The U.S. House of Representatives has passed the Quantum Computing Cybersecurity Preparedness Act, a bill whose passage comes as the U.S. federal government has begun to more aggressively support and act on the cybersecurity threats posed by quantum computers.
Those threats are expected to become an increasingly frequent risk factor in the years ahead for governments and corporate enterprises worldwide. The passage of this legislation comes just days after the National Institute of Standards and Technology (NIST) announced its initial choices for post-quantum cryptography (PQC) standards for encryption and digital signatures. Another recent action taken was the decision by the U.S. Cybersecurity and Infrastructure Security Agency to create its own PQC initiative to better organize and lead its efforts to better fight the quantum threat.
All of these moves come after the Biden White House in May urged federal government agencies to start planning their strategies to defend against these threats, and could represent a new phase in the government’s efforts to become a global leader in supporting quantum technology and quantum-safe solutions. It all comes after China has been much more aggressive up to this point in creating its own national strategy and vision for dealing with quantum technology.
Retired U.S. Navy Rear Admiral Mike Brown, a senior cybersecurity specialist formerly with the U.S. Departments of Defense and Homeland Security, told Fierce Electronics in the days leading up to the House bill approval, “What we don't have is a clear strategy [like China’s]. What we don't have is a clear partnership between the public and the private sector, which is leading technology innovation [without the government setting a tone and vision for innovation.] That's completely reversed from 40 years ago, when most of the innovation and the technology was led by the U.S. government, with response from and working with the private sector.”
Brown added, “When I say there's not a strategy that's both a negative and a positive. The negative is the fact that it would be really good if everybody understood what the United States is doing from a quantum computing technology perspective, similar to what China has clearly articulated, but on the flip side, there is an enormous amount of work that's been done in that private sector to lead in things like quantum encryption algorithm development.”
The Quantum Computing Cybersecurity Preparedness Act is one piece of the puzzle as the government looks to step up. According to a statement from Rep. Ro Khanna (D-Ca.), who introduced the bill back in April along with Rep. Nancy Mace (R-SC) and Rep. Gerry Connolly (D-Va.), the new Act would:
Require the Office of Management and Budget (OMB) in consultation with the Chief Information Officers Council to prioritize the migration to post-quantum cryptography and do an assessment of critical systems one year after the NIST standards are issued.
Instruct the director of OMB to send a report to Congress that includes a strategy on how to address this risk, the funding that might be necessary, and an analysis on the current efforts one year after the bill becomes law.
Direct OMB to provide a yearly report to Congress on the progress of the Federal Government in transitioning to post-quantum cryptography standards one year after the NIST standards are issued.
The full text of the House bill can be found here.
“It’s not just our personal lives that would be upended in a post-quantum future. Our U.S. national security and government agencies data could be exposed and exploited as well,” said Rep. Khanna. “I’m thrilled that the House has passed my bipartisan bill with Reps. Connolly and Mace to proactively protect consumer data and strengthen our national security. Next, I hope that the Senate will swiftly take up the bill and deliver it to the president’s desk.”
The bill was endorsed by several leading companies in the quantum computing and security markets, including Google, IBM, PQSecure Technologies, QuSecure, Maybell Quantum, and Quantinuum. All of these companies in one way or another already are helping U.S. government entities and private sector companies assess quantum-based security threats and move toward adoption of protection and mitigation strategies, which in most cases include deployment of the algorithms selected by NIST.
QuSecure, for example, just announced that its QuProtect solution already is protecting legacy IT systems at a combined Air Force, Space Force and NORAD location. The company’s platform enables a quantum tunnel supporting “quantum-resilient deployment with 100% uptime protecting data that previously used standard encryption, with no increased bandwidth or latency issues,” the company said in a statement. “Data currently being transmitted cannot be decrypted by others unless they have the QuProtect system, and any adversary collecting the protected data to store will be unlikely to decrypt it in the future, even with a quantum computer.”
Pete Ford, QuSecure Head of Federal Operations, added, “This is extremely significant because the U.S. government has not employed a post-quantum communications channel on premises before.”