Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

GAO-25-107703 Published: Nov 21, 2024. Publicly Released: Nov 21, 2024.
Fast Facts

Cryptography is a set of mathematical processes that can "lock," "unlock," or authenticate information. Agencies, banks, utilities, and others rely on cryptography—e.g., data encryption algorithms—to secure systems and data.

Experts predict that a quantum computer capable of breaking such cryptography may exist within 10-20 years.

Various federal entities have developed documents that inform a national strategy for addressing this threat. But the strategy lacks details and nobody's in charge of implementing it. We recommended the National Cyber Director coordinate the national strategy and use our guidelines for effective national strategies.

Highlights

What GAO Found

Federal agencies and our nation's critical infrastructure—such as energy, transportation systems, communications, and financial services—rely on cryptography (e.g., encryption) to protect sensitive data and systems. However, some experts predict that a quantum computer capable of breaking certain cryptography—referred to as a cryptographically relevant quantum computer (CRQC)—may be developed in the next 10 to 20 years, putting agency and critical infrastructure systems at risk. Quantum computers leverage the properties of a qubit (the quantum equivalent of classical computer bits) to solve selected problems significantly faster than classical computers.

To address this threat, various documents developed over the past eight years have contributed to an emerging U.S. national strategy. Based on its review of these documents, GAO identified three central goals (see figure).

Figure: The Three Central Goals of the U.S. National Quantum Computing Cybersecurity Strategy

The strategy partially addresses the desirable characteristics of a national strategy identified in prior GAO work. For example:

  • Problem definition and risk assessment. Several documents defined the problem as the threat of a CRQC to cryptography, but did not fully define a CRQC. In addition, although the executive branch conducted a comprehensive risk assessment on systems with vulnerable cryptography supporting critical infrastructure, it has not conducted such an assessment for systems used by federal agencies.
  • Purpose, scope, and methodology. Several documents identified purpose and scope. With regard to methodology, three post-quantum cryptography standards documents provided information on how they were developed. However, the remaining documents did not describe the methodology or process used to develop them for the other two goals.
  • Objectives, activities, milestones, and performance measures. The strategy documents identified objectives and activities for the first two goals but did not do so for the third. In addition, the strategy documents did not fully identify milestones for the second and third goals and did not identify performance measures for any of the three goals.

These desirable characteristics have not been fully addressed, in part, because no single federal organization is responsible for coordinating the strategy. In January 2021, Congress established an organization that is well-positioned to lead these efforts: the Office of the National Cyber Director. If the office embraces this role and ensures that the strategy fully addresses the desirable characteristics, the nation will have a better-defined roadmap for allocating resources and holding participants accountable.

Why GAO Did This Study

GAO was asked to examine the federal government’s strategy to address the threat that quantum computers pose to our nation’s cryptography. This report provides information on, among other things, how cryptographic methods protect systems and data, the threat quantum computers pose, and the extent to which the U.S. national quantum computing cybersecurity strategy addresses the desirable characteristics of a national strategy.

Recommendations

The National Cyber Director should (1) take the lead on coordinating the national quantum computing cybersecurity strategy and (2) ensure that the strategy’s various documents address all the desirable characteristics of a national strategy. The Office of the National Cyber Director did not agree or disagree with the recommendation.

Recommendations for Executive Action

Agency Affected: Office of the National Cyber Director
Recommendation: The National Cyber Director should (1) lead the coordination of the national quantum computing cybersecurity strategy and (2) ensure that the strategy's various documents address all the desirable characteristics of a national strategy. (Recommendation 1)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

GAO Contacts

Marisol Cruz Cain
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Cybersecurity, Critical infrastructure, Computers, Federal agencies, Performance measurement, International organizations, Cyberspace, Risk assessment, Homeland security, Risk management