Page 1 GAO-25-107703 Quantum Cybersecurity Strategy
Federal agencies and our nation's critical infrastructure—such as energy,
transportation systems, communications, and financial services—are dependent
on technology systems and electronic data to provide essential services and to
process, maintain, and report vital information. Agencies and critical
infrastructure owners and operators rely on cryptography (e.g., encryption) to
protect sensitive systems and data.

However, the emergence of quantum computers could undermine the security of
widely used cryptographic methods. Some experts predict that a quantum
computer capable of breaking certain cryptography—referred to as a
cryptographically relevant quantum computer (CRQC)—may be developed in the
next 10 to 20 years, putting agency and critical infrastructure systems that rely on
cryptography for security at risk. Furthermore, adversaries could copy data
protected by cryptography today and store it with the intention of accessing it
later once a CRQC is developed.

We were asked to examine the federal government’s strategy to address the
threat that quantum computers pose to cryptography on unclassified systems.
This report provides information on how cryptographic methods protect systems
and data, the threat quantum computers pose, strategies that international
organizations have established to address this threat, and the U.S. national
quantum computing cybersecurity strategy and the extent to which it addresses
the desirable characteristics of a national strategy.

• Various documents developed over the past eight years have contributed to
an emerging U.S. national quantum computing cybersecurity strategy. Based
on our review of these documents, we identified three central goals: (1)
standardize post-quantum cryptography, (2) migrate federal systems to that
cryptography, and (3) encourage all sectors of the economy to prepare for the
threat.
• The U.S. strategy documents partially address the desirable characteristics of
a national strategy, as identified in prior GAO work. For example, with respect
to the objectives, activities, milestones, and performance measures
characteristic, the strategy documents identified objectives and activities for
the first two goals but not for the third. In addition, the strategy documents did
not fully identify milestones for the second and third goals and did not identify
performance measures for any of the three goals.

U.S. Government Accountability Office
Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy
GAO-25-107703
Report to the Subcommittee on Emerging Threats and Spending Oversight, Committee on Homeland Security and Governmental Affairs, U.S. Senate
21, 2024