[Senate Report 117-251]
[From the U.S. Government Publishing Office]
Calendar No. 635
117th Congress } { Report
SENATE
2d Session } { 117-251
_______________________________________________________________________
QUANTUM COMPUTER CYBERSECURITY PREPAREDNESS ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 4592
TO ENCOURAGE THE MIGRATION OF FEDERAL GOVERNMENT
INFORMATION TECHNOLOGY SYSTEMS TO QUANTUM-RESISTANT
CRYPTOGRAPHY, AND FOR OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
December 13, 2022.--Ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
39-010 WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona RAND PAUL, Kentucky
JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma
ALEX PADILLA, California MITT ROMNEY, Utah
JON OSSOFF, Georgia RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Jeffrey D. Rothblum, Senior Professional Staff Member
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
William H.W. McKenna, Minority Chief Counsel
Laura W. Kilbride, Chief Clerk
Calendar No. 635
117th Congress } { Report
SENATE
2d Session } { 117-251
======================================================================
QUANTUM COMPUTER CYBERSECURITY
PREPAREDNESS ACT
_______
December 13, 2022.--Ordered to be printed
_______
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 4592]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 4592) to encourage
the migration of Federal Government information technology
systems to quantum-resistant cryptography, and for other
purposes, having considered the same, reports favorably thereon
with an amendment and recommends that the bill, as amended, do
pass.
CONTENTS
Page
I. Purpose and Summary.............................................. 1
II. Background and Need for the Legislation.......................... 2
III. Legislative History.............................................. 3
IV. Section-by-Section Analysis of the Bill, as Reported............. 3
V. Evaluation of Regulatory Impact.................................. 4
VI. Congressional Budget Office Cost Estimate........................ 5
VII. Changes in Existing Law Made by the Bill, as Reported............ 6
I. PURPOSE AND SUMMARY
Scientists and engineers have demonstrated that certain
problems that are effectively impossible for conventional,
classical computers to solve because of the length of time it
would take, can be solved in exponentially less time on quantum
computers.\1\ As the technology to develop practical quantum
computers continues to advance, experts expect the technology
to raise challenges to current cryptography methods, putting
existing encryption and data protection methods at risk.\2\ S.
4592, the Quantum Computer Cybersecurity Act, is based on
President Biden's National Security Memorandum addressing
``risks posed by quantum computers to America's
cybersecurity.'' The bill requires the Director of the Office
of Management and Budget (OMB) and federal agencies to take
actions to address these challenges and protect federal data
and information systems.
---------------------------------------------------------------------------
\1\In 2019 researchers demonstrated that a quantum computer was
able to perform a function in 200 seconds, which would take a state-of-
the-art classical supercomputer approximately 10,000 years. F. Arute et
al., Quantum supremacy using a programmable superconducting processor,
Nature (Oct. 23, 2019); California Institute of Technology, What Is
Quantum Computing? (accessed Dec. 6, 2022) (https://
scienceexchange.caltech.edu/topics/quantum-science-explained/quantum-
computing-computers).
\2\California Institute of Technology, How Will Quantum
Technologies Change Cryptography? (accessed Dec. 6, 2022) (https://
scienceexchange.caltech.edu/topics/quantum-science-explained/quantum-
cryptography).
---------------------------------------------------------------------------
II. BACKGROUND AND NEED FOR THE LEGISLATION
Quantum computing is a rapidly-emerging technology that
harnesses the laws of quantum mechanics to solve problems too
complex for classical computers, which rely on classical
physics principles.\3\ This foundational difference in
computing method enables quantum computers to make certain
highly complex calculations far more efficiently than classical
computers. The continuing advancements of quantum computing
technology is anticipated to have wide-ranging applications,
including in artificial intelligence, cybersecurity, biological
engineering, financial services, including the ability to break
current cryptographic systems.\4\
---------------------------------------------------------------------------
\3\IBM, What is quantum computing? (accessed Dec. 6, 2022) (https:/
/www.ibm.com/topics/quantum-computing).
\4\Quantum Computing is Coming. What Can it Do?, Harvard Business
Review, (July 16, 2021) (https://hbr.org/2021/07/quantum-computing-is-
coming-what-can-it-do); California Institute of Technology, What Is
Quantum Computing? (accessed Dec. 6, 2022) (https://
scienceexchange.caltech.edu/topics/quantum-science-explained/quantum-
computing-computers); California Institute of Technology, How Will
Quantum Technologies Change Cryptography? (accessed Dec. 6, 2022)
(https://scienceexchange.caltech.edu/topics/quantum-science-explained/
quantum-cryptography); U.S. Department of Energy, Office of Science,
DOE Explains Quantum Computing (accessed Dec. 6, 2022) (https://
www.energy.gov/science/doe-explainsquantum-computing).
---------------------------------------------------------------------------
The threat of quantum computing to current encryption
schemes today is minimal, but the future risks are not
hypothetical--since 1994 scientists have predicted that quantum
computers would be able to crack existing encryption
schemes.\5\ The National Institute of Standards and Technology
(NIST) began work in 2016 to identify ``quantum-resistant''
encryption algorithms, meaning they would be less susceptible
to a quantum computer's attack, and announced in July 2022 the
first four algorithms that met such a standard.\6\
---------------------------------------------------------------------------
\5\Worried that quantum computers will supercharge hacking, White
House calls for encryption shift, American Association for the
Advancement of Science, (May 5, 2022) (https://www.science.org/content/
article/worried-quantum-computers-will-supercharge-hacking-white-house-
calls-encryption-shift); Quantum computers could crack today's
encrypted messages. That's a problem, CNET (May 24, 2021) (https://
www.cnet.com/tech/computing/quantum-computers-could-crack-todays-
encrypted-messages-thats-a-problem).
\6\National Institute of Standards and Technology: NIST Asks Public
to Help Future-Proof Electronic Information (Dec. 20, 2016); National
Institute of Standards and Technology: NIST Announces First Four
Quantum-Resistant Cryptographic Algorithms (Jul. 5, 2022).
---------------------------------------------------------------------------
In May 2022, President Biden signed a quantum computing
National Security Memorandum recognizing this threat by
identifying ``key steps needed to maintain the Nation's
competitive advantage in quantum information science (QIS),
while mitigating the risks of quantum computers to the Nation's
cyber, economic, and national security.''\7\ The NSM requires a
number of actions for agencies to take to migrate information
systems to quantum-resistant cryptography, in anticipation of
those systems becoming vulnerable as quantum computing
technology continues to advance.\8\
---------------------------------------------------------------------------
\7\The White House, Promoting United States Leadership in Quantum
Computing While Mitigating Risks to Vulnerable Cryptographic Systems
(NSM-10) (May 4, 2022).
\8\Id.
---------------------------------------------------------------------------
S. 4592, the Quantum Computer Cybersecurity Act, codifies
the NSM and requires Director of OMB and the heads of federal
agencies to prepare for the migration of systems to quantum-
resistant encryption. The bill requires agencies to inventory
their information technology systems and prioritize which
systems need to be migrated to quantum-resistant encryption
systems. The bill also requires the Director of OMB to submit a
report to Congress on strategies to address the vulnerabilities
of agency information technology systems based on the potential
capabilities of quantum computers, including an estimate of the
necessary funding to secure those systems and a description of
federal coordination efforts to develop standards for quantum
resistant cryptography.
III. LEGISLATIVE HISTORY
Senators Hassan (D-NH) and Portman (R-OH) introduced S.
4592, the Quantum Computer Cybersecurity Preparedness Act, on
July 21, 2022. The bill was referred to the Committee on
Homeland Security and Governmental Affairs.
The Committee considered S. 4592 at a business meeting on
August 3, 2022. There were no proposed amendments to the bill.
The Committee ordered the bill to be reported favorably by
voice vote en bloc. Senators present for the voter were:
Peters, Hassan, Sinema, Rosen, Padilla, Ossoff, Lankford,
Romney, Scott, and Hawley.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section designates the name of the bill as the
``Quantum Computer Cybersecurity Preparedness Act.''
Section 2. Findings; sense of Congress
This section details the findings made by Congress on the
potential applications of quantum computers and cryptography.
It states that quantum computers might one day have the ability
to push computational boundaries, allowing us to solve problems
that have been intractable thus far, such as integer
factorization, which is important for encryption.
It also states that the rapid progress of quantum computing
suggests the potential for adversaries of the United States to
steal sensitive encrypted data today using classical computers,
and wait until sufficiently powerful quantum systems are
available to decrypt it.
Based on these findings, it is the sense of Congress that a
strategy to transition information technology into a model of
post-quantum cryptography is needed.
Section 3. Definitions
This section defines the terms ``classical computer,''
``Director of CISA,'' ``Director of NIST,'' ``Director of
OMB,'' ``executive agency,'' ``information technology,''
``post-quantum cryptography,'' and ``quantum computer.''
Section 4. Inventory of cryptography systems; migration to post-quantum
cryptography
Subsection (a) mandates the Director of OMB to require each
executive agency to establish and maintain an inventory of each
cryptographic system in use by the agency. The requirement by
the Director of OMB will be made by rule or binding guidance
and must include the following: a description of information
technology to be prioritized for migration to post-quantum
cryptography, a description of the information required to be
reported, and a process for evaluating progress on migrating
information technology to post-quantum cryptography. This
subsection also grants the Director of OMB with the ability to
update the rule or binding guidance as they see fit.
Subsection (b) requires each executive agency to provide an
inventory of all information technology in use by the executive
agency that is vulnerable to decryption by quantum computers.
This inventory report must be provided to the Director of OMB,
the Director of CISA, and the National Cyber Director no later
than 1 year after the enactment of S. 4592.
Subsection (c) requires the Director of OMB to issue
guidance requiring executive agencies to a plan to transition
its information technology to post-quantum cryptography. This
subsection also directs OMB to issue guidance on which
information technologies to prioritize based on their risk and
potential to be decrypted by quantum computers.
Subsection (d) requires the Director of OMB to ensure that
the designation and prioritizations of specific information
technologies are interoperable.
Subsection (e) requires the Director of OMB to submit a
report to Congress detailing a strategy to address
vulnerabilities within the encryptions of information
technologies and their ability to defend against potential
breaches from quantum computers. The report must also include
an estimate on the necessary funding for executive agencies to
develop their defenses and a description of Federal civilian
executive coordination efforts.
Subsection (f) requires the Director of OMB to submit a
progress report to Congress on the improvements made within
executive agencies in adopting post-quantum cryptography
standards.
Section 5. Determination of budget effects
This section states that the budgetary effects of this Act
will be determined by reference to statement titled ``Budgetary
Effects of PAYGO Legislation''.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, August 16, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 4592, the Quantum
Computing Cybersecurity Preparedness Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Quantum computers use advanced algorithms and subatomic
particles to process complex problems significantly faster than
traditional computers. While still in the early stages of
development, quantum computers could allow malicious actors to
decrypt classified information stored on federal networks. S.
4592 would require federal agencies to compile inventories of
information systems that could be vulnerable to decryption by
quantum computers. The bill also would require the Office of
Management and Budget to issue guidance to agencies on the
adoption of technology that is protected from decryption by
quantum computing and to report to the Congress on the
effectiveness of its efforts.
National Security Memorandum 10, Promoting United States
Leadership in Quantum Computing While Mitigating Risks to
Vulnerable Cryptographic Systems, issued on May 4, 2022,
requires federal agencies to prepare for the future risks of
quantum decryption. Thus, because most of the planning required
under S. 4592 will be completed under current law, CBO expects
that satisfying those requirements would not have significant
costs. On the basis of similar reports to the Congress, CBO
estimates that satisfying the reporting requirements would cost
$1 million over the 2022-2027 period. Such spending would be
subject to the availability of appropriated funds.
Enacting S. 4592 could affect direct spending by some
agencies that use fees, receipts from the sale of goods, and
other collections to cover operating costs. CBO estimates that
any net changes in direct spending would be negligible because
most of those agencies can adjust amounts collected to
accommodate changes in operating costs.
On June 7, 2022, CBO transmitted a cost estimate for H.R.
7535, the Quantum Computing Cybersecurity Preparedness Act, as
ordered reported by the House Committee on Oversight and Reform
on May 11, 2022. The two bills are similar, and CBO's estimates
of their costs are the same.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Director of
Budget.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation would make no change in existing law,
within the meaning of clauses (a) and (b) of subparagraph 12 of
rule XXVI of the Standing Rules of the Senate, because this
legislation would not repeal or amend any provision of current
law.
[all]