Quantum Is Coming: Here’s What the Data Protection Regulator Says
A new technological development is coming in the ongoing arms race between network defenders and their adversaries, which could dramatically disrupt the current landscape. When fully functioning quantum computers finally begin to emerge, the encryption on which most of the digital world relies could be broken. That has enormous implications for data protection, which is why the UK regulator, the Information Commissioner’s Office (ICO), has released new guidance for organisations.
The message is clear. It’s time to start identifying and addressing quantum-related risks as part of data protection compliance programmes.
What Will Quantum Computing Mean?
Governments and private investors worldwide are spending tens of billions to fund quantum computing research. It’s easy to see why: the scientific and mathematical breakthroughs it promises are mind-blowing. Not without reason has the significance of quantum computing been compared to the harnessing of electricity.
Quantum computing is based on the theory of quantum mechanics, pioneered in work by Albert Einstein that won him the Nobel Prize. To the untrained eye, it seems to defy logic. Quantum particles, or qubits, don’t behave according to the traditional rules of physics. They do strange things like existing in two places simultaneously and travelling forwards or backwards in time.
While today’s computers process and store information in zeros and ones, quantum computers use qubits, which can be a zero and a one at the same time. This radically reduces the time it takes to process data, calculate, and solve problems.
According to the ICO, there are several potential use cases for the technology, including:
- A new generation of quantum sensors and advanced quantum timing technologies, to be used in medical diagnostics, urban infrastructure and environmental resource management, climate change planning, and surveillance and jamming-resistant navigation.
- Quantum-enhanced imaging to detect people and objects around corners or behind walls, or to identify molecules in the body more accurately.
- A new and potentially ‘unhackable’ method for securely sharing cryptographic keys, known as quantum key distribution (QKD).
Decrypting the Internet
However, the most concerning potential use case of quantum is its ability to solve the complex mathematical problems on which modern asymmetric encryption (public key cryptography) is based. That could one day give hostile states or well-funded cybercrime groups the ability to unmask everything from encrypted e-commerce and online communications to digital banking data. The implications for organisations that use asymmetric encryption to protect customer data and sensitive IP are obvious.
In fact, there are concerns that bad actors may already be harvesting encrypted data with a view to decrypting it in the future in so-called “store now, decrypt later” (SNDL) attacks. That’s why efforts are accelerating to find post-quantum algorithms (PQAs) that will resist quantum-driven decryption.
Progress is already visible. With the backing of the UK’s National Cyber Security Centre (NCSC), the US National Institute of Standards and Technology (NIST) released the first three post-quantum cryptography (PQC) standards in August of this year. The US has already set objectives for the public sector to transition to quantum-secure systems by 2035, while the UK government has introduced mitigations for critical services and set out technical guidance and expectations for large organisations and system owners. The European Commission has called on member states to develop a roadmap, and major tech companies are exploring quantum-safe systems.
The ICO Wants Crypto Agility
So where does that leave the majority of UK organisations? The current NIS regulations (soon to be updated by the Cyber Security and Resilience Bill) cover cloud services and e-commerce providers, organisations that provide digital identity or authentication services, and internet and telecom providers. They must notify the ICO either of a personal data breach (GDPR) or a NIS-related security incident if:
- They discovered an SNDL attack that “substantially affected their service or led to the disclosure of personal information.”
- They made a mistake in implementing PQC, which exposed personal information and posed a risk to people’s rights and freedoms.
All other organisations have obligations under the GDPR to secure personal data “using appropriate technical and organisational measures” that align with the risk of processing and consider the state of the art. According to the ICO, this means they: “should consider identifying and addressing quantum risks as part of their existing legal obligations to adapt to new and emerging cyber threats to personal information.”
What does that mean in practice? As always, the ICO says that – under the Data Protection Act 2018 and GDPR – organisations must determine what technical measures they need to ensure the “appropriate level of security”. But there is a further hint. The regulator’s own guidance on encryption urges organisations to be “crypto agile”. This means keeping encryption use under regular review and being alert to new updates and possible vulnerabilities.
“New standards have been developed and, at some stage in the next 10 years, PQC is likely to become an accepted and widely implemented norm in the future state of the art,” it adds.
A Checklist for Compliance
Thus, most organisations should continue to protect personal data in line with encryption best practices and standards and report any breaches or leaks, including SNDL and any incidents caused by mistakes in implementing PQC. The ICO adds that they should proactively:
- Start considering risk exposure “in the immediate and near future,” including identifying high-risk information and at-risk cryptography and systems.
- Keep abreast of evolving international crypto standards and NCSC guidance, as per NIS and UK GDPR.
- Where they are considering QKD or other quantum-secure technology in addition to PQC, consider completing a data protection impact assessment (DPIA). This helps assess whether rights and freedoms associated with personal information may be at risk and documents the measures being taken to address those risks.
- Continue to mitigate “wide-ranging, short- and medium-term” cyber risks unrelated to quantum computing, following essential cyber hygiene best practices for data protection.
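As an added example (not the ICO’s guidance or any product’s code), the following Python script shows one way to act on the “crypto agile” advice and the “high-risk information and at-risk cryptography” item above: it triages a constructed cryptographic inventory, classifying each system’s key-exchange scheme as quantum-vulnerable or post-quantum and applying Mosca’s inequality (data shelf life plus migration time against an assumed number of years until a capable quantum computer) to flag store-now-decrypt-later exposures that should be migrated first. The inventory, the algorithm lists and the ten-year horizon are illustrative assumptions, not forecasts.

```python
from dataclasses import dataclass

# Public-key schemes a cryptographically relevant quantum computer (CRQC) is expected
# to break with Shor's algorithm: the 'at-risk cryptography' the guidance asks for.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-3072", "RSA-4096", "DH-2048",
                      "ECDH-P256", "X25519", "ECDSA-P256", "Ed25519"}
# Parameter sets from NIST's first PQC standards (ML-KEM, ML-DSA, SLH-DSA).
POST_QUANTUM = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128s"}

def classify(alg: str) -> str:
    """Classify one algorithm string; 'A+B' is a hybrid, safe if any component is PQ."""
    parts = alg.split("+")
    if any(p in POST_QUANTUM for p in parts):
        return "pq-safe"
    if any(p in QUANTUM_VULNERABLE for p in parts):
        return "vulnerable"
    return "unknown"  # review by hand; never assume an unlisted scheme is safe

@dataclass
class System:
    name: str
    data_class: str          # e.g. "special-category", "personal", "public"
    confidential_years: int  # how long the data must stay secret (shelf life)
    key_exchange: str        # scheme protecting the data's confidentiality
    migration_years: int     # estimated time to move this system to PQC

def triage(systems, crqc_years: int) -> dict:
    """Mosca's inequality: if shelf life + migration time exceeds the assumed years until
    a CRQC, ciphertext captured today will still matter once it becomes decryptable (SNDL)."""
    findings = {}
    for s in systems:
        status = classify(s.key_exchange)
        if status == "pq-safe":
            risk = "low"
        elif (s.confidential_years + s.migration_years > crqc_years
              or s.data_class == "special-category"):
            risk = "high"    # SNDL exposure or high-risk data: migrate this system first
        else:
            risk = "medium"  # still needs migration, but the data expires before the threat
        findings[s.name] = (status, risk)
    return findings

# Constructed sample inventory; crqc_years=10 in the call below is an illustrative assumption.
INVENTORY = [
    System("customer-db-backup", "special-category", 25, "RSA-2048", 3),
    System("public-website-tls", "public", 0, "X25519", 1),
    System("staff-vpn", "personal", 5, "X25519+ML-KEM-768", 2),
    System("legacy-partner-api", "personal", 8, "ECDH-P256", 4),
]
for name, (status, risk) in triage(INVENTORY, 10).items():
    print(f"{name:22} {status:11} {risk}")
```

A real inventory would be fed from certificate stores, TLS configuration and key-management records rather than typed in, and the "unknown" bucket is where manual review effort goes first.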
It will be years before quantum computing capable of cracking asymmetric encryption appears. But that’s no reason for complacency. It’s better to assess the risks and plan for the future today than be forced into making hasty (and potentially expensive) decisions tomorrow.