Quantum computing will change the cyber landscape, here's why we need proper governance

It is hard to underestimate the power of quantum computers. Compared to a classical computer, a quantum computer is like a plane is to a car. They operate fundamentally differently and no matter how fast a car is, it cannot fly over a river. Quantum computers use different physical principles, or quantum mechanics, to communicate and process information in such a way that no classical computer can ever do using classical physics.

A classical computer can only hold one bit of information at a time (0 or 1), whereas qubits in quantum computers can be in a superposition state and have aspects of both 0 and 1 simultaneously. However, the result of an operation will also be in a superposition state and manipulating superposition states to extract the desired answer is the field of quantum algorithms. The focus of this article is on how to govern this technology to ensure a secure future.

We now live in a ‘Wright brothers’ moment’ in quantum computing history. But when a commercial jet version arrives, it will deliver a new leap in information technology similar to what classical computation delivered in the 20^th century, and, just like with any general-purpose technology – such as the internet, electricity, and, for that matter, fire – alongside great benefits, comes great risks.

Among the benefits are that quantum computers could be used to simulate quantum physical processes for much faster drug and material design; to accelerate artificial intelligence (AI) development and to provide new levels of security and information communication. But they could also be used to break public-key encryptions, to amplify current AI risks at a faster pace, or be misused in biotechnology to design bio-weapons or other risks.

As such, it is hard to imagine the success of such technologies without strong regulations and governance policies. Can you imagine a world without electricity regulations, internet protocols and fire safety standards? However, even though the risks of quantum computers are well understood, little has yet been done to mitigate them due to the unclear horizon as to their future.

Proper governance is key to minimizing the risks and maximizing the benefits of quantum computing. However, it is easy to get lost in all the detail about potential benefits and risks and, as an extension of classical computing, it will inevitably inherit them both.

So when forming quantum computing policies, it is more effective to first examine current policies to determine which needs to be:

One promising area of quantum computing is optimization, which will accelerate AI development, and, consequently, its risks, such as data bias. Therefore, it is vital to distinguish between what quantum computing will add and what it will multiply.

Taking cybersecurity as an example, without loss of generality, governance approaches can be grouped into three categories:

All three are equally important, but the latter is often overlooked. Procedural approaches are based on classical economic theory that assumes humans are rational, selfish and profit maximizers. On the other hand, behavioural techniques are based on modern behavioural economics that understands that humans are not perfectly rational and are influenced by their emotions and cognitive biases.

There are many ways to mitigate quantum risks through behavioural tactics, but we’ll highlight two examples here.

A fault-tolerant quantum computer will be able to break most public-key encryptions that secure our modern communications. Even if the threat is still far away in the future, preparation has to start now because an adversary can store encrypted data today, then retroactively decrypt once the technology is mature enough.

This threat is an excellent example of how all the above tactics can be employed. A technical take on the problem, for example, is to develop new encryption schemes that are quantum-proof, which is already an active field of research in cryptography. Another technical approach is to use quantum key distribution (QKD) protocols – combating quantum computers with quantum communication channels to exchange keys.

On the procedural front, the NIST’s post-quantum cryptography competition and EU’s OpenQKD projects are great examples of putting standards and agreements in place to pave the way for a quantum-secure future.

However, people need to be incentivized to walk down this path and this is where we think behavioural approaches can help. Simply raising awareness will not cut it; anti-smoking campaigns being a case in point.

Instead, creating a sense of urgency might be a more effective behavioural approach – such as drawing an artificial deadline to transition to post-quantum cryptography. Deadlines, even if self-imposed, have shown to be effective in improving performance.

For example, after the NIST standards are announced, say within five years that any data encrypted using pre-quantum cryptography would no longer be protected legally. This way, consumers will pressure vendors to provide quantum-safe solutions, and, as a result, vendors will accelerate their transition efforts.

It is well known in the sociology sphere that humans tend to overestimate, and sometimes underestimate, their performance compared to their peers. A famous Swedish study published in 1981 found that 88% of US drivers think they have better than average driving skills.

This is an example of the Dunning-Kruger effect, a cognitive bias whereby people with limited knowledge tend to overestimate their abilities. Although the key term here is “limited knowledge”, it is also shown that people tend to acknowledge their weaknesses and improve themselves with performance feedback, especially when compared to others.

One experiment showed that people worked harder when told they would learn their ranking compared to another group where no feedback was given. We can imagine such tactics working on the macro scale. Accordingly, a global quantum-readiness index can be considered a form of feedback that would help nations assess their performance and track its trajectory.

Moreover, such relative rankings would create the social pressure needed to incentivize governments in order to enhance their quantum readiness. Although, such indices should be designed carefully not to discourage nations at the bottom of the list. For example, by subdividing the lists by regions and diversifying the metrics, such as having a dimension for quantum sensing, governments would be pressed to give it more attention, even if otherwise they are ranked at the top of the overall list.

Quantum computing is a new problem that requires our latest solutions. It is crucial not to let the old threats make us lose sight of the new ones. Behavioural approaches are very effective and inexpensive in that regard.

That being said, this is not an argument to use behavioural approaches in place of technical or procedural approaches when considering governance for quantum computing, but instead to include them in the mix of possible solutions and considered when designing new quantum computing-related policies.