The threat of quantum computing is real; we must now take action

Cybersecurity is a major national security concern for the United States. Currently, adversaries are conducting "store now, decrypt later" (SNDL) attacks against the United States, in which they are exfiltrating and storing sensitive encrypted data critical to national security, critical infrastructure, corporate enterprises, and others. The plan is to decrypt this stolen information once quantum computers are capable of doing so.


The public-key encryption algorithms that have kept our stored data, communications, financial transactions, networks, government secrets, intellectual property, and other assets safe for nearly 50 years will no longer work at that point, and the sensitive information they have been protecting will be made public. Encrypted data that has already been stolen is no longer secure. The threat is immediate.

It is critical that US government agencies and private-sector corporations begin migrating vulnerable cybersecurity protocols to post-quantum cryptography (PQC) as soon as possible. PQC could protect sensitive government and critical industry data from cyber-attacks.

The government has taken proactive measures to combat this national security threat. President Biden recently issued an executive order as well as two national security memorandums (NSM-8 and NSM-10) directing the United States to accelerate its quantum computing initiatives, including quantum-resistant cybersecurity. To that end, the House of Representatives passed the Quantum Computing Cybersecurity Preparedness Act (H.R.7535) on July 12, and the bill now awaits Senate consideration. Industry is ready to assist the United States government following Senate approval and implementation.

This is a big step in the right direction, but the proposed law doesn't do enough to deal with the current threat that SNDL attacks pose to important government, military, and infrastructure systems that use public key cryptography. Much of the encrypted data will remain classified for decades. There is nothing that can be done once this data has been exfiltrated to keep it from being exploited by adversaries. PQC protocols can protect against SNDL attacks, but the transition to PQC will take time, so we must start now.

The National Institute of Standards and Technology (NIST) has released the first four of their planned PQC algorithms, and major global banks, telecoms, healthcare providers, and other enterprises have already begun the transition to PQC. Due to the complexity of federal IT networks, the PQC vulnerability assessment process will take several months to finish.

While waiting for legislation to be approved, the Office of Management and Budget, which assists the president in meeting policy, budget, management, and regulatory requirements, could make funding available now to allow the federal government to begin assessing current cryptographic uses and developing migration strategies. And, in order to be ready when standards are established and funding is available, agencies and organizations must take the necessary first foundational steps of this transition, specifically inventorying their networks to understand what they have and conducting a risk-based assessment of their protection priorities.

As former defense and intelligence officers, we can attest to what is at stake as the world enters the quantum era. Current SNDL attacks pose an existential threat to our government, military, and commercial enterprises, as well as to our citizens' prosperity, privacy, and safety.

Washington should work hard to establish itself as the dominant power in the quantum information sciences. This includes starting the PQC enterprise migration process right away. We cannot afford to be late. 

Susan M. Gordon, a renowned expert on strategy, innovation, and leadership, and a former senior intelligence official, is a former deputy director of national intelligence. Gordon provides technology, space, cyber, and global security advice. From 2017 to 2019, Gordon served as the Principal Deputy Director of National Intelligence, the second highest ranking officer in the United States intelligence community. She sits on the boards of CACI International, E3/Sentinel, Pallas Advisors, Primer.AI, and the Draper Richards Kaplan Foundation, among others. Gordon is also an advisor to SandboxAQ.

Admiral John Richardson retired from the United States Navy after 37 years of service as the Chief of Naval Operations (CNO), the Navy's highest ranking officer. Since his retirement, he has served on the boards of several major corporations and has worked in the field of leadership development. Richardson served in the submarine force while in the Navy. In Pearl Harbor, Hawaii, he commanded the attack submarine USS HONOLULU, for which he received the Vice Admiral James Bond Stockdale Inspirational Leadership Award. Richardson is also an advisor to SandboxAQ.

Mike Rogers left the United States Navy in 2018 after nearly 37 years of service, rising to the rank of four-star admiral. He ended his career as Commander of the United States Cyber Command and Director of the National Security Agency for four years. In those roles, he collaborated with the leadership of the United States government, the Department of Defense, and the United States Intelligence Community, as well as their international counterparts, in the conduct of cyber and intelligence activity around the world. Admiral Rogers is currently assisting private-sector companies by serving on various boards or as a senior advisor. Rogers is also an advisor to SandboxAQ.
