Quantum computing has beneficial applications in many sectors but is also somewhat of a double-edged sword, creating new forms of exposure that need regulating.
Since commercially available computers first arrived on the market in 1951, companies have been racing to produce the most powerful, technologically advanced machines possible.
In 1965, Gordon Moore made a prediction, now known as Moore’s Law, that the number of transistors per silicon chip in a computer would double every year, thereby doubling the power. Whilst this prediction was revised 10 years later, in 1975, to a more conservative doubling of power every 2 years, this prediction remains largely accurate.
However, in October of 2019, Google proudly published a paper in the journal Nature stating that they had reached quantum supremacy using a processor known as ‘Sycamore’. Such a milestone would mean that a quantum computer had successfully solved a problem that would have taken the most powerful conventional computer thousands of years to solve. Whilst this has been the subject of much debate, the development has been disputed by one of Google’s main rivals, IBM, who argued that ‘…an ideal simulation of the same task can be performed on a classical system in 2.5 days and with far greater fidelity’. Thus, by the definition of quantum supremacy coined by John Preskill in 2012, that it is the point at which ‘quantum computers can do things that classical computers can’t’, this threshold has not been met.
Nevertheless, as will be discussed in this post, quantum computing has become a source of both concern and excitement for many. Whilst it has several potentially beneficial applications in sectors such as life sciences, machine learning, cryptography and cybersecurity, it is somewhat of a double-edged sword, as it also creates new forms of exposure, particularly in relation to the maths problems currently used in many common forms of encryption (IBM, 2018).
What is quantum computing?
Unlike conventional computing, which stores information in a form known as bits, encoded into a value of either a 1 or a 0, known as binary code, quantum computing is measured in quantum bits, or qubits. In contrast to conventional computers, a qubit is able to take a value of either 0, 1 or also all possible combinations of the two. This is a concept known as superposition.
Another distinguishing feature of quantum computing is that of entanglement, ‘a property in which measuring one qubit yields information about another qubit’ allowing quantum systems to measure large data sets using only one measurement, in contrast to the large number of measurements required by a conventional computer (Lamba et al, 2018).
In practical terms, this can be analogised as conventional computers operating in a very linear way and quantum computers operating in a far more complex and interconnected way, with some commentators suggesting it is akin to a conventional computer ‘operating in a straight line’ and a quantum computer ‘doing so in a web, with each point branching out into several other points’ (De Schrijver, 2019).
As a result, this allows quantum computers to benefit from increased calculation capacities, resulting in important innovations being realised at much greater speed than is currently possible, which, in turn will provide numerous practical applications.
What are the applications?
As mentioned above, quantum computing will provide numerous possibilities for advancement in a plethora of industries.
One such industry is life sciences which stands to benefit greatly from the advent of quantum computing, allowing scientists to perform faster comparisons between interactions and effects of medication on diseases to determine the most efficient treatments for use within the medical setting.
Further, the financial markets and trading sectors will likely see a boost in efficiency provided by the ability to create more powerful algorithms that can perform several calculations simultaneously, leading to a greater number of probabilities and predictions being made about how markets are likely to perform (Lehot, 2020).
Similarly, machine learning and artificial intelligence stand to benefit from quantum computing, as the rate at which machines learn can be accelerated. This is due to the possibility of multiple algorithms being run concurrently. Accordingly, quantum-based machine learning systems will be able to train on vast data sets at a faster rate than is currently possible.
Cybersecurity and cryptography
Another industry that has shown concern and excitement in equal measure at the prospect of quantum computing is that of cybersecurity and cryptography. From a positive standpoint, quantum computing stands to revolutionise cryptography as we know it, providing a platform for the development of exponentially more secure quantum communications networks (Harrow et al, 2020). These can be secured by a method known as quantum key distribution (QKD) ‘which… uses attenuated laser pulses to share a classical encryption key between two users’ (Buchholz et al, 2020).
This would mean that should a third party attempt to intercept communications encrypted using this method, should the quantum key be read by a malicious individual or a third party, the quantum state would collapse and the attempt to gain access would be notified to both parties to the quantum communication. Whilst this is not an impenetrable form of communication, it is significantly more secure than current communications networks. Nevertheless, when it is considered that the same technology could be used to break current forms of encryption, the potential problems become worryingly clear.
What are the cybersecurity risks?
At present, encryption is one of the most widely used ways of securing data and is used by governments to secure intelligence as well as individuals to secure devices such as phones and laptops. There are two primary forms of encryption, asymmetric encryption and symmetric encryption. The former is the most widely used form and is a common means of securing connections to the internet and providing secure payments to e-commerce websites (Council on Foreign Relations, 2018). In contrast, the latter is considerably more secure and cannot be easily decoded, even by quantum computers – although in time it will be prudent to greatly increase key sizes to reduce the likelihood of being decoded (IBM, 2018).
Combatting cybersecurity risks
In order to combat the risks involved with quantum computing from a technological standpoint, cryptographers and mathematicians have been working on a number of new forms of encryption, known as ‘post-quantum encryption’, including both lattice-based cryptography and fully homomorphic encryption. The former, which deduces its name form the use of extremely difficult mathematical problems involving lattices (Alwen, 2018) have so far proven extremely effective as no quantum algorithms known at present are able to solve lattice problems (Macciancio and Regev, 2008). A lattice problem, in its simplest form, relies upon a geometric grid of regularly spaced points which continues indefinitely (Alwen, 2018), producing a multi-dimensional lattice and often running to the multiple hundreds of dimensions. The goal of the problem is to find the nearest lattice point but doing so in a 500-dimensional lattice when you have only been provided with an arbitrary location is notoriously difficult (Wolchover, 2015). However, these are still regarded as being incapable of practical use. The latter allows the user to view, analyse or review the encrypted data without first having to decrypt it, thereby making it significantly less vulnerable to interception. However, at present, this is far too slow to be used in a practical way (Marr, 2019).
Despite the practical problems associated with both of the aforementioned forms of encryption, it is necessary to acknowledge that even when either or both of these forms of encryption become practically useful, there are a number of further complications to be overcome. In particular, the implementation of this technology is likely to prove cumbersome, necessitating the need to update encryption keys and add software patches, a process which can often take years if it is possible at all. When coupled with the likely need to entwine both conventional and post-quantum security measures on present systems, some commentators have suggested that post-quantum security should not be regarded as a ‘drop-in replacement for existing measures’ but rather an additional form of security that will coexist with current infrastructure.
In addition to the cybersecurity issues set out above, the arrival of quantum computing also raises questions in relation to the European Union’s General Data Protection Regulation (‘GDPR’) and its UK Counterpart, the Data Protection Act 2018 (‘DPA 2018’). Article 5(1)(f) of the GDPR provides that personal data is to be processed ‘in a manner that ensures appropriate security of personal data… using appropriate technical or organisational measures’; this criterion is unlikely to be met if organisations use conventional encryption methods in the quantum age. Consequently, as De Schrijver suggests, organisations will need to consider the implementation of ‘enterprise-wide procurement policies that require cryptographic flexibility and provide the ability to quickly switch to newer and more secure algorithms’.
Moreover, Article 5(1)(a) of the GDPR sets out the requirement that personal data must be processed in a transparent manner, something which may be affected by the predicted rise in automated decision making stemming from the introduction of quantum computing, a form of decision making that is currently prohibited by the GDPR. This is likely to lead to a renewed and strengthened requirement for decisions made to be both transparent and explainable (De Schrijver, 2019). Given this, it is next necessary to consider how such a powerful new technology should be regulated.
How can quantum computing be regulated?
Given the potential impact of quantum computing on present day cryptographic methods, any form of regulation that is adopted should aim to maximise the possible benefits and mitigate the negative consequences. Arguably the most effective first step in regulating quantum computing is to educate policy makers on what quantum technology is and how it works. In doing so, policy makers would be able to use this knowledge to highlight security concerns and assess the impact of these, facilitating a move toward creating an agile and adaptive regulatory strategy that creates global standards to reduce the risks arising from quantum computing.
To do so, it is important to find a balance between the interests of stakeholders and society, focussing on providing ‘...legal certainty, a favourable investment climate and... respecting democratic rights, fundamental freedoms... protecting wellbeing and safeguarding moral values’ (Kop, 2020). In relation to creating legal certainty, it is important to provide a common language comprising of mutually agreed definitions, something that the institute of Electronic and Electronics Engineers Standards Association is currently attempting to create.
Once uniform terminology has been established, policymakers can further elaborate on their concerns, enrolling the help of industry and academics to provide varying standpoints, thereby ensuring standardisation is carried out in a comprehensive and inclusive manner and facilitating open international discussion on regulatory perspectives.
Finally, it should be noted that whilst post-quantum encryption is currently in its early stages, the implementation of such an encryption into critical networks, such as healthcare and transportation, is vital to the smooth introduction of quantum technologies. As Johnson argues, the best way of achieving this outcome without stifling investment and innovation would arguably be the production of standards for post-quantum cryptographics and a push toward creating industry codes of conduct outlining ‘best practices and principles for responsible deployment’ (Johnson, 2019).
In conclusion, whilst quantum computing is an incredible technological feat, demonstrating a significant leap in what computers are capable of, it also poses a considerable threat to some of the technologies that we have become accustomed to. In particular, asymmetric encryption could be rendered useless when quantum computers become the norm, highlighting the need for the rapid development of effective post-quantum encryption, a global approach to regulation and a robust yet flexible regulatory strategy that can adapt to changing demands as and when they arise.
Moreover, organisations will need to carefully consider the ramifications of this advancement, reviewing their current security systems and contemplating ways in which they can be amended to ensure that they do not fall afoul of Article 5 of the GDPR.
Regardless of when quantum computers become commercially available, one thing is clear: that current cybersecurity systems will be largely inadequate, and these risks require immediate action from governments and industries alike. Afterall, as Rash rightly argues, ‘a reduction in computing time from 10,000 years to a little over 3 minutes is more than just a game changer – it redefines the whole concept of the game’.
James Davey obtained both his LLB and LLM from the University of Hertfordshire, focussing on commercial and e-commerce law. During his LLM studies, he utilised his interest in technology to write a dissertation on the criminalisation of hacking in the United States and the United Kingdom. Following completion of his undergraduate and post-graduate studies, James worked in two Top 200 law firms based in London. He has recently completed his Legal Practice Course at BPP and is due to start his Training Contract in March 2021.