Biden Signs Law to Safeguard IT Against Quantum Computing
Federal Agencies Told to Prepare to Move Quickly Once Standards Get Identified
U.S. President Joe Biden has signed into law legislation designed to ensure federal agencies migrate to IT systems that will resist being decrypted by quantum computers.
The Quantum Computing Cybersecurity Preparedness Act is designed "to encourage the migration of federal government IT systems to quantum-resistant cryptography."
The legislation was introduced in the House of Representatives in April and passed by the House in July. Backed by Sens. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H., the Senate Committee on Homeland Security and Governmental Affairs unanimously backed the bill earlier this month, as did the full Senate. Biden signed it into law Wednesday.
Per the text of the law, its aim is to ensure that there is a strategy for both government and industry that will "prioritize developing applications, hardware intellectual property and software that can be easily updated to support cryptographic agility."
Within 180 days, the White House National Cyber Director (currently Chris Inglis, who is due to step down in early 2023), the director of the Cybersecurity and Infrastructure Security Agency (Jen Easterly) and the director of the Office of Management and Budget (Shalanda Young) are required to issue guidance to federal agencies on migrating their IT systems to post-quantum cryptography. Those agencies, in turn, must provide them with an annual update on their migration efforts.
Separately, the White House last month instructed federal agencies to share with it a list of quantum-vulnerable cryptographic systems in use, by May 2023.
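The inventory the White House asked for is the first practical step in any migration: before an agency can plan a move to quantum-resistant cryptography it needs to know which of its systems depend on algorithms a quantum computer would break. The following is an added example, not code from the article or from any agency, showing how such an inventory can be triaged. It assumes a constructed CSV asset list (name, algorithm, key or digest size in bits) and applies two well-established rules: public-key schemes based on integer factoring or discrete logarithms (RSA, DSA, Diffie-Hellman, elliptic-curve schemes) are broken outright by Shor's algorithm regardless of key size, while symmetric ciphers and hash functions only lose roughly half their nominal strength to Grover's algorithm. The 128-bit minimum effective strength and the sample inventory are assumptions for the example.

```python
"""Quantum-readiness triage for a cryptographic asset inventory.

Added example, not taken from the article or from any agency tooling. It
assumes a constructed CSV inventory (asset name, algorithm, key or digest
size in bits) and applies two well-established rules: public-key schemes
based on integer factoring or discrete logarithms are broken outright by
Shor's algorithm, while symmetric ciphers and hash functions keep roughly
half their nominal security against Grover's algorithm.
"""
import csv
import io
import re
from dataclasses import dataclass

# Public-key algorithms whose hardness assumption Shor's algorithm removes.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# Symmetric primitives and hashes: quantum search roughly halves strength.
GROVER_WEAKENED = {"AES", "CHACHA20", "SHA256", "SHA384", "SHA512"}
# Minimum post-quantum effective strength accepted for symmetric/hash use
# (an assumption for this example; matches the common 128-bit target).
MIN_EFFECTIVE_BITS = 128


@dataclass
class Asset:
    name: str
    algorithm: str
    bits: int


@dataclass
class Finding:
    asset: str
    status: str  # "quantum-vulnerable", "weakened", "acceptable" or "unknown"
    reason: str


def normalize(algorithm: str) -> str:
    """Map spellings such as 'sha-256' or 'Ed 25519' onto the table keys."""
    return re.sub(r"[\s_-]", "", algorithm).upper()


def classify(asset: Asset) -> Finding:
    """Apply the Shor/Grover rules to one asset."""
    alg = normalize(asset.algorithm)
    if alg in SHOR_VULNERABLE:
        return Finding(asset.name, "quantum-vulnerable",
                       f"{asset.algorithm} relies on factoring or discrete logs; "
                       "larger keys do not help against Shor's algorithm")
    if alg in GROVER_WEAKENED:
        effective = asset.bits // 2  # Grover: quadratic speedup on key search
        if effective >= MIN_EFFECTIVE_BITS:
            return Finding(asset.name, "acceptable",
                           f"{asset.algorithm}-{asset.bits} keeps ~{effective} bits "
                           "of post-quantum strength")
        return Finding(asset.name, "weakened",
                       f"{asset.algorithm}-{asset.bits} drops to ~{effective} bits; "
                       "move to a 256-bit key or digest")
    return Finding(asset.name, "unknown",
                   f"{asset.algorithm} is not in the classification table; "
                   "review manually")


def parse_inventory(csv_text: str) -> list[Asset]:
    """Read 'name,algorithm,bits' rows; a header row is optional."""
    assets = []
    for row in csv.reader(io.StringIO(csv_text.strip())):
        if not row or row[0].lower() == "name":
            continue
        assets.append(Asset(row[0].strip(), row[1].strip(), int(row[2])))
    return assets


# Migration order: broken public-key schemes first, then weakened, then unknown.
PRIORITY = {"quantum-vulnerable": 0, "weakened": 1, "unknown": 2, "acceptable": 3}


def triage(csv_text: str) -> list[Finding]:
    """Classify every asset and order the list for migration planning."""
    findings = [classify(a) for a in parse_inventory(csv_text)]
    return sorted(findings, key=lambda f: (PRIORITY[f.status], f.asset))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count assets per status for the annual report the law requires."""
    counts = {status: 0 for status in PRIORITY}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = """
name,algorithm,bits
vpn-gateway,RSA,2048
tls-frontend,ECDSA,256
code-signing,Ed25519,256
backup-encryption,AES,128
data-at-rest,AES,256
integrity-check,SHA-256,256
legacy-app,Blowfish,128
"""

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.status:18} {f.asset:18} {f.reason}")
    print(summarize(results))
```

On the sample data the three public-key assets (RSA, ECDSA and Ed25519) land at the top of the list regardless of key size, AES-128 is flagged as weakened, AES-256 and SHA-256 are accepted, and the unrecognised algorithm is routed to manual review rather than silently passed. An "unknown" bucket matters in a real inventory because legacy or proprietary algorithms are exactly the ones most likely to hide an unplanned dependency.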
Not Applicable to National Security Systems
Per the text of the new law, it "shall not apply to any national security system." Under federal law, the term national security system refers to any system operated by agencies or their contractors that touches on intelligence activities, "cryptologic activities related to national security," as well as "command and control of military forces."
But owners and operators of national security systems are already subject to requirements released by the National Security Agency in September, which call for them to start using post-quantum algorithms by 2035. Those requirements followed a national security memorandum signed by President Biden in May directing U.S. government agencies to migrate to quantum-resistant cryptography.
By 2030, some scientists predict, a quantum computer will be able to crack a 2,000-bit RSA key in several hours.
"A cryptanalytically relevant quantum computer could jeopardize civilian and military communications as well as undermine supervisory and control systems for critical infrastructure," Gen. Paul M. Nakasone, commander of U.S. Cyber Command and director of the NSA, said earlier this year. "The No. 1 defense against this quantum computing threat is to implement quantum-resistant cryptography on our most important systems."
NIST Seeks Standards
The search is underway for such cryptography.
In July, the National Institute of Standards and Technology announced a shortlist of four post-quantum encryption algorithms and said it was investigating another four. Within the next two years, NIST expects to set U.S. government post-quantum cryptography standards (see: US Government Picks Quantum-Resistant Encryption Algorithms).
Once post-quantum cryptographic standards are issued, the new law directs the OMB to require federal agencies to begin adopting the standards and to provide Congress with annual updates on its efforts.