security Directives since 2021, the proposed rule leverages the cybersecurity framework developed by the National Institute of Standards and Technology and the cross-sector cybersecurity performance goals developed by the Cybersecurity and Infrastructure Security Agency (CISA).
Consistent with these requirements and standards, this rule proposes:
- To require that certain pipeline, freight railroad, passenger railroad and rail transit owner/operators with higher cybersecurity risk profiles establish and maintain a comprehensive cyber risk management program;
- To require these owner/operators, and higher-risk bus-only public transportation and over-the-road bus owner/operators, currently required to report significant physical security concerns to TSA to report cybersecurity incidents to CISA; and
- To extend to higher-risk pipeline owner/operators TSA’s current requirements for rail and higher-risk bus operations to designate a physical security coordinator and report significant physical security concerns to TSA.
TSA asserts that maintaining an effective cybersecurity posture is critically important to ensuring that the surface transportation sector is prepared for, and able to manage, cyber risks. The requirements contained in this proposed rule would strengthen cybersecurity resilience across the surface transportation systems sector.

CISA Launches #PROTECT2024 Election Threat Updates Webpage

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new one-stop shop website for election threat updates from CISA and its federal government partners. As foreign actors continue their efforts to influence and interfere with the 2024 elections, CISA is ensuring that information about the election threat environment is readily accessible.
Part of the larger #Protect2024 site launched in January, the page aims to make it easier to find specific threat related products that the American public can use to stay informed and the election community can use to prepare, including:
- Joint Statements from CISA, ODNI and FBI on threats to the 2024 election
- ODNI Election Threat Updates
- FBI and CISA “Just So You Know” Joint PSA Series
Since its initial launch, #Protect2024 has quickly grown and serves as the central point for critical resources, training lists and security services to support more than 8,000 election jurisdictions for the 2024 election cycle.

Plurilock and CrowdStrike Partner to Secure Critical Infrastructure and Organizations

Plurilock Security Inc., a global cybersecurity services and solutions provider, and CrowdStrike are pleased to announce a new partnership to secure critical infrastructure in democratic nations and economies against modern threats. Plurilock will provide sales and support of the AI-native CrowdStrike Falcon® cybersecurity platform to help power Plurilock’s Critical Services business unit.
Through the partnership, Plurilock will collaborate with CrowdStrike to deploy the Falcon platform and related Plurilock Critical Services to key Plurilock customers that are seeking to modernize or optimize their security operations for today’s surging threat environment. Both companies have deep expertise in AI and cybersecurity, with Plurilock having been founded on AI as a cybersecurity research spin-out, and CrowdStrike providing the world’s most advanced AI-native cybersecurity platform.
“Plurilock Critical Services secures enterprise customers that are of key importance to the world’s democracies—and that are increasingly targeted by sophisticated attacks,” said Ian L. Paterson, CEO of Plurilock. “The CrowdStrike Falcon platform enables our Critical Services team to consolidate point products, remove complexity, and deliver comprehensive visibility and real-time protection across the enterprise. This partnership enables us to provide some of the most demanding customers in existence with the solution best able to address the threats they currently face.”
“Collaborating with innovative partners like Plurilock is core to CrowdStrike’s mission of stopping breaches,” said Daniel Bernard, chief business officer, CrowdStrike. “Plurilock customers are targeted by the world’s most sophisticated adversaries, and require the most advanced technology and elite services to safeguard their critical assets. We look forward to leveraging the power of the Falcon platform to achieve our shared objectives and stop advanced threats.”

2nd E.DSO Digital Award

Are you the creator of a pioneering solution or technological innovation that will facilitate the energy transition and leave a significant impact for society?
E.DSO, the Association of Distribution System Operators (DSOs), is launching the ‘2nd E.DSO Digital Award’ in recognition of the most meaningful and relevant digital innovations contributing to the shaping of DSOs roles. This award wants to highlight the importance of digitalisation in the energy sector and to acknowledge those who are leading the way in creating a more efficient, resilient, and consumer-centric energy system.
This opportunity is reserved for start-ups that have developed an innovative, revolutionary and relevant technological tool and digital solution for a future energy system.
Candidates are invited to send a brief description plus a video of their invention and its contribution by 21 October 2024.
The Award will be announced during E.DSO 1st FutureGrid Innovation Summit scheduled in Brussels on 6 February 2025.

UK Data centres to be given massive boost and protections from cyber criminals and IT blackouts

Technology Secretary Peter Kyle, has announced the government has now classed UK data centres – the buildings which store much of the data generated in the UK – as ‘Critical National Infrastructure’. It is the first Critical National Infrastructure (CNI) designation in almost a decade, since the Space and Defence sectors gained the same status in 2015.
It means the data housed and processed in UK data centres - from photos taken on smartphones to patients’ NHS records and sensitive financial investment information - is less likely to be compromised during outages, cyber attacks, and adverse weather events. Putting data centres on an equal footing as water, energy and emergency services systems will mean the data centres sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all.
CNI designation will, for example, see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur.
It comes as the government welcomes a proposed £3.75 billion investment in Europe’s largest data centre, as plans have been submitted to Hertsmere Borough Council for construction in Hertfordshire by data company DC01UK which will directly create over 700 local jobs and support 13,740 data and tech jobs across the country.
Critical National Infrastructure status will also deter cyber criminals from targeting data centres that may house vital health and financial data, minimising disruption to people’s lives, the NHS and the economy.
In the event of an attack on a data centre hosting critical NHS patients’ data, for example, the government would intervene to ensure contingencies are in place to mitigate the risk of damage or to essential services, including on patients’ appointments or operations.
The new protections will also boost business confidence in investing in data centres in the country, an industry which already generates an estimated £4.6 billion in revenues a year.

FBI, CISA, NSA, and US and International Partners Release Advisory on Russian Military Cyber Actors Targeting US and Global Critical Infrastructure

The Federal Bureau of Investigation (FBI )— in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners — have released a joint Cybersecurity Advisory Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure.
This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) associated with Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) cyber actors, both during and succeeding their deployment of the WhisperGate malware against Ukraine.
These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. The authoring agencies encourage organizations to review this advisory for recommended mitigations against such malicious activity.
1 2 3 53