[Congressional Record Volume 168, Number 114 (Tuesday, July 12, 2022)]
[House]
[Pages H5952-H5955]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




           QUANTUM COMPUTING CYBER-SECURITY PREPAREDNESS ACT

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I move to suspend 
the rules and pass the bill (H.R. 7535) to encourage the migration of 
Federal Government information technology systems to quantum-resistant 
cryptography, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 7535

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Quantum Computing 
     Cybersecurity Preparedness Act''.

     SEC. 2. FINDINGS; SENSE OF CONGRESS.

       (a) Findings.--The Congress finds the following:
       (1) Cryptography is essential for the national security of 
     the United States and the functioning of the economy of the 
     United States.
       (2) The most widespread encryption protocols today rely on 
     computational limits of classical computers to provide 
     cybersecurity.
       (3) Quantum computers might one day have the ability to 
     push computational boundaries, allowing us to solve problems 
     that have been intractable thus far, such as integer 
     factorization, which is important for encryption.
       (4) The rapid progress of quantum computing suggests the 
     potential for adversaries of the United States to steal 
     sensitive encrypted data today using classical computers, and 
     wait until sufficiently powerful quantum systems are 
     available to decrypt it.
       (b) Sense of Congress.--It is the sense of Congress that--
       (1) a strategy for the migration of information technology 
     systems of the Federal Government to post-quantum 
     cryptography is needed; and
       (2) the Governmentwide and industrywide approach to post-
     quantum cryptography should prioritize developing 
     applications, hardware intellectual property, and software 
     that can be easily updated to support cryptographic agility.

     SEC. 3. INVENTORY OF CRYPTOGRAPHIC SYSTEMS; MIGRATION TO 
                   POST-QUANTUM CRYPTOGRAPHY.

       (a) Inventory.--
       (1) Establishment.--Not later than 180 days after the date 
     of the enactment of this Act, the Director of OMB shall 
     establish, by rule or binding guidance, a requirement for 
     each executive agency to establish and maintain an inventory 
     of each cryptographic system in use by the agency.
       (2) Additional content in rule or binding guidance.--In the 
     rule or binding guidance established by paragraph (1), the 
     Director of OMB shall include, in addition to the requirement 
     described under such paragraph--
       (A) a description of information technology to be 
     prioritized for migration to post-quantum cryptography;
       (B) a description of the information required to be 
     reported pursuant to subsection (b); and
       (C) a process for evaluating progress on migrating 
     information technology to post-quantum cryptography, which 
     shall be automated to the greatest extent practicable.
       (3) Periodic updates.--The Director of OMB shall update the 
     rule or binding guidance established by paragraph (1) as the 
     Director determines necessary.
       (b) Agency Reports.--Not later than 1 year after the date 
     of the enactment of this Act, and on an ongoing basis 
     thereafter, the head of each executive agency shall provide 
     to the Director of OMB, the Director of CISA, and the 
     National Cyber Director an inventory of all information 
     technology in use by the executive agency that is vulnerable 
     to decryption by quantum computers.
       (c) Migration and Assessment.--
       (1) Migration to post-quantum cryptography.--Not later than 
     1 year after the date on which the Director of NIST has 
     issued post-quantum cryptography standards, the Director of 
     OMB shall issue guidance requiring each executive agency to 
     develop a plan, including interim benchmarks, to migrate 
     information technology of the agency to post-quantum 
     cryptography.
       (2) Designation of systems for migration.--Not later than 
     90 days after the date on which the guidance required by 
     paragraph (1) has been issued, the Director of OMB shall 
     issue guidance for agencies to--
       (A) designate information technology to be migrated to 
     post-quantum cryptography; and
       (B) prioritize information technology designated under 
     subparagraph (A), on the basis of the amount of risk posed by 
     decryption by quantum computers to such technology, for 
     migration to post-quantum cryptography.
       (d) Interoperability.--The Director of OMB shall ensure 
     that the designations and prioritizations made under 
     subsection (c)(2) are assessed and coordinated to ensure 
     interoperability.
       (e) Report on Post-quantum Cryptography.--Not later than 15 
     months after the date of the enactment of this Act, the 
     Director of OMB shall submit to Congress a report on the 
     following:
       (1) A strategy to address the risk posed by the 
     vulnerabilities of information technology systems of 
     executive agencies to weakened encryption due to the 
     potential and possible capability of a quantum computer to 
     breach such encryption.
       (2) The amount of funding needed by executive agencies to 
     secure such information technology systems from the risk 
     posed by an adversary of the United States using a quantum 
     computer to breach the encryption of information technology 
     systems.
       (3) A description of Federal civilian executive branch 
     coordination efforts led by the National Institute of 
     Standards and Technology, including timelines, to develop 
     standards for post-quantum cryptography, including any 
     Federal Information Processing Standards developed under 
     chapter 35 of title 44, United States Code, as well as 
     standards developed through voluntary, consensus standards 
     bodies such as the International Organization for 
     Standardization.
       (f) Report on Migration to Post-quantum Cryptography in 
     Information Technology Systems.--Not later than 1 year after 
     the date on which the Director of OMB issues guidance under 
     subsection (c)(2), and annually thereafter until the date 
     that is 5 years after the date on which post-quantum 
     cryptographic standards are issued, the Director of OMB shall 
     submit to Congress, with the report submitted pursuant to 
     section 3553(c) of title 44, United States Code, a report on 
     the progress of executive agencies in adopting post-quantum 
     cryptography standards.
       (g) Definitions.--In this Act:
       (1) Classical computer.--The term ``classical computer'' 
     means a device that accepts digital data and manipulates the 
     information based on a program or sequence of instructions 
     for how data is to be processed and encodes information in 
     binary bits that can either be 0s or 1s.
       (2) Director of nist.--The term ``Director of NIST'' means 
     the Director of the National Institute of Standards and 
     Technology.
       (3) Director of omb.--The term ``Director of OMB'' means 
     the Director of the Office of Management and Budget.
       (5) Executive agency.--The term ``executive agency'' has 
     the meaning given the term ``Executive agency'' in section 
     105 of title 5, United States Code.
       (6) Information technology.--The term ``information 
     technology'' has the meaning given that term in section 3502 
     of title 44, United States Code.
       (7) Post-quantum cryptography.--The term ``post-quantum 
     cryptography'' means a cryptographic system that--
       (A) is secure against decryption attempts using a quantum 
     computer or classical computer; and
       (B) can interoperate with existing communications protocols 
     and networks.
       (8) Quantum computer.--The term ``quantum computer'' means 
     a computer that uses the collective properties of quantum 
     states to perform calculations.

     SEC. 4. DETERMINATION OF BUDGETARY EFFECTS.

       The budgetary effects of this Act, for the purpose of 
     complying with the Statutory Pay-As-You-Go Act of 2010, shall 
     be determined by reference to the latest statement titled 
     ``Budgetary Effects of PAYGO Legislation'' for this Act, 
     submitted for printing in the Congressional Record by the 
     Chairman of the House Budget Committee, provided that such 
     statement has been submitted prior to the vote on passage.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Mrs. Carolyn B. Maloney) and the gentleman from Pennsylvania 
(Mr. Keller) each will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I ask unanimous 
consent that all Members may have 5 legislative days within which to 
revise and extend their remarks and include extraneous material on this 
measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself such 
time as I may consume.
  I rise in support of H.R. 7535, the Quantum Computing Cybersecurity 
Preparedness Act.
  Today, the processes we use to encrypt data are incredibly reliable 
and can keep sensitive data secure from unauthorized users during 
storage or transmission. But tomorrow, that may no longer be the case.
  Researchers around the world are accelerating advances toward quantum 
computing, which refers to the application of quantum physics to 
computers. This will allow the computers of tomorrow to perform 
calculations many magnitudes faster and more powerfully than they do 
today.
  While quantum computers have the potential to provide considerable 
benefits to society through unimaginable innovation, they could also 
equip our adversaries with the ability to break the best encryptions 
available today.
  Capabilities of this magnitude are estimated to be a decade or more 
away, but China and other adversaries are expected to begin stealing 
sensitive encrypted data much sooner with the intent of unlocking it 
when they have the ability to do so. It is essential that the Federal 
Government prepare for this inevitability now while we still have time 
to protect data that is critical to our national and economic security.
  The process of migrating all Federal IT systems to post-quantum 
cryptography will be complex and costly, but putting the right steps in 
place now will help us stay at the forefront of this frontier.
  I applaud Representative Ro Khanna, as well as Representatives Nancy 
Mace and Gerry Connolly, for introducing this thoughtful bipartisan 
bill to establish this process.
  Within a year of enactment, the bill would require the Office of 
Management and Budget to submit a report to Congress containing a 
strategy for addressing the risk posed by quantum computing, the 
funding needed to secure Federal information technology systems from 
quantum computing threats, and a review of related coordination 
efforts. This will allow time for assessment of this strategy before 
the National Institute of Standards and Technology issues its post-
quantum cryptographic standards, which are expected in 2024.
  OMB would then be required to prioritize and designate Federal IT 
systems for migration to post-quantum cryptography using those 
standards and to submit an annual report to Congress on progress toward 
transitioning Federal agencies to the new standards.
  The bill has been carefully aligned with the national security 
memorandum released by the Biden-Harris administration in May, which 
made important strides to advance U.S. leadership in quantum computing 
by strengthening collaboration and partnerships with private-sector 
leaders, securing critical capabilities, and making strategic 
investments.
  I am grateful to Representative Ro Khanna for leading on this 
important issue and setting an ambitious but achievable framework to 
both maximize the benefits and minimize the threats of quantum 
computing for the U.S.
  Mr. Speaker, I urge support for this bill, and I reserve the balance 
of my time.
  Mr. KELLER. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, as an emerging technology, quantum computing holds great 
promise and potential peril for our Nation. It has the potential to 
exponentially increase computing power and processing speeds, which 
will mean technological leaps for American research activities and 
business sectors.
  While such major advances are likely decades away, there is a clear 
risk that foreign adversaries like China are using early developments 
in quantum computing technology for malicious purposes.
  One immediate risk is that our foreign adversaries may use the first 
quantum computers to unlock data that has already been stolen from U.S. 
Federal agencies.
  Current data encryption methods protect the privacy, security, and 
integrity of underlying data and are nearly impossible to decrypt with 
today's computing capabilities. The computations required to unlock 
encrypted data require computing resources that we do not currently 
possess. However, as quantum computing matures, so does the possibility 
that sensitive information could be unlocked. This is a clear national 
security threat.
  The Quantum Computing Cybersecurity Preparedness Act will require a 
governmentwide strategy to better secure valuable government data.
  While the Federal Government already has initiatives underway to 
address such emerging threats, including the development of post-
quantum cryptography standards and a recent Presidential national 
security directive, H.R. 7535 makes this a clear congressional 
priority.
  The bill requires a governmentwide review of vulnerable agency 
information systems and consistent guidance to Federal agencies, and it 
seeks to ensure proper congressional oversight.
  Advancing a strategic approach to evaluating quantum computing risks 
to Federal IT and network cybersecurity is important given the 
significant potential risk to our public-sector data.

                              {time}  1445

  And since this bill only requires centralized guidance and reporting, 
the Congressional Budget Office found it would cost American taxpayers 
less than $1 million over 5 years. This is a reasonable investment.
  Mr. Speaker, I thank my House Oversight and Reform Committee 
colleagues, Representatives Ro Khanna and Nancy Mace for their work on 
this important bill.
  Mr. Speaker, I reserve the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield such time 
as he may consume to the gentleman from California (Mr. Khanna).
  Mr. KHANNA. Mr. Speaker, I thank Chairwoman Maloney and Chairman 
Connolly for their leadership, and I thank the bipartisan leadership 
with Representative Mace and the Republican committee.
  This is the most significant legislation to address the challenge 
that quantum computing poses to our security. The reality is that 
quantum computing is going to be much faster and can do many more 
things than regular computing.
  For example, if you have an iPhone and you have a pass code on the 
iPhone, now you have a computer that can do a billion different 
combinations to try your pass code in a matter of a few seconds. 
Chances are they can break through the pass code. The problem is that a 
lot of the bad actors--they have been stealing American data from our 
government in anticipation of having these quantum computers, these 
super-fast computers--try all the combinations to break through.
  I am proud that this committee, on a bipartisan basis, came together, 
and said: We need to make sure that our security in our critical 
agencies does not suffer from these computers that can try all these 
codes. Let's design that security in a way that will be safe, even with 
quantum computing.
  The bill directs the agencies to start having those algorithms now 
that are not vulnerable to these supercomputers. It is an example, with 
Representative Mace and the committee, of Congress actually working, of 
Congress being proactive, of Congress looking ahead on the horizon and 
anticipating problems to keep the American people safe.
  Mr. Speaker, I also appreciate the bipartisan spirit. I acknowledge 
Geo Saba, my staff, and all of the staff on the Oversight and Reform 
Committee, both the majority and minority, for helping make this 
possible.
  Mr. KELLER. Mr. Speaker, I yield 3 minutes to the gentlewoman from 
South Carolina (Ms. Mace).
  Ms. MACE. Mr. Speaker, I rise in support of H.R. 7535, the Quantum 
Computing Cybersecurity Preparedness Act, a truly bipartisan piece of 
legislation.
  I thank Congressman Ro Khanna from California for his leadership in 
this and Congressman Connolly and Congresswoman Maloney for working 
together across the aisle on an issue like this.
  I could never imagine 20 years ago--or further than that, 40 years 
ago, 35 years ago--playing with an Apple IIe in the 1980s, and fast-
forward to college as a cadet at the Citadel, learning and teaching 
myself how to code. We have seen leaps and bounds in technology and the 
advances over the last decades in technology.
  We see the risks to our national security here and abroad, and we are 
working together in this environment today where many of us are 
attacked for working together but looking forward and looking to the 
future and protecting our country and protecting our allies.
  Quantum computing is without a doubt the next frontier in technology. 
It will take our civilization forward by leaps and bounds. In many 
ways, it will turn conventional understanding of computing on its head. 
I am here to tell you that the quantum computing era is upon us.
  Just 3 years ago, an entry-level quantum computer the size of a 
refrigerator was proven capable of outperforming a supercomputer the 
size of a football field. Imagine the advances in technology in that 
short a period of time and how quickly we are moving forward to the 
future.
  We are looking at a world not unlike the last few days of the 
Manhattan Project, knowing what is to come will alter the security of 
the world forever. Fortunately, as with the development of the atomic 
bomb, America is at the forefront of pioneering this kind of 
technology--no doubt by leadership from Congressman Khanna and others.
  We must inevitably face the reality that one day soon this technology 
may, in fact, be used against us by China and others that are against 
us today. The most significant threat of quantum computing is its 
ability to break through encryption with unprecedented speed.
  Currently, our sensitive data is usually encrypted and protected with 
a password. It might take a conventional computer years or even decades 
to try to break that password and eventually steal your data.
  In the next few years or decades, a computer will be created which 
will crack the last 20 years of encryption--not in years or months, but 
in minutes or seconds. To prevent any illicit use of this technology, 
we want to ensure that we are transitioning to a post-quantum 
cryptography future, to ensure Federal agencies that their sensitive 
information remains secure from any prying eyes. And we know that in 
2020 we had 11 Federal agencies that were hacked by those that aligned 
with China and with Russia--11 Federal agencies.
  Our bill prompts the Federal Government to begin taking the necessary 
steps to future-proof current sensitive information and its databases. 
It will ensure the Federal Government will study the specific risks, 
draft a report on strategies to address these risks, and estimate the 
costs associated with securing our agencies and their IT systems.
  Mr. Speaker, I thank my colleagues across the aisle for their work 
and their leadership on this issue.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, if the gentleman 
from Pennsylvania has no further speakers, I am prepared to close, and 
I reserve the balance of my time.
  Mr. KELLER. Mr. Speaker, I encourage my colleagues to support this 
bipartisan bill that addresses an emerging national security issue.
  Mr. Speaker, I yield back the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I urge passage of 
H.R. 7535, as amended, and I yield back the balance of my time.
  The SPEAKER pro tempore (Mr. Peters). The question is on the motion 
offered by the gentlewoman from New York (Mrs. Carolyn B. Maloney) that 
the House suspend the rules and pass the bill, H.R. 7535, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.