Just before Christmas, President Biden signed the Quantum Computing Cybersecurity Preparedness Act, more or less codifying his administration’s efforts to scan and inventory federal information technology (IT) systems that will soon be vulnerable to quantum computers. This is an essential first step. Transitioning all of federal computing to new cryptographic systems is no easy task, and ironing out implementation issues requires action today. Next, federal officials must take the lead and proactively share what they learn.
For the uninitiated, quantum computing is a yet-to-be-realized technology with many potential benefits. It also threatens to break many of the most common forms of cryptography-based computer security: a sufficiently large quantum computer running Shor's algorithm could solve the integer-factoring and discrete-logarithm problems that today's public-key schemes, such as RSA and elliptic-curve cryptography, depend on, turning math that would take conventional computers eons into a tractable calculation. While today's quantum computers aren't yet powerful enough to pose a threat, future iterations could quickly create a security nightmare. Most private communications, financial transactions, and other security-sensitive applications would be defenseless. Fortunately, we have a solution.
In July, the National Institute of Standards and Technology (NIST) announced its first selection of quantum-resistant cryptographic algorithms. The new legislation's burden is to prepare the government to implement them. Tools in hand, federal officials are now tasked with analyzing when, where and how to use the NIST algorithms.
What’s missing in both the law and the administration memo is a sense of opportunity. While the legislative target today is federal IT, eventually the private sector will have to follow. And with so many unknowns, the private sector needs all the help it can get.
To these ends, federal efforts are underway to compile best practices from the private sector. But these are based solely on feedback from industry stakeholders, not real-world experience. While that input is useful, these stakeholders have yet to go through the process themselves, so their recommendations remain speculation at best.
As a former IT project manager, I learned that IT transitions are rife with the unexpected. Only by doing can you tell with certainty what will break, what will be impacted, and what challenges will be encountered.
Rather than continuing to speculate, we should recognize the transition of government for what it is: a golden opportunity to learn by doing.
Today, the federal government accounts for roughly a quarter of the economy, which suggests that a comparable share of the nation's computing systems will prepare for and eventually transition to quantum-resistant cryptography. On its own, a sample that large could undoubtedly provide many lessons to the private sector.
But above all, this sample is not only vast but incredibly diverse. In a 2021 white paper on the quantum transition, NIST noted that perhaps the biggest challenge will be adapting the new algorithms to the particular needs of each application and industry. The diversity of federal IT can help uncover these industry-specific challenges. The US Agency for Global Media's experience can be shared with broadcasters that use similar technology. The USDA's transition of its inspectors' field equipment could inform many similar service providers. Service academies can inform private colleges. Veterans Administration hospitals can inform private health care. The list goes on.
The government should therefore assume the role of quantum security guinea pig. To maximize lessons learned, agency leadership should specifically promote a laboratory approach. As each agency begins this process, it should be encouraged to test a variety of practices and solutions, comparing results and reporting difficulties. It is only through variation that we can learn what works.
Careful documentation will be critical to success. First, agencies should record general implementation best practices: how they assessed systems, resolved issues, trained users, and otherwise carried out their transition plans. Second, they should note technology-specific challenges, tracking which systems were affected, which had difficulty adapting to the changes, and what performance issues the changes created. Finally, when it comes time to make updates, agencies should note any beneficial approaches to code and system design. Not all methodologies are created equal, and agencies should recommend the ones that work best.
Of course, this process cannot work without coordination. Following the model of the National Infrastructure Protection Plan (the federal government's plan for managing cyber and other risks to critical infrastructure), the Cybersecurity and Infrastructure Security Agency (CISA) should designate a lead agency for the quantum transition in each affected industry. That agency would compile reports and best practices with its industry's needs in mind. This division of labor would spread the administrative burden while building industry specificity into the results.
Judging by both the new legislation and the executive memos, neither Congress nor the Biden administration realizes the vastness of this opportunity. There are countless lessons to be learned if the federal government adopts the role of quantum security guinea pig.
If not, the process of mitigating this potential security nightmare could become a nightmare in itself. Let’s seize this moment, learn what we can, and ease the often heavy security burden.
Matthew Mittelsteadt is a technologist and researcher at the Mercatus Center at George Mason University.