The Biden administration is already requiring agencies to develop concrete plans to migrate their systems and devices to “post-quantum” encryption, but Congress is moving to put its own stamp on the process.
The House on Tuesday passed the Quantum Computing Cybersecurity Preparedness Act, which would press agencies to identify specific systems and devices for the transition, and require the executive branch to provide regular updates to Congress.
The bill would require the director of the Office of Management and Budget to submit a report to Congress within one year laying out a strategy to protect the federal government’s data from threats posed by quantum computers capable of cracking some forms of classical encryption. It would also require an estimate of how much funding the government will need to facilitate the switch and an analysis of ongoing efforts to coordinate with international standards bodies to ensure that new algorithms selected by the National Institute for Standards and Technology (NIST) are widely adopted.
After that, OMB would be on the hook for annual reports to Congress on the state of the transition, which is expected to take years, over the next decade.
Such computers are likely a decade or more away from reality, but experts have said that most organizations will need to switch to new encryption algorithms well in advance of that day, both to ensure smooth interoperability with agency systems and to guard against the potential that foreign governments could swoop up encrypted federal data now to break later down the line.
“It is essential that the federal government prepare for this inevitability now while we still have time to protect data that is critical to our national and economic security,” said Rep. Carolyn Maloney, D-N.Y., on the House floor July 12 while speaking in support of the bill. “The process of migrating all federal IT systems to post-quantum cryptography will be complex and costly, but putting the right steps in place now will help us stay at the forefront of this frontier.”
The legislation was sponsored by Reps. Ro Khanna, D-Calif., Gerry Connolly, D-Va., Nancy Mace, R-S.C., Jamie Raskin, D-Md., and Tom Emmer, R-Minn. The Senate has not yet passed its own version.
Passage of the bill comes two months after the Biden administration issued a national security memo instructing agencies to prioritize systems and plan for large-scale replacement of older encryption once NIST has finished developing new standards.
The memo places the Office of Management and Budget, the national cyber director, the directors of the Cybersecurity and Infrastructure Security Agency (CISA), NIST and the National Security Agency (NSA) in charge of inventorying all federal systems and assets that rely on public-key algorithms, the form of classical encryption most likely to be broken by a future quantum computer.
That will clear the way for prioritizing the replacement of high-value or critical government systems, and individual agencies will have a year to submit their own inventories to CISA and the national cyber director, who must scope out budget and funding needs surrounding the transition by October 2023. Agencies will need to update these inventories on a yearly basis and provide periodic reports on efforts to replace high value systems.
It would also put the Department of Commerce in charge of a working group of companies and other stakeholders to identify tools and datasets that will help NIST develop similar post-quantum guidance for critical infrastructure entities.
Maloney said the House bill was crafted to be “closely aligned” with the Biden memorandum, while Rep. Fred Keller, R-Pa., said it would ensure that as agencies transition, Congress will also have its say.
“While the federal government already has initiatives underway to address such emerging threats, including the development of post-quantum cryptography standards and a recent Presidential national security directive, [this legislation] makes this a clear congressional priority,” Keller said.
