Quantum computing is coming — and there’s more the Biden administration can do to prepare
Just before Christmas, President Biden signed the Quantum Computing Cybersecurity Preparedness Act, more or less codifying his administration’s effort to analyze and inventory the federal information technology (IT) systems that will soon be vulnerable to quantum computers. This is an essential first step. Transitioning the whole of federal IT to new cryptographic systems is no easy task, and ironing out the implementation kinks demands action today. Next, federal officials must take the lead and proactively share what they learn.
For the uninitiated, quantum computing is a yet-to-be fully realized technology with many potential benefits. It also threatens to break many of the most common forms of cryptography-based computer security with its unique ability to skirt time-intensive mathematics. While today’s quantum computers aren’t yet powerful enough to be a threat, future iterations could quickly create a security nightmare. Most private communications, financial transactions and other security-sensitive applications would be defenseless. Thankfully, we have a solution.
In June, the National Institute of Standards and Technology (NIST) debuted a set of quantum-resistant cryptographic algorithms. The charge of the new legislation is preparing the government for implementation. Tools in hand, federal officials are now tasked with analyzing when, where and how to put NIST’s algorithms to use.
What’s missing in both the act and the administration’s memo is a sense of opportunity. While the legislative target today is federal IT, the private sector will eventually have to follow. And with so many unknowns, the private sector needs all the help it can get.
To these ends, there are federal efforts underway to compile best practices from the private sector. But these are based solely on industry stakeholder feedback, not real-world experience. While this information is invaluable, these stakeholders haven’t yet been through the process. Any recommendations are at best speculation.
As a former IT project manager, I’ve learned that IT transitions are plagued by the unexpected. Only by doing can you say for certain what will break, what will be impacted and what challenges will be faced.
Rather than continuing to speculate, we should recognize the government’s transition for what it is: a golden opportunity to learn by doing.
Today, the federal government represents a quarter of the economy. This suggests that roughly a quarter of IT systems will be preparing for and ultimately transitioning to quantum-resistant cryptography. On its own, such a sizeable sample could undoubtedly provide many lessons for the private sector.
Crucially, however, this sample is not just large but incredibly diverse. In a 2021 quantum transition white paper, NIST noted that perhaps the greatest challenge will be adapting algorithms to the bespoke needs of each application and industry. The diversity of federal IT can help uncover these industry-specific challenges. The tailored experiences of the U.S. Agency for Global Media can be shared with broadcasters who use similar technology. Transitioning USDA inspector equipment could support the transitions of many similar on-the-ground service providers. Service academies can support private colleges. Veterans Administration hospitals can inform private health care. The list goes on.
The government should therefore embrace a role as a quantum-security guinea pig. To maximize lessons learned, the administration should specifically promote a laboratory approach. As agencies begin this process, they should be encouraged to test a diversity of practices and solutions, comparing results and reporting challenges. Only through variation can we learn what works.
Crucial to success will be careful documentation. First, agencies should record general implementation best practices. This means documenting how they assessed systems, solved problems, educated users, and other plan-based details. Second, they should note tech-specific challenges. Agencies should track which specific systems are impacted, which had difficulty adapting to the changes and any performance problems these changes created. Finally, when it comes time to make updates, agencies should note any beneficial approaches to code and system design. Not all methodologies are created equal, and agencies should recommend what works best.
Naturally, this process cannot function without coordination. Following the model of the National Infrastructure Protection Plan (the federal government’s plan for managing cyber and other risks to critical infrastructure), the Cybersecurity and Infrastructure Security Agency should designate a quantum transition management agency for each affected industry. This deputized agency will compile reports and best practices with the needs of its industry in mind. This division of labor will spread out the administrative burden while baking industry-specificity into results.
Based on both the new legislation and executive memos, neither Congress nor the Biden administration realizes the immensity of this opportunity. There are countless lessons to be learned if the federal government embraces a quantum-security guinea pig role.
If it does not, the process of mitigating this potential security nightmare could become a nightmare of its own. Let’s seize this moment, learn what we can and ease the often-heavy security burden.
Matthew Mittelsteadt is a technologist and research fellow with the Mercatus Center at George Mason University.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.