“The Greatest Cryptographic Migration in History”: The Quantum Cybersecurity Preparedness Act to be Signed into Law

The Quantum Cybersecurity Preparedness Act passed the Senate last week (on Friday, December 16th) and is ready for the President’s signature.  The bill is an outgrowth of National Security Memorandum 8 (NSM8):  “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems”.  NSM8 appeared to have been inspired by Project Warp Speed – specifically, the elimination of layers of reportage and bureaucracy when trying to innovate with unprecedented speed and scale.  With NSM8 and National Security Systems (NSS), the goal was not so much the acceleration of innovation, but the ability to “defend forward” at speed and scale – with a tight OODA Loop between the White House and the NSA.

The legislation was introduced into the House in April and passed the House in July. In April, prompted by the introduction of the bill, we returned to NSM8 for further analysis, as we had promised at the end of our analysis back in January. Our coda back in January: “This memorandum is a wildly interesting national security development,” and there were major Quantum Cybersecurity strategic directives in NSM8 which were not a part of our initial analysis.

Once signed, the legislation represents the codification into law of the NSM8 strategic directives for what will be “the greatest cryptographic migration in history” (1).

OODA Loop research and analysis on Quantum Cybersecurity preparedness can be found below, including resources from our general research and analysis over the course of 2022 on Post-Quantum Cryptography  – along with additional OODA Loop resources for your quantum technologies business strategy and risk mitigation efforts.

https://oodaloop.com/archive/2022/04/29/the-quantum-cybersecurity-preparedness-act-builds-on-national-security-memorandum-8/

The Quantum Cybersecurity Preparedness Act

Back in April, FEDSCOOP captured the top line very well:

“Proposed legislation that would give agencies a year to begin migration to post-quantum cryptography is a recognition that transitioning from legacy to new algorithms will require significant planning and funding, say industry experts.  The Quantum Cybersecurity Preparedness Act would give the Office of Management and Budget a year from the day the National Institute of Standards and Technology issues post-quantum cryptography standards to prioritize the migration of agencies’ IT systems based on cybersecurity risk. Reps. Nancy Mace, R-S.C.; Ro Khanna, D-Calif.; and Gerry Connolly, D-Va., introduced the bill.” (1)

Alexandra Kelley, at NextGov, adds: “Largely in response to the “harvest now, decrypt later” strategy among some hacking organizations, the bill calls on the director of OMB to work with the Chief Information Officers Council to plan and assess current information technology networks and related risks within federal agencies, and advocate migration to post-quantum cryptography, pursuant to mandated NIST standards.  Major private tech firms have supported the bill, including IBM, Google, QuSecure, and Maybell Quantum.” (2)

What Next?

Overall, these efforts are on the right track based solely on the metric of taking the threat very seriously with adequate strategic lead time.  In an OODAcast conversation, OODA CTO Bob Gourley captured the nature of the challenge ahead:  “What scares me is the fact that after two decades of working in security, we didn’t fix security for the old architectures. There are still challenges. So why should anybody think security will be fixed for the new world of quantum computing and space communications, space remote sensing, and the biotech revolution?  It’s not going to be fixed. There will always be issues of trust and risk and risk mitigation and optimization in a world where the adversary can be observing all your actions. So that is what worries me. I’m still an optimist. This is going to be a great and wonderful tech-enabled future, but there will always be a need for professionals to assess risk and mitigate risk when it comes to cybersecurity.”

Do We Need a Joint Quantum Cybersecurity Collaborative?  Building on Bob’s perspective about the role of private professionals in assessing and mitigating risk, as far as we can tell, there is not a clear public/private collaborative organization charged with engaging the private sector and distributing time-sensitive findings from the NSM8. There is what seems like an archived website for an organization called the Committee on National Security Systems.  We will take a look as soon as we are granted access. Our point of reference is the CISA Joint Cyber Defense Collaborative (JCDC) – which was launched in 2021 and has made significant contributions to critical Joint Cybersecurity Advisories released in the last few weeks.  It seems logical that early, formal private-sector collaboration would be productive in this space as well.

The DHS Roadmap – Post-Quantum Cryptography:   The National Institute of Standards and Technology is developing a post-quantum cryptography standard and partnered on a DHS roadmap as an interim document to prepare agencies for the transition.

Will OMB Reports Prove Adequate?  As previously mentioned, OMB would also be required to report annually on the state of the governmentwide transition.  Is the OMB report format enough for this behemoth, important initiative?  What other organizations should manage the information generated from this project? And what innovative taxonomies exist for structuring and disseminating information throughout this cryptographic migration?

OODA 2022:  Quantum Cybersecurity and Post-Quantum Cryptography

https://oodaloop.com/archive/2022/07/08/the-so-what-of-the-nist-quantum-resistant-cryptographic-algorithms-announcement/

https://oodaloop.com/archive/2022/09/27/nsa-sets-2035-post-quantum-cryptography-deadline-joint-advisories-with-cisa-and-fbi/

https://oodaloop.com/archive/2022/08/01/nist-selects-12-companies-for-implementing-quantum-resistant-cryptographic-algorithms/

https://oodaloop.com/archive/2022/07/11/cisa-and-quantum-security-industry-leaders-react-to-recent-nist-post-quantum-announcement/

Further OODA Loop Resources

Quantum Computing and Quantum Security Sensemaking

https://oodaloop.com/archive/2019/09/12/the-executives-guide-to-quantum-computing-what-you-need-to-know-for-your-strategy-today/

https://oodaloop.com/archive/2021/03/19/updated-executives-guide-to-quantum-safe-security-take-these-steps-to-make-your-enterprise-quantum-proof/

https://oodaloop.com/archive/2021/12/15/is-taiwans-five-year-quantum-computing-and-talent-initiative-the-wrong-strategy-for-the-island-nation/

https://oodaloop.com/archive/2021/09/07/cybersecurity-sensemaking-usg-initiatives-and-updates-a-pilot-alpha-ooda-loop-research-effort/

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.