The USA has passed a federal Act called the “Quantum Computing Cybersecurity Preparedness Act”. The Act was signed on December 21, 2022, with different timelines for implementation. The concept of a legislation urging the Federal Agencies in the US to be prepared for Quantum attacks even before a cryptographically relevant quantum computer exists is a principle that deserves special commendation, particularly because encrypted data that is recorded today can be decrypted later once such a computer is available (the “harvest now, decrypt later” risk).
It is natural for organizations like FDPPI or Naavi to say “Be Ready” and start compliance from today since DPDPA 2023 is “Due Diligence” under ITA 2000. But what USA has done with its Quantum Computing Cybersecurity Preparedness Act is that there is a legislative compulsion to make Federal agencies start their security preparedness in advance.
This “Preparedness Act” has mandated certain agencies, namely the OMB (Office of Management and Budget), CISA (Cybersecurity and Infrastructure Security Agency) and NIST (National Institute of Standards and Technology), to start acting and has given them timelines.
It has mandated that within 180 days the OMB shall issue guidance on the migration of IT to post-quantum cryptography. Such guidance is expected to require each agency to create and maintain an inventory of IT assets that are vulnerable to decryption by quantum computers, and to lay down a process for evaluating progress on migration. Again, within 1 year the heads of CISA and the National Cyber Director shall provide information on the inventory of such assets to the OMB. NIST’s own standardization of post-quantum algorithms was not created by this Act; it has been running since 2016, and the Act ties the later OMB deadlines to the date on which NIST issues its standards. NIST issued the first three such standards on August 13, 2024. The Private Sector, though not bound by this mandate, is likely to follow suit to enhance its reputation and to remain eligible for Government Contracts.
This law requires federal agencies to migrate their systems to “Post-Quantum” Cryptography, which is designed to resist attacks from both quantum computers and classical computers.
The RSA (Rivest-Shamir-Adleman) algorithm, which is the most widely used public-key algorithm and is the one used in India for Digital Signatures under ITA 2000, is considered vulnerable to quantum attacks, since Shor’s algorithm on a sufficiently large quantum computer can factor the RSA modulus. The same applies to elliptic-curve algorithms such as ECDSA and ECDH, which Shor’s algorithm also breaks. Symmetric algorithms such as AES and hash functions such as SHA-256 are affected only to a lesser degree (Grover’s algorithm roughly halves the effective key length), so the migration effort is concentrated on public-key cryptography.
If an organization is using algorithms like RSA or ECDSA at present, it is exactly the kind of organization the “Quantum Computing Cybersecurity Preparedness Act” is aimed at. The Act itself binds federal agencies, and it does not outlaw RSA overnight; it requires those agencies to inventory such systems and to plan and execute their migration. Any organization that has no inventory and no migration plan should therefore consider itself unprepared in the sense of the Act.
On August 13, 2024, NIST announced approval of three algorithms which are considered “Quantum Safe” cryptographic algorithms.
These are :
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM, derived from CRYSTALS-Kyber)
- FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA, derived from CRYSTALS-Dilithium)
- FIPS 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA, derived from SPHINCS+)
FIPS 203 is a key-encapsulation mechanism: it lets two parties establish a shared secret key, which is then used with a symmetric cipher such as AES to encrypt data, the role that RSA key transport or ECDH play today. FIPS 204 and 205 are digital signature standards for authenticating messages and signers. Unlike RSA, FIPS 203 and 204 rely on lattice cryptography, whose security rests on the difficulty of the Module Learning With Errors (MLWE) problem, that is, of recovering a secret from noisy linear equations over a structured lattice, a problem related to finding short vectors in a lattice. FIPS 205 uses hash functions as its only security assumption: the signer’s public key is essentially a set of hash outputs, and a signature reveals carefully chosen hash inputs that only the holder of the private key could know. Neither approach is known to be susceptible to quantum computing. A practical caveat is that keys and signatures of all three are considerably larger than their RSA or ECDSA counterparts, so protocols, certificate stores and hardware tokens need to be checked for size limits during migration.
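The following is an added example, not code from the original post or from NIST. It implements a Lamport one-time signature, the simplest hash-based signature scheme, to show concretely what “hash functions as the core mathematical problem” means: the public key is nothing but SHA-256 outputs, the signature is a selection of their preimages, and forging a signature requires inverting the hash. FIPS 205 (SLH-DSA) builds on the same idea, using the Winternitz variant (WOTS+) and a hypertree of Merkle trees so that one key can sign many messages; those structures are not reproduced here. The function names are this example’s own.

```python
import hashlib
import hmac
import secrets

H = hashlib.sha256
N = 256  # bits in the message digest; one secret-value pair per bit


def keygen():
    """Generate a Lamport one-time key pair.

    Secret key: 256 pairs of random 32-byte values (sk[i][0], sk[i][1]).
    Public key: the SHA-256 hash of every secret value, in the same layout.
    Only the hash function protects the secret key, which is the property that
    FIPS 205 inherits from this construction.
    """
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant bit first."""
    d = H(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """For every digest bit, reveal the secret value for that bit position.

    The scheme is ONE-TIME: signing a second message reveals the other half of
    the secret values at every differing position, which lets an attacker
    forge signatures on messages whose digests are covered by the two leaks.
    """
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash every revealed value and compare it with the public key entry
    selected by the corresponding digest bit. Constant-time comparisons
    avoid leaking which position failed."""
    if len(sig) != N or any(len(s) != 32 for s in sig):
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(msg)):
        ok &= hmac.compare_digest(H(sig[i]).digest(), pk[i][bit])
    return ok


def sizes():
    """Public key and signature size in bytes (16384 and 8192 for SHA-256).
    The size penalty is one reason FIPS 205 uses Winternitz chains instead
    of the plain Lamport layout."""
    return N * 2 * 32, N * 32


if __name__ == "__main__":
    sk, pk = keygen()
    message = b"constructed sample message"   # constructed sample input
    signature = sign(sk, message)
    print("valid:", verify(pk, message, signature))          # True
    print("tampered:", verify(pk, b"another message", signature))  # False
    print("pk bytes, sig bytes:", sizes())
```

Run it once to see a valid signature verify and a tampered message fail; the point to take away is that `verify` touches nothing but SHA-256, so the security argument does not involve factoring, discrete logarithms or lattices at all.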
NIST’s release of the final post-quantum cryptography standards sets a one-year clock ticking under the Act for the Office of Management and Budget (OMB) to issue further guidance requiring agencies to prioritize their vulnerable systems and plan the migration of their data to the new, quantum-resilient standards.
Agencies are expected to start migrating to post-quantum cryptography quickly once OMB issues further guidance.
The Private Sector is not bound by the Act, but it needs to adopt the new cryptographic standards at the earliest if it wishes to remain eligible as a supplier to Federal agencies, to whom the requirement will flow down through contracts, and if it is to meet the Quantum risks to its own data.
Auditors will now be expected to provide guidance to organizations on “Quantum Readiness”.
FDPPI presently has its framework, namely DGPSI, which is a process-based Compliance system. Under the DGPSI framework, “Cryptographic Systems” is one process which can be assessed for compliance separately from whatever other compliance is required.
In the case of a “Quantum Readiness Assessment”, we try to check whether the organization is prepared to move to the post-quantum cryptographic algorithms. Along with this, awareness of Quantum risks and an inventory of the cryptographic algorithms in use (which algorithm, key size and protocol each system depends on, and how long the data it protects must remain confidential) need to be ready before scouting for vendors who can provide replacements for the crypto algorithms.
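As an added illustration of what the inventory step can look like in practice (example code, not part of the original post or of the DGPSI framework), the script below takes a constructed inventory of systems, reads the public-key algorithm identifier from each system’s certificate (the DER-encoded OID in the certificate’s SubjectPublicKeyInfo), decodes it, classifies the algorithm as quantum-vulnerable or quantum-safe, and ranks vulnerable systems using Mosca’s inequality: data is already exposed if its required shelf life plus the time needed to migrate exceeds the assumed number of years until a cryptographically relevant quantum computer appears. The quantum horizon of 10 years is an assumption for the demonstration, not a prediction; the ML-KEM and ML-DSA OIDs are taken from NIST’s CSOR registry and the classical ones from PKCS #1, ANSI X9.62 and RFC 8410, and should be checked against those registries before the table is relied on. The asset names and certificate bytes are constructed sample data.

```python
"""Quantum-readiness cryptographic inventory helper (added example)."""

# Algorithm OID -> (name, quantum status). Verify against the registries
# named in the lead-in before depending on this table.
ALGORITHMS = {
    "1.2.840.113549.1.1.1":    ("RSA (rsaEncryption)", "vulnerable"),     # broken by Shor
    "1.2.840.10045.2.1":       ("EC public key (ECDSA/ECDH)", "vulnerable"),
    "1.3.101.112":             ("Ed25519", "vulnerable"),
    "2.16.840.1.101.3.4.4.2":  ("ML-KEM-768 (FIPS 203)", "quantum-safe"),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65 (FIPS 204)", "quantum-safe"),
}


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length) to dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] & 0x80:
        raise ValueError("expected a short-form DER OID")
    body = der[2:2 + der[1]]
    if len(body) != der[1]:
        raise ValueError("truncated OID")
    first = body[0]
    # First byte packs the first two arcs as 40*arc1 + arc2 (arc1 is 0, 1 or 2).
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in body[1:]:          # base-128 sub-identifiers, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("unterminated sub-identifier")
    return ".".join(map(str, arcs))


def classify(der_oid: bytes) -> dict:
    """Map a certificate's public-key algorithm OID to its quantum status.
    Unknown OIDs are flagged for manual review rather than assumed safe."""
    oid = decode_oid(der_oid)
    name, status = ALGORITHMS.get(oid, (f"unknown ({oid})", "review"))
    return {"oid": oid, "algorithm": name, "status": status}


def mosca_at_risk(shelf_life_years: float, migration_years: float,
                  quantum_horizon_years: float) -> bool:
    """Mosca's inequality X + Y > Z: data protected today is exposed to
    harvest-now-decrypt-later if its shelf life (X) plus the migration time (Y)
    exceeds the assumed years until a cryptographically relevant quantum computer (Z)."""
    return shelf_life_years + migration_years > quantum_horizon_years


def assess(inventory: list, quantum_horizon_years: float = 10) -> list:
    """Produce one report row per asset with its algorithm, status and priority."""
    report = []
    for asset in inventory:
        row = classify(asset["spki_alg_oid"])
        row["asset"] = asset["name"]
        if row["status"] == "vulnerable":
            urgent = mosca_at_risk(asset["shelf_life_years"],
                                   asset["migration_years"], quantum_horizon_years)
            row["priority"] = "high" if urgent else "normal"
        elif row["status"] == "review":
            row["priority"] = "review"
        else:
            row["priority"] = "none"
        report.append(row)
    return report


# Constructed sample inventory: asset, DER OID from its certificate's
# SubjectPublicKeyInfo, and the business inputs needed for Mosca's inequality.
SAMPLE_INVENTORY = [
    {"name": "esign-gateway", "spki_alg_oid": bytes.fromhex("06092a864886f70d010101"),
     "shelf_life_years": 7, "migration_years": 4},                 # RSA, 7 + 4 > 10
    {"name": "vpn-concentrator", "spki_alg_oid": bytes.fromhex("06072a8648ce3d0201"),
     "shelf_life_years": 1, "migration_years": 2},                 # EC, 1 + 2 <= 10
    {"name": "ssh-bastion", "spki_alg_oid": bytes.fromhex("06032b6570"),
     "shelf_life_years": 1, "migration_years": 1},                 # Ed25519
    {"name": "pqc-pilot-kem", "spki_alg_oid": bytes.fromhex("0609608648016503040402"),
     "shelf_life_years": 7, "migration_years": 0},                 # ML-KEM-768
    {"name": "pqc-pilot-sig", "spki_alg_oid": bytes.fromhex("0609608648016503040312"),
     "shelf_life_years": 7, "migration_years": 0},                 # ML-DSA-65
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(f"{row['asset']:18} {row['algorithm']:30} {row['status']:13} {row['priority']}")
```

In a real assessment the OID bytes would be read from the deployed certificates, TLS configurations and HSM key attributes rather than typed in, and the shelf-life and migration estimates would come from the data owners; the script’s value is that the prioritization is then a reproducible calculation instead of a judgement made afresh for each system.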
This type of assessment is new and the SOPs need to be developed. FDPPI is trying to put together a SIG to create such SOPs. Interested members can get in touch with the undersigned.
Naavi
In India it would have been preferable if there had been a similar “DPDPA Preparedness Act”. Instead, the DPDPA Rules themselves may substitute for this requirement and set timelines for the setting up of the DPB and for the rolling out of certain provisions.
Certain regulators such as SEBI and IRDAI have already issued their own sectoral guidelines for the organizations they regulate to incorporate DPDPA Compliance. Further, when the rules are released, organizations aspiring to apply for registration as a “Consent Manager” will need to prepare their platforms to comply with the rules.