Quantum computing: a blessing and a threat to our digital world

Quantum computing is poised to revolutionise our world, promising groundbreaking advancements in drug development and climate modelling. It is a technology that could quite literally save lives. However, as we marvel at the potential benefits of quantum computing, it is imperative that we address its implications for cryptography.

The European Union, one of the most digitalised regions globally, has seen a surge in online services over the past decade – a trend further accelerated by the pandemic. From filing tax returns and accessing health records to online banking and grocery shopping, our lives have increasingly migrated into the digital realm. These transactions hinge on encryption, ensuring data safety and preventing cyber theft. While this digitalisation wave has boosted productivity and flexibility, it has also heightened the severity of potential cyber-attacks, underscoring the critical role of encryption in our modern economy.

However, quantum computing poses a significant challenge. Most of our data is secured by cryptographic keys not designed with quantum technology in mind, making them potentially vulnerable to decryption within seconds by a quantum-powered attempt.

Fortunately, quantum computing remains relatively inaccessible for now, and those few equipped with it – mainly nation-states – are not yet primed for such purposes. Moreover, awareness around the issue is growing, as demonstrated by a February 2024 event co-hosted by Tata Consultancy Services (TCS) and the Kangaroo group in the European Parliament. This event highlighted the stark contrast between the EU’s ambitions to lead in quantum computing and its preparedness for a post-quantum attack on its infrastructure, which is especially concerning given the escalating geopolitical threats facing the EU.

The United States has already taken proactive measures against quantum attacks through its Quantum Cybersecurity Preparedness Act in 2022. The EU should not only take note but act decisively. The EU has in recent years adopted a raft of new legislation, including NIS II, the Cybersecurity Act, and the Cyber Resilience Act, but none of them make reference to quantum threats within their articles. While the EU is not entirely defenceless – thanks to its EuroQCI network safeguarding critical government infrastructure – the EU’s defences do not extend to the multitude of citizen-reliant services outside governmental purview.

Last October, the Commission already earmarked quantum as one of four critical technologies up for risk review – the others being artificial intelligence, biotech and advanced chips. The next logical step would be to support industries in assessing their quantum readiness. With ENISA, the EU is well-equipped to initiate this process. For many online service providers, particularly SMEs, even this basic step is currently beyond reach. Member states should also explore ways to expand the EuroQCI network to cover additional non-governmental services critical to citizens’ security. Looking ahead, the industry needs streamlined regulations and explicit guidance from regulators regarding the full extent of their cybersecurity policies. This is to guarantee that future quantum cybersecurity threats will fall within the scope of cybersecurity regulations.

International cooperation will be critical to building a quantum-secure future, and the EU, as a world leader in cryptography and blockchain standards, is well-placed to rally that effort. While we often talk about the lack of STEM profiles coming through our education systems, the field of quantum cybersecurity experts is a very small one. A few are in Europe. TCS has already partnered with the VTT Technical Research Centre of Finland, based in the city of Espoo, to help us build a greater understanding of the algorithms that will be needed to withstand quantum. They took part in the event in the European Parliament in Strasbourg alongside another of TCS’s partners on quantum, PQShield, who are based in Oxford. Together on this panel, there was an Indian, a Brit and a Finn speaking on the same issue. A real-world example of international cooperation that I trust was positively recognized by the EU officials who were present. Cooperation in this field will need to extend beyond our small global community of cybersecurity experts and into law enforcement and policymakers for us to build a robust defence against the risks to cybersecurity that could be presented by quantum.

So, what needs to be done to make ourselves quantum-ready? In short, we will need to replace vulnerable algorithms with quantum-safe ones to protect against quantum attacks. The first step in that process is to be ‘crypto-agile’, which means supporting multiple cryptographic algorithms and enabling faster migration to new ones. Quantum-safe algorithms are not yet standardised for production use, but organisations can take immediate steps for crypto-agility, such as apprising senior management of risks, conducting risk assessments, engaging with third-party providers and automating key management. Organisations can start by migrating some applications as proof-of-value projects using quantum-safe algorithms and should take a hybrid approach in their initial years of adoption. Applications should support both traditional and quantum-safe algorithms to quickly fall back on alternative algorithms or transition to a more secure one if vulnerabilities are identified.

In conclusion, while quantum computing offers exciting possibilities, it also presents new challenges to our digital security. It is crucial that we prepare for these challenges now, to ensure that our ‘brave new quantum world’ is not just revolutionary, but secure too.

This article is a contribution from a member or partner organisation of Friends of Europe. The views expressed in this #CriticalThinking article reflect those of the author(s) and not of Friends of Europe.