Proposed legislation that would give agencies a year to begin migrating to post-quantum cryptography is a recognition that transitioning from legacy to new algorithms will require significant planning and funding, say industry experts.
The Quantum Cybersecurity Preparedness Act would give the Office of Management and Budget a year from the day the National Institute of Standards and Technology issues post-quantum cryptography standards to prioritize the migration of agencies’ IT systems based on cybersecurity risk. Reps. Nancy Mace, R-S.C.; Ro Khanna, D-Calif.; and Gerry Connolly, D-Va., introduced the bill.
While quantum computers are thought to be a decade or more off, foreign adversaries plan to use the technology to crack encrypted data they’ve already exfiltrated from U.S. systems.
“What I like about this act is it’s recognizing the risk of the hack now, decrypt later threat,” Duncan Jones, head of cybersecurity at Quantinuum, told FedScoop. “And I think that’s really important to focus on.”
Assuming the data China exfiltrated in the 2015 Office of Personnel Management breach was encrypted with traditional public-key encryption, those files will be vulnerable to quantum computers once the nation-state develops them.
Quantinuum was one of six tech companies to endorse the legislation. Although the company itself develops quantum-powered technology to address global challenges across a number of disciplines, it recognizes the risk quantum computers pose to public-key encryption, Jones said.
That’s a threat that needs to be taken “very seriously” considering the amount of money foreign adversaries like China are spending to beat the U.S. to quantum computers, said Eddy Zervigon, CEO of quantum-safe security company Quantum Xchange.
He added: “They’re also much more pronounced in terms of their successes, [for example] you can look at some of the stuff they’ve done in space with their satellite QKD system.”
According to Zervigon, the government’s lack of quantum-resistant ways to deliver data is a particularly pressing issue for public and private satellite operators, which need cryptography to protect telemetry, tracking and control, and data in transit.
NIST’s forthcoming algorithms will be quantum resistant, and the Quantum Cybersecurity Preparedness Act would give OMB a year to provide Congress with its strategy for protecting agencies’ vulnerable IT systems by migrating to those standards, the cost of that effort, and its analysis of ongoing post-quantum cryptography efforts. OMB would also be required to report annually on the state of the governmentwide transition.
“These algorithms that are being standardized right now by NIST, it’s not too long before those are ready,” Jones said. “That’s not the moment to start acting.”
The proposed legislation builds on National Security Memorandum-8, issued in January, which required agencies to identify all instances of encryption that is not quantum resistant but also allowed them to obtain waivers for such systems.
A governmentwide approach to post-quantum cryptography should involve developing not only algorithms but agile hardware and software, according to the bill text.
The only thing the legislation lacks is “real hammers” around migration and technology adoption deadlines for agencies to ensure there are consequences for not having post-quantum cryptography in place, Zervigon said.
“This is going to be the greatest cryptographic migration in history,” he said. “So let’s make sure the architecture, the foundation is set right before we start applying all these different new technologies and products onto something that might not be able to support what we’re trying to do here over the long haul.”