Recently, US President Biden signed the No. 8 National Security Memorandum of Understanding, "On Improving The Cybersecurity of National Security, The Department of Defense, and Intelligence Systems", which mentions quantum-resistant cryptography (PQC) for the first time. This will have a huge impact on quantum technology and quantum security in the United States and the world.
According to Forbes, this document (NSM-8) is the first document by the U.S. national security agency to specifically mention quantum cryptography (PQC) in the current federal cybersecurity program. This is a huge victory for the Quantum Alliance initiative, which has been pushing for quantum safety for 4 years, and for quantum information science as a whole.
Image from the Official White House website
The document instructs the National Security Agency (NSA) to issue any documents related to "quantum-resistant protocols and, if necessary, planned use of quantum-resistant cryptography" to the company's CIO.
The relevant provisions are as follows:
Within 180 days from the date of publication of this document, each agency shall, in accordance with Sections 1(b)(iv)(A) and (B) of this Memorandum of Understanding, identify any instance of encryption that does not comply with NSA-approved quantum-resistant algorithms or CNSA, and report to the National Security Officer without a top-level secret (Top Secret/SI//NOFORN) level of confidentiality.
Arthur Herman, director of the U.S. Quantum Alliance Initiative Agency, said it was the agency's goal since 2018 to get the U.S. national security agency to take the threat of quantum computer attacks seriously as a cybersecurity priority.
Still, NSM-8 is deficient in raising awareness of the need for people (i.e., the private sector) to protect against the threat of quantum attacks.
Given that the U.S. government acknowledges that the quantum attack threat is a security threat serious enough to require agencies to act within the next 180 days, the private sector needs to take the threat seriously.
This means that private companies, especially large corporations and the highly vulnerable financial sector, need to have plans in place to combat the threat of quantum systems and be fully prepared by 2030, when the threat of large-scale quantum computer attacks will become a reality.
But Herman believes there are many more details that NSM-8 overlooked.
First, while secure methods exist to protect data and networks from future quantum attacks, there are also cyber attackers and hackers who use quantum-resistant cryptography developed and deployed by private companies in the United States and Canada. Therefore, the threat of quantum attacks is imminent and should not wait for the relevant government departments to make a final response before taking action.
In addition, some companies in the U.S. and other countries have offered customers quantum-based cryptographic solutions, such as quantum key distribution (QKD) to secure vital communications and links. QKD is well suited for industrial systems such as surveillance, data acquisition systems, and power grids, so users under these systems must be protected from current cyber threats and future quantum attacks.
Finally, Herman called for quantum security to require international efforts and partners in Europe, Asia and the Middle East to develop and deploy quantum security solutions. Otherwise, people will find out before 2030 that if governments or companies are not prepared to face quantum computer attacks, they will be in danger of being catastrophic.
Still, the National Security Memorandum No. 8 is a landmark document.
"This is a long-awaited wake-up call for us to understand how important quantum technology will be to countries and the world." Major U.S. quantum computer companies, such as IBM, Google, and Microsoft, now also need to recognize the importance of quantum readiness. "We all have to make sure that quantum information science, including computing and networking, can move forward without causing significant damage to national security, people's lives, or the prospects for freedom around the world." ”
Previously, some companies and institutions have taken note of the threat of future quantum attacks to cybersecurity and have taken active action. For example, two quantum companies in the United States, SurpriseWorks, cooperated with Quantinuum to launch the world's first quantum encryption key service generated by a quantum computer, using quantum randomness to ensure network security and protect the system from quantum attacks in the future.
The World Economic Forum (WEF) recently released the world's first quantum computing guide, the "Principles of Quantum Computing Governance", proposing that quantum computing brings great opportunities to the world today, but also brings new challenges to socio-economic, political and ethical aspects.
Among the seven core values proposed by the World Economic Forum, the values of "non-malice", "common interest", "accountability" and "transparency" are all designed to ensure that quantum computing can benefit humanity and is not used for evil purposes or abused. The "privacy" principle proposes to reduce potential data privacy violations through the theft and handling of quantum computers.