Just before Christmas, President Biden signed the Quantum Computing Cybersecurity Preparedness Act. It more or less codifies his administration's existing effort to analyze and inventory the federal information technology (IT) systems that will become vulnerable to quantum computers. That is an essential first step, but only a first step. Migrating the entire federal IT estate to new cryptography is no easy task; the implementation problems have to be worked out now, and federal officials should take the lead and be willing to share what they learn.
For the uninitiated, quantum computing is a still-immature technology with many potential advantages. But one of its unique abilities, efficiently solving mathematical problems (integer factoring and discrete logarithms) that would take classical computers an impractical amount of time, threatens to break the public-key cryptography that secures most of today's computer communications. Current quantum computers are nowhere near powerful enough to pose that threat, but a sufficiently large future machine could turn it into a security nightmare, and because encrypted traffic can be recorded today and decrypted later, data with a long shelf life is already at risk. Most private communications, financial transactions, and other security-sensitive applications depend on this cryptography. Thankfully, we have a solution.
In July, the US National Institute of Standards and Technology (NIST) announced the first algorithms selected for its post-quantum cryptography standard (CRYSTALS-Kyber for key establishment; CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures), with the formal standards still to be finalized. The new law's mandate is that the government prepare to implement them: armed with these tools, federal officials are tasked with analyzing when, where, and how NIST's algorithms will be deployed.
What is lacking in both the law and the administration's memos is a sense of opportunity. Today's legislation targets federal IT, but ultimately the private sector must follow suit, and with so many unknowns the private sector needs all the help it can get.
To that end, federal efforts are under way to gather best practices from the private sector. But these rest solely on feedback from industry insiders, not on actual experience. Their input is valuable, but these stakeholders have not yet gone through a migration themselves, so their recommendations are, at best, educated speculation.
As a former IT project manager, I have learned that IT migrations are plagued by the unexpected. Only by actually running one can you know for certain what will break, what will be affected, and what challenges you will face.
Instead of continuing to speculate, we should recognize the government's transition for what it is: a great opportunity to learn by doing.
Federal spending today amounts to roughly a quarter of the economy, which suggests that a substantial share of the nation's IT systems are now preparing for, and will eventually move to, post-quantum cryptography. A sample that large can by itself yield many lessons for the private sector.
More importantly, this sample is not just large but remarkably diverse. In its 2021 white paper on the quantum transition, NIST noted that perhaps the biggest challenge is adapting the algorithms to the bespoke needs of each application and industry. The diversity of federal IT helps expose those industry-specific challenges. Lessons from the US Agency for Global Media can be shared with broadcasters using similar technology. Migrating USDA inspectors' equipment can inform the migration of the many private operators that use similar equipment in the field. The service academies can support private universities. Veterans Affairs hospitals can inform private health care providers. The list goes on.
Government must therefore embrace its role as the guinea pig for quantum security. To maximize the lessons learned, the administration should explicitly promote a laboratory approach: as agencies begin the process, they should compare results, report challenges, and encourage trials of different practices and solutions. Only through variation can you learn what works.
Careful documentation is critical to success. First, agencies should document general implementation practices: how systems were evaluated, how problems were resolved, how users were educated, and other details of the plan. Second, they must capture technology-specific challenges, tracking which systems are affected, which have difficulty adapting to the change, and what performance issues the change causes. Finally, when the time comes to actually update a system, agencies should record which approaches to code and system design made the update easier. Not all methodologies are created equal, and agencies should recommend the most effective ones.
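The inventory-and-tracking step above is where the migration actually starts, so here is an added example of how a practitioner might triage such an inventory. This is illustrative code written for this page, not code from the article or from any federal program: the inventory records are constructed, the algorithm-family labels are assumed, and the "years until a cryptographically relevant quantum computer" figure is an assumption the caller supplies. It applies two standard rules: Shor's algorithm breaks RSA, DH and elliptic-curve schemes outright while Grover's algorithm merely halves symmetric and hash strength, and Mosca's inequality (data shelf life plus migration time greater than time to a capable quantum computer) marks which systems are urgent because their traffic can be recorded now and decrypted later.

```python
"""
Triage of a cryptographic inventory for post-quantum migration planning.

Added example, not from the article or any federal program. Inventory
records below are constructed; years_to_crqc is an assumption.
"""
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    BROKEN = "public-key scheme broken by Shor; replace"
    WEAKENED = "symmetric/hash strength halved by Grover; enlarge"
    SAFE = "no known quantum speedup beyond Grover's bound"


# Algorithm families as labelled in the constructed inventory (assumed labels).
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
GROVER_AFFECTED = {"AES", "ChaCha20", "SHA-256", "SHA-384", "SHA3-256"}
POST_QUANTUM = {"CRYSTALS-Kyber", "CRYSTALS-Dilithium", "FALCON", "SPHINCS+"}

POST_QUANTUM_SECURITY_FLOOR_BITS = 128  # target strength after Grover halving


@dataclass(frozen=True)
class Record:
    system: str
    algorithm: str
    bits: int                 # key size, or output size for hashes
    shelf_life_years: float   # how long the protected data must stay secret
    migration_years: float    # estimated time to migrate this system


def classify(algorithm: str, bits: int) -> Risk:
    """Map an algorithm family and size to its post-quantum risk class."""
    if algorithm in SHOR_BROKEN:
        return Risk.BROKEN      # key size does not help against Shor
    if algorithm in GROVER_AFFECTED:
        # Grover: effective security is roughly bits / 2
        if bits // 2 >= POST_QUANTUM_SECURITY_FLOOR_BITS:
            return Risk.SAFE
        return Risk.WEAKENED
    if algorithm in POST_QUANTUM:
        return Risk.SAFE
    raise ValueError(f"unknown algorithm family {algorithm!r}; extend the tables")


def mosca_margin(rec: Record, years_to_crqc: float) -> float:
    """Mosca's inequality X + Y - Z: positive means the data outlives its protection."""
    return rec.shelf_life_years + rec.migration_years - years_to_crqc


def triage(inventory: list, years_to_crqc: float) -> list:
    """Annotate and order the inventory: broken first, then weakened, then safe;
    within a class, the largest Mosca margin (most exposed data) first."""
    order = {Risk.BROKEN: 0, Risk.WEAKENED: 1, Risk.SAFE: 2}
    rows = []
    for rec in inventory:
        risk = classify(rec.algorithm, rec.bits)
        margin = mosca_margin(rec, years_to_crqc)
        rows.append({
            "system": rec.system,
            "risk": risk.name,
            "urgent": risk is not Risk.SAFE and margin > 0,
            "margin_years": margin,
        })
    rows.sort(key=lambda r: (order[Risk[r["risk"]]], -r["margin_years"]))
    return rows


# Constructed inventory; the systems are invented for illustration only.
SAMPLE_INVENTORY = [
    Record("patient-records TLS front end", "RSA", 2048, 25, 3),
    Record("field-inspector VPN", "ECDH", 256, 2, 2),
    Record("broadcast archive at rest", "AES", 128, 30, 1),
    Record("backup encryption at rest", "AES", 256, 30, 1),
    Record("firmware signing pilot", "CRYSTALS-Dilithium", 0, 10, 0.5),
]

if __name__ == "__main__":
    # Assumed planning horizon: a capable quantum computer in 10 years.
    for row in triage(SAMPLE_INVENTORY, years_to_crqc=10):
        flag = "URGENT" if row["urgent"] else "      "
        print(f'{flag} {row["risk"]:8} margin={row["margin_years"]:+5.1f}y  {row["system"]}')
```

Run as a script it prints the ordered list; with a 10-year horizon the RSA front end and the AES-128 archive come out as urgent, while the short-lived VPN keys are broken but not urgent and the AES-256 and Dilithium systems need no change. The point of keeping shelf life and migration time as explicit fields is that the same inventory can be re-triaged as the quantum timeline estimate changes, which is exactly the kind of record the documentation step above asks agencies to keep.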
Naturally, none of this will work without coordination. Following the model of the National Infrastructure Protection Plan (the federal plan for managing cyber and other risks to critical infrastructure), the Cybersecurity and Infrastructure Security Agency should designate a quantum transition management agency for each affected sector. Each such agency would compile reports and best practices with its sector's needs in mind. This division of labor spreads the administrative burden while baking each industry's idiosyncrasies into the results.
Judging by both the new legislation and the executive memos, neither Congress nor the Biden administration seems aware of the immense opportunity here. If the federal government accepts the role of quantum security guinea pig, there are myriad lessons to be learned.
Otherwise, the process of mitigating this potential security nightmare may become a nightmare in itself. Let's seize this moment to learn what can be done to ease the often heavy burden of security.
Matthew Mittelsteadt is an engineer and research fellow at the Mercatus Center at George Mason University.