Governance, Risk and Compliance, Asset Management, Risk Assessments/Management, Security Program Controls/Technologies, Security Strategy, Plan, Budget

Congress wants a plan for post-quantum hacking threats for federal IT systems


Congress wants the federal government to have a plan in place for protecting federal IT systems and assets from future hacks carried out by quantum computers.

To be clear, computer scientists at the National Institute for Standards and Technology believe the tangible threat of quantum codebreaking is still years away, but the widespread replacement of much of the older, classical encryption underpinning systems and data is likely to come during the next few years.

The Quantum Computing Cybersecurity Preparedness Act, sponsored by Reps. Ro Khanna, D-Calif.; Nancy Mace, R-S.C.; and Gerry Connolly, D-Va., would force the civilian federal government to develop a concerted strategy to tackle this replacement. The bill, which Khanna first referenced during a January House Oversight Committee hearing, would give the Office of Management and Budget a year from the time NIST finalizes its post-quantum encryption standards (expected later this year) to begin prioritizing the migration of devices and systems at civilian federal agencies. It also requires OMB to begin developing a list of high-risk systems and assets that will be prioritized for replacement.

The director of OMB would be responsible for delivering a report updating Congress on the government’s progress, the potential cybersecurity risks posed by quantum computers, the amount of estimated funding needed to replace encryption for government systems and devices and U.S. coordination on post-quantum encryption with other international standards bodies.

“Even though classical computers can’t break encryption now, our adversaries can still steal our data in the hopes of decrypting it later," Khanna said in a statement. "That’s why I believe that the federal government must begin strategizing immediately about the best ways to move our encrypted data to algorithms that use post-quantum cryptography."

Mace said that while she was "optimistic" about the potential benefits of quantum computing "we must take preemptive steps to ensure bad actors aren't able to use this technology in more sinister ways."

Any such strategy, the bill posits in a sense of Congress, should involve the government and private sector coming together to develop software, hardware and applications that facilitate what is known as “crypto agility" — or the ability to easily switch out one post-quantum encryption algorithm for another — with minimal loss to performance or interoperability. This capability is critical because so much of quantum computing — and code breaking — is still largely theoretical at this point.

Until a working quantum computer advanced enough to break classical encryption comes along, officials at NIST working on the next wave of encryption are basing their algorithmic choices, in part, on mathematical estimations of what those computers might do.

That means that the algorithms we think will protect us may actually fall short — and, in fact, NIST official Dustin Moody told SC Media last year that each round of their post-quantum cryptography selection process has revealed a previously unknown or unforeseen weakness in one of the algorithms.

The work required to switch out such algorithms and implement crypto agility, where possible, is expected to be a long, grueling multi-year process. While the threat of quantum codebreaking mostly applies to public key encryption, most organizations don’t have good visibility over the kinds of encryption they rely on.

“A lot of people don’t have any real sense of where [their public key encryption] are deployed in their systems,” Bill Newhouse, a NIST cybersecurity engineer said last year to the Information Security and Privacy Advisory Board. “The non-technical folks that rely on them probably just don’t really recognize that it's all going to be rather complicated.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.