The Biden Administration formally unveiled its National Cybersecurity Strategy for the U.S., which broadly calls for tougher cybersecurity standards and regulations for government and commercial firms to follow, and also sets a course for adoption of post-quantum cryptography and related measures by government and commercial firms.
The strategy replaces the 2018 National Cyber Strategy, and builds on policies and goals that grew out of that document and the 2008 Comprehensive National Cybersecurity Initiative. It also follows a number of memoranda and missives that have been issued by the Biden White House over the last two years that highlighted the quantum threat and post-quantum solutions, as well as Congress’ passage of the Quantum Computing Cybersecurity Preparedness Act, which President Biden signed into law last December.
After those earlier statements and actions, the new National Cybersecurity Strategy issued this week contains relatively little detail about quantum, with only a short section titled, “Prepare for Our Post-Quantum Future,” among the numerous objective laid out in the strategy (Objective 4.3 on page 25 of the full document).
The strategy document states, “We must prioritize and accelerate investments in widespread replacement of hardware, software, and services that can be easily compromised by quantum computers so that information is protected against future attacks. To balance the promotion and advancement of quantum computing against threats posed to digital systems, NSM 10, ‘Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,’ establishes a process for the timely transition of the country’s cryptographic systems to interoperable quantum-resistant cryptography. The Federal
Government will prioritize the transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments and develop complementary mitigation strategies to provide cryptographic agility in the face of unknown future risks. The private sector should follow the government’s model in preparing its own networks and systems for our post-quantum future.”
Several quantum technology companies offered reaction to the new strategy document, with Quantinuum among the first to contact IQT via email. The company’s statement, attributed to Kaniah Konkoly-Thege, Chief Legal Officer, SVP Government Relations, Chief Compliance Officer, Quantinuum, read in part:
“…The 2023 Cybersecurity Strategy makes clear that the Biden Administration will work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail, stating ‘we must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.’ The new landscape of quantum-related announcements and requirements from the federal government also creates urgency for many vendors and government contractors because those who are non-compliant will be named in reports and likely suffer reputational and economic consequences… While the guidance does not go in-depth regarding steps to prepare for a post-quantum future, it is best practice to assess current cryptographic systems, inventory data, experiment with NIST’s post-quantum algorithms and develop plans to protect data, especially sensitive data (i.e., medical, financial, or personal data), by transitioning to these post-quantum (PQC) algorithms…”
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.