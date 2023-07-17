The European Union (EU) must prepare for quantum cyberattacks and adopt a new coordinated action plan to ensure a harmonized transition to post-quantum encryption to tackle quantum cybersecurity threats of the future. That\u2019s according to a new discussion paper written by Andrea G. Rodr\u00edguez, lead digital policy analyst at the European Policy Centre.\n\nAdvances in quantum computing put Europe\u2019s cybersecurity at risk by rendering current encryption systems obsolete and creating new cybersecurity challenges, Rodr\u00edguez wrote. This is often coined \u201cQ-Day\u201d \u2013 the point at which quantum computers will break existing cryptographic algorithms \u2013 and experts believe this will occur in the next five to ten years, potentially leaving all digital information vulnerable to malicious actors under current encryption protocols. For Europe to be serious about its cybersecurity ambitions, it must develop a quantum cybersecurity agenda, Rodr\u00edguez stated, \u201csharing information and best practices and reaching a common approach to the quantum transition\u201d across member states.\n\nCybersecurity impact of quantum computing out of EU\u2019s purview\n\nQuantum computing will disrupt online security by compromising cryptography or by facilitating cyberattacks such as those on digital identities, Rodr\u00edguez wrote. \u201cCyberattacks on encryption using quantum computers would allow adversaries to decode encrypted information, interfere with communications, and access networks and information systems without permission, thereby opening the door to stealing and sharing previously confidential information,\u201d she warned.\n\n\u201cGiven that the prospects of a cryptographically significant quantum computer \u2013 one able to break encryption \u2013 are not a question of if but rather when, cybercriminals and geopolitical adversaries are rushing to obtain sensitive encrypted information that cannot be read today to be de-coded once quantum computers are available.\u201d These types of cyberattacks, known as \u201charvest attacks\u201d or \u201cdownload now-decrypt later,\u201d are already a risk to European security.\n\nThe impact of quantum computing on Europe\u2019s cybersecurity and data protection has been mainly left out of the conversation despite sporadic mentions in some policy documents such as the 2020 EU Cybersecurity Strategy or the 2022 Union Secure Connectivity Programme, Rodr\u00edguez said.\n\nUS leads the way on post-quantum cybersecurity\n\nThe US arguably leads the transition to post-quantum cybersecurity, in which post-quantum cryptography will be the protagonist, according to Rodr\u00edguez. The National Institute of Standards and Technology (NIST) has initiated a standardization process of post-quantum cryptography algorithms, while the Quantum Cybersecurity Preparedness Act, established in 2022, sets up a roadmap to migrate government information to post-quantum cryptography, Rodr\u00edguez wrote.\n\n\u201cIn 2023, the new US National Cybersecurity Strategy established protection against quantum cyberattacks as a strategic objective. This priority encompasses the use of post-quantum cryptography and the need to replace vulnerable hardware, software, and applications that could be compromised.\u201d\n\nEU\u2019s post-quantum cybersecurity focus is too narrow\n\nMeanwhile, the EU\u2019s efforts to secure information from quantum cyberattacks lack a clear strategy about how to deal with short-term threats, she added. The narrow focus at the EU level on how to mitigate short-term quantum cybersecurity challenges, especially harvest attacks and quantum attacks on encryption, leaves member states as the frontline actors in the quantum transition, Rodr\u00edguez said. \u201cAs of 2023, only a few EU countries have made public plans to counter emerging quantum cybersecurity threats, and fewer have put in place strategies to mitigate them, as in the case of Germany.\u201d\n\nAs quantum computers develop, European action will be needed to prevent cybersecurity loopholes that can be used as attack vectors and ensure that all member states are equally resilient to quantum cyberattacks. \u201cA Coordinated Action Plan on the quantum transition is urgently needed that outlines clear goals and timeframes and monitors the implementation of national migration plans to postquantum encryption,\u201d Rodr\u00edguez claimed.\n\nSuch a plan would bridge the gap between the far-looking objective of establishing a fully operational European Quantum Communication Infrastructure (EuroQCI) network and the current needs of the European cybersecurity landscape to respond to short-term quantum cybersecurity threats. Europe can also leverage the expertise of national cybersecurity agencies, experts, and the private sector by establishing a new expert group within ENISA where seconded national experts in post-quantum encryption can exchange good practices and encourage the establishment of migration plans, Rodr\u00edguez wrote.\n\n6 steps to an effective quantum cybersecurity agenda\n\nRodr\u00edguez\u2019s paper set out six recommendations for an EU quantum cybersecurity agenda.