Federal agencies should prepare to act quickly once standards are identified
Rashmi Ramesh (rashmiramesh_)
December 23, 2022
US President Joe Biden has signed legislation to ensure federal agencies migrate to IT systems that resist decryption by quantum computers.
The Quantum Computing Cybersecurity Preparedness Act is designed to “encourage the migration of federal government IT systems to quantum-resistant cryptography.”
The bill was introduced in the House of Representatives in April and passed by the House in July. It was backed by Sens. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H. The Senate Homeland Security and Governmental Affairs Committee unanimously supported the bill earlier this month, as did the entire Senate. Biden signed it on Wednesday.
The text of the law aims to ensure that there is a strategy for government and industry that will “prioritize the development of applications, hardware intellectual property and software that can be easily updated to support cryptographic agility.”
Within 180 days, the White House National Cyber Director (currently Chris Inglis, although he is scheduled to step down in early 2013) and the directors of the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget, Jen Easterly and Shalanda Young, are obliged to provide guidance to federal agencies on migrating IT systems to quantum-resistant cryptography. These agencies, in turn, must provide them with an annual report on their efforts.
Separately, the White House last month directed federal agencies to provide it, by May 2023, with a list of the quantum-vulnerable cryptographic systems they use.
Does not apply to national security systems
According to the text of the new law, it “does not apply to a national security system”. Under federal law, the term national security system refers to any system operated by government agencies or their contractors that relates to intelligence activities, “cryptological activities related to national security,” and “command and control of military forces.”
However, owners and operators of national security systems are already subject to requirements published by the National Security Agency in September that require them to start using post-quantum algorithms by 2035. Those requirements came after President Biden signed a national security memorandum in May directing U.S. government agencies to move to quantum-resistant cryptography.
Some scientists predict that by 2030, a quantum computer will be able to crack a 2,000-bit RSA key in several hours.
“A cryptanalytically relevant quantum computer could endanger civilian and military communications, as well as undermine surveillance and control systems for critical infrastructure,” Gen. Paul M. Nakasone, commander of the US Cyber Command and director of the NSA, said earlier this year. “The #1 defense against this quantum computing threat is to implement quantum-resistant cryptography on our most critical systems.”
NIST seeks standards
The search for such cryptography is underway.
In July, the National Institute of Standards and Technology announced a shortlist of four post-quantum encryption algorithms and said it was studying another four. Within the next two years, NIST expects the US government to establish post-quantum encryption standards (see: The US government opts for quantum-resistant encryption algorithms).
Once post-quantum cryptography standards are issued, the new law directs the OMB to require federal agencies to begin adopting the standards and to report annually to Congress on its efforts.