US Quantum Computing Cybersecurity Preparedness Act
The Quantum Computing Cybersecurity Preparedness Act, which U.S. President Joe Biden signed into law last month, addresses the transition of federal agency systems to post-quantum cryptography (PQC), which is more resistant to attacks from quantum computers.
The law mandated that the post-quantum cryptography migration be given top priority by the Office of Management and Budget (OMB) no later than a year following the publication of post-quantum cryptography standards by the National Institute of Standards and Technology (NIST), which is anticipated to happen by 2024.
It also asked OMB to report on ongoing coordination efforts with international standards development organizations for PQC standards and to submit a plan to address the security risk posed by agency information technology systems’ susceptibility to a quantum computer’s potential power.
The act noted the potential dangers posed by “harvest now, decrypt later” attacks and said that Congress finds cryptography essential for national security and the economy’s operation.
According to the act, “quantum computers might one day be able to push the limits of computation, allowing us to solve problems that have been intractable up until now, such as integer factorization, which is crucial for encryption.”
The White House memo from last November, which aimed to strengthen American leadership in quantum computing and reduce risks to weak cryptographic systems, was followed by this legislative action.
Federal agencies were asked in the memo to submit a cryptographic system inventory by May 4, 2023, and to name a lead for cryptographic lists and migrations the following year and report testing of pre-standardized PQC.
Private Sector Should Also Start the Quantum Security Preparedness
The Quantum Computing Cybersecurity Preparedness Act supports both security and quantum computing providers.
Since it takes a lot of work to upgrade current systems, QuSecure co-founder and COO Skip Sanzeri said in a statement that it is crucial for the U.S. to take action against the looming quantum threat as soon as possible. Meanwhile, many unfriendly nation-states are investing billions of dollars in projects to produce mighty machines that can crack the current encryption.
Quantum computers won’t be available now but will be in the upcoming years. Sanzeri continued, “However, it will take more than a few years for our federal agencies and private organizations to upgrade their systems to post-quantum cybersecurity.”
According to Kaniah Konkoly-Thege, chief legal and compliance officer at Quantinuum, the legislation also indicates that the commercial sector needs to prepare for security risks in the age of quantum computing.
“The Quantum Cybersecurity Preparedness Act signals that the U.S. government views post-quantum cryptography as a critical national security threat. This threat is not limited to the federal government. The private sector is also impacted as bad actors looking to steal customer data and IP to decrypt when fault-tolerant quantum computers arrive, also known as ‘hack now, decrypt later.’
“The private sector should take its cue from the federal government’s direction and begin preparing for this massive new cybersecurity challenge,” Konkoly-Thege wrote.