U.S. House Passes Quantum Computing Cybersecurity Prevention Act
On July 12, the U.S. House of Representatives officially passed the Quantum Computing Cybersecurity Preparedness Act (H.R. 7535) (the Quantum Computing Cybersecurity Preparedness Act) [1]. This is the largest action taken by the U.S. in quantum security after NIST published the first batch of post-quantum cryptographic standard algorithms.
On April 18 of this year, California Democratic Rep. Ro Khanna joined with Republicans to sponsor the Quantum Computing Cybersecurity Preparedness Act, which aims to address the continued popularity of quantum computing and protect the security of government information.
After receiving House passage, Khanna said the bill includes authority for the Office of Management and Budget (OMB) to work with the Chief Information Officers Council and provide Congress with updates on the government's progress toward post-quantum cryptographic standards. "In the post-quantum era, it's not just our personal lives that are being disrupted. Our U.S. national security and government agency data could also be exposed and exploited."
Next, the bill needs to be passed by the Senate and signed by the U.S. president before it can become law. Once the legislation is completed, the sponsors said, the government will have the ability to crack down on people and cybercriminals who use emerging quantum computing tactics for nefarious purposes.
Another sponsor, Republican Rep. Nancy Mace, emphasized the transformative potential of quantum computing and its ability to "propel our civilization forward" and "upend our traditional understanding of computing. But she also stressed the need for appropriate protections in the bill to prevent innovation from inviting bold action on the part of hackers.
The bill would require the OMB director to submit a report to Congress within a year laying out a strategy to protect the federal government's data from threats posed by quantum computers capable of breaking some forms of classical encryption. It would also require an estimate of how much government funding would be needed to drive the shift and an analysis of ongoing efforts to coordinate with international standards bodies to ensure widespread adoption of the new algorithms chosen by NIST. After that, OMB will be responsible for submitting an annual report to Congress on the status of the transition, which is expected to continue for several years over the next decade.
Practical quantum computers may take 10 years or more to implement, but most organizations will need to switch to new encryption algorithms before that date to ensure smooth interoperability with agency systems and to prevent the possibility of foreign governments suddenly accessing encrypted federal data now and then cracking it in the future.
Rep. Carolyn Maloney, D-N.Y., who did not sponsor the bill, said on the House floor, "The federal government must prepare now for this inevitability, and we still have time to protect data that is critical to our national and economic security. The process of migrating all federal IT systems to post-quantum encryption will be complex and expensive, but taking the right steps now will help us stay at the forefront of this field."
Two months before the bill was passed, the Biden administration had issued a national security memo directing agencies to prioritize systems and plan to replace older encryption technologies on a large scale once NIST completes development of the new standard.
Article 1 Short title
This Act may be cited as the "Quantum Computing Cybersecurity Prevention Act".
Section 2 Findings, Opinion of Congress
a. Findings. Congress finds the following.
(1) Cryptography is critical to our national security and economic operations.
(2) that the most prevalent cryptographic protocols today rely on the computational limits of classical computers to provide cybersecurity.
(3) that quantum computers may one day have the ability to push the boundaries of computing, allowing us to solve hitherto intractable problems such as integer decomposition, which is important for encryption.
(4) The rapid advances in quantum computing suggest that it is possible for an adversary to use a classical computer to steal sensitive encrypted data today and wait for a sufficiently powerful quantum system to decrypt it.
b. Congressional Opinion. The views of Congress are.
(1) The need for a strategy for migrating the federal government's information technology systems to post-quantum cryptography.
(2) that the government's and industry-wide approach to post-quantum cryptography should prioritize the development of easily updatable applications, hardware intellectual property, and software to support the flexibility of cryptography.
Article 3 Migration to post-quantum ciphers
a. Migration and Evaluation.
(1) Migration to post-quantum cryptography. Within 1 year of the NIST Director's issuance of the post-quantum cryptography standard, the OMB Director, in consultation with the CIO Council, shall begin to prioritize migration to post-quantum cryptography and assess the information technology systems of administrative agencies that do not use post-quantum cryptography, including digital signatures.
(2) Designate systems to be used for monitoring. Within one year of the development of the post-quantum password standard by NIST and on an ongoing basis, the Director of OMB, in consultation with the CIO Committee, shall designate and prioritize the migration to post-quantum password systems for information technology systems at administrative agencies based on the risk of systems not using post-quantum passwords.
b. Report on Post-Quantum Ciphers. Not later than 1 year after the date of enactment of this section, the Director of OMB shall submit to Congress a report on
(1) A strategy to address the risk of weakened encryption in information technology systems of executive agencies due to the potential, and possibly the ability, of quantum computers to break such encryption.
(2) The funding necessary to ensure that these information technology systems are protected from the threat of adversary access to quantum computers.
(3) A description and analysis of ongoing coordination efforts with international standard-setting organizations and consortia, such as the International Organization for Standardization, including any framework and timeline for the development of post-quantum cryptographic standards. This includes any federal information processing standards developed under the U.S. Code section.
c. Report on the migration of information technology systems to post-quantum ciphers. Within 1 year after the NIST Director issues a post-quantum cryptography standard, and annually thereafter until 9 years after the standard is issued, the OMB Director shall submit a report to Congress.
d. Definition of Terms. For the purposes of this section.
(1) Classical computer. The term "classical computer" means a device that accepts digital data and processes the data according to a program or sequence of instructions, and encodes the information as binary bits, which may be 0 or 1.
(2) NIST Director. The term "NIST Director" means the Director of the National Institute of Standards and Technology (NIST).
(3) OMB Director. "Director of OMB" means the Director of the Office of Management and Budget.
(4) Administrative Agency. The term "administrative agency" has the meaning given to the term "administrative agency" in 5 U.S.C. § 105.
(5) Information Technology. "Information technology" has the meaning given that term in 40 U.S.C. § 11101.
(6) Post-Quantum Cipher (PQC). "Post-Quantum Cryptography" means a cryptographic system that is secure against decryption attempts using a quantum computer or a classical computer and that is interoperable with existing communication protocols and networks.
(7) Quantum computer. "Quantum computer" means a device for computing that uses quantum mechanics, such as superposition and entanglement, to perform computational operations on data.
(8) Superposition. "Superposition" refers to the ability of a quantum system to exist in two or more states simultaneously.
(9) Entanglement. "Entanglement" is the property that two or more quantum objects in a system can be intrinsically linked so that the measurement of one object determines the possible measurement of another object, regardless of the distance between them.
Reference links:
[1]https://www.congress.gov/bill/117th-congress/house-bill/7535/text
[2]https://executivegov.com/2022/07/bipartisan-quantum-computing-cybersecurity-bill-passes-in-house-awaits-action/
[3]https://www.scmagazine.com/analysis/emerging-technology/house-passes-bill-to-ensure-congress-is-in-the-loop-post-quantum-transition
