Why law firms need to worry about quantum computing

Blame it on faulty PR, but quantum computers just don’t scare people the same way that artificial superintelligence does. That’s a mistake because many experts say the tech’s threat to secrecy is real. The time to prepare is now.

Among those sending up warning flares are spy agencies like the U.S. National Security Agency, Canada’s Communications Security Establishment, tech giants like IBM, as well as computer experts at University of Waterloo, a world leader in quantum studies. Anyone who needs to keep data protected for more than a decade should start thinking beyond today’s common encryption standards, which quantum computers could easily smash through, they say.

Some law firms say they are already taking action.

“It’s definitely on our radar,” says Benoit Yelle, a member of the executive committee of the tech group at Gowling WLG in Montreal. The firm has a research team in place that studies developments in the security field, including quantum technology. “We decided long ago to be proactive,” says Yelle, who has an engineering background.

There’s little agreement on timing, but the growing consensus is that eventually, engineers, physicists, and programmers will work out the current technology’s many challenges. When that day comes, quantum computers, which use quantum mechanics rather than binary digital transistors for their calculations, will be able to compromise many of today's algorithms that protect data on the internet. Right now, difficult math is what protects private-public key encryption, the common security protocol. But because machines would not be restricted to linear calculations, quantum computers could solve many problems simultaneously. Today's popular algorithms won't hold up against quantum computing.

While traditional computers use transistors to store “bits” of information, quantum computers use quantum bits — so-called qubits  — to make computations.  These could also be useful for all sorts of applications that require super processing power — from predicting weather patterns to creating new life-saving medicines. How many high-quality qubits are needed for a functioning quantum computer (i.e., one that can seriously surpass traditional computers’ abilities) is the topic of much debate. There are even doubters who argue such machines will likely never be built. But others say it’s just a matter of money and effort. Given that China, America, and Europe — and Google for that matter— are spending billions to crack both hardware and software problems, the quantum age may come sooner than expected. Recent breakthroughs are heightening expectations, with Canada’s D-Wave at the forefront of this nascent technology.

“We know it’s coming,” said Scott Jones, chief of the newly-created Canadian Centre for Cyber Security (CCCS), in an interview with INTREPID. “It’s now an engineering challenge.”

Indeed, small-scale, limited-capacity quantum computers have already been built. But at the moment, these super-expensive machines reportedly loose their computational power if even minutely disturbed; they operate briefly and at temperatures near absolute zero. That’s colder than deep space, and hardly cheap. Error-prone, they expend much of their energy correcting, which means current models aren’t capable of much that is truly useful.

And yet, many think we have a blueprint. What’s more, experts say that the technology is advancing at a rapid rate, but so are quantum-proof encryption methods to counter an attack. “It's better than 50 percent probable that we will have working, available (e.g., cloud-based) quantum computing within 5-10 years,” said former Microsoft executive Ken Nickerson, CEO iBinary LLC, in an email. Nickerson added, however, that the threat to encryption is a “known,” and large companies are already taking necessary steps to include quantum-proof layers. The military, government, and financial institutions are employing them “not because of existing or imminent threat, but because the (legal) horizon to quantum computing is now presumed to be less than 7 years — the minimal record retention risk scenario.”

To be sure, the quantum danger is only part of the scary environment for entities that hold lots of sensitive information. Jaw-dropping break-ins like the Equifax mega-hack show that black-hat programmers are becoming more adept at infiltrating systems. Gone is the image of hoodie-wearing maladjusted loners; hackers are often professionals, with ample, state-backed resources. In response, jurisdictions are passing increasingly stringent laws regarding responsibility and breaches. Europe’s General Data Protection Regulation, which can fine non-compliant firms up to 4 percent of annual turnover, is the first serious shot across the corporate bow. The quantum threat adds another dimension.

“In general, people need to start thinking about encryption risk,” said James Kosa, a partner at Toronto-based WeirFoulds, and president of the Canadian Technology Law Association. “Relying solely on encryption is not a good move.”

Law firms, depositories of lots of long-held sensitive information, will need to fight their usual conservative tendencies when it comes to this bleeding-edge technology. Vacuumed up encrypted data remains private today, but it can be easily stored for decoding at a later date by bad actors. Legal companies should consider not only how their data is stored, but also why they are keeping it available in the first place, said Kosa, who holds an electrical engineering degree. “You need multiple layers” of protection, including restricting access or segregating it offline. At the very least, law firms should put in place a data retention policy that reduces the amount of sensitive data being retained unnecessarily, Kosa added.

Experts in the field agree. Law firms “should allocate someone to be responsible to making sure they are sufficiently informed about the threat and solutions, and that an appropriate risk mitigation plan is in place,” said Michele Mosca, a founder and professor of the Institute for Quantum Computing at the University of Waterloo. If information needs to remain confidential for more than a decade, “then you should be sure that your [virtual private network] and secure email vendors have a quantum-safe algorithm protecting your communications.”

“They should start with a quantum risk assessment to better understand what the risk is to them,” Mosca added.

Indeed, authorities like the National Institute of Standards and Technology are working on standards, and have called for proposals for post-quantum public-key cryptographic algorithms to protect against quantum attacks. But it will take time for an agreement on protocols that can work both with today’s digital technology as well as anything designed to resist tomorrow’s quantum attacks. That’s why firms need to start looking at their systems sooner rather than later, experts say.

So what’s the Canadian government’s role in this? Neither the CSE nor Innovation, Science and Economic Development Canada would comment on their efforts in this area. However, the CSE’s recently launched federal agency, the CCCS, plans to disseminate information on all things cyber, including advice on threats for the public and Canadian businesses. They also issued guidance last year.

Ultimately, experts say that law firm managers need to think further than today’s common protection standards, and not wait for government advice or systems vendors to make decisions. Shrugging shoulders and passing the buck will not be an option.

“IT firms don’t manage your risk for you,” said Mosca. “That’s your job.”