Out-Law News 3 min. read

UK businesses urged to prepare for quantum resilience


Quantum computer network (photo by Adri Salido/Anadolu Agency via Getty Images)


Businesses in the UK are urged to start preparing now for quantum resilience against cyber risks and ensure data and privacy protection, as quantum technologies continue to advance apace.

This is the main message sent out by the UK’s Information Commissioner’s Office (ICO) through a recently published report on quantum technologies. The report explores the possibilities for quantum technology involving personal data and identifies the privacy and data protection implications from emerging technologies such as quantum computing and communications, and quantum sensing, timing and imaging.

Stephen Almond, the ICO’s director of regulatory risk, said in an article accompanying the report that the regulator’s priority has been to build understanding of this new frontier and how these technologies may impact people’s privacy – because understanding it now means the ICO is “better placed to enable innovators to consider data protection in development”.

He said that it is not just the ICO that needs to prepare for quantum technologies, but organisations processing personal data also need to do so. “Quantum computers could one day break widely used cryptographic algorithms that help protect everything from personal data to national security information. While quantum computers powerful enough to do this may be many years, or even decades away, the process of preparing for such a shift has already begun,” said Almond.

Post-quantum cryptography (PQC) has been highlighted by the regulator as the main proposed approach to address the cyber security risk posed by quantum technologies. This approach has already been endorsed by the National Cyber Security Centre, while the US National Institute of Standards and Technology (NIST) has recently released the first three PQC standards. The ICO suggests that large organisations, such as digital service providers and financial institutions, should start to prepare for the transition now. They can do so by, for example, identifying and reviewing at-risk information, systems and cryptography assets.

Christian Toon, cybersecurity expert at Pinsent Masons, said that the ICO’s recommendations on developing quantum resilience are not to be overlooked just because a business doesn’t use quantum today.

“The strategic approach organisations should take comes back to the ‘appropriateness’ of the technical and organisational controls a business must operate to remain compliant and resilient in the face of technical and cyber adversity,” said Toon.

He noted that businesses can balance immediate risk mitigation with long-term preparation for the quantum era by adopting a strategic approach that consists of immediate measures, and short-term and long-term strategies.

Immediate measures, as Toon pointed out, include conducting a comprehensive inventory of cryptographic assets and their uses within the organisation; implementing cryptographic agility to allow for rapid updates of encryption algorithms; and beginning to educate key stakeholders about quantum computing risks and opportunities.

For the short term, or the next three years, businesses should focus on things like developing and implementing quantum risk assessment protocols; transitioning to quantum-resistant cryptographic algorithms for critical systems; and exploring potential applications of quantum sensing and quantum communication for business advantage.

Long-term plans over the next three to ten years should look at fully integrating quantum-safe cryptography across all systems and data storage; investing in quantum computing capabilities or partnerships to leverage computational advantages; and adopting business models to incorporate quantum technologies in areas such as optimisation, machine learning, and secure communication.

In September, techUK, an association of technology businesses across the UK, also published a report on quantum resilience. It provides practical recommendations for businesses and the government to navigate the challenges and significant cyber threats posed by quantum technologies. According to the report, quantum computers could be capable of breaking algorithms underpinning the use of cryptography that safeguards data. This could include the breach of sensitive health, financial or personal data; the interception of messages on the internet; and the undermining of the integrity of digital documents.

James Talbot, technology law expert at Pinsent Masons, emphasised that quantum technologies can also have a significant impact on businesses’ data protection risks and practices.

“Though still a long way off, as we move closer to the practical application of quantum technologies, opportunities to carry out data processing activities on a far greater scale than those currently carried out will present themselves. While these opportunities may provide greater insight to datasets, the potential risks to individuals’ rights and freedoms will also increase,” he said.

“Existing data protection legislation provides a framework for protecting such rights and freedoms and key points around data protection by design and default, accountability and transparency will help individuals have confidence in a future where their personal data is processed using quantum technologies. In the shorter term, given the challenges existing cryptography methods are likely to face, the ICO’s report signals the beginning of a shift in what, depending on the nature and purpose of the processing activity, appropriate technical and organisational measures might be. As state-of-the-art technology develops, protections that are appropriate now will be less so in the future and will also need to develop,” he said.

The ICO’s report states that many early anticipated use cases of quantum computing are unlikely to involve processing personal information – for example, using a quantum computer to solve a materials science or physics research problem. However, the data protection regulator mentioned several areas where privacy and personal data could be impacted. These include modelling highly complex systems and simulating new chemicals for advances in drug development and personalised medicine; solving optimisation problems such as optimising workforce scheduling; accelerating machine learning; and speeding up the systems used to recommend products and content on online shopping or media platforms.
