The Next Big Cyber Threat Could Come from Quantum Computers… Is the Government Ready?
Whether you’re sending an email, paying a bill online, or logging in to a credit card or bank account, websites and many other systems rely on cryptography to keep your information safe. But emerging quantum computer technologies could allow unauthorized access to your sensitive data. They could also be used to access systems that house important taxpayer records or manage critical infrastructure like electricity grids.
Today’s WatchBlog post looks at our recent work on the quantum threat and the status of a federal strategy to prevent such attacks.
How can quantum computers be used to break cryptography?
Unlike the computers we use today, a sufficiently powerful quantum computer could break cryptography in just a few hours or days, compared with the billions of years a conventional computer would take. Public-key cryptography, a common type of cryptography used by federal agencies and critical infrastructure, is specifically at risk.
[Figure: An Illustration of a Public-Key Cryptography Method Used to Protect Data]
Experts estimate that development of a quantum computer capable of breaking cryptography may be just 10 to 20 years away. That doesn’t leave much time for the U.S. to prepare for this threat. Indeed, the threat might already be here. Adversaries can already copy currently protected data and store it, intending to decrypt it later once a sufficiently powerful quantum computer is available. This kind of attack is known as a “harvest now, decrypt later” attack.
The U.S. does not have a fully developed plan to address quantum threats.
Federal agencies have developed a variety of documents detailing guidance, strategies, and best practices to deal with the quantum threat. But these efforts are not fully coordinated or developed, which could leave federal and critical infrastructure systems vulnerable. For example, there are documents that provide milestones for updating federal systems to safer cryptography. But the same milestones don’t exist for critical infrastructure systems.
In our recent report, we found that part of the reason the U.S. strategy is not complete is that no central federal organization is responsible for its coordination and oversight. Without a leader, federal agencies and critical infrastructure organizations don’t fully know what their responsibilities are or what they need to do to address the quantum computing threat.
The Office of the National Cyber Director was specifically created in 2021 to lead the U.S.’s cyber policy and strategy efforts. So, we recommended this office take the lead in coordinating this important strategy and ensuring efforts are comprehensive enough to address the threat quantum computers pose.
Learn more about this issue by checking out our latest report and by reading our Science & Tech Spotlight on Securing Data for a Post-Quantum World.
- GAO’s fact-based, nonpartisan information helps Congress and federal agencies improve government. The WatchBlog lets us contextualize GAO’s work a little more for the public. Check out more of our posts at GAO.gov/blog.
- Got a comment or question? Email us at blog@gao.gov.
GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.
The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.