Every time you exchange data online, whether you are purchasing an item with a credit card or providing personal information for an application, you enter a tacit agreement with the service provider about the protection of your information. However, you probably don’t think about what specific measures the provider will take to secure your data for that particular transaction. The most recent Facebook security breach, involving the personal and browser data of 30 million users, exemplifies the risks inherent in such exchanges and the lack of immunity for anyone involved.
Emerging technologies, such as quantum computing, raise the stakes for these exchanges and further obfuscate the risks to users. As it is, few people who exchange their data online understand modern encryption and how to ensure that a provider is securing their data; an even smaller fraction of people are able to comprehend the potential for future decryption technologies. Quantum computing poses one such threat that could dwarf all modern encryption efforts. Because of the esoteric nature of encryption and the ubiquity of digital data in all facets of modern society, the government must help minimize the risk to users by ensuring that companies are keeping up with security standards to protect against current and future threats.
Just as encryption and digital security are beginning to be understood on a mass scale, the potential for a paradigm shift looms. Technological and theoretical advances, as well as diverse funding sources, are paving the way to quantum computing. Due to their physical advantages, quantum computers have the potential to completely alter the way people encrypt (and decrypt) data, threatening the entire field of cybersecurity technologies. Because of the risk of major ramifications not only in the field of encryption but also in other areas of computing, experts are dubbing the approach of usable quantum computers Y2Q, short for “years to quantum.” This is a cheeky reference to the Y2K panic, when it was believed that the year 2000 would launch computer systems into digital havoc and cause the collapse of online banking and digital infrastructure.
As was the case with Y2K, Y2Q raises questions about preparation for a forthcoming large-scale cyber disruption, and the role that the government should play in this preparation. While many people believe that the government over-prepared for Y2K, because nothing ended up happening, others know that nothing ended up happening because of the amount of money that was invested to prepare systems for the new millennium. Furthermore, the amount of money that was invested, and the time that was allocated to identify critical assets and liabilities, played an important role in mitigating Y2K hysteria. Concern over Y2Q should be leveraged to motivate renewed preparation efforts that build upon those for Y2K, and in doing so also help to illuminate the government’s role in preparing for other cyber-related disruptions.
A quantum leap in computing. Current data encryption relies on complex mathematical processes to scramble data in a way that renders it unreadable, while still containing the original information. A key or passcode is required to unscramble the data. The algorithms used depend on the specific encryption method, but the process is fairly consistent; all types rely on the fact that decrypting data without the key would take an enormous amount of computing power and time with a conventional computer.
However, quantum computers would be able to crack the most common encryption methods, as well as create other disruptions, because, in theory, they operate at much higher speeds than today’s computers. The difference lies in the smallest unit of computer storage: the bit. Quantum computers operate on a system of quantum bits (qubits), rather than traditional computer bits. While bits can only exist in one of two possible binary states (0 or 1), qubits are able to be in both states at once, thanks to a fundamental principle of quantum mechanics called the quantum law of superposition. For example, a two-bit system can be in one of four states (00, 01, 10, or 11). In comparison, a two-qubit system can be in all four states at the same time. Because a quantum computer would be able to process multiple possibilities simultaneously, it would be much faster than a traditional computer that has to test out each configuration individually.
The speed of quantum computers theoretically increases exponentially with each qubit added, but at the cost of pushing the limits of modern technology. Scientists have predicted that if a stable system of 50 qubits can be achieved, quantum computers will be faster than any traditional computer, and “quantum supremacy” will be achieved. However, creating a system with multiple qubits is not easy with current technology. Scientists are still trying to produce quantum computers with incrementally larger numbers of qubits. IBM claims to currently be blazing the trail with a system that can fleetingly support 50 qubits but has yet to remain stable for an indefinite period of time and maintain a low margin of error. Although it will take significant innovation to allow for a more usable system, the recent strides in quantum computing cannot be ignored.
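The two-qubit case and the 50-qubit threshold described above can be made concrete with a small classical state-vector simulation. This is an added example, not part of the original article; the function names are illustrative, and the 16 bytes per amplitude assumes double-precision complex numbers.

```python
import math
import random

def zero_state(n):
    """State vector for n qubits, all in |0>: 2**n complex amplitudes."""
    state = [0j] * (2 ** n)
    state[0] = 1 + 0j
    return state

def hadamard(state, target):
    """Apply a Hadamard gate to qubit `target` (bit index) of the register."""
    s = 1 / math.sqrt(2)
    out = list(state)
    bit = 1 << target
    for i in range(len(state)):
        if i & bit == 0:
            a, b = state[i], state[i | bit]
            out[i] = s * (a + b)
            out[i | bit] = s * (a - b)
    return out

def probabilities(state):
    """Map each basis state (as a bit string) to its measurement probability."""
    n = len(state).bit_length() - 1
    return {format(i, f"0{n}b"): abs(a) ** 2 for i, a in enumerate(state)}

def measure(state, rng):
    """Reading the register yields ONE basis state, sampled by probability."""
    probs = probabilities(state)
    return rng.choices(list(probs), weights=list(probs.values()))[0]

def simulation_bytes(n):
    """Memory a classical simulator needs: 2**n amplitudes, 16 bytes each."""
    return 16 * 2 ** n

def two_qubit_superposition():
    """Put both qubits in superposition: 00, 01, 10 and 11 all carry weight."""
    state = zero_state(2)
    for q in range(2):
        state = hadamard(state, q)
    return state

if __name__ == "__main__":
    state = two_qubit_superposition()
    print(probabilities(state))                    # four equal probabilities
    rng = random.Random(0)                         # fixed seed, constructed run
    print([measure(state, rng) for _ in range(8)])
    for n in (2, 30, 50):
        print(n, "qubits ->", simulation_bytes(n), "bytes to simulate")
```

The state holds all four outcomes at once, but each read of the register returns only one of them. The amplitude count doubles with every added qubit, so simulating 50 qubits this way takes about 16 pebibytes of memory.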
Besides IBM, multiple other American businesses and foreign countries recognize the potential benefits of increased computing speed and are in the race to develop quantum computers, including Google, Microsoft, and the Chinese and Russian governments. While quantum computers may bring security risks, they will also have the power to contribute to the greater societal good. Because of their speed, quantum computers are expected to help researchers with molecular biology simulations, drug research, climate modeling, and other complex calculations unimaginable with current computing capabilities.
Although quantum computing promises many beneficial uses, it is a dual-use technology that also has the capacity to cause societal disruptions. Security risks associated with quantum computing that extend beyond decryption have already been identified. Artificial intelligence using quantum computers rather than traditional computers will have tremendously greater data-processing capacities, allowing for increased surveillance efforts. Detection technologies, such as nuclear submarine detectors, could also get a boost from the extreme computing capacity, which will make it possible to minimize the background noise in data that usually helps prevent detection.
Getting ready for Y2Q. Although the immense future impact of quantum computers is creating a buzz on the Internet, little has been discussed about the US government’s role in responding to data security concerns. Last fall, the US government did issue a national plan, and funding, to research the construction of quantum computers. However, this research will only address the offensive concerns of developing a quantum computer, rather than how to respond if someone else develops one. The National Security Agency and National Institute of Standards and Technology have both announced efforts to develop quantum-safe encryption methods. But at a higher level, the government must decide what its responsibility is in protecting public agencies and private businesses such as banks in the event that someone with malicious intent is able to harness quantum computing.
Although the name “Y2Q” might be misleading in its implication that quantum computers are only a few years away, and that once they arrive they will be ubiquitous, it does provide an interesting impetus for government response. In preparing for Y2K, the government assumed that there was a potential for detrimental impact to the public, and that the public needed help to adequately prepare for the threat. The government convened a special committee and determined what preparation responsibilities it would assume, be they requirements on private banks, technological research and innovation for government infrastructure, or edification of stakeholders. Also, the government clearly articulated its role and actions to the public.
This preparation and communication proved useful not only in mitigating the fear and impact of Y2K, but also in facilitating rapid response for subsequent disruptions. In the case of Y2K, simply forming response guidelines and booklets for stakeholders provided reference material for various organizations that proved valuable when the unforeseen devastation of 9/11 occurred. Similarly, using Y2Q as an opportunity for preparation and procedural structuring could help the government to provide a guardrail in the event of another large-scale disruption that is less foreseeable than the known risks of quantum computing.
The current administration should issue a plan for Y2Q that prioritizes the security of public infrastructure and private industries that are critical for citizen safety. Within each of these categories, the government should identify primary responders and communication links to allow for expedient reaction should quantum computing, or some other disruption, prove to be imminent.
The government must also decide whether it has an obligation to educate other countries on the potential disruption, as it did with Y2K. This will require consideration of what impact other countries’ poor preparation would have on the United States, as well as what the US commitment is to general global security.
Unlike with Y2K, the current administration may also want to consider preventive or alert efforts that could address the mystery over when quantum computing will arrive. Preventive measures may include arms control and safeguard treaties similar to those for other dual-use technologies, such as nuclear technology. These measures would aim to narrow the range of potential actors who could acquire quantum computing capabilities.
Efforts to alert the national or international community about the use of a quantum computer, on the other hand, would likely require a greater focus on technology than on policy. This type of preparation could include the application of some sort of tampering-detection device (or program) to alert authorities to any attempted decryption using a quantum computer. The international politics required to navigate the commitments of such a system may work best if modeled after the International Monitoring System established under the Comprehensive Nuclear Test Ban Treaty, as it would have to cast a wide net to allow for timely detection.
Ideally, serious preparation efforts for Y2Q should start immediately. Where appropriate, Y2K successes and failures should be used to help guide a more robust preparation for Y2Q. This will be most pertinent in structuring a large-scale, cross-agency response effort. However, in appreciating the differences between Y2K and Y2Q, dual-use technology safeguards and monitoring systems should be applied to help eliminate uncertainty about the Y2Q timeline. These efforts would provide greater stability not only for the approaching Y2Q, but also for unforeseen cyber disruptions.