A BILL TO BE ENTITLED

AN ACT ESTABLISHING THE NORTH CAROLINA CYBERSECURITY AND QUANTUM RESILIENCE STUDY COMMISSION AND APPROPRIATING FUNDS FOR THAT PURPOSE.

The General Assembly of North Carolina enacts:

SECTION 1.(a) This act shall be known and may be cited as the North Carolina Cybersecurity and Quantum Resilience Study Act.

SECTION 1.(b) The North Carolina Cybersecurity and Quantum Resilience Study Commission (Commission) is established to investigate the potential impacts of emerging quantum computing technologies on the security of State systems, legacy encryption methods, and critical infrastructure—including the Internet of Things (IoT) and smart city initiatives. The Commission shall review vulnerabilities and provide recommendations on necessary future measures to enhance the state's cybersecurity posture. To help guide the Commission work, the General Assembly finds that:

(1) Advances in quantum computing pose potential risks to traditional encryption methods, such as Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (CC), that many State and local systems rely on.

(2) Emerging technologies and IoT integrations, common in smart city initiatives, could be at risk if quantum computing breakthroughs compromise existing security protocols.

(3) North Carolina is home to a robust academic and technological ecosystem which can contribute significantly to understanding and mitigating these risks.

(4) A proactive study is necessary to understand the scope of these vulnerabilities and to inform potential legislative or administrative actions in the future.

SECTION 1.(c) The Commission shall be composed of twenty-one (21) members, with seven members appointed by the Governor, seven members appointed by the President Pro Tempore of the Senate, and seven members appointed by the Speaker of the House of Representatives, as follows:

(1) Five representatives from cabinet agencies appointed by the Governor.

(2) Three cybersecurity experts from both the public and private sectors appointed by the President Pro Tempore.

(3) Two academic experts in quantum computing and cybersecurity from North Carolina institutions appointed by the President Pro Tempore

(4) Three industry representatives involved in IoT, smart infrastructure, and

(5) Two public policy experts with experience in technology and cybersecurity appointed by the Speaker.

(6) Six members of the general public knowledgeable about State government or information technology.

SECTION 1.(d) The Commission is charged with the following duties:

(1) Conducting a comprehensive review of state IT systems and critical infrastructure to identify vulnerabilities associated with legacy encryption methods.

(2) Evaluating the potential impact of quantum computing on these systems.

(3) Analyzing current and emerging quantum-resistant cryptographic standards.

(4) Assessing risks in IoT and smart city implementations.

(5) Providing a roadmap and recommendations for necessary legislative, regulatory, or administrative measures to bolster cybersecurity against future quantum threats.

SECTION 1.(e) The Commission's tasks and deliverables include:

(1) Risk assessment to identify and document systems and sectors most vulnerable to quantum-related cyber threats and evaluate the state's current cybersecurity measures and determine gaps in protection.

(2) Research collaboration to engage with local universities and industry experts to gather insights on quantum-resistant cryptographic techniques.

(3) Develop a recommendation roadmap to propose a timeline for transitioning to quantum-safe encryption methods where needed and outline potential policies or incentives for upgrading critical infrastructure security.

SECTION 1.(f) The Commission shall submit a comprehensive report with findings, a detailed risk assessment, and recommended actions to the General Assembly by July 1, 2026.

SECTION 2.(a) Effective July 1, 2025, there is appropriated from the General Fund to the General Assembly the sum of two hundred fifty thousand dollars ($250,000) to fund the work of the Commission, including research initiatives, public hearings, stakeholder meetings, and report development. The Commission may explore potential partnerships or federal grant opportunities to supplement research and study efforts.

SECTION 2.(b) The Commission shall be convened within 30 days of this act's enactment. The Commission members shall elect a chair and vice-chair. Members of the Commission shall receive reimbursement as provided by Chapter 138 of the General Statutes.

SECTION 2.(c) Sensitive information received by the Commission shall remain confidential and does not constitute a public record as defined by G.S. 132-1. For the purposes of this subsection, the chair and vice-chair of the Commission may designate jointly information as sensitive after balancing the need for public access against security concerns and confidentiality requirements.

SECTION 2.(d) The Joint Legislative Committee on Information Technology shall monitor the commission's progress. The Commission's report and recommendations will be reviewed by the General Assembly to determine any further legislative or administrative actions necessary during the 2026 Regular Session of the 2025 General Assembly, with provisions for subsequent studies or actions as needed.

SECTION 3. Except as otherwise provided, this act is effective when it becomes law.