US Lacks Clear Strategy to Counter Quantum Cyber Threats Says Government Accountability Office.

The future of cybersecurity hangs in the balance as experts predict that a quantum computer capable of breaking current cryptography may exist within 10-20 years, putting sensitive data and systems at risk. Federal agencies, banks, utilities, and others rely on cryptography to secure their systems, but a cryptographically relevant quantum computer (CRQC) could render these measures useless.

To address this threat, various federal entities have developed documents that inform a national strategy for mitigating the risks posed by CRQCs. However, the plan lacks details and leadership, with no organization responsible for coordinating efforts. The Government Accountability Office recommends that the National Cyber Director take the lead on coordinating the national quantum computing cybersecurity strategy and ensure that it fully addresses the desirable characteristics of a national strategy.

The Future of Cybersecurity: Addressing the Quantum Threat

The advent of quantum computers poses a significant threat to the security of sensitive data and systems, as they can potentially break particular cryptography used to protect them. This article explores the current state of the US national strategy for addressing this threat and identifies key areas that require improvement.

The Importance of Cryptography in Securing Systems and Data

Cryptography is a set of mathematical processes that enable the secure transmission and storage of data. It involves using algorithms to “lock,” “unlock,” or authenticate information, thereby protecting it from unauthorized access. Federal agencies, banks, utilities, and other organizations rely heavily on cryptography to secure their systems and data. However, the emergence of quantum computers capable of breaking particular cryptography has raised concerns about the long-term security of these systems.

The Threat of Quantum Computers

Experts predict that a quantum computer capable of breaking particular cryptography, a cryptographically relevant quantum computer (CRQC), may be developed within the next 10-20 years. This poses a significant threat to sensitive data and systems’ security, as it could allow unauthorized access to encrypted information. Quantum computers leverage the properties of qubits (the quantum equivalent of classical computer bits) to solve selected problems significantly faster than classical computers.

The capabilities of a quantum computer pose a significant threat to the US’s cryptography. Specifically, they pose a threat to the confidentiality, integrity, and availability of systems and data that rely on cryptography for protection.

For example:

• Confidentiality. An adversary could use a quantum computer to break cryptographic methods and gain access to sensitive government information stored or communicated on a federal agency system (e.g., tax records, emails of senior department and agency leadership).
• Integrity. An adversary could target cryptographic methods that authenticate the source of information or data, allowing them to create and distribute fake communications that appear legitimate (e.g., a fake email from the head of a department or agency with a legitimate digital signature).
• Availability. An adversary could use a quantum computer to target critical infrastructure and disrupt the availability of important systems that provide essential services (e.g., electricity, water and wastewater, healthcare).

The Emerging US National Strategy for Addressing the Quantum Threat

Various federal entities have developed documents that contribute to an emerging US national strategy for addressing the quantum threat. This strategy has three central goals: (1) understanding and mitigating the risks associated with CRQCs, (2) developing and deploying post-quantum cryptography standards, and (3) ensuring the resilience of critical infrastructure and federal systems.

While these documents partially address the desirable characteristics of a national strategy, they lack details and do not fully define a CRQC. Additionally, there is no single federal organization responsible for coordinating the strategy, which has hindered its development and implementation.

The Need for Leadership and Coordination

The Office of the National Cyber Director is well-positioned to lead the efforts to develop and implement a comprehensive national strategy for addressing the quantum threat. However, it lacks clear objectives, activities, milestones, and performance measures for achieving the three central goals. To address this, the National Cyber Director should take the lead on coordinating the national quantum computing cybersecurity strategy and ensure that the strategy’s various documents address all the desirable characteristics of a national strategy.

Conclusion

The development of a comprehensive national strategy for addressing the quantum threat is critical. This is essential for ensuring the long-term security of sensitive data and systems. While progress has been made, there is still much work to be done to fully define and implement a strategy that addresses the desirable characteristics of a national strategy.

The Office of the National Cyber Director must take a leadership role in coordinating these efforts and ensuring that the nation has a well-defined roadmap for allocating resources and holding participants accountable.