This chapter addresses secure data and communications in two timeframes. Part A discusses current cybersecurity concerns and includes recommendations for improving US cybersecurity against an expanding range of vulnerabilities. Part B focuses on quantum information science (QIS) and recommends steps for ensuring the United States, along with its allies and partners, remains a leader in the development and operationalization of QIS technologies.
Part A: Current cybersecurity concerns
Secure data and communications are fundamental to the United States’ digital infrastructure and to attaining the full benefits of the global digital economy. Through the use of standards, risk assessments, monitoring, and technologies, the US government enables the public and private sectors to secure systems, data, and communications.
As the digital economy connects more public and private sector processes, effective cybersecurity for the US government faces several challenges: (i) the US government, through regulations, can affect though not assure the cybersecurity preparedness of the private sector; (ii) the ultimate size of the needed cybersecurity workforce to secure US government and private sector networks requires the private sector to fulfill the larger share, though some small- and medium-sized companies cannot afford a dedicated cybersecurity workforce; and (iii) US government agencies and laws for ensuring cybersecurity are not fully adapted to the evolving characteristics of cyberattacks. The effects of these limitations will lead to more attack vectors, missed early warning indicators, and lower cybersecurity preparedness. To maintain secure data and communications, the United States must overcome these limitations and must also stay ahead of adversaries’ exploitation of US network and endpoint vulnerabilities.
Finding 2A: Expanding cybersecurity vulnerabilities require partnerships between the public and private sectors.
Cybersecurity vulnerabilities are increasing in scope and effect: greater connectivity yields more vectors for attacks, interdependent networks produce cascading effects, data breaches and records exposed are increasing,[1] and disjointed governance limits awareness and speed of action.
[1] Joseph Johnson, “Annual number of data breaches and exposed records in the United States from 2005 to 2020,” Statista, March 3, 2021, accessed April 16, 2021, https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/; Joseph Johnson, “Number of data breaches in the United States from 2013 to 2019, by industry,” Statista, March 9, 2021, https://www.statista.com/statistics/273572/number-of-data-breaches-in-the-united-states-by-business/.
Cyberattackers leverage the interdependent parts of digital infrastructure to create complex attacks for the purposes of “coercion, sabotage, espionage, or extortion.”[2] The greater number of connected devices can give attackers new, less defended points of access to systems and networks; for example, attackers could access the network controller devices in an electrical power network.[3] Software supply chains also present new cyberattack vulnerabilities when companies fail to employ industry-best security practices.
- In the recent SolarWinds Orion software supply chain attack, malware was inserted into a trusted software update, which led to significant breaches of government and private networks as the update was downloaded by as many as eighteen thousand SolarWinds customers (including other software and IT vendors). Such exploits of software/IT supply chains require knowledge of software configurations and dependencies. If a software vendor in the supply chain is vulnerable, then its software updates become vectors for diffusing malware.[4]
[2] U.S. Cyberspace Solarium Commission, United States of America Cyberspace Solarium Commission Report, March 2020, accessed March 26, 2021, https://www.solarium.gov/report.
[3] Mission Support Center, “Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector: Mission Support Center Analysis Report,” Idaho National Laboratory, August 2016, accessed March 26, 2021, https://www.energy.gov/sites/prod/files/2017/01/f34/Cyber%20Threat%20and%20Vulnerability%20Analysis%20of%20the%20U.S.%20Electric%20Sector.pdf.
[4] Ken Thompson, “Reflections on Trusting Trust,” Communications of the ACM, Volume 27 (8) (August 1984): 761-763, accessed March 26, 2021, https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf.
Interdependencies among networks, including between digital infrastructures and physical systems or people, are a growing type of vulnerability. Three cases illustrate such interdependencies. In a cyber risk assessment of the election infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) found that “Disinformation campaigns conducted in concert with cyberattacks on election infrastructure can amplify disruptions of electoral processes and public distrust of election results.”[5] Ransomware attacks cost institutions money, caused inconvenience, and disrupted the healthcare at some hospitals.[6] An adversary could hold hostage one of the US critical infrastructure sectors[7] to preempt US military or diplomatic responses.
[5] Cybersecurity and Infrastructure Security Agency, “Election Infrastructure Cyber Risk Assessment,” Critical Infrastructure Security and Resilience Note, July 28, 2020, accessed March 26, 2021, https://www.cisa.gov/sites/default/files/publications/cisa-election-infrastructure-cyber-risk-assessment_508.pdf.
[6] Internet Crime Complaint Center, Internet Crime Report 2020, Federal Bureau of Investigation, accessed March 26, 2021, https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.
[7] White House, President Barack Obama, “Presidential Policy Directive – Critical Infrastructure Security and Resilience, PPD-21,” February 12, 2013, accessed March 26, 2021, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
Data are as important as the networks, and are the foundation for new capabilities to monitor the climate, global health, agriculture, and cyberspace. Large data collections are essential for new applications of AI and innovations in medicine and education. The data infrastructure, including where the data are stored, analyzed, and the networks that communicate the results, are targets for cyberattacks.
Advanced cyberattacks take advantage of the limited information sharing between government cybersecurity experts and private industry, and the limited collection of cyberattack indicator information on private systems. Cyberattackers can spend weeks or months carefully probing the target systems, unnoticed.
Federal and private sector organizations lack sufficient insight into system operations, acquired software dependencies, and vendor practices. Also lacking is an effective system of liability and incentives to promote software supply chain security.
Finding 2A.1: Private sector infrastructure critical for economic or national security needs strengthened cybersecurity.
Private sector enterprises and small businesses can be a vector for significant attacks on critical infrastructure, yet cannot readily access or benefit from US government cybersecurity expertise. According to Securing Cyber Assets, Addressing Urgent Cyber Threats to Critical Infrastructure:[8]
“[M]any outstanding federal capabilities play crucial roles in cyber defense and resilience today. However, their effectiveness is constrained in the following ways:
- Private sector knowledge of these [federal cybersecurity] capabilities and incentives to use them is limited.
- Access [to federal cybersecurity capabilities] is hindered by multiple legal and administrative constraints.
- Government capabilities are scattered across a wide swath of agencies, departments, and their sub-units—a complicated labyrinth comparatively few can effectively navigate.
- Classification of essential threat information can delay and hinder coordinated response.”
[8] The President’s National Infrastructure Advisory Council, Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure, August 2017, accessed March 26, 2021, https://www.cisa.gov/sites/default/files/publications/niac-securing-cyber-assets-final-report-508.pdf.
The following sources of cyber information and resources, along with improved coordination with the federal government, can address these needs: (i) Government sharing of critical information about cyberthreats, capabilities, and early attack indicators. This information can help private companies focus their cyberdefense resources and be more agile in doing so. (ii) A national cyber strategy that incorporates the private sector as an integral participant. This requires clarifying the laws governing the ability of the US government to direct the cybersecurity actions of private sector entities, including obligatory information sharing from certain private sector entities. (iii) For software/IT supply chains that support critical economic or national security infrastructure, US government provided risk information on vendors and components flowing into the software/IT supply chain, based on comprehensive and up-to-date collection of supply chain data and analysis of supply chain risks. Private industry can use this information to inform their risk assessments. (iv) US government incentives that assist private industry to grow the cybersecurity workforce needed to make the private sector more secure.
Finding 2A.2: Obtaining the needed cybersecurity workforce and expertise requires participation by the public and the private sector.
“Executive Order 13870 of May 2, 2019: America’s Cybersecurity Workforce,”[9] establishes national requirements to expand both the federal cybersecurity workforce and the cybersecurity workforce for state, territorial, local, and tribal governments, academia, private sector stakeholders, and others. There are five hundred and twenty-one thousand unfilled cybersecurity jobs in the United States, of which thirty-seven thousand are in the federal government.[10]
[9] “Executive Order 13870 of May 2, 2019: America’s Cybersecurity Workforce,” Federal Register, accessed March 26, 2021, https://www.federalregister.gov/documents/2019/05/09/2019-09750/americas-cybersecurity-workforce.
[10] “Cybersecurity Supply/Demand Heat Map,” Cyberseek.org, accessed March 26, 2021, https://www.cyberseek.org/heatmap.html.
The EO supports workforce mobility between the public and private sector for cybersecurity workers, and directs departments to share recruitment strategies and tools across these sectors. A starting point, for both sectors, is the Workforce Framework for Cybersecurity [National Initiative for Cybersecurity Education (NICE) Framework].[11] This defines categories and specialty areas, knowledge, tasks, skills, abilities, and work roles. It can be used by public and private sector employers to better match candidates with sets of needed skills.
[11] National Initiative for Cybersecurity Careers and Studies, “Workforce Framework for Cybersecurity (NICE Framework),” Cybersecurity and Infrastructure Security Agency, accessed March 26, 2021, https://niccs.cisa.gov/workforce-development/cyber-security-workforce-framework.
To close the workforce gap in nonfederal positions, a flexible approach, consistent with the NICE Framework, may be effective.[12] The strategy is to develop new career models that are better matched to the pool of candidates, aligned with the NICE Framework where possible, and using employee development programs and financial incentives to grow workforce skills.
[12] Aspen Institute, Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce, November 2018, accessed March 26, 2021, https://www.aspeninstitute.org/wp-content/uploads/2018/11/Aspen-Cybersecurity-Group-Principles-for-Growing-and-Sustaining-the-Nations-Cybersecurity-Workforce-1.pdf.
Finding 2A.3: Cybersecurity governance, which must enable timely protective actions, has not matched the speed of the cyber threat environment.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework comprises five functions: Identify, Protect, Detect, Respond, and Recover.[13] In each function, timely action is essential for effective cybersecurity. Yet, defensive cybersecurity posture is systemically outpaced by offensive actors.
[13] “Cybersecurity Framework,” National Institute of Standards and Technology, accessed March 26, 2021, https://www.nist.gov/cyberframework/online-learning/five-functions.
- Patching quickly is imperative. A FireEye study[14] reports that the average time between disclosure and patch availability was approximately nine days. Other reports[15] have found longer times to patch, though—up to thirty-eight days on average—and some of the most notorious cyber incidents exploited vulnerabilities patched months before their compromise.[16]
- Organizational adjustments and implementation of best practices must be rapid to keep up with developing threats. Yet, at the federal level, many agencies have been unable to adopt NIST-recommended best practices for ICT supply chain risk management for years.[17]
- Timely and rapid detection and response is necessary to forestall damage and the risk of cascading effects. This capability relies on a system of indicators and warnings, and, at times, comprehensive situational awareness that allows one to monitor cyber events closely and deploy defensive tools with precision. Still, the most sophisticated incursions can remain undetected for months.[18]
- Timely recovery depends on having built resilience into the digital infrastructure, and in having efficient decision making. Long-running attacks, however, can take more than a year to fully recover from.[19]
- All core cybersecurity functions depend on efficient information sharing between and within the public and private sectors. Yet, industry still complains about its incident response being hampered by liability concerns[20] and information-sharing challenges.[21]
[14] Kathleen Metrick, Jared Semrau, and Shambavi Sadayappan, “Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two,” FireEye, April 13, 2020, accessed April 16, 2021, https://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure-patch-release-and-vulnerability-exploitation.html.
[15] Rapid7, “Security Report for In-Production Web Applications,” White Paper, accessed April 16, 2021, https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-tcell-application-security-report.pdf.
[16] Amir Preminger, “NotPetya: Looking Back Three Years Later,” Claroty, June 30, 2020, accessed April 16, 2021, https://claroty.com/2020/06/30/notpetya-looking-back-three-years-later/.
[17] United States Government Accountability Office, Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks, GAO-21-171, December 15, 2020, accessed March 26, 2021, https://www.gao.gov/assets/gao-21-171.pdf.
[18] Robert McMillan, “Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says,” Wall Street Journal, February 2, 2021, accessed April 16, 2021, https://www.wsj.com/articles/hackers-lurked-in-solarwinds-email-system-for-at-least-9-months-ceo-says-11612317963.
[19] Patrick Howell O’Neill, “Recovering from SolarWinds hack could take 18 months,” MIT Technology Review, March 2, 2021, accessed April 16, 2021, https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/.
[20] Cybersecurity and Infrastructure Security Agency, Information and Communications Technology Supply Chain Risk Management Task Force Year 2 Report: Status Update on Activities and Objectives of the Task Force, December 2020, accessed April 16, 2021, https://www.cisa.gov/sites/default/files/publications/ict-scrm-task-force_year-two-report_508.pdf.
[21] Lauren Feiner, “Microsoft president: The only reason we know about SolarWinds hack is because FireEye told us,” CNBC, February 23, 2021, accessed April 16, 2021, https://www.cnbc.com/2021/02/23/microsoft-exec-brad-smith-praises-fireeye-in-solarwinds-hack-testimony.html.
Approach 2A: Establish comprehensive situational awareness of cybersecurity risks in systems that are critical for national and economic security.
The foundation of an effective cybersecurity strategy is comprehensive situational awareness of the state of the critical infrastructure for economic and national security. This is built upon the continuous collection of key indicators, prioritization of risk, the ability to assess key points in the software/IT supply chain, standards to inform best practices, and assessments of the actual levels of cyberdefense and resilience.
Achieving such comprehensive situational awareness requires that the public and private sectors develop a partnership that ensures sufficient information is monitored and exchanged; that the authorities for taking action, when needed, are established in law; and that sufficient cybersecurity training and knowledge is available across the private sector to help strengthen its cybersecurity.
Recommendation 2A: The United States should update and renew the National Cyber Strategy’s Implementation Plan with a focus on streamlining how public and private sector entities monitor their digital environments.
The administration should establish a process to incorporate both regular and ad hoc updates into the National Cyber Strategy so that the strategy remains current and evolves to meet future cybersecurity threats and challenges.
Recommendation 2A.1: Review, update, and reestablish the Implementation Plan for the National Cyber Strategy.
The administration should establish a process to incorporate both regular and ad hoc updates into the National Cyber Strategy so that the strategy remains current and evolves to meet future cybersecurity threats and challenges.[22] The strategy should retain focus on streamlining how public and private sector entities continuously monitor their digital environments, including outlining the appropriate roles, responsibilities, and governance. In addition to the single national cyber coordinator[23] established in the FY 2021 National Defense Authorization Act (NDAA), the strategy should consider the following components: uniform rules and increased compliance with standards for cybersecurity practices across all government activities (with exceptions for national security activities); skilled cybersecurity officers either in, or embedded in, organizations; and a national educational program to improve individuals’ cybersecurity habits.
[22] Government Accountability Office, Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy, report to congressional requestors, September 2020, accessed March 26, 2021, https://www.gao.gov/assets/gao-20-629.pdf; National Security Council, National Cyber Strategy Implementation Plan (Washington, D.C.: June 2019). The Implementation Plan was not published to the public, but any entity assigned a lead or supporting role within the plan received a digital copy of the plan.
[23] William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021.
Recommendation 2A.2: Establish effective and coordinated continuous monitoring for software and hardware used by the federal government.
As part of COVID-19 pandemic relief, the American Rescue Plan Act of 2021 (Public Law No. 117-2, March 11, 2021)[24] includes $1.65 billion for cybersecurity capabilities, readiness, and resilience. This increases the Technology Modernization Fund and helps CISA and the General Services Administration (GSA) complete modernization projects at federal agencies. Additional funds for CISA could bolster cybersecurity across federal civilian agency networks and support pilot programs for shared security and cloud computing services.
[24] American Rescue Plan Act of 2021, H.R. 1319, Public Law No. 117-2, 117th Congress (2021-2022), https://www.congress.gov/bill/117th-congress/house-bill/1319/text.
The acquisition strategies to achieve cybersecurity resilience should reflect the unique cybersecurity requirements and the need for specialized expertise in operations and networks supporting Title 5 (Government Organization and Employees), Title 10 (Armed Forces), Title 34 (Crime Control and Law Enforcement), and Title 50 (War and National Defense) of the US Code. The acquisition strategies should strengthen compliance with standards for continuous monitoring of cybersecurity performance.
The federal government should seek to achieve continuous cybersecurity monitoring of the hardware and software systems that support US government functions, including critical supply chains and network infrastructure. The approach should ensure coordination across all relevant elements of the federal government. Attributes to monitor include external network traffic, internal network behavior, vulnerability exposure, asset tracking, security posture, vendor compliance, product compliance, and product updates. There are four contributing activities to fully realize a cybersecurity posture informed by continuous monitoring: (i) assess the trustworthiness of software and hardware employed by the US government based on inherent vulnerabilities and risks due to the network position, permissions, and supply chain considerations; (ii) further empower the Department of Homeland Security (DHS) to perform these assessments by strengthening the ties among US government agency chief information officers (CIOs) and DHS for the various government networks; (iii) make these hardware and software risk assessments available to local and state governments to inform their endeavors; and (iv) leverage these assessments to support the private sector, especially small- to mid-sized businesses that do not have the capacity to fully assess their own supply chains yet would benefit from knowing what software is trustworthy. The risk assessments developed by the US government could also be shared with like-minded partners that are seeking to do the same regarding the hardware and software they employ to achieve assured supply chains and trusted digital environments.
There are several lines of effort, described further in Appendix B.
Recommendation 2A.3: Increase compliance with continuous monitoring that is part of the National Institute of Standards and Technology security control guidance.
The administration should require GAO to review the efficacy of agency-specific practices regarding the continuous monitoring portion of NIST’s security control guidance. NIST controls dedicated to continuous monitoring for agencies[25] are required for all three priority levels of the federal agency information systems.[26] OMB memoranda as far back as 2011[27] discuss continuous monitoring superseding periodic reviews. While NIST has long recommended the practice, agencies have failed to implement it: in 2019, only about three-quarters had done so,[28] marking little improvement over several years. The most recent GAO report[29] indicates that general compliance with fundamental risk management practices has turned worse.
[25] “NIST Risk Management Framework,” National Institute of Standards and Technology Computer Security Resource Center, accessed March 26, 2021, https://nvd.nist.gov/800-53/Rev4/control/CA-7.
[26] Kelley Dempsey et al., Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, Special Publication 800-137, NIST, September 2011, accessed March 26, 2021, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.
[27] Office of Management and Budget, “FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” Executive Office of the President, Memorandum M-11-33, September 14, 2011, accessed March 26, 2021, https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2011/m11-33.pdf.
[28] Executive Office of the President of the United States, Federal Information Security Modernization Act of 2014: Annual Report to Congress, Fiscal Year 2019, accessed March 26, 2021, https://www.whitehouse.gov/wp-content/uploads/2020/05/2019-FISMARMAs.pdf.
[29] Government Accountability Office, Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks, GAO-21-171, December 15, 2020, accessed March 26, 2021, https://www.gao.gov/products/GAO-21-171.
To achieve increased compliance, CISA should be empowered to assist lagging agencies in conforming with NIST guidelines and best practices mandated by the Federal Information Security Modernization Act (FISMA).[30] This would support a more responsive and uniform implementation of security methods—monitoring, security updates, approaches such as stress tests, assessing vendor security maturity, and certificate transparency. New data disclosure policies must be developed to enable the mapping, visualization, and testing of the software/IT supply chain networks.[31]
[30] Federal Information Security Modernization Act of 2014, S. 2521, 113th Congress (2013-2014), https://www.congress.gov/bill/113th-congress/senate-bill/2521/text. FISMA requires each agency to handle its own security by meeting NIST SP 800-53 controls and requires its information system maintainers to comply with NIST SP 800-171. These NIST publications discuss continuous monitoring controls, with NIST SP 800-137 dedicated to a more in-depth treatment.
[31] Cybersecurity and Infrastructure Security Agency, Information and Communications Technology.
More specific understanding of the continuous monitoring practices is needed to guide implementation. There is overlap in the types of continuous monitoring discussed most often. First is the continuous monitoring of vendor compliance with certification regimes— the Federal Risk and Authorization Management Program (FedRAMP), the Department of Defense (DoD) information networks approved product list (DoDIN APL), the new Cybersecurity Maturity Model Certification (CMMC), etc. Each describes and aspires toward continuous assessment of compliance, but they are still organized around monthly, yearly, or three-year review periods. Truly continuous monitoring would bring more rigor and regularity to reviewing changes made to deployed software, a potentially devastating attack vector for adversaries, and changes in vendor security practices and context.
NIST guidelines refer to continuous monitoring of security control efficacy, asset exposure, threat vulnerability, configuration compliance, and other quasi-technical metrics. Between 79 percent and 83 percent of Chief Financial Officers Act of 1990 (CFO Act) federal agencies,[32] and between 58 percent and 63 percent of non-CFO Act agencies, fulfill these requirements. This type of continuous monitoring is determined by agency policy, leading to varying standards for how often to perform checks, what to check, and what satisfactory levels are.[33] A program at CISA, the Continuous Diagnostics and Mitigation (CDM) program, is supposed to integrate these activities. It has met systemic implementation difficulties, however,[34] and Homeland Security Secretary Alejandro Mayorkas has sought a review of the CDM program, along with CISA’s EINSTEIN program, which monitors inbound and outbound traffic on federal networks.[35] It also must overcome great variation among the networks and products that would be checked. There is little agreement, and the quality of implementation is not well known.
[32] Executive Office of the President of the United States, Federal Information Security Modernization Act of 2014.
[33] Dempsey et al., Information Security Continuous Monitoring (ISCM).
[34] Congressional Research Service, Cybersecurity: DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring Program, August 2020, accessed March 26, 2021, https://www.gao.gov/assets/gao-20-598.pdf.
[35] Justin Katz, “Mayorkas calls for review of Einstein, CDM,” FCW, January 19, 2021, accessed March 26, 2021, https://fcw.com/articles/2021/01/19/mayorkas-dhs-confirm-cyber.aspx.
Finally, there is the continuous monitoring of actual network behavior. This would include mandating the maintenance of standardized access logs, auditing of those logs, monitoring inbound and outbound traffic, and all the related detailed measurements. More transparency is needed in how much such monitoring occurs within government networks, though CISA’s EINSTEIN program does the work of monitoring traffic in and out of federal civilian agencies.
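As an added illustration of the log auditing described above (this is example code written for this page, not code from the report or from any government program), the following script audits a few constructed access-log lines for two indicators a continuous-monitoring program would want surfaced: a burst of failed logins from one user/source pair that is then followed by a success, and outbound connections to destinations outside an allowlist. The key=value log layout, the field names, the thresholds and the allowlist are all assumptions made for the example.

```python
"""Audit standardized access logs for two continuous-monitoring indicators.

Example code for this page; the log format (assumed key=value fields after an
ISO-8601 timestamp), field names and thresholds are assumptions, and the log
lines below are constructed, not captured from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: four failed logins then a success from one external
# source, one normal internal login, and two outbound connections.
SAMPLE_LOG = """\
2021-03-01T02:14:05Z dir=in  src=203.0.113.7 dst=10.0.0.5 user=jdoe   action=login   result=fail
2021-03-01T02:14:09Z dir=in  src=203.0.113.7 dst=10.0.0.5 user=jdoe   action=login   result=fail
2021-03-01T02:14:12Z dir=in  src=203.0.113.7 dst=10.0.0.5 user=jdoe   action=login   result=fail
2021-03-01T02:14:15Z dir=in  src=203.0.113.7 dst=10.0.0.5 user=jdoe   action=login   result=fail
2021-03-01T02:14:21Z dir=in  src=203.0.113.7 dst=10.0.0.5 user=jdoe   action=login   result=ok
2021-03-01T09:00:00Z dir=in  src=10.0.0.22   dst=10.0.0.5 user=asmith action=login   result=ok
2021-03-01T09:05:00Z dir=out src=10.0.0.5    dst=192.0.2.10   user=svc action=connect result=ok
2021-03-01T09:06:00Z dir=out src=10.0.0.5    dst=198.51.100.9 user=svc action=connect result=ok
"""


def parse_line(line):
    """Turn one log line into a dict; the leading timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line of a log in the assumed format."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Find user/source pairs with >= threshold failed logins inside `window`.

    Returns {(user, src): (fail_count, success_after)}, where success_after is
    True when a successful login from the same pair followed the burst within
    one window. The first qualifying window per pair is reported.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e.get("action") == "login":
            by_pair[(e["user"], e["src"])].append(e)
    findings = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "fail"]
        for i, start in enumerate(fails):
            j = i
            while j < len(fails) and fails[j] - start <= window:
                j += 1  # advance to the first failure outside the window
            count = j - i
            if count >= threshold:
                burst_end = fails[j - 1]
                success_after = any(
                    e["result"] == "ok" and burst_end <= e["ts"] <= burst_end + window
                    for e in evs
                )
                findings[pair] = (count, success_after)
                break
    return findings


def unexpected_outbound(events, allowed_dsts):
    """Outbound connections whose destination is not on the allowlist."""
    return sorted({
        e["dst"] for e in events
        if e.get("dir") == "out" and e.get("action") == "connect"
        and e["dst"] not in allowed_dsts
    })


def audit(text, allowed_dsts):
    """Run both checks over a log and return their findings together."""
    events = parse_log(text)
    return {
        "login_bursts": failed_login_bursts(events),
        "unexpected_outbound": unexpected_outbound(events, allowed_dsts),
    }


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    # Assumed allowlist: only 192.0.2.10 is an approved outbound destination.
    for name, result in audit(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(name, result)
```

On the constructed input the audit reports the jdoe burst (four failures from 203.0.113.7 followed by a success) and the single outbound connection to 198.51.100.9 that is not on the allowlist. In a real deployment the allowlist and thresholds would come from the agency’s own policy, which is exactly the per-agency variation the text notes; the value of a standardized log format is that the same auditing logic can run unchanged across networks.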
Recommendation 2A.4: Ensure cybersecurity best practices, expertise, and assurance testing are widely available to industry and government entities.
The administration should provide the private sector technical information on threats on a regular basis, to bolster cybersecurity. The private sector outreach would be linked to the existing Information Sharing and Analysis Centers (ISACs) for US critical infrastructure entities and the Information Sharing and Analysis Organizations (ISAOs) to ensure monitoring of both supply chain risks and cybersecurity performance for vital US private sector companies of all sizes.
The US national security domain requires independent certification of adherence to a set of multinational standards.[36] One approach could be to expand CMMC to all of government instead of just DoD. While the program is still facing implementation challenges,[37] it could provide useful information on general cybersecurity maturity to industry and government alike, with benefits beyond the specific vendor products. Because DoD is only just beginning to implement CMMC, as a first step the administration should conduct a feasibility assessment for an across-government approach. To improve and streamline cybersecurity requirements, the administration should assess how a government-wide implementation of CMMC would overlap with FedRAMP or any other cybersecurity requirements, and how the broadened implementation of CMMC could improve general industry cyber hygiene.
[36] “Cybersecurity Maturity Model Certification (CMMC) Compliance,” Compliance Forge, accessed March 26, 2021, https://www.cmmc-compliance.com/.
[37] Jackson Barnett, “New bottleneck emerges in DOD’s contractor cybersecurity program, concerning assessors,” FEDSCOOP, April 19, 2021, accessed April 21, 2021, https://www.fedscoop.com/cmmc-bottleneck-c3pao-assessments-dod/.
To implement cybersecurity capabilities and practices, private sector companies must acquire cleared personnel, spaces, and IT equipment. The administration should consider accelerating any necessary prerequisite steps.
Part B: Quantum information sciences
The United States, the European Union (EU), China, Russia, the United Kingdom, Canada, and other nations are expanding their investments in QIS, with national and regional QIS strategies and programs.[38] Recent demonstrations of quantum computers increase concerns that aspects of the technical foundation of the United States’ digital security may be vulnerable in the foreseeable future.[39] Quantum communication and quantum key distribution (QKD) methods,[40] though, can enhance the security of the digital infrastructure. These methods may contribute to data and communications security against untrusted and corrupted hardware and also protect against the ability to make inferences about sensitive data based on access to multiple data sources containing nonsensitive data.[41]
[38] Subcommittee on Quantum Information Science under the Committee on Science of the National Science & Technology Council, National Strategic Overview; “National Quantum Initiative Advisory Committee,” US Department of Energy, accessed March 26, 2021, https://science.osti.gov/About/NQIAC; QUROPE Quantum Information Processing and Communication in Europe, Quantum Technologies Roadmap, European Union, August 2018, accessed March 26, 2021, http://qurope.eu/h2020/qtflagship/roadmap2016; National Development and Reform Commission, “The 13th Five Year Plan for Economic and Social Development of the People’s Republic of China (2016-2020),” People’s Republic of China, accessed March 26, 2021, https://en.ndrc.gov.cn/newsrelease_8232/201612/P020191101481868235378.pdf; Arjun Kharpal, “In battle with U.S., China to focus on 7 ‘frontier’ technologies from chips to brain-computer fusion,” CNBC, March 5, 2021, accessed March 26, 2021, https://www.cnbc.com/2021/03/05/china-to-focus-on-frontier-tech-from-chips-to-quantum-computing.html.
[39] S. Debnath et al., “Demonstration of a small programmable quantum computer with atomic qubits,” Nature 536 (2016): 63-66, accessed March 26, 2021, https://doi.org/10.1038/nature18648; Google AI Quantum and Collaborators et al., “Hartree-Fock on a superconducting qubit quantum computer,” Science 369 (6507) (August 28, 2020): 1084–1089, accessed March 26, 2021, https://doi.org/10.1126/science.abb9811; Juan Yin et al., “Entanglement-based secure quantum cryptography over 1,120 kilometres,” Nature 582 (2020): 501-505, accessed March 26, 2021, https://doi.org/10.1038/s41586-020-2401-y; Vasileios Mavroeidis et al., “The Impact of Quantum Computing on Present Cryptography,” International Journal of Advanced Computer Science and Applications 9 (3) (2018), accessed April 16, 2021, https://arxiv.org/pdf/1804.00200.pdf.
[40] “Quantum Key Distribution (QKD) and Quantum Cryptography (QC),” National Security Agency Central Security Service, accessed March 26, 2021, https://www.nsa.gov/what-we-do/cybersecurity/quantum-key-distribution-qkd-and-quantum-cryptography-qc/.
[41] M. Fujiwara et al., “Unbreakable distributed storage with quantum key distribution network and password-authenticated secret sharing,” Scientific Reports 6, 28988 (2016), accessed March 26, 2021, https://doi.org/10.1038/srep28988.
Finding 2B: Long-term quantum information science priorities include international collaboration, which is limited by national and regional funding and data-sharing policies.
A primary element of leadership in QIS is the ability to set key standards for QIS applications. This relies on developing and deploying devices that operationalize QIS, and on working in collaboration with many nations and partners. While collaboration is identified as a national priority in the US national strategy for QIS, it should be extended beyond basic S&T activities.
Finding 2B.1: The US strategy for quantum information science emphasizes US efforts and benefits.
The National Strategic Overview for Quantum Information Science42Subcommittee on Quantum Information Science under the Committee on Science of the National Science & Technology Council, National Strategic Overview. provides a strategic approach for achieving US leadership in QIS and its applications to national and economic security. The six policy areas are as follows:
- Choosing a science-first approach to QIS: Strengthen the research foundation and the collaboration across disciplines. Use Grand Challenge problems as a strategic mechanism to coordinate and focus efforts.
- Creating a future quantum-smart workforce: Foster a QIS-skilled workforce through investments in industry, academia, and government laboratories that increase the scope of QIS research, development, and education.
- Deepening engagement with the quantum industry: Increase coordination among the federal government, industry, and academia to enhance awareness of needs, issues, and opportunities.
- Providing critical infrastructure: Encourage necessary investments, create and provide access to QIS infrastructure, and establish testbeds.
- Maintaining national security and economic growth: Maintain awareness of the security benefits and risks of QIS capabilities.
- Advancing international cooperation: Seek opportunities for international cooperation to benefit the US talent pool and raise awareness about other QIS developments.
The US strategy for QIS recognizes the sensitivities of this research, which can both enable new scientific and economic applications, and create new methods for attacking sensitive data and communications. This strategy supports international collaboration in QIS both to advance the basic research and its applications, and to ensure the United States maintains its leadership and competitiveness in QIS.43Ibid.
The US strategy for QIS supports international efforts in three ways: It reviews international research to maintain awareness of new results and directions, selects partnerships that will give the United States access to top-quality researchers and facilities, and shares certain public data from QIS research to help the development of standards for future QIS applications.
In addition to the US strategy for QIS, the National Quantum Initiative Act “authorized $1.2 billion in federal research and development (R&D) spending over five years, established the National Quantum Coordination Office, and called for the creation of new QIS research institutes and consortia around the country.”44National Quantum Initiative Act of 2018, S. 3143, Public Law No. 115-368, 115th Congress (2017-2018), accessed March 26, 2021, https://www.congress.gov/115/plaws/publ368/PLAW-115publ368.pdf. Also, the National Science Foundation (NSF) recently established three quantum research centers45National Science Foundation, “NSF establishes 3 new institutes to address critical challenges in quantum information science,” Announcement, July 21, 2020, accessed March 26, 2021, https://www.nsf.gov/news/special_reports/announcements/072120.jsp. and added the opportunity for limited supplemental funding requests to support international collaboration on basic research topics.46“Dear Colleague Letter: International Collaboration Supplements in Quantum Information Science and Engineering Research,” National Science Foundation, NSF 20-063, March 24, 2020, accessed March 26, 2021, https://nsf.gov/pubs/2020/nsf20063/nsf20063.jsp.
Congressional hearings on “Industries of the Future” discussed the importance of QIS and establishing US leadership in QIS.47“Industries of the Future,” U.S. Senate Committee on Commerce, Science, and Transportation, January 15, 2020, accessed March 26, 2021, https://www.commerce.senate.gov/2020/1/industries-of-the-future. One effort by the United States to establish international cooperation in QIS is the agreement between the United States and Japan to cooperate on quantum research through activities including “collaborating in venues such as workshops, seminars, and conferences to discuss and recognize the progress of research in QIST, which in turn will lead to the identification of overlapping interests and opportunities for future scientific cooperation.”48“Tokyo Statement on Quantum Cooperation,” U.S. Department of State, December 19, 2019, accessed March 26, 2021, https://www.state.gov/tokyo-statement-on-quantum-cooperation/.
Finding 2B.2: China is pursuing quantum information science as a strategic technology.
Quantum communications and computing are among the strategic technologies highlighted in China’s 14th Five-Year Plan (2021-2025). China aims to be a global leader in innovation, using large demonstration projects to advance its science and technology (S&T), and to build human capital for strategic technology areas. This includes major initiatives in quantum research and development (R&D), demonstrations of QKD and quantum computing, and a major new National Laboratory for Quantum Information Sciences.49Elsa B. Kania, “China’s Quantum Future,” Foreign Affairs, September 26, 2018, https://www.foreignaffairs.com/articles/china/2018-09-26/chinas-quantum-future; European Commission, “Quantum Technologies Flagship kicks off with first 20 projects,” Factsheet, October 29, 2018, accessed March 26, 2016, https://ec.europa.eu/commission/presscorner/detail/de/MEMO_18_6241; Arjun Kharpal, “In battle with U.S., China to focus on 7 ‘frontier’ technologies from chips to brain-computer fusion,” CNBC, March 5, 2021, accessed March 26, 2021, https://www.cnbc.com/2021/03/05/china-to-focus-on-frontier-tech-from-chips-to-quantum-computing.html; Lauren Dudley, “China’s Quest for Self-Reliance in the Fourteenth Five-Year Plan,” Net Politics, March 8, 2021, accessed April 16, 2021, https://www.cfr.org/blog/chinas-quest-self-reliance-fourteenth-five-year-plan. China is able to advance in quantum R&D in part due to the close coordination among the government, universities, and industry, which aids both the advancement of the science and the building of a skilled workforce.50Martin Giles, “The man turning China into a quantum superpower,” MIT Technology Review, December 19, 2018, accessed March 26, 2021, https://www.technologyreview.com/2018/12/19/1571/the-man-turning-china-into-a-quantum-superpower/.
Finding 2B.3: EU’s science and technology strategy focuses on EU participation.
The EU’s S&T program includes three components that address QIS and other technology areas: (i) Horizon Europe, which has a seven-year budget of €95.5 billion for 2021-2027, within which the Digital, Industry and Space area is funded at €15.5 billion;51“Final budget breakdown Horizon Europe,” Science|Business, accessed April 16, 2021, https://sciencebusiness.net/sites/default/files/inline-files/Final%20budget%20breakdown%20Horizon%20Europe_0.pdf. (ii) Digital Europe Programme, funded at €7.5 billion;52“Digital Europe Programme,” European Commission, accessed April 16, 2021, https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/programmes/digital. and (iii) Space Programme, with proposed funding of €13.2 billion.53European Commission, Commission welcomes the political agreement on the European Space Programme, press release, December 16, 2020, accessed April 16, 2021, https://ec.europa.eu/commission/presscorner/detail/en/IP_20_2449. The European Commission is soliciting proposals for quantum communications infrastructure, which will be funded by these initiatives. The objective is to enable the EU to be an independent provider of quantum technologies needed to build a quantum communications infrastructure.54European Commission, “European Commission, Call for tenders CNECT/LUX/2020/CPN/0062, Detailed system study for a Quantum Communication Infrastructure, Competitive Procedure with Negotiation,” accessed April 16, 2021, https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=69304; Éanna Kelly, “Switzerland pencilled back into quantum plans, but no access for UK, Israel,” Science|Business, March 18, 2021, accessed April 16, 2021, https://sciencebusiness.net/news/switzerland-pencilled-back-quantum-plans-no-access-uk-israel; “Horizon Europe, Work Programme 2021-2022, 7. Digital, Industry and Space,” European Commission, accessed April 16, 2021, https://sciencebusiness.net/sites/default/files/inline-files/7.%20Digital%20Industry%20Space.pdf.
Horizon 2020, the predecessor to Horizon Europe, involved US researchers in only 1.5 percent of the Horizon 2020 projects.55CORDIS, European Commission Research Results, accessed April 16, 2021, https://cordis.europa.eu/projects/en. This represents a comparison of Horizon 2020 projects originating in the United States during 2013-2020 with the total number of Horizon 2020 projects, excluding certain subcategories from both groupings. In comparison, EU researchers participate at a much greater level considering all National Science Foundation (NSF) and National Institutes of Health (NIH) active grants.56“Funding & tender opportunities, Single Electronic Data Interchange Area (SEDIA),” European Commission, accessed March 26, 2021, https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/horizon-dashboard. This asymmetry in participation is due to EU rules that require participants in Horizon 2020 projects to sign grant agreements. For US institutions, this raises issues concerning “governing law and jurisdiction, intellectual property treatment, joint and several liability57“When two or more parties are jointly and severally liable for a tortious act, each party is independently liable for the full extent of the injuries stemming from the tortious act.” “Joint and Several Liability,” Cornell Law School, accessed March 26, 2021, https://www.law.cornell.edu/wex/joint_and_several_liability. and indemnification, access to data and implications for export control, and auditing requirements.”58Richard L. Hudson, “Tale of two cities: Brussels and Washington struggle to cooperate in science,” Science|Business, May 14, 2018, accessed April 16, 2021, https://sciencebusiness.net/tale-two-cities-brussels-and-washington-struggle-cooperate-science; Ryan Lankton and Jennifer Ponting, “Managing Horizon 2020 Grants: the Experiences of the University of Michigan and Harvard,” NCURA Magazine, National Council of University Research Administrators, XLVIII (1) (January/February 2016), accessed April 16, 2016, http://www.ncura.edu/portals/0/docs/srag/january%202016%20issue-weibo.pdf.
Finding 2B.4: Funding policies constrain collaboration.
One issue of concern in the Horizon Europe initiative rules governing participation is the determination of financial contribution by the United States and “third countries” as defined in Article 12 of Horizon Europe—the Framework Programme for Research and Innovation.59“Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination – Common understanding,” Council of the European Union, Interinstitutional File: 2018/0224(COD), accessed March 26, 2021, https://www.consilium.europa.eu/media/38902/st07942-en19.pdf. The calculated cost of association with the Horizon Europe initiative is based on the relative size of a country’s gross domestic product (GDP) compared with EU GDP. For example, the European Commission has proposed making the UK pay a proportion of the 2021-2027 research budget based on its share of EU GDP, which currently stands at 18 percent. For the United States, this corresponding value is 137 percent, yielding a required contribution of $131.4 billion.
The regulations establishing Horizon Europe contain other potential issues for US participation. These include Article 36, which gives the European Commission rights regarding transfer and licensing, and Article 49, which gives certain EU entities the right to carry out investigations and inspections.
Approach 2B: Coordinate with allies and partners to build human capital for quantum information science and overcome limitations imposed by national and regional funding and data-sharing policies.
In the ongoing competitive R&D of QIS, key determinants of success are the size, skill, and collaboration of the technology workforce spanning a number of disciplines, including those in the fields of science, technology, engineering, mathematics (STEM), and manufacturing. The United States recognizes that it “must work with international partners, even while advancing domestic investments and research strategies.”60Subcommittee on Quantum Information Science under the Committee on Science of the National Science & Technology Council, National Strategic Overview, 12.
Recommendation 2B: With allies and partners, the United States should develop priority global initiatives that employ transformative quantum information science and catalyze the development of human capital and infrastructure for these and other next-generation quantum information science applications.
Recommendation 2B.1: Establish, with other nations, a common set of demonstration milestones for quantum data and communications security.
The administration should extend the technological development portfolio of national investments in QIS to incorporate a common set of milestones with allies. The members of the National Science and Technology Council (NSTC) Subcommittee on Quantum Information Science should develop such milestones in coordination with representatives from collaborating nations. These are to be consonant with plans by the United States and like-minded nations to develop testbeds, demonstrations, standards, and a quantum-skilled workforce. The milestones will inform the practical applications for use with near-, mid-, and long-term levels of quantum information capabilities. The EU’s Horizon Europe initiative is a potential opportunity for such collaboration. The United States should also establish data sharing agreements with other nations for QIS results pertaining to shared economic and national security interests.
Recommendation 2B.2: Create a program of quantum information science research and development focused on emerging issues for digital economies.
The administration should continuously evaluate QIS progress and technologies through the White House Office of Science and Technology Policy (OSTP) and the National Academies of Sciences, Engineering, and Medicine; this could be accomplished by creating a standing committee, as has been done for other long-lived areas. This will identify new technology directions, review QIS policies, and revisit priorities and partnerships. The evaluations should focus on entirely new quantum capabilities that can benefit digital economies, e.g., privacy and advances in biotechnology and data capabilities, open sharing of data while maintaining data privacy, principles for systems to be quantum-secure by design, digital supply chain security for both hardware and software, evolution of Internet protocols, network modernization, and other topics.
Recommendation 2B.3: Establish a program to accelerate the operationalization of quantum information science technologies.
Recognizing the need for broad and significant investment in quantum applications to focus and accelerate progress, Congress and the administration should establish a program, led by the Defense Advanced Research Projects Agency (DARPA), to accelerate the operationalization of continually evolving hybrid (classical and quantum) computing architectures. This program will mature prototype demonstrations of quantum computing, communication, sensing, and metrology technologies to yield fieldable capabilities. The program also should include elements that seek to develop a quantum-skilled workforce in the private and public sectors. Several models for such a program are seen in DARPA’s long history of rapidly growing and maturing advanced technology fields, e.g., Grand Challenges for autonomous vehicles, Have Blue for stealth technologies, and AI Next for artificial intelligence.
Recommendation 2B.4: Establish leading roles for the United States in setting international standards for data and communications security as quantum information science evolves.
Building on the results obtained from NDAA FY 2021, SEC. 9414, Study on Chinese Policies and Influence in the Development of International Standards for Emerging Technologies,61William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021. SEC. 9414. Study on Chinese Policies and Influence in the Development of International Standards for Emerging Technologies will produce an assessment of this issue for emerging technologies. SEC. 9414 is based on the “Ensuring American Leadership over International Standards Act of 2020,” S. 4901, introduced on November 16, 2020, by Senator Cortez Masto (D-NV) and Senator Portman (R-OH), accessed March 26, 2021, https://www.congress.gov/bill/116th-congress/senate-bill/4901/text. the administration should take steps to bolster the development of standards for QIS technology development and applications.62“Working Group 14 for Quantum computing was established by ITO/IEC JTC1 in June 2020,” JTC1, accessed March 26, 2021, https://jtc1info.org/technology/working-groups/quantum-computing/. IEC and ISO have set up a working group (WG 14) in their joint technical committee on information technology (JTC1) to identify the standardization needs of quantum computing. This will drive toward a strategy for achieving a leadership role in international quantum standards setting, sharing sensitive security-related advances with allies, responding to China’s efforts to influence international standards,63“A ‘China Model?’ Beijing’s Promotion of Alternative Global Norms and Standards,” hearing before the U.S.-China Economic and Security Review Commission, 116th Congress, March 13, 2020, accessed March 26, 2021, https://www.uscc.gov/sites/default/files/2020-10/March_13_Hearing_and_April_27_Roundtable_Transcript.pdf. and catalyzing private sector investments in quantum technologies.
NIST is currently developing quantum resilient encryption standards for the United States.64National Institute of Standards and Technology, “NIST’s Post-Quantum Cryptography Program Enters ‘Selection Round,’” July 22, 2020, accessed March 26, 2021, https://www.nist.gov/news-events/news/2020/07/nists-post-quantum-cryptography-program-enters-selection-round. The administration should direct NIST to broaden the scope of its work to develop standards for QIS technology development and applications.65Dr. Carl J. Williams, “NIST’s Program in Quantum Information Science,” accessed April 16, 2016, https://science.osti.gov/-/media/nqiac/pdf/NIST_-presentation-NQIAC-20201027.pdf?la=en&hash=79A89EDF5BF6175360DF7EBCEB024F9B240B64A7.
The administration should develop DoD and Intelligence Community policy guidance to govern the sharing of QIS findings and capabilities with allies and partners. This guidance should be developed with representation from the Department of Commerce’s National Telecommunications and Information Administration (NTIA) and NSF to balance security concerns with the benefits of collaboration; address government and private industry information, both classified and proprietary; and also should include categories of information that the United States is interested in receiving from allies and partners.
Recommendation 2B.5: Establish a national QIS research, development, and testing infrastructure; fund quantum demonstration programs.
The administration should establish a national QIS research, development, and testing infrastructure. This will comprise research centers focused on quantum computing, quantum communications, quantum sensing, and evaluation of QIS (including QIS-secure) applications; a national computational infrastructure to support this initiative; engineering testbeds; programs to build a skilled QIS workforce; and participation by private industry (for example, the Quantum Economic Development Consortium66National Institute of Standards and Technology, “NIST Launches Consortium to Support Development of Quantum Industry,” September 28, 2018, accessed March 25, 2021, https://www.nist.gov/news-events/news/2018/09/nist-launches-consortium-support-development-quantum-industry. The Quantum Economic Development Consortium (QEDC) is a public-private partnership in the United States tasked with developing the future workforce needs for the QIS economy. Virtually all of the US private sector quantum companies are represented in the QEDC.) to advance the development of a national QIS infrastructure and create fielded capabilities. In support of the National Quantum Coordinating Office, an interagency group led by the Department of Energy, NIST, and DARPA should oversee this infrastructure initiative, coordinating federal programs and guiding private industry’s participation.
The administration should develop demonstration programs that show, in operational settings, national security implications of near-term quantum platforms. Some examples include the following:
- Quantum communications: There are two areas of interest: (i) understanding vulnerabilities of various public key cryptographic systems to future quantum computing systems, an effort currently underway at NIST in the development of quantum resilient encryption standards, and (ii) use of QKD in large-scale demonstrations relevant to commercial and security applications, including space communications. QKD provides an approach to post-quantum communications security that is based on quantum phenomena, not algorithmic complexity.
- Quantum computing: Using small quantum computers in networked clusters or in hybrid architectures with classical computers.
- Quantum networks: The use of quantum networks for long-range quantum communications.
- Quantum sensing: Using quantum mechanics phenomena and devices for high-sensitivity and precision applications in sensing and communication, life sciences, and other fields.
The administration, through the National Quantum Coordinating Office, should establish funded competitions to improve the exchange of intellectual property and foster a common understanding across the government, industry, academic communities, and foreign institutions working on QIS.67J. Bienfang et al., Building the Foundations for Quantum Industry, NIST, June 20, 2018, accessed March 26, 2021, https://www.nist.gov/system/files/documents/2018/06/20/report-on-qid-v10.pdf.