National Cyber Director should lead quantum cyber preparations, GAO says


Marisol Cruz Cain, the watchdog’s head of cybersecurity and information, told lawmakers that the Office of the National Cyber Director remains GAO’s pick to coordinate a national post-quantum strategy. 

Marisol Cruz Cain, director of the Government Accountability Office’s Information and Cybersecurity team, told lawmakers on the House Oversight and Government Reform subcommittee Tuesday that a centralized office should handle government quantum policy and initiatives, highlighting action items the government should be taking to secure digital networks against a future fault-tolerant quantum computer.

Chief among those action items would be to delegate quantum computing policy decisions to the Office of the National Cyber Director. 

“We believe that the Office of the National Cyber Director is well positioned to lead the coordination and oversight of a quantum strategy, and we recommended that the office take steps to do so,” she said.

Cruz Cain’s comments follow her office’s 2024 report that proposed the Office of the National Cyber Director serve as the focal point for the pending quantum computing cybersecurity strategy. This recommendation was reiterated in the corresponding report GAO authored ahead of the Tuesday hearing. 

“We recorded last year that the federal government lacks a comprehensive national strategy for addressing cybersecurity risks posed by quantum computing,” she said. “Various documents developed by the White House [Office of Management and Budget], [the National Institute of Standards and Technology], and [the Department of Homeland Security] have contributed to an emerging U.S. national strategy. However, the documents, even when taken altogether, don't fully address the threat.”

One of the problems Cruz Cain cited within the flurry of post-quantum cryptography migration guidance documents was the lack of role assignment between federal entities for critical infrastructure owners to reference. Additionally, while critical infrastructure owners were made aware of the risks posed by the advent of quantum computing, Cruz Cain noted the lack of documented risks specific to federal government operations.

“Unless we have done a complete risk assessment to find out where our vulnerabilities are and the threats that they pose and how to mitigate it, we are not even prepared to start to protect our systems and transition them to PQC,” she said.

Ideally, appointing the ONCD as the lead in PQC planning would expedite and streamline the development of a national roadmap to ensure all vulnerable digital networks upgrade their code to a quantum-resistant standard.

“If the office embraces this role and ensures that the strategy fully addresses key characteristics, the nation will have a better-defined roadmap for allocating resources and holding participants accountable.”

The ONCD was formally established in 2021 and is helmed by an appointed and Senate-confirmed director. President Donald Trump nominated Sean Cairncross, a former Republican National Committee official and past appointee during the first Trump administration, to the position in February.

Senate confirmation of Cairncross to the position is likely given the body’s Republican majority, but it is still pending. While Cruz Cain didn’t mention Cairncross specifically, she noted the importance of choosing a director to help craft comprehensive PQC migration policy.

“I think it's important to get the National Cyber Director confirmed, so that they have clear and pointed leadership,” Cruz Cain said. “That's going to be important. But they're best positioned being that they are in charge of coming up with national strategies and then sort of piecing out what every other federal agency needs to do to support that strategy.”