The Biden-Harris Administration released the National Cybersecurity Strategy to secure the full benefits of a safe and secure digital ecosystem for all Americans, according to a fact sheet on the report.
The strategy seeks to rebalance the responsibility to defend cyberspace, realign incentives, and use all tools of national power in a coordinated manner to protect national security, public safety and economic prosperity.
The administration reports that the strategy sets out a vision to make the digital ecosystem defensible, resilient, and values-aligned.
The approach includes building and enhancing collaboration around five pillars: defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals.
Post-Quantum is specifically covered in Strategic Objective 4.3.
The report states: “Strong encryption is foundational to cybersecurity and global commerce. It is the primary way we protect our data online. But quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today. We must prioritize and accelerate investments in widespread replacement of hardware, software and services that can be easily compromised by quantum computers so that information is protected against future attacks.”
Quantinuum’s Chief Legal Officer Kaniah Konkoly-Thege commented on the strategy.
Konkoly-Thege, who also serves as SVP government relations and chief compliance officer, writes: “The 2023 Cybersecurity Strategy makes clear that the Biden Administration will work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail, stating ‘we must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities. The new landscape of quantum-related announcements and requirements from the federal government also creates urgency for many vendors and government contractors because those who are non-compliant will be named in reports and likely suffer reputational and economic consequences.’”
Organizations should be preparing now, Konkoly-Thege added: “While the guidance does not go in-depth regarding steps to prepare for a post-quantum future, it is best practice to assess current cryptographic systems, inventory data, experiment with NIST’s post-quantum algorithms and develop plans to protect data, especially sensitive data (i.e., medical, financial, or personal data), by transitioning to these post-quantum (PQC) algorithms. NIST is currently in the process of standardizing these algorithms with final standards due to be released in 2024.”
Konkoly-Thege recommended the following initial steps to help organizations prepare for the post-quantum cybersecurity era:
- Begin inventorying cryptography systems that will be vulnerable to future quantum attacks
- Develop “Quantum IQ” across your organization by exploring the benefits and risks that quantum technologies will pose for your business
- Review the NIST post-quantum algorithms (four finalists were announced in July 2022) and create a strategy for cryptographic agility that will allow you to shift your systems to the final standards and protect your data with minimal disruption
- Identify partners established in the quantum ecosystem who can guide you through the transition to quantum-safe cybersecurity while protecting data from both classical and quantum cyberattack
The Administration has already taken steps to secure cyberspace and our digital ecosystem, including various executive orders and memoranda, such as the National Security Strategy, Executive Order 14028 (Improving the Nation’s Cybersecurity), National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems), M-22-09 (Moving the U.S. Government Toward Zero-Trust Cybersecurity Principles), and National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems).
You can find the full report here.