President Joe Biden has signed into law the Quantum Computing Cybersecurity Preparedness Act, legislation to push the federal government to adopt technology designed to protect against potential data breach attempts by a future quantum computer.
The Dec. 21 signing of the bipartisan measure, also called H.R. 7535, comes amid a race with China in advancing quantum computing technology and amid concerns that China and other adversaries of the United States could one day be able to decrypt existing forms of secure encryption, which rely on classical computers and are thus limited in computational ability compared to quantum computers.
The newly signed legislation requires the Office of Management and Budget (OMB)—the largest office within the White House—to prioritize the migration of federal agencies’ information technology systems to post-quantum cryptography.
“Post-quantum cryptography is encryption strong enough to resist attacks from quantum computers developed in the future,” according to a summary of the legislation. The text of the legislation defines post-quantum cryptography as “those cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by either a quantum computer or classical computer.”
“There is a race to build a fully capable quantum computer that would be so powerful, it could break encryption and allow adversaries to steal valuable information,” the office of Rep. Ro Khanna (D-Calif.)—one of the lawmakers who introduced the bill—stated in a release back in April.
“It is believed that adversaries are conducting a practice called ‘steal now, decrypt later’ where they collect data to store for years until they possess a powerful enough quantum computer to decrypt it. To protect our country’s data, critical government systems must be secured with algorithms and encryption so difficult to crack that even a future quantum computer won’t be able to break the code. This can be done through post-quantum cryptography. ... Because of stealing now and decrypting later, the federal government must begin planning now for this migration, and Congress should play an oversight role in this process.”
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) is working on setting standards for post-quantum cryptography. In July, it introduced the first four “quantum-resistant cryptographic algorithms” it has chosen to become part of the standard. The standards are expected to be finalized in about two years—by 2024.
The bipartisan measure was first introduced in the House in April by Reps. Khanna and Nancy Mace (R-S.C.) and passed the chamber in July. It later passed the Senate in early December, and passed the House for a final time before heading to the president’s desk. The legislation is co-sponsored by Sens. Rob Portman (R-Ohio) and Maggie Hassan (D-N.H.).
“Cybersecurity is national security,” Mace said in a statement on Dec. 14. “After 11 federal agencies were hacked by agents of Russia and China in 2020, we must do all we can to strengthen and protect our nation’s systems and keep our data secure. Congress will now receive an annual report on the federal government’s strategy for facing post-quantum cybersecurity threats.”
“As cutting-edge quantum computing continues to develop, there is an increased risk that our adversaries can weaponize this technology to breach American data systems,” Hassan said in a statement. “We must proactively address cybersecurity challenges posed by quantum computing-enabled breaches.”
The legislation directs the OMB to send Congress a report within 15 months covering: its strategy to address areas of weakness in encryption across government networks and to protect against future attacks by quantum computers; an estimate of the funding needed for the effort; and a description of efforts by government agencies to develop standards for post-quantum cryptography.
The newly enacted law furthermore gives the OMB 180 days to “issue guidance on the migration of information technology to post-quantum cryptography.” The guidance is to be developed in coordination with the national cyber director and in consultation with the director of the Cybersecurity and Infrastructure Security Agency (CISA).
Per the law, the guidance will require each federal agency to keep a current inventory of the information technology in use that is vulnerable to decryption by quantum computers. The guidance will also set out criteria to help the agencies prioritize information technology for migration to post-quantum cryptography.
Biden’s signing of the legislation comes after the White House on Nov. 18 issued a memorandum pushing for the migration to post-quantum cryptography. The memo directs executive departments and agencies to provide, by May 4, 2023, “a prioritized inventory of information systems and assets” that contain cryptographic systems vulnerable to decryption by quantum computers.
“This global technology race holds both great promise and threats,” Chris DeRusha, the federal chief information security officer, told Nextgov back in November. “We are prioritizing our efforts to secure the Federal Government’s sensitive data against potential future compromise by quantum computers; this action signifies the start of a major undertaking to prepare our Nation for the risks presented by this new technology.”
Yet another agency has also been working to facilitate a migration to post-quantum cryptography. In September, the National Security Agency (NSA) issued a cybersecurity advisory outlining, for owners, operators, and vendors of national security systems (NSS), the future requirements for quantum-resistant algorithms on those systems. NSS are networks that contain classified information or are otherwise critical to military and intelligence operations.
“NSA expects the transition to [quantum-resistant] algorithms for NSS to be complete by 2035,” the NSA said in the advisory, adding that vendors and NSS owners and operators should be prepared for the requirements.