Congress Starts to Address Post-Quantum Cybersecurity
October 27, 2022 | US Law Updates
Article by: Brian Beck
On July 13, 2022, the House of Representatives passed H.R. 7535, the “Quantum Computing Cybersecurity Preparedness Act.”
Because quantum computing has the capability to defeat the primary methods of encryption used by government and industry today, scientists and government officials have been working to develop a plan for post-quantum cybersecurity, as I discussed in my previous Dead Cat Live Cat article. H.R. 7535 is a short bipartisan bill, sponsored by Rep. Ro Khanna (D-CA) and co-sponsored by Reps. Nancy Mace (R-SC), Gerald Connolly (D-VA), Jamie Raskin (D-MD), and Tom Emmer (R-MN), aimed at requiring the entire federal government to begin preparing for a post-quantum future.
H.R. 7535 would require the Office of Management and Budget (“OMB”) to plan to migrate the federal government’s encryption standards to post-quantum cryptographic methods on the following timelines:
- 180 days after enactment: The Director of OMB must establish a rule requiring each executive agency to establish and maintain an inventory of cryptographic systems in use.
- 1 year after enactment, and on an ongoing basis thereafter: The head of each executive agency must provide to the Director of OMB, the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”), and the National Cyber Director an inventory of all information technology in use that is vulnerable to decryption by quantum computers.
- 1 year after the Director of the National Institute of Standards and Technology (“NIST”) has issued post-quantum cryptography standards: The Director of OMB must issue guidance requiring each executive agency to develop a plan to migrate to post-quantum cryptography.
The bill goes on to require that the Director of OMB submit reports to Congress setting forth a strategy to address the risks posed by the power of quantum computing to break encryption and the amount of funding needed to secure IT systems from quantum computing, as well as annual reports on the progress in migrating executive agencies to post-quantum cryptography standards.
H.R. 7535 passed by voice vote, and its Senate counterpart, S. 4592, was introduced on July 21, 2022 by Sen. Margaret Hassan (D-NH), co-sponsored by Sens. Rob Portman (R-OH), Jacky Rosen (D-NV), and Thomas Tillis (R-NC). It was referred to the Committee on Homeland Security and Governmental Affairs, and was ordered to be reported without amendment favorably. There has been no substantial opposition to the bill, and it is expected to pass.
Cybersecurity experts have expressed concerns that the bill is at best a good start to addressing the problems posted by quantum computing attacks on current encryption methods, pointing out that adversaries can steal and store encrypted data now, with the intent of decrypting it once quantum computing advances to the point where it can be decrypted. However, before migrating to post-quantum cryptographic methods, NIST and scientists around the world need to be confident that the new methods actually cannot be defeated. The imminent passage of the Quantum Computing Cybersecurity Preparedness Act indicates that the federal government is at least starting to take the threat seriously and prepare for it.