The Biden administration has taken many hits for its policies, from the chaotic withdrawal of troops from Afghanistan to the highest inflation in 40 years to the humanitarian crisis at America’s southern border. But last month, it scored a major success in getting the government’s house in order in the cybersecurity domain and preparing the way for a safe and secure cyber future.
The White House has released a National Security Memorandum that, for the first time, focuses our national security concerns on the future threat of large-scale quantum computers to encrypted data, which means everything from government records and classified data to credit cards and banking transactions.
Instead of using digital bits to process data as a series of ones and zeros, as conventional computers do, quantum computers employ “qubits,” which can represent any combination of 0 and 1 simultaneously. This allows computing power to grow exponentially as the number of qubits expands. A 2,000- to 4,000-qubit quantum computer, for example, can quickly decrypt almost all public-key encryption architectures — the ones used for everything from banking and credit cards to the power grid. Those architectures rely on numbers too big for conventional computers to factorize, but a quantum computer can and will do so.
Experts disagree on how soon we will see quantum computers of that size and capability. A recent RAND report says it might take 15 years; the CEO of Google, however, has stated publicly he thinks it could happen as soon as five or 10 years from now. One thing is clear: the one country that has the resources to do this besides the United States is China, the same regime that has waged cyber war on America and democratic states for two decades.
With this threat in mind, the White House has issued a landmark document, National Security Memorandum 8 (NSM-8), that pushes the government’s cybersecurity into the post-quantum era: the first official step to making America’s national security apparatus quantum ready and quantum safe.
The memorandum gave the National Security Agency 30 days to begin updating the Commercial National Security Algorithm Suite (CNSA), a process that will include adding quantum-resistant cryptography, CNSA being the collection of secure algorithms approved for use by all encrypted data users, including the private sector.
Within 180 days, agencies that handle national security systems are supposed to identify any and all “instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms,” or the updated CNSA, and to draw up “a timeline to transition these systems to use compliant encryption, to include quantum resistant encryption.”
This document is the first I’m aware of coming out of the White House national security apparatus that specifically mentions quantum-resistant cryptography in the context of current federal cybersecurity planning. That’s a big victory for our Quantum Alliance Initiative here at Hudson Institute, which has been pushing the quantum security issue for the past four years, and for quantum information science generally.
At the same time, it’s important to realize the next and most vital step is execution.
Here’s where Congress has to step up, with oversight, funding and making sure that what needs to be done to confront a future quantum security threat gets done. That includes demanding a full briefing from the White House for key congressional committees, along with other federal agencies, on what the implications of NSM-8 are for our nation’s cyber future.
In the final analysis, we are going to need an all-of-government approach to dealing with the gravest cybersecurity threat of this generation — indeed, the greatest threat of this century.
This is particularly true for alerting the private sector, including our financial services sector and corporate sector where replacing the RSA-based systems will require years of work and continual updating. The preliminary study we’ve done at the Quantum Alliance Initiative estimates that a single quantum attack on one of the five largest financial institutions in the U.S. disrupting access to the Fedwire Funds Service payment system would cause a cascading financial failure costing anywhere from $730 billion to $1.95 trillion. Indeed, a quantum computer attack could impair nearly 60 percent of total assets in the banking system because of bank runs and endogenous liquidity traps.
Given the fact that the federal government finally admits this is a security threat grave enough to demand action from agencies within the next five months, that’s all the more reason why private industry needs to take this threat seriously — and to insist that Washington to put together a comprehensive plan to protect all of us from future quantum attack.
Arthur Herman is senior fellow at the Hudson Institute and director of the Quantum Alliance Initiative. He is the Pulitzer Prize-finalist author most recently of “The Viking Heart: How Scandinavians Conquered The World” (2021).