Skip Sanzeri is the founder, board chair and COO of QuSecure, a top post-quantum cybersecurity company.
On December 21, 2022, President Biden signed into law H.R.7535, the Quantum Computing Cybersecurity Preparedness Act, which encourages “federal government agencies to adopt technology that will protect against quantum computing attacks.”
This marks a major milestone in the global effort to develop and deploy quantum-resilient cybersecurity. It’s important that the U.S. moves quickly against the coming quantum computing threat since it takes significant effort and years to upgrade existing federal and commercial technology and cryptography. Meanwhile, quantum computers are rapidly developing, with some adversarial nation-states putting tens of billions of dollars toward programs to create these very powerful machines, which will break the encryption we use today.
H.R.7535 requires federal agencies to “migrate systems to post-quantum cryptography, which is resilient against attacks from quantum computers and standard computers.” To illustrate the bullish progress our federal representatives have made, H.R.7535 follows three major initiatives from earlier last year outlining how we should create a quantum-resilient U.S.
1. On January 19, 2022, the State Department issued a key initiative called the “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” stating that “Within 180 days of the date of this memorandum, agencies shall identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms.”
2. On May 4, 2022, the State Department published a follow-on memo called the National Security Memorandum 10 (NSM-10), “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.”
3. On November 18, 2022, M-23-02 was issued by Shalanda D. Young, the Director of the Office of Management and Budget. This memorandum describes steps for federal agencies to take as they transition to Post-Quantum Cybersecurity (PQC) by building a prioritized inventory of their cryptographic systems.
H.R.7535 now codifies that within six months, federal agencies must develop a strategy for migrating to post-quantum cryptography. In addition, it compels federal agencies to address the risk posed by weakened encryption due to the capability of a quantum computer to breach that encryption. Within 180 days of the memo (by May of 2023), the law outlines a requirement for “each agency to establish and maintain a current inventory of information technology in use by the agency that is vulnerable to decryption by quantum computers.”
Most importantly, this new law has funding attached as it requires each agency to submit an estimate of the amount of money it will take for the move to quantum-safe systems.
What are quantum computers?
Quantum computers are very powerful machines that operate differently than the standard computers we use today. Standard computers struggle with certain sets of problems, one of which happens to be the basis of the cryptography that currently protects our data. The data that makes up this article and the internet it traveled across use encryption protected by a mathematical equation using large numbers and the factors that go into those numbers. Also called prime factorization, this math problem is unbelievably difficult for classical computers to solve.
Quantum computers operate differently. Using a subatomic property called superposition, quantum computers can tackle problems like prime factorization and multivariate problems because of how they process data and how they can be programmed. Unlike our classical computers, where the base elements must be zero or one, superposition allows quantum computers to take advantage of a base element being zero, one and anything in between, all at the same time.
Why do we need to act now?
It is widely understood that adversarial nation-states are building quantum computers to use as weapons. To put it as clearly as possible, the first nefarious nation-state that brings a quantum computer online with enough power to crack encryption could have unprecedented global control at its fingertips. All the private and secret information traveling over the internet will be available to anyone who has this power. This includes national secrets, healthcare data, financial and banking information, as well as access to infrastructure like energy grids, satellite communications and water supplies.
Worse yet, it is heavily documented that some nations are stealing vast amounts of data that is currently encrypted but will be decrypted when a quantum computer with enough power is available. Sometimes called “Steal Now, Decrypt Later” (SNDL), this describes stealing and storing data for a future date when there are systems that can decrypt, view and operationalize that data.
Most of these data sets need to remain secret for 25 to 75 years and would be valuable if cracked sooner. But if stolen now and decrypted within a few years by a quantum computer, an adversary would then have the capability to operationalize that data to disrupt society, steal intellectual property, gain financially or increase the chances of winning a war.
What can be done?
Most government agencies and commercial enterprises will need to take three main steps to prepare their digital infrastructure for quantum-resilient cybersecurity.
1. Start by evaluating and documenting current cryptography, which is vulnerable to quantum attacks.
2. Develop a plan to add quantum-safe cryptography where appropriate in your network, including servers, edge devices and IoT.
3. Test a quantum-safe, cryptographically agile solution in your IT infrastructure.
Selecting suitable cryptographic algorithms can be done quickly with help from a qualified consultant or vendor. However, deploying a quantum-safe security solution will take longer, depending on the size and complexity of your enterprise network.
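As an added illustration of step 1 (not code from the article or from any vendor), the sketch below builds a small prioritized inventory from TLS 1.2 cipher suite names, flagging public-key algorithms that a quantum computer could break and ranking first the systems whose recorded traffic is exposed to "Steal Now, Decrypt Later." The system names, secrecy lifetimes, and the `years_to_crqc` and `migration_years` defaults are constructed assumptions, not forecasts.

```python
import re

# Public-key primitives that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DHE", "DSA", "DSS", "ECDH", "ECDHE", "ECDSA"}

# Constructed sample inventory (hypothetical systems and secrecy lifetimes).
INVENTORY = [
    {"system": "hr-portal", "suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "secrecy_years": 25},
    {"system": "status-page", "suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "secrecy_years": 1},
    {"system": "legacy-vpn", "suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "secrecy_years": 75},
    {"system": "sensor-mesh", "suite": "TLS_PSK_WITH_AES_128_GCM_SHA256", "secrecy_years": 25},
]

def parse_tls12_suite(suite):
    """Return (key_exchange, authentication) from an IANA TLS 1.2 suite name."""
    m = re.fullmatch(r"TLS_([A-Z0-9_]+)_WITH_[A-Z0-9_]+", suite)
    if not m:
        raise ValueError(f"not a TLS 1.2 suite name: {suite}")
    parts = m.group(1).split("_")
    # A single token (TLS_RSA_WITH_..., TLS_PSK_WITH_...) serves both roles.
    return parts[0], parts[-1]

def assess(record, years_to_crqc, migration_years):
    """Classify one record and decide whether recorded traffic is at risk."""
    kex, auth = parse_tls12_suite(record["suite"])
    kex_broken = kex in SHOR_BROKEN
    auth_broken = auth in SHOR_BROKEN
    # Exposed if secrecy lifetime plus migration time outlasts the assumed
    # arrival of a capable quantum computer (Mosca's inequality: x + y > z).
    sndl = kex_broken and record["secrecy_years"] + migration_years > years_to_crqc
    priority = 1 if sndl else 2 if (kex_broken or auth_broken) else 3
    return {"system": record["system"], "kex": kex, "auth": auth,
            "sndl_exposed": sndl, "priority": priority}

def prioritized_inventory(records, years_to_crqc=10, migration_years=3):
    """Sort records by priority; both horizon defaults are assumptions."""
    rows = [assess(r, years_to_crqc, migration_years) for r in records]
    return sorted(rows, key=lambda r: (r["priority"], r["system"]))

if __name__ == "__main__":
    for row in prioritized_inventory(INVENTORY):
        print(row)
```

Note that ECDHE suites still land in priority 1 when the data is long-lived: forward secrecy protects against a later key compromise, not against a quantum attack on the recorded key exchange itself.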
According to Congressman Ro Khanna, who sponsored H.R.7535, “As quantum computing continues to progress, we must take steps now to protect America’s national security and economy…we have to plan ahead for potential vulnerabilities it may create.”
It is imperative that we continue this rapid progress toward a quantum-resilient technology in the U.S. as outlined by H.R.7535 so that when (not if) a bad actor has access to sufficient quantum computing power, our data, communications, systems and future will be protected.