Hello,
October brings with it National Cybersecurity Awareness Month, a yearly pause where the cybersecurity community recommits to basic principles and takes stock of the big picture. It’s a welcome ritual that reminds us that security is a shared responsibility. That being said, if this month is about awareness, it should also be about perspective, the kind that zooms out from point fixes to patterns, from parts to the whole.
Holistic, systems thinking is not a luxury in cybersecurity; it’s table stakes. Our work touches people, protocols, products, and policy, all interacting in ways that can amplify either resilience or fragility. Nowhere is that more evident than in our preparations for the coming quantum era. Quantum computing will not politely ask our permission before rendering today’s public‑key cryptography obsolete. It will simply arrive on its own timeline and when it arrives, data protected by RSA and ECC today becomes readable tomorrow to anyone with access to a quantum computer. The “harvest‑now, decrypt‑later” threat model isn’t speculative; U.S. government agencies have been urging planning for years.
There is good news. At the algorithm level, real progress has been made. NIST has issued FIPS 203 (ML‑KEM) for key establishment and FIPS 204/205 (ML‑DSA and SLH‑DSA) for signatures. Other algorithms are in the process of being added to this first wave of standardized post‑quantum building blocks. Across the public sector, calls to inventory cryptographic dependencies and build crypto‑agility into architectures are growing louder.
Unfortunately, there’s also bad news. Focusing on the field of view on algorithms has led to a familiar myopia. Inventories and agility are necessary; they are not sufficient. If we prepare algorithms without preparing protocols, we are swapping the engine while leaving the transmission untouched. Internet security is instantiated in network protocols like TLS, IPsec, IKE for VPNs, and QUIC. Without standardized and broadly deployed post‑quantum variants of these protocols, the post-quantum confidentiality of communications remains at risk, no matter how elegant our chosen KEM or signature. Work is underway; hybrid key exchange for TLS 1.3, KEM integration into IKEv2, and HPKE as a versatile primitive, but there is still significant friction between key stakeholders, drafts and pilots are not deployments, and interoperability at scale takes time.
This is not a call‑out of any company, agency, or practitioner. Quite the opposite. The NIST standards, CISA guidance on discovery and inventories, and NSA road‑mapping have moved the ball downfield significantly. Instead, think of it as a call‑in, a reminder that effective cybersecurity is a systems discipline. Algorithms, protocols, products, and operational playbooks must evolve together, or the strongest component will inherit the fragility of the weakest link.
So, what does holistic action look like this month?
- Elevate protocols to first‑class migration artifacts. Demand that PQ‑TLS, PQ‑IKE/IPsec, and related protocols be treated as scoped deliverables with timelines, test plans, and vendor engagement, right alongside algorithm upgrades.
- Make crypto‑agility real, not rhetorical. Inventories are the map; agility is the route. Define update paths, lifecycles, and rollback strategies that acknowledge the messiness of production reality.
- Bias for interoperability. Pilot hybrid modes and cross‑vendor interop now; the curve from draft to durable takes practice in the wild.
- Plan for longevity. Prioritize data and systems with long secrecy lifetimes where harvest‑now, decrypt‑later is most damaging.
National Cybersecurity Awareness Month should do more than remind us to update software; it should remind us to update ourselves and to prioritize systems thinking. Let’s resist the comfort of narrow victories and pursue the harder win of end‑to‑end designs that carry privacy, resilience, and quantum‑safety across the layers where people actually live and work.
The aim isn’t to build systems that fear the future; it’s to build systems ready for it, that are coherent from math to middleware to mission. That is how we keep today’s progress from becoming tomorrow’s surprise.
Build it right, America.
Adam Firestone
Editor-in-Chief
Leave a Comment