July.07.2022
Quantum computing has the potential to drive economic growth and promote innovation across a range of industries such as manufacturing, supply chain optimization and logistics, molecular simulations and pharmaceuticals, machine learning, and finance. With a sustained influx of private and government investment and scientific advancements, quantum computing has moved rapidly towards the commercial market. For certain currently intractable problems, quantum computers will have a transformative effect, providing answers exponentially faster than a classical computer.
However, alongside this potential, quantum computing poses an existential threat to certain current forms of cryptography and thus the security of our data.
We have outlined the 6 things you need to know about quantum computing, from its use cases to the hazards it poses to cybersecurity, and how to prepare for the quantum age.
In December 2018, former President Trump signed the National Quantum Initiative Act (the “NQI”). The NQI called for a “coordinated Federal program to accelerate quantum research and development for the economic and national security of the United States” and allocated $1.2 billion to advance quantum technologies.
Spurred by recent scientific breakthroughs and extensive government support across agencies, national labs, and partnerships across government, academia, and the private sector, the quantum market is on the rise. According to McKinsey, funding of start-ups focused on quantum technologies (which also encompass quantum sensing and quantum networking) more than doubled—from $700 million in 2020 to $1.4 billion in 2021. The share of investments in quantum coming from private-capital entities now accounts for more than 70 percent of investments. In total, quantum computing companies raised $3 billion by the end of 2021. In particular, four industries—pharmaceuticals, chemicals, automotive, and finance—are projected to be the first beneficiaries of quantum advantages, with the potential to capture nearly $700 billion in value as early as 2035. This increased funding suggests a growing confidence from the investment community in quantum computing.
While the possibility of huge long-term returns from quantum computing investments is clear, many companies and industries are already deriving value by mapping many of their high-value intractable problems onto hybrid quantum-classical algorithms being developed by quantum software companies. Companies that have already announced major quantum initiatives include Daimler, Volkswagen, Boeing, Airbus, Goldman Sachs, JPMorgan Chase, Wells Fargo and Merck. Additionally, prominent technology companies are also developing their own quantum capabilities - notably Alibaba, Amazon, IBM, Google, and Microsoft have launched commercial quantum computing cloud services.
A quantum computer can factor prime numbers far more efficiently than a classical computer, thus allowing a requisitely large scale fault tolerant computer running what is known as “Shor’s algorithm” to break RSA encryption. The RSA cryptosystem is based on the complexity of prime number factorization for classical computers and is the building block of the current internet infrastructure used to secure most online communication and protect banking, health care, national security, trade secrets, and other vital digital information. As of April 2022, some 78% of all websites communicate relying on the secure version of the HTTP protocol, which is based on RSA encryption. Thus, the possibility of a quantum computer breaking RSA poses a significant threat to the public and private sectors’ information technology systems.
Although large scale fault tolerant quantum computers remain on the technological horizon as the hardware and software continue to develop, the cybersecurity risk is not just at the point when a quantum computer reaches the technological capacity to run Shor’s algorithm. Using what is known as “harvest, decrypt later” attacks, a hacker could obtain RSA-encrypted data now in a classic cyberattack and then decrypt that data in the future when large scale fault tolerant quantum computers are accessible. This is especially concerning for the financial and healthcare industries as unauthorized disclosure of sensitive financial and personal health information would impact consumers and patients at an unprecedented scale.
To address these threats while still promoting the overwhelmingly positive impacts that quantum technologies can have, on May 4, 2022, the White House released a national security memorandum (the “NSM”) outlining the Biden Administration’s plan to address the cybersecurity risks posed by quantum technology. The NSM directs the National Institute of Standards and Technology (“NIST”) to come up with new algorithms (“post-quantum algorithms”) and standards through a "Migration to Post-Quantum Cryptography Project". NIST is currently engaged in a six-year effort to devise and assess encryption methods that could resist an attack from a future quantum computer.
On July 5, 2022, NIST announced four encryption algorithms that will become part of its post-quantum cryptographic standard, expected to be finalized in about two years at which point the public and private sector can fully implement them. The selection signals the beginning of the final stage of NIST’s post-quantum cryptography standardization project, which will likely become an international reference for the industry. However, it is important to note that the final standards will likely constitute more than one algorithm for different use cases in the event one proves vulnerable. While the standards remain in development, NIST encourages IT professionals to explore the new algorithms and consider how their applications will implement them, while remaining flexible as the algorithms could change before the standard is finalized.
The advent of quantum computers will likely change the nature of what is considered “appropriate cybersecurity” or “industry standard security practice” under privacy laws, industry regulations, and commercial contracts. If organizations wait to invest in solutions to adequately protect their data until after a quantum hack, they put themselves at risk both of losing their data in the future and suffering reputational harm.
Regulations such as Articles 5 and 32 of the European Union’s General Protection Regulation (“GDPR”) require personal data to be stored with appropriate security and protection against unauthorized users and to implement appropriate technical and organizational measures to ensure a level of security suitable to the risk. In addition, the California Consumer Privacy Act (“CCPA”) requires that a business utilize reasonable security in the context of personal information collected or processed for specific purposes. Meanwhile, industry-specific laws such as the Gramm-Leach-Bliley Act (“GLBA”) and the Health Insurance Portability and Accountability Act (“HIPAA”) include security rules and safeguard requirements to ensure that financial and health data respectively is adequately protected. However, due to the scale at which a quantum computer will likely be able to break current methods of encryption, appropriate protection against a ransomware or other “classical” cyberattack will likely look far different in the quantum age.
If an organization processes personal data protected under current encryption methods that aren’t quantum-proof, that may be seen by future regulators as failing to take appropriate security measures to protect personal data and could subject the organization to significant fines under the GDPR as well as the possibility for costly fines and regulatory settlements from the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), and state regulators. The risk of the immense amount of personal, financial, and other types of data that could be lost or otherwise compromised in a quantum-driven hack will increase the burden companies face in terms of what is an “appropriate security measure”. Over the coming years, as the NIST standards are finalized, we will likely see a push across the legislative and regulatory landscape to promote implementation of post-quantum algorithms with regulators looking for (i) privacy, cybersecurity, and IT policies to affirmatively address the quantum threat and detail what the company has done to mitigate it and (ii) physical updates to cryptography practices and IT stacks to fortify data, especially sensitive and personal information.
In April 2022, a bipartisan group of U.S. lawmakers introduced The Quantum Cybersecurity Preparedness Act (the “Cybersecurity Act”), which would ensure NIST’s standards are implemented in all US Federal systems within a year after their release and require the Office of Management and Budget (“OMB”) to submit a report to Congress on what else is needed to protect quantum computers from hackers. This focus on protecting US government systems will likely spur further legislation and possible regulatory rules requiring similar post-quantum cryptographic standards be instituted across the private sector as well.
Quantum computers also threaten digital signatures, often used to verify identities in a digital transaction or sign documents remotely. While the NIST algorithms address this threat as well, organizations should understand that digital signatures must too be fortified to protect these vital instruments of modern commerce and limit the possibility of widespread identity theft, fraud, and forgery.
These wide-ranging downstream legal consequences must be considered and addressed by business leaders, lawyers, and technologists alike.
Though the quantum threat to cybersecurity is real with certain data potentially already at risk due to “harvest now, decrypt later” attacks, the technology must not be seen as the death nail to privacy and cybersecurity. Quantum technologies such as quantum random number generators and quantum key distribution (“QKD”) can both mitigate the cybersecurity risks posed by quantum computers and strengthen cybersecurity systems that better protect communications and data.
It is paramount to see quantum technologies both as a sword and a shield for cybersecurity. The time is now for organizations to begin the planning and implementation process for post-quantum cryptography while also exploring quantum-enhanced technologies to proactively defend against cyber threats in the quantum age. By taking an “all of the above” approach investing in different quantum and quantum-enhanced technologies to fortify IT stacks, addressing quantum mitigation measures in policies and programs, and by evaluating quantum’s pros and cons, organizations can proactively protect their data and limit regulatory scrutiny and legal liability without curbing innovation.
For organizations, the first steps are to identify vulnerable data and systems and prepare to institute NIST’s post-quantum algorithms (and any other government standards regarding quantum cryptographic standards) once they are standardized. Organizations should undertake a quantum-readiness assessment that (i) classifies what data needs protecting and the length of time for which it must be protected and (ii) inventories the types of cryptography protecting critical data. With this information, organizations will be able to label which types of critical data are currently vulnerable to a theoretical quantum attack and can then make necessary plans and investments to ensure that data is adequately protected against both classical and quantum attacks.
Organizations that store financial records, medical records, national security documents, and other sensitive data for long periods of time should immediately consider building post-quantum cryptography into their IT budgets, policies, and strategic planning processes. Failure to start adopting a post-quantum cryptographic strategy could put all existing encrypted data assets at risk of exposure.
The key to protecting data in the quantum age is “cryptographic agility” which will allow the existing cryptography to be easily swapped out with NIST-approved post-quantum algorithms when they are announced as well as further developments in cryptography and in quantum technologies themselves. This will be a long-term transformation for IT systems akin to Y2K at a larger scale. Integrating an understanding of the quantum threat into policies and programs while also investing the time and resources to begin making systems quantum-safe will be the key to avoiding regulatory scrutiny, protecting sensitive information, and proving to clients, shareholders, and investors that an organization is ready for the quantum age.
Quantum technologies promise a massive impact. As investments and technological evolution continue to increase, organizations must come to terms with quantum’s vast promise alongside its risks. The cybersecurity danger posed by quantum computing is undeniable. However, rather than fearing quantum technologies, organizations can both seek to address currently intractable business problems via quantum-leveraged solutions and invest in the policy and IT infrastructure necessary to protect data from an attack via a quantum computer. Making this investment in resources now will be the first step in developing the next stage of cybersecurity to protect data long-term both from classical cyberattacks as well as future quantum attacks. Harnessing quantum technologies will be the key to economic growth and building stronger cyber defenses in this dawning age of the technological revolution.
Contact Shannon Yavorsky if you have any questions regarding the legal implications of quantum computing. Stay tuned for forthcoming articles about quantum computing’s impact on fintech, AI, health data companies, and more.