Why we need to solve our quantum security challenges

Last week, the industrial giant Honeywell announced that it has built the world's fastest quantum computer, overtaking their main competitors IBM and Google in a technological arms race that has the potential to unlock trillions of dollars of value to the world’s economy.

Using lasers to target atoms suspended in absolute-zero temperatures, Honeywell took the world one step closer to a quantum future that will bring about major advances across industries including healthcare, computing, finance and mobility, but most notably security.

The most significant implications of this technological arms race are increasingly being felt by the global cybersecurity community. This is because quantum computing has the potential, if used maliciously, to break the systemically important cryptographic underpinnings of the infrastructure on which enterprises and the wider digital economy rely. Furthermore, the community has to act now to ultimately ensure security and strategic advantage issues don’t become major barriers to fully realizing the potential transformative value of quantum technology.

At a recent meeting of the World Economic Forum Centre for Cybersecurity’s Future Series, a group of leading global technology, security and policy experts discussed the strategic cybersecurity issues arising from quantum technology. There are two major sets of challenges that require collective action by the global community:

1. Quantum computing has the potential to break the encryption on which most enterprises, digital infrastructures and economies rely

The sheer calculating ability of a sufficiently powerful and error-corrected quantum computer means that public key cryptography is "destined to fail", and would put the technology used to protect many of today’s fundamental digital systems and activities at risk. The key exchanges, encryption and digital signatures that protect financial transactions, secure communications, e-commerce, identity and electronic voting all rely on mechanisms which would be made redundant in such a scenario.

Businesses and governments could be rendered unable to ensure the confidentiality, integrity and availability of the transactions and data on which they rely. Ultimately, this could put all our data at risk. While the timeline and potential impacts are debated by technology and security professionals, there is a clear potential future threat relevant to the risk decisions being made today. This is especially the case where sensitive data and systems currently being rolled out have long lifespans, such as in the healthcare sector, satellites, transportation vehicles and industrial control systems - all of which could be in operation for decades.

The global ecosystem has created – and is increasingly rolling out – a range of shared infrastructures with distributed ownership and governance. Where these systems have long legacy tails, a collective dependence on cryptography that may be at risk already exists. This comes at a time when hyper-connectivity is leading to increasingly shared architectures, interconnected systems and interdependent business models. Infrastructure including the security of the internet's architecture itself is underpinned by implementations of public-key cryptography (for example, SSL, TLS and HTTPS) that are distributed globally and which could be at risk.

2. The geopolitics of quantum technology could act as a barrier to unlocking its full value

National security concerns over sovereignty, and maintaining control over strategic capability, could also act as major barriers to unlocking the potential transformative value of quantum technology in the wider economy. Quantum technology has the potential to be game-changing for national security and the information race, and there is a real risk that competition will interfere with international collaboration and widen asymmetries in security and industrial capability. National governments are putting significant investment into the development of sovereign quantum technologies and skills, and several countries have already placed quantum technologies on their lists of controlled goods.

Complex security challenges can already be identified. These include communicating how quantum algorithms have made decisions (explainability), ensuring that the algorithms actually do what they purport to do and are not inherently biased (verification), and certifying the results they produce. While this issue exists for artificial intelligence (AI, other more transformational risks – including misuse by criminals and other actors – also exist.

Addressing these risks requires action now both at an individual enterprise as well as at a collective level. An approach similar to the global technology councils that emerged to manage AI might be required to govern the full range of global governance principles and models as quantum technology rolls out. A list of principles could include promoting the ethical use of quantum resources or ensuring that quantum infrastructure is not used to break standard encryption, as well as enabling equitable access so that 'quantum poverty' doesn’t emerge.

One key step will also be building ‘quantum literacy’ across the ecosystem at an enterprise and policy leadership level. There is an need to educate and train leaders on what is meant by quantum technology; its different elements, when it might become available and at what rates, the nature of the associated risks and how they apply to organizations, and what, therefore, needs to be protected. Enterprise leaders are among the first who will need to make judgements on the materiality of the quantum risk to their business and decide when and how to act. There is also a need for a sector-by-sector analysis to explore where there are distributed industries who need to move together to address the threat collectively; this is most important when the responsibility for driving this transition is unclear.

Incentivizing the adoption of quantum-resistant cryptography is a possible solution – but to secure the global ecosystem, policy and governance initiatives will be needed. Standards such as NIST's post-quantum cryptography challenge can clarify the practices that should be adopted by individual organizations, and by ensuring international interoperability of these and similar standards we can take a critical step in enabling broader adoption across the globe.

Conclusion

As a strategically important technology, and one that is generating record amounts of investment, we are at a tipping point in the quantum arms race that is developing between nations. The technology has the potential to generate major and systemic risks to the ecosystem, which – unless we act collectively in order to address the obstacles – might act as major barriers to unlocking the true value of quantum technology. This offers an opportunity, especially to the cybersecurity community, to pioneer the principles, approaches and multi-stakeholder ecosystem that will be crucial in building the trust required to fully harness the promise of this new technology.