Secure data and communications

Report of the Commission on the Geopolitical
Impacts of New Technologies and Data

Chapter 2. Secure data and communications

Scroll down to navigate and learn more

This chapter addresses secure data and communications in two timeframes. Part A discusses current cybersecurity concerns and includes recommendations for improving US cybersecurity against an expanding range of vulnerabilities. Part B focuses on quantum information science (QIS) and recommends steps for ensuring the United States, along with its allies and partners, remains a leader in the development and operationalization of QIS technologies.

Secure data and communications are fundamental to the United States’ digital infrastructure and to attaining the full benefits of the global digital economy.

Part A: Current cybersecurity concerns

Secure data and communications are fundamental to the United States’ digital infrastructure and to attaining the full benefits of the global digital economy. Through the use of standards, risk assessments, monitoring, and technologies, the US government enables the public and private sectors to secure systems, data, and communications.

As the digital economy connects more public and private sector processes, effective cybersecurity for the US government faces several challenges: (i) the US government, through regulations, can affect though not assure the cybersecurity preparedness of the private sector; (ii) the ultimate size of the needed cybersecurity workforce to secure US government and private sector networks requires the private sector to fulfill the larger share, though some small- and medium-sized companies cannot afford a dedicated cybersecurity workforce; and (iii) US government agencies and laws for ensuring cybersecurity are not fully adapted to the evolving characteristics of cyberattacks. The effects of these limitations will lead to more attack vectors, missed early warning indicators, and lower cybersecurity preparedness. To maintain secure data and communications, the United States must overcome these limitations and must also stay ahead of adversaries’ exploitation of US network and endpoint vulnerabilities.

Finding 2A: Expanding cybersecurity vulnerabilities require partnerships between the public and private sectors.

Cybersecurity vulnerabilities are increasing in scope and effect: greater connectivity yields more vectors for attacks, interdependent networks produce cascading effects, data breaches and records exposed are increasing,¹ and disjointed governance limits awareness and speed of action.

Cyberattackers leverage the interdependent parts of digital infrastructure to create complex attacks for the purposes of “coercion, sabotage, espionage, or extortion.”² The greater number of connected devices can give attackers new, less defended points of access to systems and networks; for example, attackers could access the network controller devices in an electrical power network.³ Software supply chains also present new cyberattack vulnerabilities when companies fail to employ industry-best security practices.

In the recent SolarWinds Orion software supply chain attack, malware was inserted into a trusted software update, which led to significant breaches of government and private networks as the update was downloaded by as many as eighteen thousand SolarWinds customers (including other software and IT vendors). Such exploits of software/IT supply chains require knowledge of software configurations and dependencies. If a software vendor in the supply chain is vulnerable, then its software updates become vectors for diffusing malware.⁴

Interdependencies among networks, including between digital infrastructures and physical systems or people, are a growing type of vulnerability. Three cases illustrate such interdependencies. In a cyber risk assessment of the election infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) found that “Disinformation campaigns conducted in concert with cyberattacks on election infrastructure can amplify disruptions of electoral processes and public distrust of election results.”⁵ Ransomware attacks cost institutions money, caused inconvenience, and disrupted the healthcare at some hospitals.⁶ An adversary could hold hostage one of the US critical infrastructure sectors⁷ to preempt US military or diplomatic responses.

Data are as important as the networks, and are the foundation for new capabilities to monitor the climate, global health, agriculture, and cyberspace. Large data collections are essential for new applications of AI and innovations in medicine and education. The data infrastructure, including where the data are stored, analyzed, and the networks that communicate the results, are targets for cyberattacks.

Advanced cyberattacks take advantage of the limited information sharing between government cybersecurity experts and private industry, and the limited collection of cyberattack indicator information on private systems. Cyberattackers can spend weeks or months carefully probing the target systems, unnoticed.

Federal and private sector organizations lack sufficient insight into system operations, acquired software dependencies, and vendor practices. Also lacking is an effective system of liability and incentives to promote software supply chain security.

Finding 2A.1: Private sector infrastructure critical for economic or national security needs strengthened cybersecurity.

Private sector enterprises and small businesses can be a vector for significant attacks on critical infrastructure, yet cannot readily access or benefit from US government cybersecurity expertise. According to Securing Cyber Assets, Addressing Urgent Cyber Threats to Critical Infrastructure:⁸

“[M]any outstanding federal capabilities play crucial roles in cyber defense and resilience today. However, their effectiveness is constrained in the following ways:

Private sector knowledge of these [federal cybersecurity] capabilities and incentives to use them is limited.
Access [to federal cybersecurity capabilities] is hindered by multiple legal and administrative constraints.
Government capabilities are scattered across a wide swath of agencies, departments, and their sub-units—a complicated labyrinth comparatively few can effectively navigate.
Classification of essential threat information can delay and hinder coordinated response.”

The following sources of cyber information and resources, along with improved coordination with the federal government, can address these needs: (i) Government sharing of critical information about cyberthreats, capabilities, and early attack indicators. This information can help private companies focus their cyberdefense resources and be more agile in doing so. (ii) A national cyber strategy that incorporates the private sector as an integral participant. This requires clarifying the laws governing the ability of the US government to direct the cybersecurity actions of private sector entities, including obligatory information sharing from certain private sector entities. (iii) For software/IT supply chains that support critical economic or national security infrastructure, US government provided risk information on vendors and components flowing into the software/IT supply chain, based on comprehensive and up-to-date collection of supply chain data and analysis of supply chain risks. Private industry can use this information to inform their risk assessments. (iv) US government incentives that assist private industry to grow the cybersecurity workforce needed to make the private sector more secure.

Finding 2A.2: Obtaining the needed cybersecurity workforce and expertise requires participation by the public and the private sector.

“Executive Order 13870 of May 2, 2019: America’s Cybersecurity Workforce,”⁹ establishes national requirements to expand both the federal cybersecurity workforce and the cybersecurity workforce for state, territorial, local, and tribal governments, academia, private sector stakeholders, and others. There are five hundred and twenty-one thousand unfilled cybersecurity jobs in the United States, of which thirty-seven thousand are in the federal government.¹⁰

The EO supports workforce mobility between the public and private sector for cybersecurity workers, and directs departments to share recruitment strategies and tools across these sectors. A starting point, for both sectors, is the Workforce Framework for Cybersecurity [National Initiative for Cybersecurity Education (NICE) Framework].¹¹ This defines categories and specialty areas, knowledge, tasks, skills, abilities, and work roles. It can be used by public and private sector employers to better match candidates with sets of needed skills.

To close the workforce gap in nonfederal positions, a flexible approach, consistent with the NICE Framework, may be effective.¹² The strategy is to develop new career models that are better matched to the pool of candidates, aligned with the NICE Framework where possible, and using employee development programs and financial incentives to grow workforce skills.

Finding 2A.3: Cybersecurity governance, which must enable timely protective actions, has not matched the speed of the cyber threat environment.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework comprises five functions: Identify, Protect, Detect, Respond, and Recover.¹³ In each function, timely action is essential for effective cybersecurity. Yet, defensive cybersecurity posture is systemically outpaced by offensive actors.

Patching quickly is imperative. A FireEye study¹⁴ reports the average time disclosure and patch availability was approximately nine days. Other reports¹⁵ have found longer times to patch though—up to thirty-eight days on average—and some of the most notorious cyber incidents exploited vulnerabilities patched months before their compromise.¹⁶
Organizational adjustments and implementation of best practices must be rapid to keep up with developing threats. Yet, at the federal level, many agencies have been unable to adopt NIST-recommended best practices for ICT supply chain risk management for years.¹⁷
Timely and rapid detection and response is necessary to forestall damage and the risk of cascading effects. This capability relies on a system of indicators and warnings, and, at times, comprehensive situational awareness that allows one to monitor cyber events closely and deploy defensive tools with precision. Still, the most sophisticated incursions can remain undetected for months.¹⁸
Timely recovery depends on having built resilience into the digital infrastructure, and in having efficient decision making. Long-running attacks, however, can take more than a year to fully recover from.¹⁹
All core cybersecurity functions depend on efficient information sharing between and within the public and private sectors. Yet, industry still complains about their incident response being hampered by liability concerns²⁰ and information sharing challenges.²¹

Approach 2A: Establish comprehensive situational awareness of cybersecurity risks in systems that are critical for national and economic security.

The foundation of an effective cybersecurity strategy is comprehensive situational awareness of the state of the critical infrastructure for economic and national security. This is built upon the continuous collection of key indicators, prioritization of risk, the ability to assess key points in the software/IT supply chain, standards to inform best practices, and assessments of the actual levels of cyberdefense and resilience.

To achieve such comprehensive situational awareness requires that the public and private sectors must develop a partnership that ensures sufficient information is monitored and exchanged; that the authorities for taking action, when needed, are established in law; and that sufficient cybersecurity training and knowledge is available across the private sector to help strengthen the cybersecurity of this sector.

Recommendation 2A: The United States should update and renew the National Cyber Strategy’s Implementation Plan with a focus on streamlining how public and private sector entities monitor their digital environments.

The administration should establish a process to incorporate both regular and ad hoc updates into the National Cyber Strategy so that the strategy remains current and evolves to meet future cybersecurity threats and challenges.

Recommendation 2A.1: Review, update, and reestablish the Implementation Plan for the National Cyber Strategy.

The administration should establish a process to incorporate both regular and ad hoc updates into the National Cyber Strategy so that the strategy remains current and evolves to meet future cybersecurity threats and challenges.²² The strategy should retain focus on streamlining how public and private sector entities continuously monitor their digital environments to include outlining the appropriate roles, responsibilities, and governance. In addition to a single national cyber coordinator²³ that was established in the FY 2021 National Defense Authorization Act (NDAA), the strategy should consider the following components: uniform rules and increased compliance with standards for cybersecurity practices across all government activities (with exceptions for national security activities); skilled cybersecurity officers either in, or embedded in, organizations; and a national educational program to improve individuals’ cybersecurity habits.

Recommendation 2A.2: Establish effective and coordinated continuous monitoring for software and hardware used by the federal government.

As part of COVID-19 pandemic relief, the America Rescue Plan Act of 2021 (Public Law No: 117-2, March 11, 2021)²⁴ includes $1.65 billion for cybersecurity capabilities, readiness, and resilience. This increases the Technology Modernization Fund and helps CISA and the General Services Administration (GSA) complete modernization projects at federal agencies. Additional funds for CISA could bolster cybersecurity across federal civilian agency networks and support pilot programs for shared security and cloud computing services.

The acquisition strategies to achieve cybersecurity resilience should reflect the unique cybersecurity requirements and the need for specialized expertise in operations and networks supporting Title 5 (Government Organization and Employees), Title 10 (Armed Forces), Title 34 (Crime Control and Law Enforcement), and Title 50 (War and National Defense) of the US Code. The acquisition strategies should strengthen compliance with standards for continuous monitoring of cybersecurity performance.

The federal government should seek to achieve continuous cybersecurity monitoring of the hardware and software systems that support US government functions, including critical supply chains and network infrastructure. The approach should ensure coordination across all relevant elements of the federal government. Attributes to monitor include external network traffic, internal network behavior, vulnerability exposure, asset tracking, security posture, vendor compliance, product compliance, and product updates. There are four contributing activities to fully realize a cybersecurity posture informed by continuous monitoring: (i) assess the trustworthiness of software and hardware employed by the US government based on inherent vulnerabilities and risks due to the network position, permissions, and supply chain considerations; (ii) further empower the Department of Homeland Security (DHS) to perform these assessments by strengthening the ties among US government agency chief information officers (CIOs) and DHS for the various government networks; (iii) make these hardware and software risk assessments available to local and state governments to inform their endeavors; and (iv) leverage these assessments to support the private sector, especially small- to mid-sized businesses that do not have the capacity to fully assess their own supply chains yet would benefit from knowing what software is trustworthy. The risk assessments developed by the US government could also be shared with like-minded partners that are seeking to do the same regarding the hardware and software they employ to achieve assured supply chains and trusted digital environments.

There are several lines of effort, described further in Appendix B.

Recommendation 2A.3: Increase compliance with continuous monitoring that is part of the National Institute of Standards and Technology security control guidance.

The administration should require GAO to review the efficacy of agency-specific practices regarding the continuous monitoring portion of its security control guidance. NIST controls dedicated to continuous monitoring for agencies²⁵ are required for all three priority levels of the federal agency information systems.²⁶ OMB memoranda as far back as 2011²⁷ discuss continuous monitoring superseding periodic reviews. While NIST has long recommended the practice, agencies have failed to implement it: in 2019, only about three-quarters had done so,²⁸ marking little improvement over several years. The most recent GAO report²⁹ indicates that general compliance with fundamental risk management practices has turned worse.

To achieve increased compliance, CISA should be empowered to assist lagging agencies in conforming with NIST guidelines and best practices mandated by the Federal Information Security Modernization Act (FISMA).³⁰ This would support a more responsive and uniform implementation of security methods—monitoring, security updates, approaches such as stress tests, assessing vendor security maturity, and certificate transparency. New data disclosure policies must be developed to enable the mapping, visualization, and testing of the software/IT supply chain networks.³¹

More specific understanding of the continuous monitoring practices is needed to guide implementation. There is overlap in the types of continuous monitoring discussed most often. First is the continuous monitoring of vendor compliance with certification regimes— the Federal Risk and Authorization Management Program (FedRAMP), the Department of Defense (DoD) information networks approved product list (DoDIN APL), the new Cybersecurity Maturity Model Certification (CMMC), etc. Each describes and aspires toward continuous assessment of compliance, but they are still organized around monthly, yearly, or three-year review periods. Truly continuous monitoring would bring more rigor and regularity to reviewing changes made to deployed software, a potentially devastating attack vector for adversaries, and changes in vendor security practices and context.

NIST guidelines refer to continuous monitoring of security control efficacy, asset exposure, threat vulnerability, configuration compliance, and other quasi-technical metrics. Between 79 percent and 83 percent of Chief Financial Officers Act of 1990 (CFO Act) federal agencies,³² and between 58 percent and 63 percent of non-CFO Act agencies, fulfill these requirements. This type of continuous monitoring is determined by agency policy, leading to varying standards for how often to perform checks, what to check, and what satisfactory levels are.³³ A program at CISA, the Continuous Diagnostics and Mitigation (CDM) program, is supposed to integrate these activities. It has met systemic implementation difficulties, however,³⁴ and Homeland Security Secretary Alejandro Mayorkas has sought a review of the CDM program, along with CISA’s EINSTEIN program, which monitors inbound and outbound traffic on federal networks.³⁵ It also must overcome great variation among the networks and products that would be checked. There is little agreement and the quality of implementation is not well-known.

Finally, there is the continuous monitoring of actual network behavior. This would include mandating the maintenance of standardized access logs, auditing of those logs, monitoring inbound and outbound traffic, and all the related detailed measurements. More transparency is needed in how much such monitoring occurs within government networks, though CISA’s EINSTEIN program does the work of monitoring traffic in and out of federal civilian agencies.

Recommendation 2A.4: Ensure cybersecurity best practices, expertise, and assurance testing are widely available to industry and government entities.

The administration should provide the private sector technical information on threats on a regular basis, to bolster cybersecurity. The private sector outreach would be linked to the existing Information Sharing and Analysis Centers (ISACs) for US critical infrastructure entities and the Information Sharing and Analysis Organizations (ISAOs) to ensure monitoring of both supply chain risks and cybersecurity performance for vital US private sector companies of all sizes.

The US national security domain requires independent certification of adherence to a set of multinational standards.³⁶ One approach could be to expand CMMC to all of government instead of just DoD. While the program is still facing implementation challenges,³⁷ it could provide useful information on general cybersecurity maturity to industry and government alike, with benefits beyond the specific vendor products. Because DoD is only just beginning to implement CMMC, as a first step the administration should conduct a feasibility assessment for an across-government approach. To improve and streamline cybersecurity requirements, the administration should assess how a government-wide implementation of CMMC would overlap with FedRAMP or any other cybersecurity requirements, and how the broadened implementation of CMMC could improve general industry cyber hygiene.

To implement cybersecurity capabilities and practices, private sector companies must acquire cleared personnel, spaces, and IT equipment. The administration should consider accelerating any necessary prerequisite steps.

Part B: Quantum information sciences

The United States, the European Union (EU), China, Russia, the United Kingdom, Canada, and other nations are expanding their investments in QIS, with national and regional QIS strategies and programs.³⁸ Recent demonstrations of quantum computers increase concerns that aspects of the technical foundation of the United States’ digital security may be vulnerable in the foreseeable future.³⁹ Quantum communication and quantum key distribution (QKD) methods,⁴⁰ though, can enhance the security of the digital infrastructure. These methods may contribute to data and communications security against untrusted and corrupted hardware and also protect against the ability to make inferences about sensitive data based on access to multiple data sources containing nonsensitive data.⁴¹

A primary element of leadership in QIS is the ability to set key standards for QIS applications. This relies on developing and deploying devices that operationalize QIS, and in working in collaboration with many nations and partners. While collaboration is identified as a national priority in the US national strategy for QIS, it should be extended beyond basic S&T activities.

Finding 2B.1: The US strategy for quantum information science emphasizes US efforts and benefits.

The National Strategic Overview for Quantum Information Science⁴² provides a strategic approach for achieving US leadership in QIS and its applications to national and economic security. The six policy areas are as follows:

Choosing a science-first approach to QIS: Strengthen the research foundation and the collaboration across disciplines. Use Grand Challenge problems as a strategic mechanism to coordinate and focus efforts.
Creating a future quantum-smart workforce: Foster a QIS-skilled workforce through investments in industry, academia, and government laboratories that increase the scope of QIS research, development, and education.
Deepening engagement with the quantum industry: Increase coordination among the federal government, industry, and academia to enhance awareness of needs, issues, and opportunities.
Providing critical infrastructure: Encourage necessary investments, create and provide access to QIS infrastructure, and establish testbeds.
Maintaining national security and economic growth: Maintain awareness of the security benefits and risks of QIS capabilities.
Advancing international cooperation: Seek opportunities for international cooperation to benefit the US talent pool and raise awareness about other QIS developments.

The US strategy for QIS recognizes the sensitivities of this research, which can both enable new scientific and economic applications, and create new methods for attacking sensitive data and communications. This strategy supports international collaboration in QIS both to advance the basic research and its applications, and to ensure the United States maintains its leadership and competitiveness in QIS.⁴³

The US strategy for QIS supports international efforts in three ways: It reviews international research to maintain awareness of new results and directions, selects partnerships that will give the United States access to top-quality researchers and facilities, and shares certain public data from QIS research to help the development of standards for future QIS applications.

In addition to the US strategy for QIS, the National Quantum Initiative Act “authorized $1.2 billion in federal research and development (R&D) spending over five years, established the National Quantum Coordination Office, and called for the creation of new QIS research institutes and consortia around the country.”⁴⁴ Also, the National Science Foundation (NSF) recently established three quantum research centers⁴⁵ and added the opportunity for limited supplemental funding requests to support international collaboration on basic research topics.⁴⁶

Congressional hearings on “Industries of the Future” discussed the importance of QIS and establishing US leadership in QIS.⁴⁷ One effort by the United States to establish international cooperation in QIS is the agreement between the United States and Japan to cooperate on quantum research through activities including “collaborating in venues such as workshops, seminars, and conferences to discuss and recognize the progress of research in QIST, which in turn will lead to the identification of overlapping interests and opportunities for future scientific cooperation.”⁴⁸

Finding 2B.2: China is pursuing quantum information science as a strategic technology.

Quantum communications and computing are among the strategic technologies highlighted in China’s 14^th Five-Year Plan (2021-2025). China aims to be a global leader in innovation, using large demonstration projects to advance its science and technology (S&T), and to build human capital for strategic technology areas. This includes major initiatives in quantum research and development (R&D), demonstrations of QKD and quantum computing, and a major new National Laboratory for Quantum Information Sciences.⁴⁹ China is able to advance in quantum R&D in part due to the close coordination among the government, universities, and industry, which aids both the advancement of the science and the building of a skilled workforce.⁵⁰

Finding 2B.3: EU’s science and technology strategy focuses on EU participation.

The EU’s S&T program includes three components that address QIS and other technology areas: (i) Horizon Europe, which has a seven-year budget of €95.5 billion for 2021-2027, within which the Digital, Industry and Space area is funded at €15.5 billion;⁵¹ (ii) Digital Europe Programme, funded at €7.5 billion;⁵² and (iii) Space Programme, with proposed funding of €13.2 billion.⁵³ The European Commission is soliciting proposals for quantum communications infrastructure, which will be funded by these initiatives. The objective is to enable the EU to be an independent provider of quantum technologies needed to build a quantum communications infrastructure.⁵⁴

Horizon 2020, the predecessor to Horizon Europe, involved US researchers in only 1.5 percent of the Horizon 2020 projects.⁵⁵ In comparison, EU researchers participate at a much greater level considering all National Science Foundation (NSF) and National Institutes of Health (NIH) active grants.⁵⁶ This asymmetry in participation is due to EU rules that require participants in Horizon 2020 projects to sign grant agreements. For US institutions, this raises issues concerning “governing law and jurisdiction, intellectual property treatment, joint and several liability⁵⁷ and indemnification, access to data and implications for export control, and auditing requirements.⁵⁸

Finding 2B.4: Funding policies constrain collaboration.

One issue of concern in the Horizon Europe initiative rules governing participation is the determination of financial contribution by the United States and “third countries” as defined in Article 12 of Horizon Europe—the Framework Programme for Research and Innovation.⁵⁹ The calculated cost of association with the Horizon Europe initiative is based on the relative size of a country’s gross domestic product (GDP) compared with EU GDP. For example, the European Commission has proposed making the UK pay a proportion of the 2021-2027 research budget based on its share of EU GDP, which currently stands at 18 percent. For the United States, this corresponding value is 137 percent, yielding a required contribution of $131.4 billion.

The regulations establishing Horizon Europe contain other potential issues for US participation. These include Article 36, which gives the European Commission rights regarding transfer and licensing, and Article 49, which gives certain EU entities the right to carry out investigations and inspections.

In the ongoing competitive R&D of QIS, key determinants of success are the size, skill, and collaboration of the technology workforce spanning a number of disciplines, including those in the fields of science, technology, engineering, mathematics (STEM), and manufacturing. The United States recognizes that it “must work with international partners, even while advancing domestic investments and research strategies.”⁶⁰

Recommendation 2B: With allies and partners, the United States should develop priority global initiatives that employ transformative quantum information science and catalyze the development of human capital and infrastructure for these and other next-generation quantum information science applications.

Recommendation 2B.1: Establish, with other nations, a common set of demonstration milestones for quantum data and communications security.

The administration should extend the technological development portfolio of national investments in QIS to incorporate a common set of milestones with allies. The members of the National Science and Technology Council (NSTC) Subcommittee on Quantum Information Science should develop such milestones in coordination with representatives from collaborating nations. These are to be consonant with plans by the United States and like-minded nations to develop testbeds, demonstrations, standards, and a quantum-skilled workforce. The milestones will inform the practical applications for use with near-, mid-, and long-term levels of quantum information capabilities. The EU’s Horizon Europe initiative is a potential opportunity for such collaboration. The United States should also establish data sharing agreements with other nations for QIS results pertaining to shared economic and national security interests.

Recommendation 2B.2: Create a program of quantum information science research and development focused on emerging issues for digital economies.

The administration should continuously evaluate QIS progress and technologies through the White House Office of Science and Technology Policy (OSTP) and the National Academies of Sciences, Engineering, and Medicine; this could be accomplished by the creation of a standing committee such as they have done for other areas that will be long-lived. This will identify new technology directions, review QIS policies, and revisit priorities and partnerships. The evaluations should focus on entirely new quantum capabilities that can benefit digital economies, e.g., privacy and advances in biotechnology and data capabilities, open sharing of data while maintaining data privacy, principles for systems to be quantum-secure by design, digital supply chain security for both hardware and software, evolution of Internet protocols, network modernization, and other topics.

Recommendation 2B.3: Establish a program to accelerate the operationalization of quantum information science technologies.

Recognizing the need for broad and significant investment in quantum applications to focus and accelerate progress, Congress and the administration should establish a program, led by the Defense Advanced Research Projects Agency (DARPA), to accelerate the operationalization of continually evolving hybrid (classical and quantum) computing architectures. This program will mature prototype demonstrations of quantum computing, communication, sensing, and metrology technologies to yield fieldable capabilities. The program also should include elements that seek to develop a quantum-skilled workforce in the private and public sectors. Several models for such a program are seen in DARPA’s long history of rapidly growing and maturing advanced technology fields, e.g., Grand Challenges for autonomous vehicles, Have Blue for stealth technologies, and AI Next for artificial intelligence.

Recommendation 2B.4: Establish leading roles for the United States in setting international standards for data and communications security as quantum information science evolves.

Building on the results obtained from NDAA FY 2021, SEC. 9414, Study on Chinese Policies and Influence in the Development of International Standards for Emerging Technologies,⁶¹ the administration should take steps to bolster the development of standards for QIS technology development and applications.⁶² This will drive toward a strategy for achieving a leadership role in international quantum standards setting, sharing sensitive security-related advances with allies, responding to China’s efforts to influence international standards,⁶³ and catalyzing private sector investments in quantum technologies. NIST is currently developing quantum resilient encryption standards for the United States.⁶⁴ The administration should direct NIST to broaden the scope of its work to develop standards for QIS technology development and applications.⁶⁵

The administration should develop DoD and Intelligence Community policy guidance to govern the sharing of QIS findings and capabilities with allies and partners. This guidance should be developed with representation from the Department of Commerce’s National Telecommunications and Information Administration (NTIA) and NSF to balance security concerns with the benefits of collaboration; address government and private industry information, both classified and proprietary; and also should include categories of information that the United States is interested in receiving from allies and partners.

Recommendation 2B.5: Establish a national QIS research, development, and testing infrastructure; fund quantum demonstration programs.

The administration should establish a national QIS research, development, and testing infrastructure. This will comprise research centers focused on quantum computing, quantum communications, quantum sensing, and evaluation of QIS (including QIS-secure) applications; a national computational infrastructure to support this initiative; engineering testbeds; programs to build a skilled QIS workforce; and participation by private industry (for example, the Quantum Economic Development Consortium⁶⁶) to advance the development of a national QIS infrastructure and create fielded capabilities. In support of the National Quantum Coordinating Office, an interagency group led by the Department of Energy, NIST, and DARPA should oversee this infrastructure initiative, coordinating federal programs and guiding private industry’s participation.

The administration should develop demonstration programs that show, in operational settings, national security implications of near-term quantum platforms. Some examples include the following:

Quantum communications: There are two areas of interest: (i) understanding vulnerabilities of various public key cryptographic systems to future quantum computing systems, an effort currently underway at NIST in the development of quantum resilient encryption standards, and (ii) use of QKD in large-scale demonstrations relevant to commercial and security applications, including space communications. QKD provides an approach to post-quantum communications security that is based on quantum phenomena, not algorithmic complexity.
Quantum computing: Using small quantum computers in networked clusters or in hybrid architectures with classical computers.
Quantum networks: The use of quantum networks for long-range quantum communications.
Quantum sensing: Using quantum mechanics phenomena and devices for high-sensitivity and precision applications in sensing and communication, life sciences, and other fields.

The administration, through the National Quantum Coordinating Office, should establish funded competitions to improve the exchange of intellectual property and foster a common understanding across the government, industry, academic communities, and foreign institutions working on QIS.J.⁶⁷

Back to
Chapter 1

All Recommendations as an abridged List

Download
Full Report

Read
Chapter 3

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

Report of the Commission on the Geopolitical Impacts of New Technologies and Data