The transition to quantum secure systems
On the future of information security and the transition to quantum secure systems, we will:
- update our encryption guidance in line with the transition to post-quantum cryptography. We will also continue to work with NCSC and others on issues such as the ‘timeline’ for transition;
- continue to educate and raise awareness of current and future cyber risks (including the risks from a quantum computer) and available mitigations;
- continue to engage with all relevant stakeholders on the transition to postquantum cryptography. We will continue to engage with our DRCF counterparts to ensure our regulatory approaches are aligned; and
- maintain awareness of the developing landscape and standards initiatives for QKD and other quantum secure technologies to inform our understanding of the state of the art.
Organisations should:
- continue evaluating their risk exposure. This could include identifying high risk information, critical systems and at-risk cryptography;
- ensure they take evolving international standards and NCSC guidance into account, as required under NIS and UK GDPR; and
- continue adequately protecting existing information processing, including through basic cyber hygiene.
These steps are consistent with existing security obligations.
Other quantum technologies
Beyond information security questions, discussions of responsible innovation in quantum technologies are at an early stage. With the exception of some quantum sensing, timing and imaging techniques, many quantum technology use cases are more likely to mature in the medium to long term (five-15 years or more). We will need to remain alert to developing use cases and any new, emerging or exacerbated risks.
To support responsible innovation and people’s information rights in a quantum-enabled future, we will continue to:
- seek out further opportunities to share our insights with, and learn from, industry, UKQuantum, the National Quantum Computing Centre, the UK’s quantum hubs and their pilot projects, the Office for Quantum, academia, the DRCF and other regulators; and
- explore potential applications and capabilities that may impact on people’s privacy, including use cases for:
- sensing, timing and imaging technologies that could lead to an elevated risk of surveillance or other privacy harms to people;
- quantum computing that could involve processing personal information or improve privacy enhancing technologies; and
- real world pilots of QKD.
We encourage further discussions with organisations to ensure they embed privacy by design and default when testing and deploying quantum technologies, including during the initial pilot phase. We are also open to observing and inputting into testbeds and other regulatory sandbox initiatives for quantum technology applications that may also intersect with our remit. Initially, we will do this through DRCF and Regulators Forum, and engagement with the UK’s quantum hubs.
For any organisation developing quantum applications likely to be piloted or come to the market in the near term (in the next three years) with novel privacy implications, they can apply to our sandbox. However, based on current timescales, we anticipate such applications for technologies such as quantum sensing and timing in a few years time, and for quantum computing in the longer term.
This report reflects our early-stage thinking. We welcome contact from any stakeholders wishing to continue the conversation. We encourage organisations exploring applications that may involve processing personal information, or novel uses of quantum technologies and privacy enhancing technologies, to contact us at: [email protected].