In July, the European Policy Commission published a report titled A Quantum Cybersecurity Agenda for Europe, which assesses quantum readiness across Europe. The document is an uncomfortable read for security professionals, but brings important questions to the foreground.
The quantum threat has been likened to the nuclear arms race and climate change, in that they are all existential threats that promise to irrevocably change the international and geopolitical landscape. But unlike the nuclear arms race, it is not just a race to build capability. With quantum computing it is also a race to protect the world from its impact.
Quantum computers will be cryptographically superior to classical computers and contemporary encryption. These machines will soon crack the encryption algorithms we use today to protect everything from national critical infrastructure to online banking. ‘Q-Day’ is forecast to happen within years, not decades. But the threat is already very real. Today, information is at risk from Harvest Now, Decrypt Later attacks. Once a quantum computer is functional, it will be able to decrypt this stolen data. We know that information has already been collected en masse for this purpose. As such, the quantum threat exists today, even before the advent of a mature quantum computer.
The global race to build and secure against quantum computers is accelerating. To date, billions have been invested in quantum computing, with China accounting for more than half of this investment. Last September, China committed $15.3 billion to quantum technologies, eclipsing the next two largest investors combined, America ($1.9bn) and the EU ($7.2bn).
Similarly, we are beginning to see policies created and passed that mandate migration to new encryption algorithms capable of securing data from attack using a quantum computer.
Historically, the US has been slower than Europe in the quantum arena, but it has recently passed some of the most significant quantum legislation to date. Under the Biden administration, the bipartisan 2022 Quantum Computing Cybersecurity Preparedness Act established a roadmap for all government bodies and agencies to follow, which will secure sensitive information. This roadmap addresses the Harvest Now, Decrypt Later threat head-on and looks to a future where post-quantum cryptography is embedded everywhere.
Importantly, this act is symbolic. It signals Senate and Congress unity in recognising the quantum threat while establishing the US as a leader in new public-key encryption technologies, which means that other states wanting to communicate with the US will likely have to follow its lead.
The US has also taken additional measures. In August, President Biden issued an executive order to ban investments in three select Chinese tech industries: semiconductors, quantum information technologies and AI systems. Severing US investment will not realistically hinder Chinese efforts to develop these technologies but is another symbolic move – and a reminder that we’re living during a great technology arms race.
However, across the Atlantic, we are witnessing a different response unfold. Europe, while a historic leader in quantum science and host to a huge number of university graduates in these fields, is struggling to implement a meaningful and unified security response.
The central European policy originates from the European Quantum Communication Infrastructure (EuroQCI). It was launched in 2019 and supported by all 27 members to create a secure network for communications across Europe by 2027. However, the proposed network is based on Quantum Key Distribution (QKD) — a physical infrastructure solution that uses quantum properties to alert the network owner if someone is intercepting communications. Whilst novel, QKD is rarely useful beyond specific military use cases as it requires dedicated links with pre-trusted nodes to be built for each connection.
The world needs its existing internet and telecoms infrastructure to become quantum-safe rather than trying to build entirely new infrastructure, which would cost a great deal and take far too long. Even with a QKD network in place, we would only know if someone was intercepting our data; we wouldn’t have encrypted it to be safe from quantum hacking. That’s why the US and its National Security Agency have explicitly prevented US organizations from pursuing QKD and instead are asking them to focus on rolling out post-quantum cryptography (PQC).
As Europe becomes increasingly interdependent and its economies more integrated, a cyberattack at any level, whether individual, enterprise or government, could undermine cybersecurity across the bloc. This leads into the next core finding of the report: asymmetrical security developments.
As the quantum threat is increasingly in the foreground, nation-states’ security projects to insulate against it have begun to take shape. But these responses are unfolding at a national rather than bloc level.
This has resulted in an asymmetrical development of quantum security across Europe. The evidence lies in quantum investment more broadly: Germany and France have invested more than $5bn in quantum computing, while the rest of Europe combined has invested $1.2bn in the last decade. And, as previously mentioned, an attack at any level threatens the bloc. Simply put, a chain is only as strong as its weakest link.
The paper has identified the gaps in European policy and shown that Europe is not a monolith and that a unified approach to policy will be difficult to pass and implement. This brings us to the importance of agility and interoperability. To be cryptographically agile is to be able to respond to emerging threats. The security measures we find most secure today will cease to be so in several years. As such, adopting and integrating new measures will be as important as making a quantum migration today. Being interoperable is essential: communication across and between states must be secure and accessible.
In my view, Europe might choose to study what’s happened in the US since the Quantum Computing Cybersecurity Preparedness Act was passed last year. US public sector agencies are already taking steps to understand where they have aging cryptography that needs to be replaced, and they’re beginning to migrate to the new NIST standard algorithms. Europe has a chance to be a leader in the next phase of cyber security, but it will require greater consensus, sharper focus and, most probably, top-down legislation that makes the quantum-safe migration a priority.
As Europe is already the global leader in privacy and cyber legislation, there is no reason why it cannot take a lead in blending quantum migration requirements into current legislation. Otherwise, the whole process will have to start again in a few years’ time.