The Government Accountability Office (GAO) warned today that the Federal government’s shift to post-quantum cryptography will fail due to the lack of a single entity overseeing and implementing a national strategy addressing the threat.
According to GAO, the White House’s Office of the National Cyber Director (ONCD) is best poised to lead Federal agencies in a U.S. National Quantum Computing Cybersecurity Strategy.
“Federal agencies and our nation’s critical infrastructure – such as energy, transportation systems, communications, and financial services – rely on cryptography to protect sensitive data and systems,” the Nov. 21 report reads. “However, some experts predict that a quantum computer capable of breaking certain cryptography – referred to as a cryptographically relevant quantum computer – may be developed in the next 10 to 20 years, putting agency and critical infrastructure systems at risk.”
GAO said the Federal government has worked over the past eight years to address this threat, releasing various guidance documents out of several different agencies that have informed an emerging national strategy to address the quantum computing threat.
“But the strategy lacks details and nobody’s in charge of implementing it,” GAO said.
According to the watchdog agency, each document has been aligned with three central goals: standardize post-quantum cryptography, migrate Federal systems to that cryptography, and encourage all sectors of the economy to prepare for the threat.
GAO said the strategy, led by ONCD, should incorporate “desirable characteristics,” like problem definition and risk assessment; purpose, scope, and methodology; and objectives, activities, milestones, and performance measures.
According to the report, these desirable characteristics have not been fully addressed “because no single federal organization is responsible for coordinating the strategy.”
For example, GAO said the executive branch conducted a comprehensive risk assessment on systems with vulnerable cryptography supporting critical infrastructure, but it has not conducted such an assessment for systems used by Federal agencies. The report also found that existing guidance has failed to identify performance measures for any of the three central goals.
“In January 2021, Congress established an organization that is well-positioned to lead these efforts: the Office of the National Cyber Director,” GAO said. “If the office embraces this role and ensures that the strategy fully addresses the desirable characteristics, the nation will have a better-defined roadmap for allocating resources and holding participants accountable.”
ONCD did not agree or disagree with GAO’s recommendation.