[Congressional Record Volume 168, Number 114 (Tuesday, July 12, 2022)]
[House]
[Pages H5952-H5955]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
QUANTUM COMPUTING CYBER-SECURITY PREPAREDNESS ACT
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I move to suspend
the rules and pass the bill (H.R. 7535) to encourage the migration of
Federal Government information technology systems to quantum-resistant
cryptography, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 7535
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Quantum Computing
Cybersecurity Preparedness Act''.
SEC. 2. FINDINGS; SENSE OF CONGRESS.
(a) Findings.--The Congress finds the following:
(1) Cryptography is essential for the national security of
the United States and the functioning of the economy of the
United States.
(2) The most widespread encryption protocols today rely on
computational limits of classical computers to provide
cybersecurity.
(3) Quantum computers might one day have the ability to
push computational boundaries, allowing us to solve problems
that have been intractable thus far, such as integer
factorization, which is important for encryption.
(4) The rapid progress of quantum computing suggests the
potential for adversaries of the United States to steal
sensitive encrypted data today using classical computers, and
wait until sufficiently powerful quantum systems are
available to decrypt it.
(b) Sense of Congress.--It is the sense of Congress that--
(1) a strategy for the migration of information technology
systems of the Federal Government to post-quantum
cryptography is needed; and
(2) the Governmentwide and industrywide approach to post-
quantum cryptography should prioritize developing
applications, hardware intellectual property, and software
that can be easily updated to support cryptographic agility.
SEC. 3. INVENTORY OF CRYPTOGRAPHIC SYSTEMS; MIGRATION TO
POST-QUANTUM CRYPTOGRAPHY.
(a) Inventory.--
(1) Establishment.--Not later than 180 days after the date
of the enactment of this Act, the Director of OMB shall
establish, by rule or binding guidance, a requirement for
each executive agency to establish and maintain an inventory
of each cryptographic system in use by the agency.
(2) Additional content in rule or binding guidance.--In the
rule or binding guidance established by paragraph (1), the
Director of OMB shall include, in addition to the requirement
described under such paragraph--
(A) a description of information technology to be
prioritized for migration to post-quantum cryptography;
(B) a description of the information required to be
reported pursuant to subsection (b); and
(C) a process for evaluating progress on migrating
information technology to post-quantum cryptography, which
shall be automated to the greatest extent practicable.
(3) Periodic updates.--The Director of OMB shall update the
rule or binding guidance established by paragraph (1) as the
Director determines necessary.
(b) Agency Reports.--Not later than 1 year after the date
of the enactment of this Act, and on an ongoing basis
thereafter, the head of each executive agency shall provide
to the Director of OMB, the Director of CISA, and the
National Cyber Director an inventory of all information
technology in use by the executive agency that is vulnerable
to decryption by quantum computers.
(c) Migration and Assessment.--
(1) Migration to post-quantum cryptography.--Not later than
1 year after the date on which the Director of NIST has
issued post-quantum cryptography standards, the Director of
OMB shall issue guidance requiring each executive agency to
develop a plan, including interim benchmarks, to migrate
information technology of the agency to post-quantum
cryptography.
(2) Designation of systems for migration.--Not later than
90 days after the date on which the guidance required by
paragraph (1) has been issued, the Director of OMB shall
issue guidance for agencies to--
(A) designate information technology to be migrated to
post-quantum cryptography; and
(B) prioritize information technology designated under
subparagraph (A), on the basis of the amount of risk posed by
decryption by quantum computers to such technology, for
migration to post-quantum cryptography.
(d) Interoperability.--The Director of OMB shall ensure
that the designations and prioritizations made under
subsection (c)(2) are assessed and coordinated to ensure
interoperability.
(e) Report on Post-quantum Cryptography.--Not later than 15
months after the date of the enactment of this Act, the
Director of OMB shall submit to Congress a report on the
following:
(1) A strategy to address the risk posed by the
vulnerabilities of information technology systems of
executive agencies to weakened encryption due to the
potential and possible capability of a quantum computer to
breach such encryption.
(2) The amount of funding needed by executive agencies to
secure such information technology systems from the risk
posed by an adversary of the United States using a quantum
computer to breach the encryption of information technology
systems.
(3) A description of Federal civilian executive branch
coordination efforts led by the National Institute of
Standards and Technology, including timelines, to develop
standards for post-quantum cryptography, including any
Federal Information Processing Standards developed under
chapter 35 of title 44, United States Code, as well as
standards developed through voluntary, consensus standards
bodies such as the International Organization for
Standardization.
(f) Report on Migration to Post-quantum Cryptography in
Information Technology Systems.--Not later than 1 year after
the date on which the Director of OMB issues guidance under
subsection (c)(2), and annually thereafter until the date
that is 5 years after the date on which post-quantum
cryptographic standards are issued, the Director of OMB shall
submit to Congress, with the report submitted pursuant to
section 3553(c) of title 44, United States Code, a report on
the progress of executive agencies in adopting post-quantum
cryptography standards.
(g) Definitions.--In this Act:
(1) Classical computer.--The term ``classical computer''
means a device that accepts digital data and manipulates the
information based on a program or sequence of instructions
for how data is to be processed and encodes information in
binary bits that can either be 0s or 1s.
(2) Director of nist.--The term ``Director of NIST'' means
the Director of the National Institute of Standards and
Technology.
(3) Director of omb.--The term ``Director of OMB'' means
the Director of the Office of Management and Budget.
(5) Executive agency.--The term ``executive agency'' has
the meaning given the term ``Executive agency'' in section
105 of title 5, United States Code.
(6) Information technology.--The term ``information
technology'' has the meaning given that term in section 3502
of title 44, United States Code.
(7) Post-quantum cryptography.--The term ``post-quantum
cryptography'' means a cryptographic system that--
(A) is secure against decryption attempts using a quantum
computer or classical computer; and
(B) can interoperate with existing communications protocols
and networks.
(8) Quantum computer.--The term ``quantum computer'' means
a computer that uses the collective properties of quantum
states to perform calculations.
SEC. 4. DETERMINATION OF BUDGETARY EFFECTS.
The budgetary effects of this Act, for the purpose of
complying with the Statutory Pay-As-You-Go Act of 2010, shall
be determined by reference to the latest statement titled
``Budgetary Effects of PAYGO Legislation'' for this Act,
submitted for printing in the Congressional Record by the
Chairman of the House Budget Committee, provided that such
statement has been submitted prior to the vote on passage.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
New York (Mrs. Carolyn B. Maloney) and the gentleman from Pennsylvania
(Mr. Keller) each will control 20 minutes.
The Chair recognizes the gentlewoman from New York.
General Leave
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I ask unanimous
consent that all Members may have 5 legislative days within which to
revise and extend their remarks and include extraneous material on this
measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from New York?
There was no objection.
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself such
time as I may consume.
I rise in support of H.R. 7535, the Quantum Computing Cybersecurity
Preparedness Act.
Today, the processes we use to encrypt data are incredibly reliable
and can keep sensitive data secure from unauthorized users during
storage or transmission. But tomorrow, that may no longer be the case.
Researchers around the world are accelerating advances toward quantum
computing, which refers to the application of quantum physics to
computers. This will allow the computers of tomorrow to perform
calculations many magnitudes faster and more powerfully than they do
today.
While quantum computers have the potential to provide considerable
benefits to society through unimaginable innovation, they could also
equip our adversaries with the ability to break the best encryptions
available today.
Capabilities of this magnitude are estimated to be a decade or more
away, but China and other adversaries are expected to begin stealing
sensitive encrypted data much sooner with the intent of unlocking it
when they have the ability to do so. It is essential that the Federal
Government prepare for this inevitability now while we still have time
to protect data that is critical to our national and economic security.
The process of migrating all Federal IT systems to post-quantum
cryptography will be complex and costly, but putting the right steps in
place now will help us stay at the forefront of this frontier.
I applaud Representative Ro Khanna, as well as Representatives Nancy
Mace and Gerry Connolly, for introducing this thoughtful bipartisan
bill to establish this process.
Within a year of enactment, the bill would require the Office of
Management and Budget to submit a report to Congress containing a
strategy for addressing the risk posed by quantum computing, the
funding needed to secure Federal information technology systems from
quantum computing threats, and a review of related coordination
efforts. This will allow time for assessment of this strategy before
the National Institute of Standards and Technology issues its post-
quantum cryptographic standards, which are expected in 2024.
OMB would then be required to prioritize and designate Federal IT
systems for migration to post-quantum cryptography using those
standards and to submit an annual report to Congress on progress toward
transitioning Federal agencies to the new standards.
The bill has been carefully aligned with the national security
memorandum released by the Biden-Harris administration in May, which
made important strides to advance U.S. leadership in quantum computing
by strengthening collaboration and partnerships with private-sector
leaders, securing critical capabilities, and making strategic
investments.
I am grateful to Representative Ro Khanna for leading on this
important issue and setting an ambitious but achievable framework to
both maximize the benefits and minimize the threats of quantum
computing for the U.S.
Mr. Speaker, I urge support for this bill, and I reserve the balance
of my time.
Mr. KELLER. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, as an emerging technology, quantum computing holds great
promise and potential peril for our Nation. It has the potential to
exponentially increase computing power and processing speeds, which
will mean technological leaps for American research activities and
business sectors.
While such major advances are likely decades away, there is a clear
risk that foreign adversaries like China are using early developments
in quantum computing technology for malicious purposes.
One immediate risk is that our foreign adversaries may use the first
quantum computers to unlock data that has already been stolen from U.S.
Federal agencies.
Current data encryption methods protect the privacy, security, and
integrity of underlying data and are nearly impossible to decrypt with
today's computing capabilities. The computations required to unlock
encrypted data require computing resources that we do not currently
possess. However, as quantum computing matures, so does the possibility
that sensitive information could be unlocked. This is a clear national
security threat.
The Quantum Computing Cybersecurity Preparedness Act will require a
governmentwide strategy to better secure valuable government data.
While the Federal Government already has initiatives underway to
address such emerging threats, including the development of post-
quantum cryptography standards and a recent Presidential national
security directive, H.R. 7535 makes this a clear congressional
priority.
The bill requires a governmentwide review of vulnerable agency
information systems and consistent guidance to Federal agencies, and it
seeks to ensure proper congressional oversight.
Advancing a strategic approach to evaluating quantum computing risks
to Federal IT and network cybersecurity is important given the
significant potential risk to our public-sector data.
{time} 1445
And since this bill only requires centralized guidance and reporting,
the Congressional Budget Office found it would cost American taxpayers
less than $1 million over 5 years. This is a reasonable investment.
Mr. Speaker, I thank my House Oversight and Reform Committee
colleagues, Representatives Ro Khanna and Nancy Mace for their work on
this important bill.
Mr. Speaker, I reserve the balance of my time.
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield such time
as he may consume to the gentleman from California (Mr. Khanna).
Mr. KHANNA. Mr. Speaker, I thank Chairwoman Maloney and Chairman
Connolly for their leadership, and I thank the bipartisan leadership
with Representative Mace and the Republican committee.
This is the most significant legislation to address the challenge
that quantum computing poses to our security. The reality is that
quantum computing is going to be much faster and can do many more
things than regular computing.
For example, if you have an iPhone and you have a pass code on the
iPhone, now you have a computer that can do a billion different
combinations to try your pass code in a matter of a few seconds.
Chances are they can break through the pass code. The problem is that a
lot of the bad actors--they have been stealing American data from our
government in anticipation of having these quantum computers, these
super-fast computers--try all the combinations to break through.
I am proud that this committee, on a bipartisan basis, came together,
and said: We need to make sure that our security in our critical
agencies does not suffer from these computers that can try all these
codes. Let's design that security in a way that will be safe, even with
quantum computing.
The bill directs the agencies to start having those algorithms now
that are not vulnerable to these supercomputers. It is an example, with
Representative Mace and the committee, of Congress actually working, of
Congress being proactive, of Congress looking ahead on the horizon and
anticipating problems to keep the American people safe.
Mr. Speaker, I also appreciate the bipartisan spirit. I acknowledge
Geo Saba, my staff, and all of the staff on the Oversight and Reform
Committee, both the majority and minority, for helping make this
possible.
Mr. KELLER. Mr. Speaker, I yield 3 minutes to the gentlewoman from
South Carolina (Ms. Mace).
Ms. MACE. Mr. Speaker, I rise in support of H.R. 7535, the Quantum
Computing Cybersecurity Preparedness Act, a truly bipartisan piece of
legislation.
I thank Congressman Ro Khanna from California for his leadership in
this and Congressman Connolly and Congresswoman Maloney for working
together across the aisle on an issue like this.
I could never imagine 20 years ago--or further than that, 40 years
ago, 35 years ago--playing with an Apple IIe in the 1980s, and fast-
forward to college as a cadet at the Citadel, learning and teaching
myself how to code. We have seen leaps and bounds in technology and the
advances over the last decades in technology.
We see the risks to our national security here and abroad, and we are
working together in this environment today where many of us are
attacked for working together but looking forward and looking to the
future and protecting our country and protecting our allies.
Quantum computing is without a doubt the next frontier in technology.
It will take our civilization forward by leaps and bounds. In many
ways, it will turn conventional understanding of computing on its head.
I am here to tell you that the quantum computing era is upon us.
Just 3 years ago, an entry level quantum computer the size of a
refrigerator was proven capable of outperforming a supercomputer the
size of a football field. Imagine the advances in technology in that
short a period of time and how quickly we are moving forward to the
future.
We are looking at a world not unlike the last few days of the
Manhattan Project, knowing what is to come will alter the security of
the world forever. Fortunately, as with the development of the atomic
bomb, America is at the forefront of pioneering this kind of
technology--no doubt by leadership from Congressman Khanna and others.
We must inevitably face the reality that one day soon this technology
may, in fact, be used against us by China and others that are against
us today. The most significant threat of quantum computing is its
ability to break through encryption with unprecedented speed.
Currently, our sensitive data is usually encrypted and protected with
a password. It might take a conventional computer years or even decades
to try to break that password and eventually steal your data.
In the next few years or decades, a computer will be created which
will crack the last 20 years of encryption--not in years or months, but
in minutes or seconds. To prevent any illicit use of this technology,
we want to ensure that we are transitioning to a post-quantum
cryptography future, to ensure Federal agencies that their sensitive
information remains secure from any prying eyes. And we know that in
2020 we had 11 Federal agencies that were hacked by those that aligned
with China and with Russia--11 Federal agencies.
Our bill prompts the Federal Government to begin taking the necessary
steps to future proof current sensitive information and its databases.
It will ensure the Federal Government will study the specific risks,
draft a report on strategies to address these risks, and estimate the
costs associated with securing our agencies and their IT systems.
Mr. Speaker, I thank my colleagues across the aisle for their work
and their leadership on this issue.
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, if the gentleman
from Pennsylvania has no further speakers, I am prepared to close, and
I reserve the balance of my time.
Mr. KELLER. Mr. Speaker, I encourage my colleagues to support this
bipartisan bill that addresses an emerging national security issue.
Mr. Speaker, I yield back the balance of my time.
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I urge passage of
H.R. 7535, as amended, and I yield back the balance of my time.
The SPEAKER pro tempore (Mr. Peters). The question is on the motion
offered by the gentlewoman from New York (Mrs. Carolyn B. Maloney) that
the House suspend the rules and pass the bill, H.R. 7535, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.