The European Union (EU) must prepare for quantum cyberattacks and adopt a new coordinated action plan to ensure a harmonized transition to post-quantum encryption to tackle quantum cybersecurity threats of the future. That’s according to a new discussion paper written by Andrea G. Rodr?guez, lead digital policy analyst at the European Policy Centre.
Advances in quantum computing put Europe’s cybersecurity at risk by rendering current encryption systems obsolete and creating new cybersecurity challenges, Rodr?guez wrote. This is often coined “Q-Day” – the point at which quantum computers will break existing cryptographic algorithms – and experts believe this will occur in the next five to ten years, potentially leaving all digital information vulnerable to malicious actors under current encryption protocols. For Europe to be serious about its cybersecurity ambitions, it must develop a quantum cybersecurity agenda, Rodr?guez stated, “sharing information and best practices and reaching a common approach to the quantum transition” across member states.
Cybersecurity impact of quantum computing out of EU’s purview
Quantum computing will disrupt online security by compromising cryptography or by facilitating cyberattacks such as those on digital identities, Rodr?guez wrote. “Cyberattacks on encryption using quantum computers would allow adversaries to decode encrypted information, interfere with communications, and access networks and information systems without permission, thereby opening the door to stealing and sharing previously confidential information,” she warned.
“Given that the prospects of a cryptographically significant quantum computer – one able to break encryption – are not a question of if but rather when, cybercriminals and geopolitical adversaries are rushing to obtain sensitive encrypted information that cannot be read today to be de-coded once quantum computers are available.” These types of cyberattacks, known as “harvest attacks” or “download now-decrypt later,” are already a risk to European security.
The impact of quantum computing on Europe’s cybersecurity and data protection has been mainly left out of the conversation despite sporadic mentions in some policy documents such as the 2020 EU Cybersecurity Strategy or the 2022 Union Secure Connectivity Programme, Rodr?guez said.
US leads the way on post-quantum cybersecurity
The US arguably leads the transition to post-quantum cybersecurity, in which post-quantum cryptography will be the protagonist, according to Rodr?guez. The National Institute of Standards and Technology (NIST) has initiated a standardization process of post-quantum cryptography algorithms, while the Quantum Cybersecurity Preparedness Act, established in 2022, sets up a roadmap to migrate government information to post-quantum cryptography, Rodr?guez wrote.
“In 2023, the new US National Cybersecurity Strategy established protection against quantum cyberattacks as a strategic objective. This priority encompasses the use of post-quantum cryptography and the need to replace vulnerable hardware, software, and applications that could be compromised.”
EU’s post-quantum cybersecurity focus is too narrow
Meanwhile, the EU’s efforts to secure information from quantum cyberattacks lack a clear strategy about how to deal with short-term threats, she added. The narrow focus at the EU level on how to mitigate short-term quantum cybersecurity challenges, especially harvest attacks and quantum attacks on encryption, leaves member states as the frontline actors in the quantum transition, Rodr?guez said. “As of 2023, only a few EU countries have made public plans to counter emerging quantum cybersecurity threats, and fewer have put in place strategies to mitigate them, as in the case of Germany.”
As quantum computers develop, European action will be needed to prevent cybersecurity loopholes that can be used as attack vectors and ensure that all member states are equally resilient to quantum cyberattacks. “A Coordinated Action Plan on the quantum transition is urgently needed that outlines clear goals and timeframes and monitors the implementation of national migration plans to postquantum encryption,” Rodr?guez claimed.
Such a plan would bridge the gap between the far-looking objective of establishing a fully operational European Quantum Communication Infrastructure (EuroQCI) network and the current needs of the European cybersecurity landscape to respond to short-term quantum cybersecurity threats. Europe can also leverage the expertise of national cybersecurity agencies, experts, and the private sector by establishing a new expert group within ENISA where seconded national experts in post-quantum encryption can exchange good practices and encourage the establishment of migration plans, Rodr?guez wrote.
6 steps to an effective quantum cybersecurity agenda
Rodr?guez’s paper set out six recommendations for an EU quantum cybersecurity agenda.
- Establish an EU Coordinated Action Plan on the quantum transition that outlines clear goals and timeframes and monitors the implementation of national migration plans to post-quantum encryption.
- Establish a new expert group within ENISA with seconded national experts to exchange good practices and identify obstacles to the transition to post-quantum encryption.
- Assist in setting priorities for the transition to post-quantum encryption and push for cryptographic agility to respond to emerging vulnerabilities in postquantum encryption systems.
- Facilitate political coordination between the European Commission, EU member states, national cybersecurity agencies, and ENISA to determine technological priorities and identify relevant use cases for quantum-safe technologies.
- Facilitate technical coordination at the EU level to address research gaps in quantum-safe technologies, such as the need to develop quantum nodes to ensure long-range connections for quantum key distribution.
- Explore the use of sandboxes to accelerate the development of near-term applications of quantum information technologies.