Quantum computers could eventually pose huge risks to the security of encrypted information, including national security information. There are two possible countermeasures to this threat. The U.S. government has clearly stated which one it plans to pursue, but not all U.S.-allied governments have articulated a clear position. Allied governments, especially militaries, should clarify their strategy for responding to this threat in order to ensure the future interoperability of communications that are secure against quantum attacks.
The Quantum Computing Threat
Scientific researchers across the world are racing to build some of the most complex and counterintuitive machines ever built: quantum computers.
A quantum computer is a new type of computer that leverages the strange rules of quantum physics, which describe the smallest particles and the coldest temperatures known to science. Quantum computers are so different from conventional computers that they don’t even use bits – the ubiquitous 0’s and 1’s that underlie all the calculations in every computer that you’ve (probably) ever used.
Quantum computers use these strange laws of physics to perform certain types of calculations vastly more quickly than even our best supercomputers can. Many of the problems that quantum computers may one day be able to solve have useful commercial applications, such as improved drug development, battery design, financial modeling, and logistics, implying that quantum computing may one day deliver huge economic value.
But there is another, more concerning type of calculation that quantum computers also excel at: codebreaking. At the heart of all modern cryptography are extremely hard math problems, which have been constructed to be far too difficult for even the most powerful supercomputers to break. But in 1994, the computer scientist Peter Shor discovered a quantum algorithm known as Shor’s algorithm. If run on a sufficiently powerful quantum computer, Shor’s algorithm could quickly solve the same math problems that underlie our cryptography – allowing the operator to read essentially all the information that is currently being transmitted over the internet.
It’s hard to overstate the consequences that might occur if a bad actor acquired the ability to use a quantum computer to break today’s cryptography. Think of all the sensitive information that gets transmitted over the internet: personal emails, medical records, financial information, Social Security numbers, credit card numbers, cryptocurrency transactions. All of them could become vulnerable to a large-scale quantum computer. Today’s quantum computers are nowhere near up to the task of attacking cryptography, so this threat may well still be 15 years away, but it is very real.
Even more concerning from a national security perspective: the cryptography that protects classified national security information is also vulnerable to quantum-computing attacks. A hostile nation may eventually be able to use a quantum computer to read some of the United States’s most sensitive military and intelligence secrets. The National Security Agency (NSA) has publicly stated that “the impact of adversarial use of a quantum computer could be devastating to [National Security Systems] and our nation.”
Two Potential Countermeasures
Fortunately, there are two preemptive countermeasures against quantum attacks on cryptography that are being deployed today.
The first is called post-quantum cryptography (PQC). Post-quantum cryptography works on the same basic principles as today’s cryptography: it encodes information mathematically, using math problems that are too difficult for even the fastest supercomputers to solve. The difference is that we don’t believe that even a quantum computer would be able to break the math problems used in PQC (although we can’t rule out that possibility completely).
In 2022, President Biden issued National Security Memorandum 10, which acknowledged the risk that quantum computers may eventually pose to the security of U.S. government communications and ordered the entire U.S. government to upgrade “as much of [its communication systems to PQC] as is feasible by 2035,” in recognition of the fact that such a massive undertaking is likely to take many years. The NSA has released detailed guidance on how this Memorandum applies to classified military communication systems. Thanks in large part to years of careful work by the National Institute of Standards and Technology (NIST), the United States is widely considered to be the world leader in the practical implementation of PQC.
Another countermeasure is called quantum key distribution (QKD). Unlike either PQC or today’s cryptography, QKD does not rely on math at all. Instead, it uses the laws of physics to protect information – ironically, some of the same laws of quantum physics that underlie quantum computing, although put to very different ends. While we can think of PQC as a mostly software-based solution, QKD is a hardware-based solution; it requires physically replacing much of the existing communication hardware. Generally speaking, QKD is a more expensive solution than PQC, which is one reason why the NSA does not support the use of QKD to protect U.S. national security information.
For several years, the People’s Republic of China has been the clear world leader in the deployment of quantum key distribution. At enormous expense, China has deployed a national-scale QKD network consisting of 2,000 kilometers of fiber optic cable and two QKD communication satellites, which it has used to encrypt communications with Russia and South Africa. While the PRC government has generally framed the purpose of this network as improving cybersecurity broadly, it is certainly plausible that they plan to use it to defend against any large-scale quantum computers that may eventually arise.
The U.S. government has clearly communicated through National Security Memorandum 10 that it plans to pursue PQC as its preferred defense against the threat that quantum computers will pose to cryptography, and the NSA prohibits the use of QKD to protect U.S. national security information. The PRC has been less clear about its plans, but it has invested more resources into QKD than any other nation has (although it is exploring PQC as well).
Each countermeasure has some theoretical advantages that the other one lacks. Moreover, they are not mutually exclusive; it is possible to combine both together.
Other Nations’ Positions
The overall picture regarding quantum countermeasures across U.S.-allied nations is messy and complicated. Some European countries have expressed a clear choice of PQC as their sole defense against the quantum threat, while other nations have conveyed openness to both PQC and QKD, and some are actively funding the deployment of both.
No other nation’s intelligence community has laid out plans as detailed as the NSA’s for deploying countermeasures against quantum computers. But several national governments have released position papers on the general topic of quantum countermeasures. The cyber and communications security agencies of the British, French, German, Dutch, Swedish, and Czech governments have all stated a clear choice of PQC over QKD, similar to the NSA’s position (although only the British and French governments have specifically addressed the question of protecting classified military information as the NSA has).
At the same time, the European Defence Industrial Development Programme has co-funded the DISCRETION Consortium, which is deploying QKD systems in Austria, Italy, Portugal, and Spain. The DISCRETION Consortium states that it has provided services to Portuguese military clients. (All ten countries mentioned above, except for Austria, are NATO allies.) NATO’s Quantum Technologies Strategy itself takes a middle ground, stating that “Today, post-quantum cryptography is an important approach to secure communications against quantum-enabled attacks. In the future, further improvements could allow quantum key distribution to also contribute to secure communications.”
The Canadian government is promoting the adoption of PQC, but the Canadian National Quantum Strategy also promises to “develop commercially viable quantum key distribution” and launch a QKD satellite. The Canadian military has listed QKD as a significant defense capability and is currently funding academic research into QKD networks, although its quantum roadmap does acknowledge that “QKD is not currently recommended to protect national security systems.”
Meanwhile, the South Korean government seems enthusiastic about both PQC and QKD. Its National Intelligence Service has co-led a competition that selected four PQC algorithms for standardization in January. At the same time, the Korean government has connected 48 government departments over an 800-kilometer QKD network, and its Korean National Quantum Strategy encourages “swift adoption by the government ministries and public institutions” of QKD and similar quantum cryptography systems. In January, the South Korean National Intelligence Service accredited a QKD system as meeting national security standards.
The Japanese quasi-governmental New Energy and Industrial Technology Development Organization is funding the deployment of both PQC and QKD technology in Japan. The Japanese government does not appear to have directly invested as many resources into deploying QKD as the South Korean government has, but the Japanese Quantum Technology Innovation Strategy sets a goal to “improve the safety of various security applications by commercializing quantum cryptography devices,” and its Strategy of Quantum Future Industry Development “promot[es] the use of public authorities as … early adopters [of] quantum security networks.”
Implications for Communication Interoperability
Why should anyone care which solution another nation chooses? Because PQC and QKD operate on completely different principles, and communication systems that use different cryptography systems could encounter huge interoperability challenges.
Combining PQC and QKD together in the same communication system is possible, although not easy. But information security systems raise additional challenges beyond purely technical ones. For an information security system, it isn’t enough that the information reliably travels from the sender to the receiver; you also need to be confident that it wasn’t intercepted or modified along the way. Suppose that an organization doesn’t trust the security of QKD and forbids using it to convey sensitive information – or likewise with PQC. In a complicated communication network (like the internet) that used both PQC and QKD, it could become extremely challenging to ensure that a given message never passed through the forbidden system.
This fact raises the risk that different nations may adopt different cryptography countermeasures against the quantum computing threat, which may or may not be mutually compatible. At best, it could be very expensive to connect different communication systems that use different protocols; at worst, some nations might forbid the use of communication systems that other nations adopt, thereby leaving those nations unable to securely communicate at all.
Interoperable communications can be a challenge in both the civilian and military sectors. But in the case of quantum-safe communication, the challenge is likely to be much greater for military communications. Competitive pressure between companies and a robust system of voluntary standard development organizations are usually enough to ensure smooth interoperability between commercial communication systems. (And in general, it isn’t the role of government policy makers to manage commercial standards anyway.)
But communication interoperability between military systems has always been much more challenging for several reasons, including military systems’ tight regulations, limited vendor and user bases, and uniquely strong security requirements (including the ability to handle information at various levels of classification). These interoperability challenges only get harder between different nations’ militaries.
Ease of communication between allied militaries is critical for their success in combined operations. The earlier that U.S.-allied militaries clearly lay out their strategy for protecting their communications against quantum computers, the better. Allied militaries should ideally be coordinating these strategies among themselves. There are several challenging questions that may arise in the future. For example: even if the NSA does not allow the U.S. military to use QKD to transmit national security information, will the NSA allow the U.S. military to share that information with allied militaries that might be using QKD?
To be clear, I am not taking any position about whether PQC, QKD, or a hybrid system is the technically superior solution. Nor am I even arguing that allied nations should necessarily firmly commit to one of those choices yet; there is a case to be made for remaining flexible and monitoring how the technologies evolve.
But there is also little time to waste. Even though quantum computers may still be many years away from being able to implement Shor’s algorithm to attack cryptography, there is a risk that adversaries may already be storing encrypted information that they could decrypt years from now, when quantum computers are sufficiently powerful. And an early and deliberate deployment of countermeasures will be much cheaper than a rushed deployment once the threat draws closer.
U.S.-allied governments should move out as soon as possible to secure their communications systems against the quantum computing threat. In doing so, they should clearly lay out their overall strategy regarding which countermeasures they plan to adopt, and when, and any countermeasures that they may have already ruled out. Doing so will offer commercial vendors in those countries clear guidance on which systems to be developing for government clients over what timelines.
Allied militaries should also coordinate their migration to the maximum extent feasible, and they should reach a common understanding regarding which security protocols will be acceptable for national security information shared between nations. (Even between countries that have committed to adopting PQC, there are important differences in implementation details that could lead to interoperability challenges. These differences should also be harmonized.)
The NSA and its counterparts in Britain and France have been admirably transparent and proactive in laying out their strategy and timelines on this issue. Other allied militaries should follow suit as soon as possible.