Opinion & Analysis

Quantum technologies and cybersecurity in the EU – there’s still a long way to go

We are now living through a quantum revolution, with modern technology allowing us to directly manipulate individual quantum systems and fully utilise quantum phenomena. These breakthroughs are enabling a new class of technologies based on quantum mechanics.

Quantum technologies may drastically change the world as we know it. They are expected to positively impact many sectors, including pharmaceuticals, climate and weather modelling, and financial portfolio management. They could be used for molecular simulation to upgrade electric vehicle batteries, optimise traffic flows or improve generative models that create datasets to enhance machine learning. These benefits come from the computational advantages of problem-solving in totally superior ways compared to traditional computers.

At the same time, this new computational power also has a darker side – and that’s why quantum technologies are relevant to cybersecurity.

While quantum technologies can bolster cybersecurity, they can also break widely used cryptographic algorithms, thus breaking into confidential data. Since most internet applications rely on cryptography to guarantee confidentiality, authenticity and data integrity, cryptographically relevant quantum computers (CRQCs) that can break cryptographic algorithms would have major cybersecurity implications. A quantum computer with just 20 million quantum bits (a mid-range smartphone has hundreds of billions of bits of storage) would be able to break a code in eight hours that would take today’s best supercomputers trillions of years to do.

Currently, quantum computers are too small and error-prone to be a threat – experts believe that CRQCs will only emerge in the next 5-10 years but only become truly viable in the next 30 years. That said, the threat should be addressed long before this, for two reasons. First, sensitive encrypted data can be stored and subsequently decrypted with a CRQC (i.e. ‘hack now, decrypt later’). Second, transitioning to new, more resilient types of cryptography takes a long time.

Furthermore, we consider that advanced quantum cryptography may become a game changer for security and privacy, even more so when coupled with powerful AI systems. This combination would generate ‘Quantum AI’, allowing for the development of quantum machine learning algorithms that can analyse and make predictions based on large datasets.

Quantum computers only boost certain classes of mathematical problems, meaning that it’s still possible to develop cryptography based on mathematical problems that are resistant to quantum computers. This is called ‘quantum-resistant cryptography’. It’s reassuring that these solutions exist but there are still hurdles to overcome. Quantum-resistant cryptography is not a drop-in solution; thus, it requires a potentially complicated transition. Standards also need to be developed, both for quantum-resistant cryptography and for the many protocols that use cryptography.

In short, the transition to quantum-resistant cryptography is a lengthy process, requiring careful planning and it must begin well in advance of CRQCs becoming readily available. Cryptographic agility should be considered during the process, to ease the future transition.

As quantum technologies emerge, we need to seize the opportunity to decide how quantum technologies can help us promote better societies and a more sustainable future. This is going to be complicated – not only is quantum evolving at an unprecedented speed, but our current understanding of the technology, its use-cases, and its potential interconnections with other technologies (such as generative AI and large language models) is still quite limited.

Therefore, as quantum technologies develop, it’s important to promote responsible governance. Some general principles for responsible quantum could include, for instance, safeguarding against risks and engaging stakeholders in the development process. This includes addressing societal issues, such as equitable access to these solutions, their ethically aligned development, and respect for human rights.

Where does the EU fit in? After China, Europe is a world leader in publicly funding quantum technologies (about EUR 10 billion since 2016), yet it’s lagging countries like the US when it comes to policies favouring migration to quantum-resistant cryptography and quantum vulnerability assessment.

The final report of the CEPS Task force on Quantum Technologies and Cybersecurity highlights the need to funnel EU funding into quantum-resistant cryptography, best practices for IT system migration, and cryptographic agility. It also underscores the importance of transitioning to quantum-resistant cryptography early on, considering the complexity and length of the process, and it recommends a hybrid approach during the transition period. It emphasises a coordinated European strategy, alongside international collaboration and standardisation.

Moreover, it’s imperative to promote awareness of the potential risks and threats posed by quantum technologies, as well as to address the talent gap in the quantum sector, invest in quantum and cybersecurity skills, and modernise enforcement methods, such as dual-use export controls.

In this context the EU can also play a valuable role, through the EU-US Trade and Technology Council – it has promoted an ad hoc task force on quantum – in facilitating transparency, information exchange and cooperation.

With all this in mind, the key question now is: will EU leaders seize the moment and take up the quantum challenge in front of them?

About the authors

Lorenzo Pupillo is an Associate Senior Research Fellow and Head of the Cybersecurity @CEPS Initiative.

Carolina Polito is an Associate Research Assistant at CEPS, in the Global Governance, Regulation, Innovation, Digital Economy Unit, more specifically in the Cybersecurity@CEPS Program.

Valtteri Lipiainen is an Associate Research Assistant at CEPS, doing policy research on quantum technologies and cybersecurity.

Access the original publication here