There’s an arms race underway to develop the next generation of computers—known as “quantum” computers—and there’s no guarantee that the United States is going to win.
It’s a positive sign that Congress is taking initial steps on legislation to accelerate development of this technology. The House and Senate are poised to consider the National Quantum Initiative Act (S.3143, H.R. 6227), which would establish a federal program to accelerate quantum-computing research for economic and national security and create a 10-year pilot program to advance quantum development. The bills await floor votes in both chambers.
Yet the proposed legislation contains a serious oversight. It focuses exclusively on developing quantum computers themselves but ignores the national-security risks they will cause. The proposal is all offense, no defense, and our national quantum strategy needs to take defense very seriously.
Here’s why: Quantum computers are expected to be the most powerful codebreaking tools ever developed. It’s highly probable that quantum computers will be able to break even the strongest encryption algorithms and systems currently in use to protect data in areas as varied as consumer finance, corporate intellectual property, top secret government archives and Pentagon military plans. If we don’t address this risk—and plan now to protect our most secure assets—the U.S. will become vulnerable to exactly the kind of new tools we are racing to build.
If quantum computers can be built at a large enough scale, they will change the underlying assumptions about how computing works and how computers perform math. Digital computers are based on transistors that require data to be encoded into binary states—either a 1 or a 0. Quantum computers, however, use “qubits” that can exist in several states at once, which makes it possible for them to work on multiple calculations at the same time. What a traditional single-core classical computer might take 10,000 years to calculate, a quantum computer can process in mere seconds. As soon as quantum computing is viable, our most secure codes could start failing overnight.
Any technological advantage in using quantum computers to access adversarial encrypted data would significantly improve the United States’ intelligence capabilities versus its cyber adversaries. But the same works in reverse: When our adversaries build quantum computers, they’ll be able to crack our codes. Given the strategic and national security implications, many nation states, including China, Iran and Russia, are actively researching quantum capabilities. It is safe to assume these nations will use this technology to read protected data throughout the public and private sectors. As a result, even though quantum computers are years away from being viable, the problem is more urgent than many people realize. Encrypted data can be collected now, before quantum cryptanalysis capabilities exist, and then decoded later once the technology comes of age.
The good news is there are U.S. efforts underway today to develop quantum-resistant algorithms. The National Institute of Standards and Technology has a program in place that aims to evaluate and select quantum-resistant public-key cryptographic algorithms with the goal of developing cryptographic systems that are secure against both quantum and classical computers. The selected algorithms must work with existing communications protocols and networks to be useful and effective. This process will take many years to complete.
We shouldn’t wait until quantum-resistant algorithms are selected and approved to begin the process of planning for their deployment. We need to refine our policy response now and begin to triage our systems to determine where we need to focus first to protect our critical systems from quantum vulnerabilities.
There are several things we should start doing now:
First, Congress should pass legislation addressing cybersecurity risks by calling them out and pushing the executive branch to act. The legislative process can be lengthy, so we need to start working soon. If more funding is needed to accelerate the development and selection of quantum-resistant algorithms, then more should be appropriated by Congress to ensure that NIST has all the resources it needs.
Second, NIST should be directed to establish an effort, parallel to their existing post-quantum cryptography algorithm project, to plan for deployment. The problem is that retooling our networks and data protection systems will take time—not only to develop the technology, but also to roll it out throughout the nation’s computers and networks. Being the first nation to define quantum-resistant algorithms won’t protect critical encrypted data if we can’t implement them quickly in products, protocols and throughout critical systems. It would help if the Department of Homeland Security put this issue on the top of its cybersecurity agenda. The Office of Management and Budget should also issue a directive to NIST, in the form of an action memo, underscoring the importance of acting now and redirecting whatever funds in the budget are needed to ensure success.
Third, the private sector must help solve the quantum security challenge. Industry is doing what it is good at—creating new technologies and building new markets. But that is not enough. The quantum computing and cybersecurity market leaders have an obligation to work with NIST to develop and bring to market quantum-resistant algorithms to protect the integrity and safety of the internet. Only a combination of the best minds from both the public and private sectors can address this historic encryption challenge. Additionally, internet service providers, the security industry, network operators and infrastructure owners need to evaluate their own needs to replace the existing quantum-unsafe cryptographic algorithms with the new quantum-resistant versions. Waiting until we have the selected algorithms in hand will be too late.
There are really three separate races the U.S. must win. First is the effort to develop viable quantum computing technology, second is the ability to develop and select quantum-resistant public-key cryptographic algorithms, and third is to achieve rapid and thorough deployment of quantum-resistant encryption and key management throughout the United States’ digital infrastructure.
The U.S. must lead in quantum computing, but that’s not enough. Every day that we continue using quantum-unsafe algorithms is another day our adversaries can collect critical data for later decryption, analysis and use. We must invest not only in being the first nation to operationalize quantum computing and the first to develop quantum-resistant algorithms, but also the first to successfully deploy the selected quantum-resistant public-key cryptographic algorithms throughout our nation’s communications infrastructure. Without winning all three races, we endanger national security and even American lives.