The Quantum Computing Threat to Cybersecurity

Quantum computing (QC) has the potential to fundamentally disrupt cybersecurity. For business leaders and legal professionals, understanding what QC is, how it threatens encryption, and what can be done today is not optional—it’s essential.

What Is Quantum Computing?

To grasp the significance of quantum computing, it’s helpful to first understand classical computers. Traditional or “classical” computers process data in binary form using bits, which are either 0s or 1s. Each bit represents a simple on-or-off state—like a light switch. These bits are combined and processed in sequence to perform calculations, run programs, and transmit information.

Quantum computers, by contrast, use quantum bits, or qubits. Thanks to principles of quantum mechanics—particularly superposition and entanglement—qubits can exist in multiple states simultaneously. A qubit isn’t limited to being just a 0 or a 1; it can be both at once, like a spinning coin that hasn’t landed.

Quantum computers also use entanglement, a phenomenon where two qubits become interlinked, such that the state of one instantly determines the state of the other, even at great distances. These capabilities enable quantum computers to evaluate vast numbers of possible solutions at the same time, allowing them to solve certain problems orders of magnitude faster than classical machines.

While quantum computing remains in its early stages, breakthroughs from companies like IBM and Google suggest that practical applications are not far off. One of the most urgent concerns is its impact on encryption—the foundation of modern cybersecurity.

How Encryption Works—and Why It’s at Risk

Encryption protects data by converting it into unreadable code, which can only be deciphered with a key. There are two main types of encryption:

Symmetric Encryption

This method uses the same key for both encryption and decryption. It’s fast and widely used—for example, the AES (Advanced Encryption Standard) algorithm protects everything from stored files to VPN connections. However, it comes with a major weakness: if the key is intercepted, the data can be decrypted by an attacker.

Asymmetric Encryption

Asymmetric, or public-key encryption, solves the key-sharing problem by using two mathematically related keys—one public and one private. This system underpins secure web communications (like HTTPS), digital signatures, and email security. Algorithms such as RSA, ECC (Elliptic Curve Cryptography), and the Diffie-Hellman key exchange are common examples.

Take RSA: it relies on the difficulty of factoring large numbers. While it’s easy to multiply two large prime numbers, reversing the process—factoring the product to find the original primes—is computationally infeasible for classical computers. That’s what keeps RSA secure—at least for now.

But quantum computers can change that. Shor’s algorithm, developed in 1994, can factor large numbers exponentially faster than any known classical method, and it solves the discrete-logarithm problems behind ECC and Diffie-Hellman just as efficiently, potentially making RSA and other common public-key encryption methods obsolete once scalable quantum computers arrive.

The “Store Now, Decrypt Later” Threat

Even though powerful quantum computers aren’t here yet, the risk is real today. Adversaries can intercept and store encrypted data now with the intention of decrypting it later using quantum technology. This is especially troubling for information requiring long-term confidentiality—like trade secrets, health records, or classified government data.

Regulatory Responses to Quantum Risks

Governments and regulatory bodies are not standing still. Both the European Union and the United States are creating legal frameworks and policy strategies to manage the quantum threat.

The European Union’s Approach

EU laws like the General Data Protection Regulation (GDPR) already require companies to implement “appropriate” technical and organizational security measures based on current threats. That includes keeping up with quantum risks.

Recent developments include:

  • EU Commission’s 2024 Recommendation: Urges a coordinated plan to migrate to post-quantum cryptography (PQC).
  • NIS Cooperation Group Workstream: Co-chaired by France, Germany, and the Netherlands, this group coordinates national PQC strategies.
  • Joint Statement (Dec 2024): Signed by 18 national cyber agencies, this statement calls on critical industries to mitigate “store-now, decrypt-later” threats by 2030.
  • ENISA Guidance: The EU cybersecurity agency has issued technical recommendations highlighting the need for cryptographic agility—the ability to quickly adapt to new encryption standards.

The United States’ Strategy

The U.S. has taken a proactive stance with multiple policies:

  • National Security Memorandum 10 (2022): Outlines quantum risks and national strategy.
  • Quantum Computing Cybersecurity Preparedness Act (2022): Requires federal agencies to inventory vulnerable systems and plan for PQC adoption.
  • NIST Standards (2024): NIST published FIPS 203, 204, and 205—official PQC standards ready for use.
  • NSA’s CNSA Suite 2.0: Defines future encryption standards for national security systems.
  • CISA and DHS Initiatives: These agencies provide roadmaps and support for migrating to quantum-safe systems, especially for critical infrastructure.

Together, these efforts make clear that mitigating quantum threats is a priority—and organizations should begin preparing now.

How Businesses Can Mitigate the Quantum Threat

Addressing quantum risk requires a blend of legal, technical, and operational strategies.

Legal and Compliance Measures

  • Stay informed about emerging regulations and standards related to PQC.
  • Update governance documents and vendor contracts to account for new encryption requirements.
  • Ensure supply chain compliance, particularly in data sharing and cloud services.
  • Interpret “state-of-the-art” requirements under laws like the GDPR as including quantum-resistant solutions when appropriate.

Technical Strategies

  • Conduct a cryptographic inventory: Identify where encryption is used, what algorithms are in place, and which systems are most vulnerable.
  • Classify sensitive data: Prioritize data with long confidentiality requirements for early migration to PQC.
  • Adopt cryptographic agility: Design systems that can support multiple algorithms and be updated quickly.
  • Collaborate with tech vendors: Work with cloud providers and cybersecurity firms to begin integrating PQC solutions.
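A sketch of how the inventory and classification steps above can feed a migration order, tying in the "store now, decrypt later" concern from earlier in the article. This is an added example, not from the original article: the systems in the sample inventory are constructed, and the 10-year planning horizon and the priority scale are assumptions to be replaced with your own risk figures.

```python
import csv
import io

# Constructed sample inventory (hypothetical systems, for illustration only).
INVENTORY_CSV = """system,purpose,algorithm,key_bits,confidentiality_years
vpn-gateway,key_exchange,ECDH,256,10
patient-archive,encryption,RSA,2048,25
backup-store,encryption,AES,128,15
file-vault,encryption,AES,256,30
code-signing,signature,RSA,3072,0
pilot-tls,key_exchange,ML-KEM,768,10
"""

SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}  # factoring / discrete-log based
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}                # standardized in FIPS 203, 204, 205
HORIZON_YEARS = 10  # assumption: planning horizon for a capable quantum computer

def assess(row):
    """Return (priority, reason) for one inventory row; 3 is most urgent."""
    alg, bits = row["algorithm"].upper(), int(row["key_bits"])
    years = int(row["confidentiality_years"])
    if alg in PQC:
        return 0, "already post-quantum"
    if alg in SHOR_BROKEN:
        # Only confidentiality can be harvested today and read later;
        # a signature cannot be forged retroactively on captured traffic.
        if row["purpose"] in ("key_exchange", "encryption") and years >= HORIZON_YEARS:
            return 3, "store-now-decrypt-later exposure: migrate first"
        return 2, "quantum-vulnerable public-key algorithm: plan migration"
    if alg == "AES" and bits < 256:
        # Grover's algorithm roughly halves the effective symmetric key strength.
        return 1, "symmetric key below 256 bits: raise key size"
    return 0, "no quantum-specific action"

def triage(csv_text):
    """Parse the inventory and return (system, priority, reason), most urgent first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    scored = [(*assess(r), r["system"]) for r in rows]
    scored.sort(key=lambda t: -t[0])     # stable sort keeps inventory order within a tier
    return [(system, prio, why) for prio, why, system in scored]

if __name__ == "__main__":
    for system, prio, why in triage(INVENTORY_CSV):
        print(f"P{prio}  {system:16} {why}")
```
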

Business Operations and Training

  • Train your workforce: Educate IT and legal teams on quantum risks and new encryption standards.
  • Incorporate quantum threats into risk management: Treat this as an enterprise risk requiring executive attention and strategic planning.
  • Pilot quantum-safe solutions: Engage in industry initiatives and test new cryptographic protocols before full deployment.

Real-World Action: Leading by Example

Some major organizations are already preparing:

  • Amazon Web Services has announced phased integration of PQC across its infrastructure.
  • Google has deployed post-quantum algorithms in its internal networks.
  • Financial institutions, led by forums like Europol’s Quantum Safe Financial Forum, are prioritizing transitions to PQC.

These early adopters underscore that the quantum threat is not theoretical. Businesses that wait until quantum computers are fully mature risk falling behind—legally, operationally, and competitively.

Conclusion

Quantum computing is set to revolutionize the digital world—but with that potential comes significant risk. Encryption methods that safeguard today’s internet will not hold up against tomorrow’s quantum machines. Legal, technical, and business leaders must act now to protect data, comply with evolving laws, and future-proof their systems. The message from regulators, experts, and leading companies is unanimous: start the transition to post-quantum cryptography today—before it’s too late.