Advancing technology requires regulators to act quickly to develop standards and defenses against cyberattacks.
After a false-start in September, Google provided the first peer-reviewed evidence of “quantum supremacy” a month later in the prestigious journal Nature. The announcement was the latest crescendo in the development of quantum computers—emerging technologies that can efficiently solve complicated computational problems with hardware that takes advantage of quantum mechanics.
With data privacy and national security at stake, agile and adaptive regulatory strategies are needed to manage the risks of fast-approaching quantum computers without thwarting their potential benefits.
Although “classical” computers use binary bits to perform calculations, devices under development, like Google’s, use qubits that are not limited to 1s and 0s when they process information. Instead, through phenomena like superposition and entanglement, groups of qubits can have exponentially more power by not merely being “on” or “off,” but also being some blend of on and off at the same time. With the right programming and hardware design, quantum computers should be able to work smarter than classical computers when making sense of large datasets.
Demonstrating that a quantum computer can actually solve problems even supercomputers cannot handle—so called quantum supremacy (or, preferably, the less violent “quantum advantage”)—has long been an envied goal in the quantum engineering field. But, as the CEO of leading quantum technology firm Rigetti noted, practical quantum devices will create new risks and could lead to unanticipated policy challenges.
Setting risks aside, quantum technologies do promise exciting near-term benefits. Quantum advantage highlights the raw power of these devices to work with big datasets and could be used to advance drug discovery, business analytics, artificial intelligence, traffic control, and more. Although IBM has moved to cast doubt on the achievement, Google’s publication claims the team is “only one creative algorithm away from valuable near-term applications.” The world could almost be at the dawn of an era of quantum computers with day-to-day applications.
But practical quantum computers could also rip through current cybersecurity infrastructure. The abilities of these emerging technologies create significant national security concerns, both in the United States and for other countries investing heavily in quantum technologies, such as China.
Quantum cyberattacks could also put private or sensitive information at risk or expose corporate intellectual property and trade secrets.
To be sure, one developer showing quantum advantage for a single task does not mean the quantum cyberattacks will start tomorrow, so panic should be avoided. But, despite the hype, attaining quantum advantage does signal an approaching time when these attacks could become possible.
Achieving quantum advantage or “supremacy” is bittersweet, then, given the potential for both benefit and harm. Even though this is the first report of the achievement in the United States, it is not impossible that this goal has been reached elsewhere or will be soon. With this understanding, what should the regulatory and policy responses look like to manage novel risks while still encouraging benefits?
Three strategies can help prepare for the coming wave of quantum computers without undermining innovation, drawing on technical standards and codes of conduct as regulatory tools.
First, private standards will be useful for responding to quantum concerns. These voluntary, technical standards can give government and industry a common language to speak by creating agreed-upon definitions and ways of measuring quantum computers’ performance capabilities. Technical standards can therefore facilitate policy conversations about how powerful quantum computers really are and what types of risks are realistic and deserve policymakers’ attention.
The Institute of Electrical and Electronics Engineers Standards Association (IEEE) is currently working on setting standards for terminology and performance metrics in quantum computing. Given the global authority and reputation of IEEE, these standards could become quite influential when adopted and even be helpful for industry. To get ahead of potential quantum cyberattacks, experts from government, industry, academia, and NGOs should participate in standardization efforts to accelerate this work and add different perspectives to make standards more comprehensive and inclusive.
Second, the quantum computing industry itself can be proactive even without government taking the lead. I argue in a recent paper that, to guide responsible development of these powerful new technologies, quantum computing companies could create codes of conduct to detail best practices and principles for the responsible deployment of quantum computing.
Codes of conduct can show that an emerging industry is trying to be responsible and transparent while publicly setting expectations for good behavior. With concerns that quantum computers might be used for nefarious purposes or fall into the wrong hands, the industry should respond by committing to act responsibly through “quantum codes”—and have a chance to help define what responsibility means in this new area as an added benefit.
Finally, the industry should work to support the development of standards for another technology intended to defend from quantum cyberattacks, called post-quantum cryptography. Quantum computers excel at solving problems that require factoring large numbers, which gets right to the heart of current cybersecurity methods. Post-quantum cryptography tries to counter this strength by creating new types of encryption that quantum computers will be less adept at cracking.
Post-quantum methods still must be fully developed, standardized, and then implemented in critical networks—creating a need for policy and governance efforts to facilitate the transition to a post-quantum world. The National Institute of Standards and Technology has begun to work on post-quantum standards, but these efforts will not finish overnight. The potential urgency of practical quantum computers means that work to standardize and advance post-quantum cryptographic methods deserves greater attention and resources from both the public and private sectors, as well as expert groups and non-governmental organizations.
Google’s announcement that it has reached quantum advantage or “supremacy” is a great achievement in the long push to develop pragmatic quantum computers that can benefit society. But even though this announcement does not mean cybersecurity ends tomorrow, the security and privacy risks of quantum computers deserve policymakers’ prompt attention.
Responding to these challenges with public and private standards and codes of conduct should promote responsibility, security, and growth in the development of emerging quantum technologies.