Europe must prepare for a future in which powerful quantum computers are commercially available, allowing hackers to decode previously encrypted material, experts and industry practitioners have urged, while calling for an action plan.
The European Policy Centre (EPC), a Brussels-based think tank, published a paper outlining a cybersecurity strategy for quantum computing, arguing that the EU needs a Coordinated Action Plan to respond to ‘harvest attacks’ and future quantum attacks on encryption.
Quantum computing is a rapidly developing field, offering new opportunities in AI as quantum computers outstrip supercomputers’ capacities.
Currently, EU governments operate under rules that sensitive documents will be declassified after between 20 and 50 years. With ‘download now-decrypt later’ attacks, the decryption and dissemination of sensitive information can happen much faster than that – estimated at seven years.
“This paper is the result of a reflection process with stakeholders across the European policymaking community and industry and tries to offer policy recommendations to mitigate the impact of cyber threats created by the advent of a cryptographically significant quantum computer,” Andrea Rodríguez, the paper’s author and Lead Digital Policy Analyst at EPC, told EURACTIV.
Quantum attacks on encryption
The so-called ‘harvest attacks’ allow cybercriminals to download encrypted information to be decrypted once the technology is available, significantly changing the threat landscape.
“These are no ‘future challenges’ but actual ones, such as harvest attacks,” Rodríguez explained.
While cryptography is the silver bullet of secure digital communication, broken cryptographic algorithms in a post-quantum security era would affect everyday life by allowing encrypted information to be decoded and information systems to be accessed.
In other words, it would open the door to previously confidential information, with an impact ranging from internet traffic, financial transactions, banks, e-passports, VPNs, and Bitcoin to intellectual property theft and disruption of critical infrastructure.
“In a fast-evolving quantum and cybersecurity world, time for decision-making and security implementation needs to be in terms of weeks, not years/decades,” warns Iva Tasheva, a cybersecurity expert at CyEn consultancy.
As the policy paper pointed out, cybercriminals aim to obtain sensitive encrypted data that cannot yet be decoded and to hold onto it until super and quantum computers become commercially available.
“Whether it’s cars to planes or even power plants, if systems will be operational 15 – 30 years from now, they already need to begin planning a migration towards Quantum Safe cryptography because once the products are in the field, it will be harder to upgrade,” Zygmunt Lozinski, who works at IBM Research, told EURACTIV.
To secure information in the post-quantum security era, there are currently two potential solutions for the private and public sectors: quantum key distribution and post-quantum cryptography.
While quantum key distribution allows two parties to establish a secure communication channel based on quantum physics, post-quantum cryptography comprises cryptographic algorithms which are believed to be quantum resistant.
Nevertheless, neither option excludes potential eavesdropping, authentication problems, or retrospective decryption of data protected by these algorithms.
“From our perspective, IBM thinks companies and governments should be thinking now about the promise of quantum computing and the need to secure data from quantum hacks side by side,” Lozinski added.
EU quantum cybersecurity approach
Compared with the US approach, the EU’s efforts to prevent quantum cyberattacks “lack a clear strategy about how to deal with short-term threats, such as ‘harvest attacks’,” the discussion paper reads.
While the EuroQCI is the EU’s flagship programme for secure communication in quantum computing by 2027, “its promising applications divert policymakers from paying attention to today’s needs of the European cybersecurity agenda about quantum cybersecurity threats,” writes Rodríguez.
A Coordinated Action Plan on quantum transition, outlining clear goals and timeframes and monitoring the implementation of national migration plans to post-quantum encryption, should be the solution to keep up with the ally on the other side of the Atlantic.
“Coordination and cooperation within Europe must be intensified with this goal in mind – both in terms of opportunities and challenges,” the conservative Christian Democrat Thomas Jarzombek, member of the German Bundestag, told EURACTIV.
Germany, in particular, is striving to be at the forefront of global competition with its new concept of action on quantum technologies.
Unlike a new regulation or directive on this topic, the action plan would allow faster alignment of strategic objectives between EU countries and the European Commission and foster stronger cooperation between ENISA, the EU’s cybersecurity agency, and national experts to identify priorities and use cases.
“We don’t need only to secure quantum, but also to make it work for bettering our security. Governments’ temptations to use it for surveillance should be regulated,” CyEn’s Tasheva told EURACTIV.
The expert added that the maturity in security risk management must also be improved since not all data needs to be encrypted, and not always by the same method.
[Edited by Luca Bertuzzi/Nathalie Weatherald]