How quantum computing may pose a cybersecurity risk


30 Jan 2023


William Fry’s Barry Scannell discusses the potential privacy implications of quantum computing and how it will ultimately alter our approach to encryption technologies.

As pointed out in a White House National Security Memorandum of May 2022: “a quantum computer of sufficient size and sophistication – also known as a cryptanalytically relevant quantum computer (CRQC) – will be capable of breaking much of the public-key cryptography used on digital systems across the US and around the world. When it becomes available, a CRQC could jeopardise civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most internet-based financial transactions.”

Everyday computers work with bits – the ones and zeros of our digital age, which represent everything in our digital world. Bits are binary, and can only be a one or a zero, on or off – but this binary code is extremely useful to us.

Quantum computers, on the other hand, rely on the unintuitive physics of the sub-atomic realm. Quantum computers use quantum bits, or qubits. Qubits aren’t ones or zeros – they are made up of physical systems such as the spin of an electron or the orientation of a photon.

Where this gets strange is that quantum elements such as electrons or photons are ‘probabilistic’ in nature. As crazy as it sounds, an electron only exists as a probabilistic wave function until it is measured. Once measured, the wave function collapses and the electron can be ‘pinned down’ and its properties, such as momentum, can be identified.

Quantum computing relies on this probabilistic nature of the fabric of the universe – before things like electrons and photons are measured, they can be in any number of states, and indeed, are in all of those states all at once, until ‘pinned down’.

Quantum computing relies on this idea of superposition. Eight bits are enough for a normal computer to represent any number between zero and 255. Eight qubits, however, are enough for a quantum computer to represent all numbers between zero and 255 – all at once, at the same time. The most famous use case so far for quantum computers is Shor’s algorithm. This is a quantum algorithm that, in theory, gives a quantum computer an enormous speed-up in factoring large numbers.

Cybersecurity threats

Why is the ability to factor large numbers a problem? Well, because that’s what our encryption technologies are based on. If technology is created that can rapidly factor very large numbers, most of our current encryption technology will be obsolete. The difficulty of factoring integers – working out which numbers were multiplied together to give a larger resultant number – is what public-key encryption, a common form of encryption used throughout the digital economy, relies on. This means that quantum computers will be able to break public-key encryption.

While the technology is still very much in its nascent stages, and so sensitive that even an air molecule could cause a quantum computer to crash, the technology is improving all the time. On the one hand, this will be an incredible development for society but on the other hand, it means that in order to protect our data in the future, we must ensure that our encryption technologies stay one step ahead.

There are some who say that quantum computing is even more dangerous than AI, although this presupposes the idea that AI technology is inherently dangerous or that our response to it has been inadequate.

In an article in Foreign Policy Magazine, Stanford University law professor Mauritz Kop said that we must learn from the mistakes made in the regulation of AI “before it is too late” so that we can ameliorate the impact of quantum machines. This would seem to ignore the fact that there are already very robust protections in place with regard to AI and personal data processing.

Regulation

The GDPR places strict regulatory obligations on any organisations that use AI to process personal data or to make automated decisions, and that carry out automated profiling. These AI-related obligations are so esoteric that even the most sophisticated GDPR regimes in organisations may not have addressed the technology’s impact on their regulatory risk. This is not to mention the EU’s AI Act, which places strict regulatory obligations on high-risk AI systems.

In the US, the Biden White House considers the risk of losing the quantum computing race so severe that it issued two executive orders in May 2022: one to place the national quantum initiative advisory committee directly under the authority of the White House and another to direct government agencies to ensure US leadership in quantum computing while mitigating the potential security risks quantum computing poses to cryptographic systems.

In response to the threat of quantum computing on current encryption technologies, in December 2022, president Biden signed legislation to encourage federal government agencies to adopt technology that is protected from decryption by quantum computing, called the Quantum Computing Cybersecurity Preparedness Act. This new legislation is in response to significant leaps in quantum technology being made by other countries, which could allow existing forms of secure encryption to be decrypted much more quickly.

The EU is responding also. In October, the European High-Performance Computing Joint Undertaking (EuroHPC JU) announced the selection of six sites that will host the first European quantum computers: Czech Republic, Germany, Spain, France, Italy, and Poland. They will be integrated on site into existing supercomputers to form a pan-European network with a total planned investment of more than €100m.

Since June 2019, all 27 EU member states have signed the European Quantum Communication Infrastructure (EuroQCI) Declaration, agreeing to work together, with the Commission and with the support of the European Space Agency, towards the development of a quantum communication infrastructure covering the whole EU.

According to the EU Commission, the EuroQCI will safeguard sensitive data and critical infrastructures by integrating quantum-based systems into existing communication infrastructures, providing an additional security layer based on quantum physics. It will reinforce the protection of Europe’s governmental institutions, their data centres, hospitals, energy grids and more, becoming one of the main pillars of the EU’s Cybersecurity Strategy for the coming decades.

Like all new technologies, the potential for good for quantum computing is limitless. Scientists expect the new technology to assist in drug discovery, improved weather forecasting and making scientific breakthroughs. However, like all new technologies, it brings with it significant risks, and these risks will need to be carefully regulated.

We have seen the positive benefits of the regulation of new technologies, as is clear from the EU’s legislative programme for its Digital Decade, but more than ever, organisations need to be alive to the operational risks new technologies pose to their business, as well as the regulatory risks which arise in response to those new technologies.

By Barry Scannell

Barry Scannell is a consultant in William Fry’s Technology department.
