Imagine a world in which powerful computers can instantaneously break a company’s standard encryption, threatening the most valuable financial data, intellectual property, personal information, and even national security secrets. The US National Institute of Standards and Technology (NIST) is, and with increasing urgency.

On August 13, 2024, NIST released the first three finalized algorithms designed to withstand the attack of a quantum computer, a development which in-house security leads as well as in-house counsel would do well to take onboard.¹ Quantum-resistant cryptography, also known as post-quantum cryptography, has made significant progress in recent years. The focus has been on developing algorithms that can withstand attacks from quantum computers, which pose a mortal threat to traditional cryptographic methods. As quantum computing advances, existing cryptographic methods will become vulnerable, making quantum-resistant cryptography essential. Indeed, NIST is urging companies to begin transitioning to the new system as soon as possible.

In recent years, quantum computing has seen significant advancements, decreasing the time companies have to get ahead of the problem—especially as malicious actors may steal and save today’s encrypted data to access in the future once they possess quantum capabilities. Notable developments include achieving quantum supremacy milestones, where quantum computers solved specific problems faster than classical ones. Additionally, quantum cloud services have expanded, allowing broader access to quantum computing resources. Progress has also been made in quantum hardware, improving the stability and error rates of quantum systems. The software ecosystem around quantum computing has matured, enabling more complex and scalable quantum algorithms.

The Office of the Director of National Intelligences predicts that quantum computing will be widely available within five to six years.² Although quantum computing poses a grave threat to traditional cryptography, it could also dramatically enhance AI's capabilities by enabling faster data processing and more complex computations, leading to breakthroughs in areas like drug discovery, climate modeling, and supply chain problems. However, this convergence also poses significant threats, including enabling more sophisticated and scalable attacks. Generative AI can be used to craft convincing phishing messages, deepfake media, and personalized social engineering tactics. AI-driven tools can also automate the discovery of vulnerabilities and the execution of attacks, making cyber-attacks more accessible even to less-skilled attackers.

Although adoption of NIST’s encryption algorithms is not legally binding, it is likely to form part of the basis of what is considered reasonable regarding data security, specifically the use of encryption, in the future. For lawyers involved in cybersecurity, data protection, and compliance, these standards could influence the regulatory and vendor management landscape, requiring organizations to update their cryptographic practices. Similarly, the intersection of quantum computing and AI will require organizations to evolve their defenses in the face of these amplified risks and will require their legal counsel to carefully navigate potential effects related to privacy and security.

This article is an update to our prior Insight, getting ready for quantum computing: Managing the quantum threat.

^{1 NIST Releases First 3 Finalized Post-Quantum Encryption Standards | NIST}

^{2 “Intelligence community leaders see five-year ‘window’ for securing AI against quantum,” https://insideaipolicy.com/ai-daily-news/intelligence-community-leaders-see-five-year-window-securing-ai-against-quantum.}

[View source.]