In my last column I predicted that quantum would be one of the three most important and disruptive technologies we’d all be facing in 2022, alongside cryptocurrencies and hypersonics.
Sure enough, barely a week has passed and the White House has confirmed that prediction.
On Wednesday President Biden signed a National Security Memorandum “on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” which will have huge implications for quantum technology and quantum security for the United States and for the world.
This document (NSM-8) is the first I’m aware of coming out of the White House national security apparatus that specifically mentions quantum-resistant cryptography in the context of current federal cybersecurity planning. That’s a big victory for the Quantum Alliance Initiative, which has been pushing the quantum security issue for the past four years, and for quantum information science generally.
The document instructs the National Security Agency to release to Chief Information Officers any relevant documents relating to “quantum resistant protocols, and planning for use of quantum resistant cryptography where necessary.”
The key provision is here:
“Within 180 days of the date of this memorandum, agencies shall identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms or CNSA, where appropriate in accordance with section 1(b)(iv)(A) and (B) of this memorandum, and shall report to the National Manager, at a classification level not to exceed TOP SECRET//SI//NOFORN.”
These sections of a memorandum devoted to protecting the federal government from cybersecurity attack are a big score for those of us who’ve been pressing the government to at least adopt a timeline for identifying which agency systems will be vulnerable to a quantum computer attack: which is just about every agency from Treasury and the Pentagon on down.
This has been a major goal we at the Quantum Alliance Initiative at the Hudson Institute have been fighting for since we started in 2018, i.e. getting someone in the American national security apparatus to take the quantum computer threat seriously as a cybersecurity priority.
Still, NSM-8 leaves a huge gap in raising awareness of the need to defend against the quantum threat: namely, the private sector.
Given the fact that the federal government finally admits this is a security threat grave enough to demand action from agencies within the next 180 days, that’s all the more reason why private industry needs to take this threat seriously as we’ve been urging in these columns, without waiting for the slow-moving bureaucratic machinery of Washington to put together a plan to protect the rest of us.
That means the private sector, especially our biggest companies and our highly vulnerable financial sector, needs to make plans to take on the quantum threat at least as systematically as the federal government now does, and to be ready well before 2030, when the threat of large-scale quantum computers starts to become real.
But there’s more that NSM-8 doesn’t explain.
The first is that there are right now safe ways to protect data and networks not only from future quantum intrusion but also from existing cyber attackers and hackers, using quantum resistant cryptography that private companies in the United States and Canada have developed and deployed. There’s no reason to wait until the NSA or the National Institute of Standards and Technology (NIST) make their final selection of quantum-resistant algorithms, and federal agencies finally respond.
In addition, there are companies here in the U.S. and other countries that are already providing customers with quantum-based cryptographic solutions such as quantum key distribution (QKD) for protecting vital communications and links, which are particularly appropriate for certain systems, e.g. industrial systems like SCADA and the power grid—and again which protect users from current cyber threats as well as future quantum threats.
Finally, getting us quantum-ready and quantum-secure needs to be an international effort, involving partners in Europe, Asia, and the Middle East to develop and deploy quantum-safe solutions. Otherwise, what we’ll discover well before 2030 is that a single U.S. ally whose government or corporations aren’t ready to face a quantum computer attack puts us all at risk—a risk that borders on the catastrophic.
All the same, NSM-8 is a landmark document and the Biden administration deserves praise for releasing it. Consider it a long-awaited wake-up call for understanding how important quantum technology is going to be for our country, and for the world. Our major quantum computer companies, like IBM and Google and Microsoft, now also need to embrace the importance of quantum readiness, since their future is as much at stake as that of the rest of us.
We all have to make sure that quantum information science, including computing and networking, is able to advance without causing major disruptions in our national security, our lives, or the prospects of freedom around the world.