[Congressional Record Volume 168, Number 192 (Monday, December 12, 2022)]
[House]
[Pages H9659-H9661]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
QUANTUM COMPUTING CYBERSECURITY PREPAREDNESS ACT
Ms. NORTON. Madam Speaker, I move to suspend the rules and concur in
the Senate amendment to the bill (H.R. 7535) to encourage the migration
of Federal Government information technology systems to quantum-
resistant cryptography, and for other purposes.
The Clerk read the title of the bill.
The text of the Senate amendment is as follows:
Senate amendment:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Quantum Computing
Cybersecurity Preparedness Act''.
SEC. 2. FINDINGS; SENSE OF CONGRESS.
(a) Findings.--Congress finds the following:
(1) Cryptography is essential for the national security of
the United States and the functioning of the economy of the
United States.
(2) The most widespread encryption protocols today rely on
computational limits of classical computers to provide
cybersecurity.
(3) Quantum computers might one day have the ability to
push computational boundaries, allowing us to solve problems
that have been intractable thus far, such as integer
factorization, which is important for encryption.
(4) The rapid progress of quantum computing suggests the
potential for adversaries of the United States to steal
sensitive encrypted data today using classical computers, and
wait until sufficiently powerful quantum systems are
available to decrypt it.
(b) Sense of Congress.--It is the sense of Congress that--
(1) a strategy for the migration of information technology
of the Federal Government to post-quantum cryptography is
needed; and
(2) the governmentwide and industrywide approach to post-
quantum cryptography should prioritize developing
applications, hardware intellectual property, and software
that can be easily updated to support cryptographic agility.
SEC. 3. DEFINITIONS.
In this Act:
(1) Agency .--The term ``agency''--
(A) means any executive department, military department,
Government corporation, Government controlled corporation, or
other establishment in the executive branch of the Government
(including the Executive Office of the President), or any
independent regulatory agency; and
(B) does not include--
(i) the Government Accountability Office; or
(ii) the governments of the District of Columbia and of the
territories and possessions of the United States, and their
various subdivisions.
(2) Classical computer.--The term ``classical computer''
means a device that accepts digital data and manipulates the
information based on a program or sequence of instructions
for how data is to be processed and encodes information in
binary bits that can either be 0s or 1s.
(3) Director of cisa.--The term ``Director of CISA'' means
the Director of the Cybersecurity and Infrastructure Security
Agency.
(4) Director of nist.--The term ``Director of NIST'' means
the Director of the National Institute of Standards and
Technology.
(5) Director of omb.--The term ``Director of OMB'' means
the Director of the Office of Management and Budget.
(6) Information technology.--The term ``information
technology'' has the meaning given the term in section 3502
of title 44, United States Code.
(7) National security system.--The term ``national security
system'' has the meaning given the term in section 3552 of
title 44, United States Code.
(8) Post-quantum cryptography.--The term ``post-quantum
cryptography'' means those cryptographic algorithms or
methods that are assessed not to be specifically vulnerable
to attack by either a quantum computer or classical computer.
(9) Quantum computer.--The term ``quantum computer'' means
a computer that uses the collective properties of quantum
states, such as superposition, interference, and
entanglement, to perform calculations.
SEC. 4. INVENTORY OF CRYPTOGRAPHIC SYSTEMS; MIGRATION TO
POST-QUANTUM CRYPTOGRAPHY.
(a) Inventory.--
(1) Establishment.--Not later than 180 days after the date
of enactment of this Act, the Director of OMB, in
coordination with the National Cyber Director and in
consultation with the Director of CISA, shall issue guidance
on the migration of information technology to post-quantum
cryptography, which shall include at a minimum--
(A) a requirement for each agency to establish and maintain
a current inventory of information technology in use by the
agency that is vulnerable to decryption by quantum computers,
prioritized using the criteria described in subparagraph (B);
(B) criteria to allow agencies to prioritize their
inventory efforts; and
(C) a description of the information required to be
reported pursuant to subsection (b).
(2) Additional content in guidance.--In the guidance
established by paragraph (1), the Director of OMB shall
include, in addition to the requirements described in that
paragraph--
(A) a description of information technology to be
prioritized for migration to post-quantum cryptography; and
(B) a process for evaluating progress on migrating
information technology to post-quantum cryptography, which
shall be automated to the greatest extent practicable.
(3) Periodic updates.--The Director of OMB shall update the
guidance required under paragraph (1) as the Director of OMB
determines necessary, in coordination with the National Cyber
Director and in consultation with the Director of CISA.
(b) Agency Reports.--Not later than 1 year after the date
of enactment of this Act, and on an ongoing basis thereafter,
the head of each
[[Page H9660]]
agency shall provide to the Director of OMB, the Director of
CISA, and the National Cyber Director--
(1) the inventory described in subsection (a)(1); and
(2) any other information required to be reported under
subsection (a)(1)(C).
(c) Migration and Assessment.--Not later than 1 year after
the date on which the Director of NIST has issued post-
quantum cryptography standards, the Director of OMB shall
issue guidance requiring each agency to--
(1) prioritize information technology described under
subsection (a)(2)(A) for migration to post-quantum
cryptography; and
(2) develop a plan to migrate information technology of the
agency to post-quantum cryptography consistent with the
prioritization under paragraph (1).
(d) Interoperability.--The Director of OMB shall ensure
that the prioritizations made under subsection (c)(1) are
assessed and coordinated to ensure interoperability.
(e) Office of Management and Budget Reports.--
(1) Report on post-quantum cryptography.--Not later than 15
months after the date of enactment of this Act, the Director
of OMB, in coordination with the National Cyber Director and
in consultation with the Director of CISA, shall submit to
the Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Oversight and Reform of
the House of Representatives a report on the following:
(A) A strategy to address the risk posed by the
vulnerabilities of information technology of agencies to
weakened encryption due to the potential and possible
capability of a quantum computer to breach that encryption.
(B) An estimate of the amount of funding needed by agencies
to secure the information technology described in subsection
(a)(1)(A) from the risk posed by an adversary of the United
States using a quantum computer to breach the encryption of
the information technology.
(C) A description of Federal civilian executive branch
coordination efforts led by the National Institute of
Standards and Technology, including timelines, to develop
standards for post-quantum cryptography, including any
Federal Information Processing Standards developed under
chapter 35 of title 44, United States Code, as well as
standards developed through voluntary, consensus standards
bodies such as the International Organization for
Standardization.
(2) Report on migration to post-quantum cryptography in
information technology.--Not later than 1 year after the date
on which the Director of OMB issues guidance under subsection
(c)(2), and thereafter until the date that is 5 years after
the date on which post-quantum cryptographic standards are
issued, the Director of OMB, in coordination with the
National Cyber Director and in consultation with the Director
of CISA, shall submit to the Committee on Homeland Security
and Governmental Affairs of the Senate and the Committee on
Oversight and Reform of the House of Representatives, with
the report submitted pursuant to section 3553(c) of title 44,
United States Code, a report on the progress of agencies in
adopting post-quantum cryptography standards.
SEC. 5. EXEMPTION OF NATIONAL SECURITY SYSTEMS.
This Act shall not apply to any national security system.
SEC. 6. DETERMINATION OF BUDGETARY EFFECTS.
The budgetary effects of this Act, for the purpose of
complying with the Statutory Pay-As-You-Go Act of 2010, shall
be determined by reference to the latest statement titled
``Budgetary Effects of PAYGO Legislation'' for this Act,
submitted for printing in the Congressional Record by the
Chairman of the House Budget Committee, provided that such
statement has been submitted prior to the vote on passage.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
the District of Columbia (Ms. Norton) and the gentlewoman from New
Mexico (Ms. Herrell) each will control 20 minutes.
The Chair recognizes the gentlewoman from the District of Columbia
(Ms. Norton).
general leave
Ms. NORTON. Madam Speaker, I ask unanimous consent that all Members
have 5 legislative days in which to revise and extend their remarks and
include extraneous material on the measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from the District of Columbia?
There was no objection.
Ms. NORTON. Madam Speaker, I yield myself such time as I may consume.
Madam Speaker, I strongly support the Quantum Computing Cybersecurity
Preparedness Act.
Last year, Congressman Khanna came to me about a grave national
security threat looming on the horizon.
Today, the processes we use to encrypt data are very reliable and can
keep sensitive data secure during storage or transmission. But
tomorrow, that may no longer be the case.
Researchers around the world are making rapid advances toward quantum
computing, which is the application of quantum physics to allow
computers to perform calculations many magnitudes faster and more
powerfully than they do today.
While quantum computers have the potential to provide considerable
benefits to society, it is also increasingly likely that they could
allow our adversaries to break the best encryption we are capable of
today.
Capabilities of this magnitude are likely still a decade or more in
the future, but China and other adversaries are expected to begin
stealing sensitive encrypted data much sooner to unlock it when they
have the capacity to do so.
It is essential that the Federal Government prepare for this
inevitability now, while we still have time to protect data that is
critical to our national and economic security. The process of
migrating all Federal IT systems to quantum-resistant cryptography will
be complex and costly, but we need to start laying the groundwork for
this today.
I applaud Mr. Khanna, as well as Ms. Mace, Mr. Connolly, and Senator
Hassan, for introducing the Senate companion, all of them for putting
forth a thoughtful, bipartisan bill to establish that very process.
This bill would require the Office of Management and Budget to
quickly issue guidance requiring Federal agencies to create and
maintain inventories of all cryptographic systems currently in use, as
well as all Federal IT systems that could be vulnerable to future
quantum computers.
Within a year, OMB would be required to submit to Congress a strategy
for addressing the risk posed by quantum computing, allowing time for
assessment of this strategy before the National Institute of Standards
and Technology is expected to issue its standards for how to deal with
quantum computing in 2024.
The OMB would then be required to issue guidance requiring agencies
to develop a plan to migrate their IT systems to quantum-resistant
cryptography using those standards and to consult with the Chief
Information Officers Council to prioritize agency IT systems for
migration based on risk.
The bill before us today provides more concrete direction to support
this vision, and I urge my colleagues to support it.
Madam Speaker, I reserve the balance of my time.
Ms. HERRELL. Madam Speaker, I yield myself such time as I may
consume.
Madam Speaker, as we wind down the 117th Congress, I am glad to be
here supporting final passage of the Quantum Computer Cybersecurity
Preparedness Act, a bipartisan bill the House sent to the Senate just
this past July.
After the Senate made technical, perfecting edits, we are here today
to consider sending H.R. 7535 to the President.
As an emerging technology, quantum computing holds great promise and
potential peril for our Nation.
While the technology continues to rapidly develop with potential to
improve computing capabilities for American research in the economy,
there is a clear risk that foreign adversaries, like China, will be
using this technology for malicious purposes.
One such risk is that our foreign adversaries may use the first
quantum computers to unlock data that has already been stolen from U.S.
Federal agencies.
Current data encryption methods are nearly impossible to decrypt with
today's computing capabilities.
However, mature quantum computing systems could unlock our most
sensitive information. This is a clear national security threat.
The Quantum Computing Cybersecurity Preparedness Act will require a
government-wide strategy to better secure valuable government data.
While the Federal Government already has initiatives underway to
address these emerging threats--such as a recent Presidential national
security directive--H.R. 7535 makes this a clear congressional
priority.
Advancing a strategic approach to evaluating quantum computing risks
to Federal IT and network cybersecurity is important given the
significant potential risk to our public-sector data.
Madam Speaker, I thank my House Oversight Committee colleagues,
Representatives Ro Khanna and Nancy
[[Page H9661]]
Mace, for their work on this important bill.
Madam Speaker, I encourage my colleagues to support this bill, and I
reserve the balance of my time.
{time} 1445
Ms. NORTON. Madam Speaker, I reserve the balance of my time.
Ms. HERRELL. Madam Speaker, I yield 3 minutes to the gentlewoman from
South Carolina (Ms. Mace).
Ms. MACE. Madam Speaker, I rise today in support of the Quantum
Computing Cybersecurity Preparedness Act.
I first thank Congressman Ro Khanna and Ranking Member Comer for
their assistance in helping craft this important legislation. There is
no doubt Congressman Khanna has been a leader in this Congress on
cybersecurity measures, coming from a cyber and technology background
to Congress. Being able to serve with him and put this bill together,
which is heading to, it looks like, the desk of the President to be
signed into law, is no small feat.
Cybersecurity is national security, and today, we are going to vote
on this bill and send it to the President of the United States to be
signed into law.
H.R. 7535 will help future-proof the security of sensitive data and
information which Federal agencies use in support of their missions.
Quantum computing might sound like something far and away and very
far off in the future, but we face the threat of real adversaries
stealing very sensitive, encrypted information from the Federal
Government with the hope of unlocking it in the future. That threat is
here, and that threat is real today.
In 2020, there were 11 Federal agencies that were hacked by agents of
Russia and China, so there is no time like the present to put
legislation like this through.
We need to strengthen and protect our Nation's systems and keep our
data secure. Now, we will have the opportunity to see the progress that
we are making in the Federal Government through this annual report
through OMB.
Transitioning to post-quantum cryptography is a necessary step to
ensure Federal agencies' sensitive information remains secure from
prying eyes.
The future of quantum computing brings with it both significant
opportunities and significant risks, but I am very optimistic about the
power of quantum computing and the technology advances that we are
making on this frontier.
Madam Speaker, I encourage all of my colleagues to vote for this
measure today, and I look forward to its passage and being signed into
law.
Ms. NORTON. Madam Speaker, I reserve the balance of my time.
Ms. HERRELL. Madam Speaker, I encourage my colleagues to support this
bipartisan bill that addresses an emerging national security issue, and
I yield back the balance of my time.
Ms. NORTON. Madam Speaker, I urge concurrence in the Senate amendment
to H.R. 7535, and I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from the District of Columbia (Ms. Norton) that the House
suspend the rules and concur in the Senate amendment to the bill, H.R.
7535.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. ROSENDALE. Madam Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further
proceedings on this motion will be postponed.
____________________