Our current encryption standards protect our bank accounts, financial markets, and most of our infrastructure, not to mention the logistics/supply-chain management system in the US Defense Department. But what happens when quantum computers can decipher the current asymmetric encryption that protects our vital systems? "Quantum-Day," or Q-Day, may happen sooner than scientists predict, and it will act like a "dirty bomb" on information architecture.
For standard encryption, Q-Day will occur when a 4,099 coherent qubit machine can complete the nonpolynomial hard factoring on which today's encryption relies. A quantum computer of this magnitude is not available yet, so the world's encrypted data is relatively safe for now. However, a global race is underway to get there.
Most computing experts agree our world is already in the "Quantum Decade," during which governments, businesses, and entrepreneurs will gain value from quantum advances. The opportunities are dizzying as tech companies race to bring quantum computing to commercial products. In late 2021, IBM trumpeted its plan to complete a 1,000-qubit computer by 2023. Numerous others have made subsequent announcements about even larger quantum processors.
All of these advances push for quantum advantage, meaning the time when a quantum computer exceeds the computing power of today's supercomputers. However, most projects are closer to quantum practicality, as computer scientists acknowledge. Quantum practicality (sometimes called quantum utility) is when a quantum machine is able to outperform traditional computers of comparable power under similar conditions. Regardless of what this Quantum Decade brings, it will force changes to existing systems and break several stable information paradigms that lack resilience.
Because of this, the United States — and indeed, every nation — needs backward-compatible quantum resilience now. The US Defense Department hands out awards to contractors that develop or maintain backward compatibility of system hardware and software interfaces. These contracts bring new capabilities to older systems or remedy known limitations for legacy systems (for example, hardening them for continued use). Any post-quantum communication solution that isn't deeply backward compatible cannot scale in deployment quickly enough and will leave the US vulnerable on Q-Day.
Legacy Systems Open up Vulnerabilities
With this requirement in mind, it's worth asking how we're doing. Is the US ready for Q-Day? Can we get there from here? The easiest answer comes from following the money. Since 1990, each US government executive branch department has been required to produce an annual financial statement. For the Defense Department, the details of its most recent audit point to these new systems and legacy systems being material weaknesses, although the audit does not mention which systems those are. This is mainly because we rush to advocate for innovation, but pay for it slowly and reluctantly.
In both the commercial and government worlds, the financial and time cost of updating old software is significant. For the US Government, each fiscal year these obligated stable (sunk) costs are lagging, according to the audit agency; that means they are inadequately funded and falling further behind the innovation curve. This is a big drawback for warfighters. Of the 28 material weaknesses identified in the "Fiscal Year 2021 DoD Agency Financial Report" (up from 26 in the prior year's report), the top two were legacy systems and configuration management.
We can "get there from here" and must do so for the good financial stewardship and national security standards US citizens expect. Perhaps more important than increasing domestic spending to keep up with innovation, we need to keep in mind our adversaries have a vote. Those seeking to damage the US know that legacy systems are particularly vulnerable. The nine legacy systems the DoD extended beyond their expected retirement and the numerous systems (more than 140) that are out of compliance make for a juicy target. Quantum computing advances only increase threat complexity and limit the time legacy systems are useful without breathing new security protocols into them via backward compatibility.
Backward Compatibility Is Key
The recent Fiscal Year 2022 Omnibus directs funding and policy conditions on most US government agencies' IT infrastructure and cybersecurity practices. Most of these comprehensive provisions will require the modernization of legacy systems. Even if funding does not allow new systems to replace these legacy systems, a newly developed post-quantum communication protocol can limit threat vulnerability in our legacy systems. These new protocols will help protect our security environment after Q-Day.
In every war the United States has fought, we've used legacy systems mixed with newer systems. A natural stepping stone to efficiency is purchasing products proven to be backward compatible. This allows warfighters to develop new tactics, techniques, and procedures by blending new and old systems when countering adversary advances.
However, normal technological development timelines are a bigger hurdle than most admit. This lack of understanding slows innovative products in US government markets, as leaders spend on advanced development without demanding these new products have backward compatibility built in. Backward compatibility is the foundation on which our resilience must be built to survive Q-Day. Buying and training US forces with this truth in mind means we will be ready.