US cybersecurity legislation takes a quantum leap

Cybersecurity has been a core focus of the Biden administration. Motivated by a recognition of the widespread vulnerabilities evident in critical infrastructure, persistent cyber-attacks on government IT systems, and the role “cyber” plays in geo-political conflicts across the globe, significant steps have been taken to strengthen the government’s cybersecurity stance.

In May 2021, Executive Order 14028 laid out the cybersecurity requirements for Federal Information systems. It established that the Federal Government needed to improve its efforts to “identify, deter, protect against, detect and respond to malicious cyber campaigns”, calling for bold action and significant investment in cybersecurity. In January 2022, the administration further signaled its intent with a Memorandum on Improving Cybersecurity that specifically targeted national security, defense and intelligence community systems. The Memorandum set out additional requirements for National Security Systems, beyond those detailed in the previous Order.

The threat posed by the imminent arrival of a quantum computer has influenced much of the administration’s recent efforts. In May 2022, a further National Security Memorandum was issued, promoting US leadership in Quantum Computing whilst mitigating risks to vulnerable cryptographic systems. The Memorandum outlined the administration’s plan to migrate at-risk infrastructure to a quantum-resistant state. Later, in November 2022, a further Memorandum was issued by the Office of Management and Budget, providing direction for government agencies on how to move towards zero-trust architecture. Specifically, it prioritized an inventory of vulnerable cryptographic systems and a roadmap for transitioning to quantum-resilience.

In a rare example of cross-party unity, the Quantum Computing Cybersecurity Preparedness Act, passed by the House in July of last year, received the backing of the full Senate and was signed into law in December 2022.

The Act details four key findings:

  1. Cryptography is essential for national security and the proper functioning of the economy.
  2. Today’s encryption protocols rely on the limits of classical computing to provide security.
  3. Quantum computers pose a viable threat to current encryption security.
  4. The rapid development of quantum computing exposes data to “harvest now, decrypt later” attacks.

The Act goes on to set out timeframes for the inventory of systems that may be vulnerable to decryption by quantum computers and to provide guidance for the migration towards post-quantum cryptography (within 1 year of NIST publishing its standards for PQC). Importantly, the Act comes with funding attached and demands that each agency submit a budget for the proposed migration.

Cryptographic agility

Whilst establishing and implementing the NIST standards will take time, there are things security-conscious organisations can do today. Cryptographic agility is a core principle of Senetas encryption solutions. In 2021 we introduced hybrid encryption – combining the best of today’s classical AES and emerging NIST candidate quantum-resistant (PQC) algorithms.
