Congress Moving To Push Agencies To Embrace Post-Quantum Encryption

In January 2022, President Biden signed a National Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. This memorandum has enormous implications for the security of agencies in the US and beyond as new cyber threats appear with the advent of quantum computing. Since then, the entire governmental apparatus has pushed the issue further up the agenda. On July 13, the House passed the Quantum Computing Cybersecurity Preparedness Act, driving agencies to identify the systems and devices necessary for the transition. But what effect does the advent of quantum computing have on cybersecurity, and what changes are needed within the governmental infrastructure to meet the challenges?

Quantum computing is the next step in information technology evolution, and we’re all used to thinking of it as five to ten years away. However, in recent research, management consultants McKinsey and Company noted that they expect around 2,000 to 5,000 quantum computers globally by 2030. And with this new revolution in computing comes increased threats from hackers and cyber-terrorists.

Why Does Quantum Computing Increase the Potential of Cyber Threats?

Quantum computers work on a very different principle from traditional computers. Rather than using 0s and 1s, a quantum computer runs calculations based on the probability of an object’s state before it is measured. This allows it to process calculations exponentially faster than anything a classical computer can manage. It also enables computers to perform complex mathematical operations and, crucially, crack codes and encryption that might otherwise take years to break.

As most IT systems are protected with security that’s not designed with quantum processing in mind, governmental agencies safeguarding critical information and data vital to national security now need to get ahead of the game. Over the coming decade, hostile foreign agencies and bad actors bent on causing destruction or profiting from ransomware or data sales are almost certain to gain access to quantum computers, making adoption of post-quantum computing protocols an urgent priority.

What Provisions Are in the Quantum Computing Cybersecurity Preparedness Act?

The first provision of the bill gives the director of the Office of Management and Budget (OMB) one year to submit a report to Congress outlining a strategy to protect the federal government’s data. It also asks how much the switch to post-quantum computing will cost the federal government. In addition, there’s a requirement for an analysis of the current work liaising with international standards bodies on ensuring that new algorithms chosen by the National Institute of Standards and Technology (NIST) are adopted across all levels of government. After these initial reports, the OMB would be required to submit further annual reports containing details of its progress on the transition, which is expected to take up to a decade.

An equivalent bill was placed before Congress on 21 July, co-sponsored by Senators Maggie Hassan (D-NH) and Rob Portman (R-OH). Senator Hassan is also involved in efforts to promote federal research into quantum computing to further national security goals. She was also a key player in securing $2.76 million in federal funding for Dartmouth College to support its quantum genome mapping project.

Is the US Losing the Quantum Computing Race?

Rivalry with China primarily drives the Biden administration’s focus on the challenges posed by quantum computing. Although it’s not clear how reliable the data is, China has made significant advances in quantum computing in recent years, and many fear that this technology will proliferate uncontrollably.

Jian-Wei Pan, often called China’s “Father of Quantum,” led a team in 2021 that reportedly demonstrated what they called “quantum supremacy” with a superconducting quantum computer, Zuchongzhi. This follows several reported breakthroughs, including demonstrating the first space-based quantum communications. This involved creating an ultra-secure data link between two ground stations over 1,000 miles apart using the Micius satellite.

Chinese teams have also reported using a light-based processor known as Jiuzhang 2 to complete, in one millisecond, a task that a conventional computer would take 30 trillion years to finish. This results from the Chinese government’s $10 billion investment in the field, compared to the US committing only $1.2 billion in the same period. However, another Senate bill is committing to a $29 billion investment in quantum computing, although this is currently bogged down in reconciliation.

What Will Happen When Quantum Computers Become Widespread?

The effects could be dire when the first powerful quantum computer goes online. Any data, even that stored under the highest possible encryption protocols, will be decrypted with ease. Some hackers are already storing data in anticipation of being able to decrypt it later with a quantum computer. The data at risk could concern control systems that keep the national grid running, armed forces systems up to the nuclear arsenal, and banking systems worldwide. Scientists consider this scenario so severe that they have dubbed it the “Quantum Apocalypse.” Given the amount of resources being poured into this field by the US, China, and other powers, it’s a matter of when, not if, quantum computers become powerful enough.

Fortunately, provisions in the Quantum Computing Cybersecurity Preparedness Act and other legislation in progress or already passed are working to avert this nightmare scenario. NIST is already working on solutions using quantum-resistant algorithms as alternatives to those already in place. They are collaborating toward this goal with organizations from all parts of the world, including government agencies, private companies, and organizations in academia and technological spheres.

NIST is coordinating these efforts and anticipates that by 2024 it will have identified and vetted potential next-generation cryptographic schemes. The provisions of the Quantum Computing Cybersecurity Preparedness Act are intended to codify this implementation and ensure that it’s rolled out effectively with quantum-safe PKI (public key infrastructure) certificates.

Of course, the risks and opportunities posed by the post-quantum computing world are open to more than just the public sector and infrastructure. Every organization, public or private, must keep up with the latest advances in post-quantum cryptography or risk being caught up in its own Quantum Apocalypse.