Preparing for Y2Q: The Quantum Computing Cybersecurity Preparedness Act and Other Measures to Brace for Q-Day
If you were building a house, you would likely put some thought into securing it, whether through cameras, alarms, or the family’s beloved German Shepherd. But what if I told you that in a matter of years, none of these security measures would be effective?
That’s the case with our computer-stored data right now.
Almost everything that is stored or transmitted on computers is encrypted. Encryption takes a block of readable data and makes it unreadable to everyone but those who hold the cryptographic key capable of decrypting it. This makes it a cornerstone of modern cybersecurity. But today’s encryption methods are now threatened by the development of quantum computers.
While large-scale quantum computers are yet to be fully realized, their development is advancing quickly. Quantum computers, which exploit quantum-mechanical effects to solve certain problems far faster than today's computers can, would be able to break through our current cryptography-based security methods. In this way, they have the potential to be unstoppable lock-pickers. Your German Shepherd doesn't stand a chance.
This would be a grave threat to the confidentiality and integrity of our digital lives. The risk reaches private information, national secrets, healthcare data, financial and banking information, and access to infrastructure such as energy grids, satellite communications, and water supplies. The cybersecurity world has begun to refer to this doomsday event as Q-Day or Y2Q, the latter a reference to the year 2000 scare, when many feared that computers unable to handle the date rollover correctly would bring down global infrastructure.
As a result of this impending threat, the federal government has made post-quantum cybersecurity a focal point of its policy agenda. Among the Biden administration's points of pride in securing America's cybersecurity has been the development of quantum-resistant encryption. Last July, the National Institute of Standards and Technology selected its first batch of quantum-resistant encryption tools. The Department of State issued its own memoranda on improving national cybersecurity, requiring federal agencies to identify any instances of encryption not in compliance with NSA-approved quantum-resistant algorithms. And the Director of the Office of Management and Budget laid out steps for federal agencies to take as they transition to post-quantum cybersecurity.
Just last December, the federal government enacted the Quantum Computing Cybersecurity Preparedness Act (HR 7535). The Act requires federal agencies to adopt quantum-resistant technology. It mandates the migration of data to cryptographic systems, and the use of tools, that are resilient to quantum computer attacks. Underscoring the importance of acting before quantum technology is fully developed, the Act requires these strategies to be developed within six months. It also directs federal agencies to inventory, within 180 days, their current information technology systems that might be vulnerable to quantum decryption.
I commend the federal government in pushing forcefully ahead with its post-quantum cybersecurity efforts, but whether it is doing enough, and fast enough, is difficult to determine.
The arms race to quantum computing is global. China has invested tens of billions of dollars in programs to develop the first industrially accessible quantum computers. Adding to the threat, state-sponsored hackers and cybercrime syndicates are already stealing huge amounts of encrypted data with the intention of decrypting it later, once quantum technology is developed. Whether we'll experience a Y2Q moment of dystopian catastrophe remains unclear, and is the subject of a sci-fi movie ripe for pitching to Hollywood.
The steps that the government is taking now can certainly mitigate whatever damage may be done by minimizing the data up for grabs in “Steal Now, Decrypt Later” schemes, as well as providing for remediation for the data that does get decrypted. This could be as simple as designing programs and websites to require the regular changing of passwords so that a decrypted username and password list won’t necessarily hand over the keys to the kingdom.
What else can be done? I believe it is imperative that any battle plans by the federal government involve (1) an assessment of current cryptography; (2) the installation of quantum-resistant cryptography into an organization's IT infrastructure; and (3) the testing of quantum-resistant, cryptographically agile solutions. These three components should ideally form a cycle of constant evaluation, installation, and testing as computers get more powerful and get closer to quantum sophistication.
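The inventory the Act requires and the first two components above (assessing current cryptography and deciding what to replace first) can be approached mechanically once an organization has a list of where each algorithm is used. The following is an added example, not code from the article or from any agency; it takes a constructed inventory of algorithm uses, classifies each by its exposure to a quantum computer, ranks migration priority using Mosca's rule (if the data's required secrecy lifetime plus the migration time exceeds the time until a capable quantum computer exists, the data is already exposed to "steal now, decrypt later"), and suggests a replacement family. The ten-year horizon echoes the article's "at least a decade"; the five-year migration estimate, the key-size thresholds, the replacement mapping and every system name are this example's own assumptions.

```python
"""Cryptographic inventory triage (added example; not from the article or any agency).

Classifies each algorithm use in an inventory by its exposure to a
cryptographically relevant quantum computer and ranks migration priority.
All thresholds, the replacement mapping and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class QuantumRisk(Enum):
    BROKEN = "public-key scheme broken outright by Shor's algorithm"
    WEAKENED = "security margin reduced by Grover-style search"
    ACCEPTABLE = "no known practical quantum attack at this parameter size"
    UNKNOWN = "algorithm not in the policy table; needs manual review"


# Public-key schemes resting on factoring or discrete logarithms, which Shor's algorithm solves.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# Symmetric ciphers and hashes: quantum search roughly halves the effective key/preimage bits.
SYMMETRIC = {"AES", "CHACHA20"}
HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"}
# The four schemes NIST selected in July 2022 (the article's "first batch").
PQC = {"CRYSTALS-KYBER", "CRYSTALS-DILITHIUM", "FALCON", "SPHINCS+"}

# Assumed policy thresholds (illustrative): 256-bit symmetric keys and 384-bit hash
# output keep roughly a 128-bit margin after the quantum speed-up.
MIN_SYMMETRIC_BITS = 256
MIN_HASH_BITS = 384


@dataclass(frozen=True)
class CryptoUse:
    system: str               # inventory entry, e.g. a service or data store
    algorithm: str
    bits: int                 # key size, or hash output length (0 if not applicable)
    purpose: str              # "key-exchange", "signature", "encryption-at-rest", "hashing"
    data_lifetime_years: int  # how long what it protects must stay confidential


def classify(use: CryptoUse) -> QuantumRisk:
    alg = use.algorithm.upper()
    if alg in SHOR_BROKEN:
        return QuantumRisk.BROKEN
    if alg in PQC:
        return QuantumRisk.ACCEPTABLE
    if alg in SYMMETRIC:
        return QuantumRisk.ACCEPTABLE if use.bits >= MIN_SYMMETRIC_BITS else QuantumRisk.WEAKENED
    if alg in HASHES:
        return QuantumRisk.ACCEPTABLE if use.bits >= MIN_HASH_BITS else QuantumRisk.WEAKENED
    return QuantumRisk.UNKNOWN


def recommend(use: CryptoUse) -> Optional[str]:
    """Suggest a replacement family; this mapping is the example's own, not a standard's."""
    risk = classify(use)
    if risk is QuantumRisk.BROKEN:
        if use.purpose == "key-exchange":
            return "CRYSTALS-Kyber (key encapsulation), hybrid with ECDH during transition"
        if use.purpose == "signature":
            return "CRYSTALS-Dilithium, FALCON or SPHINCS+"
        return "post-quantum scheme appropriate to the purpose"
    if risk is QuantumRisk.WEAKENED:
        return "AES-256" if use.algorithm.upper() in SYMMETRIC else "SHA-384 or SHA-512"
    return None


def priority(use: CryptoUse, quantum_horizon_years: int = 10, migration_years: int = 5) -> str:
    """Mosca's rule: if lifetime + migration time exceeds the time until a capable
    quantum computer, the data is already exposed to steal-now-decrypt-later.
    The 10-year horizon echoes the article; the 5-year migration figure is assumed."""
    risk = classify(use)
    if risk is QuantumRisk.BROKEN:
        exposed = use.data_lifetime_years + migration_years > quantum_horizon_years
        return "urgent" if exposed else "planned"
    if risk is QuantumRisk.WEAKENED:
        return "planned"
    if risk is QuantumRisk.UNKNOWN:
        return "review"  # could be anything; unknown algorithms outrank scheduled work
    return "none"


_ORDER = {"urgent": 0, "review": 1, "planned": 2, "none": 3}


def triage(inventory: List[CryptoUse]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (system, risk, priority, recommendation) rows, most urgent first."""
    rows = [(u.system, classify(u).name, priority(u), recommend(u)) for u in inventory]
    return sorted(rows, key=lambda r: (_ORDER[r[2]], r[0]))


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    CryptoUse("vpn-gateway", "RSA", 2048, "key-exchange", 15),
    CryptoUse("public-web-tls", "X25519", 256, "key-exchange", 1),
    CryptoUse("backup-archive", "AES", 128, "encryption-at-rest", 20),
    CryptoUse("customer-db", "AES", 256, "encryption-at-rest", 20),
    CryptoUse("firmware-signing", "CRYSTALS-Dilithium", 0, "signature", 10),
    CryptoUse("legacy-iot-link", "Blowfish", 128, "encryption-at-rest", 8),
]

if __name__ == "__main__":
    for system, risk, prio, fix in triage(SAMPLE_INVENTORY):
        print(f"{prio:8} {system:18} {risk:10} {fix or '-'}")
```

Two design points matter for the third component, cryptographic agility: the policy tables and thresholds are data rather than scattered conditionals, so they can be updated as NIST finalizes standards without touching the logic, and the same inventory rows can be re-run as estimates of the quantum horizon change, which is exactly the repeated evaluate-install-test cycle the article calls for.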
Further, we must allow adequate time to get this right. For context, while NIST selected its first batch of quantum-resistant encryption tools last summer, this came seven years after it began developing these tools with cryptographers. Considering that analysts believe it will take at least a decade to develop quantum computing that can break current encryption methods, it is good to start now.
Lastly, Congress and the executive branch should work more closely together in enacting and prioritizing these initiatives. Through a mix of laws and executive orders, we can ensure that steps are being taken in cybersecurity that are both comprehensive and swift.
This is the only way that any new cybersecurity regime can be made quantum-proof. In the meantime, we’ll have to be extra vigilant in guarding our cyber doors, and hope that for now our current cybersecurity systems are enough to protect us and our data.
Alyanna Pauline Apacible
GLTR Assistant Editor; Georgetown Law, LL.M. expected 2023; University of the Philippines, J.D. 2016. © 2023, Alyanna Pauline Apacible