U.S. White House releases ambitious agenda to mitigate the risks of quantum computing

Since at least the early 1990s, computer scientists have warned that quantum computing, despite its potential to provide exponentially more powerful computing capabilities, can break traditional encryption methods and expose digital assets to prying eyes and malicious actors. As the era of quantum computing comes into view, the Biden administration announced it is taking steps to advance the field of quantum computing while mitigating the risks quantum computers pose to national and economic security.

Last week the White House issued two directives on quantum information science (QIS). The first is an executive order (EO) to “ensure continued American leadership in quantum information science and its technology applications.”

The second is a national security memorandum that spells out “key steps needed to maintain the nation’s competitive advantage in quantum information science (QIS) while mitigating the risks of quantum computers to the nation’s cyber, economic, and national security.” The EO and the memo represent a “third line” of effort beyond the administration’s already existing efforts to modernize cybersecurity efforts and improve American competitiveness, an administration official said.

Enhancing the National Quantum Initiative Advisory Committee

The first directive, the executive order, seeks to advance QIS by placing the National Quantum Initiative Advisory Committee, the federal government’s main independent expert advisory body for quantum information science and technology, under the authority of the White House. The National Quantum Initiative, established by a law known as the NQI Act, encompasses activities by executive departments and agencies (agencies) with membership on either the National Science and Technology Council (NSTC) Subcommittee on Quantum Information Science (SCQIS) or the NSTC Subcommittee on Economic and Security Implications of Quantum Science (ESIX).”

Under the new executive order, the NQI Advisory Committee, consisting of up to 26 members, will advise the president, the SCQIS, and the ESIX on the NQI Program. The committee will have two co-chairs and meet twice a year. The White House plans to announce the members of the committee over the coming weeks.

Promoting U.S. quantum computing leadership and mitigating risk

The national security memorandum (NSM) plans to tackle the risks posed to encryption by quantum computing. It establishes a national policy to promote U.S. leadership in quantum computing and initiates collaboration among the federal government, industry, and academia as the nation begins migrating to new quantum-resistant cryptographic standards developed by the National Institute of Standards and Technology (NIST). The NSA is also separately developing technical standards for quantum‑resistant cryptography. The first sets of these standards are expected to be released publicly by 2024. 

The NSM provides a detailed roadmap for agencies to inventory their IT systems for quantum-vulnerable cryptography and sets requirements to establish and meet specific milestones for cryptographic migration, including the following list of deadlines:

• By August 2, 2022, agencies that fund research in, develop, or acquire quantum computers must coordinate with the director of the Office of Science and Technology Policy “to ensure a coherent national strategy for QIS promotion and technology protection, including for workforce issues.”
• By August 2, 2022, the director of NIST must establish a “Migration to Post-Quantum Cryptography Project” at the National Cybersecurity Center of Excellence to “work with the private sector to address cybersecurity challenges posed by the transition to quantum-resistant cryptography.”
• By October 31, 2022, and annually after that, the secretary of Homeland Security, through the director of the Cybersecurity and Infrastructure Security Agency (CISA), and in coordination with sector risk management agencies, must engage with critical infrastructure and state, local, tribal and territorial (SLTT) partners regarding the risks posed by quantum computers. The head of Homeland Security must also provide an annual report to the director of OMB, the APNSA assistant to the president for national security affairs (APNSA), and the national cyber director that includes recommendations for accelerating those entities’ migration to quantum-resistant cryptography.
• By October 31, 2022, and on an ongoing basis after that, the director of OMB, in consultation with the director of CISA, the director of NIST, the national cyber director, and the director of NSA, must establish requirements for inventorying all currently deployed cryptographic systems, excluding national security systems (NSS). These requirements must include “a list of key information technology (IT) assets to prioritize, interim benchmarks, and a common (and preferably automated) assessment process for evaluating progress on quantum-resistant cryptographic migration in IT systems.”
• By May 4, 2023, and on an annual basis after that, the heads of all Federal Civilian Executive Branch (FCEB) agencies must deliver to the director of CISA and the national cyber director an inventory of their IT systems that remain vulnerable to CRQCs, with a particular focus on high-value assets and high-impact systems
• By October 18, 2023, and on an annual basis after that, the national cyber director, based on the vulnerable inventories and in coordination with the director of CISA and the director of NIST, must deliver a status report to the APNSA and the director of OMB on progress made by FCEB agencies on their migration of non-NSS IT systems to quantum-resistant cryptography.
• Within 90 days of the release of the first set of NIST standards for quantum-resistant cryptography, and on an annual basis after that, as needed, the secretary of commerce, through the director of NIST, must release a proposed timeline for the deprecation of quantum-vulnerable cryptography in standards. The timeline aims to move the maximum number of systems off quantum-vulnerable cryptography within a decade of publishing the initial set of standards.
• Within one year of the release of the NIST standards, the director of OMB, in coordination with the director of CISA and the director of NIST, must issue a policy memorandum requiring FCEB agencies to develop a plan to upgrade their non-NSS IT systems to quantum-resistant cryptography.
• By May 4, 2023, and annually after that, the director of NSA, serving as the national manager, in consultation with the secretary of defense and the director of national intelligence, must provide guidance on quantum-resistant cryptography migration, implementation, and implementation, and oversight for NSS. 
• By May 4, 2023, and on an ongoing basis, the heads of agencies operating NSS must identify and document all instances where quantum-vulnerable cryptography is used by NSS and must provide this information to the national manager.
• By October 31, 2023, and annually after that, the NSA must release an official timeline for depreciating vulnerable cryptography in NSS until the migration to quantum-resistant cryptography is completed.
• Within one year of the NSA releasing its quantum-resistant cryptography and annually after that, the heads of agencies operating or maintaining NSS must submit to the national manager and, as appropriate, the Department of Defense CIO or the Intelligence Community CIO, depending on their respective jurisdictions, an initial plan to transition to quantum-resistant cryptography in all NSS.
• By December 31, 2023, agencies maintaining NSS must implement symmetric-key protections (such as High Assurance Internet Protocol Encryptor (HAIPE) exclusion keys or VPN symmetric key solutions) to provide additional protection for quantum-vulnerable key exchange.
• By December 31, 2023, the secretary of defense shall deliver to the APNSA and the director of OMB an assessment of the risks of quantum computing to the defense industrial base and defense supply chains, along with a plan to engage with crucial commercial entities to upgrade their IT systems to achieve quantum resistance.

Protecting U.S. quantum computing IP

The NSM also spells out provisions to secure U.S. intellectual property on quantum computing. It notes that some protective mechanisms may include “counterintelligence measures, well-targeted export controls, and campaigns to educate industry and academia on the threat of cybercrime and IP theft.”

It encourages agencies to “understand the security implications of adversarial use and consider those security implications when implementing new policies, programs, and projects.” Consistent with this goal, the memo says that by December 31, 2022, the heads of agencies that fund research in, develop, or acquire quantum computers or related QIS technologies must develop comprehensive technology protection plans to safeguard QIS R&D, acquisition, and user access.