OECD Digital Economy Outlook 2024 (Volume 2)
Chapter 4. Key trends in digital security
Abstract
Digital security is a critical enabler of digital transformation and the global economy, which increasingly depends on digital products and services. Despite advancements in digital security policies, many challenges to reducing digital security risk remain. This chapter outlines one of the policy responses to those challenges – the growing use of security labelling and certification programmes for products and services. It also explains why managed service providers have become one of the main security targets in the supply chain. Finally, it unpacks the digital security implications of evolutions in cryptography and quantum computing.
Key findings
Labels and certifications are complementary tools to improve market transparency and trust
Certification can provide a basis for increasing trust but on its own is unlikely to influence purchasing decisions.
Combining certification with easily identifiable labels could help better inform users’ purchasing decisions. However, fragmented and divergent approaches to labelling and certification may create confusion and thus reduce their potential utility.
Managed service providers (MSPs) represent a global systemic risk in the supply chain
MSPs deliver, operate or manage information and communication technology services and functions for their customers, and are a critical part of the supply chain. However, because they have access to their customers’ infrastructures and networks, MSPs are attractive targets for malicious actors.
MSPs can become the weakest point in the chain of security, leading to massive downstream incidents.
Homomorphic encryption and quantum technologies have the potential to disrupt cryptography
Fully homomorphic encryption (FHE) can improve digital security by allowing software operations to run directly on data that remain encrypted, eliminating the risk of unencrypted data leaking during or after computation. However, computing power, energy and other constraints still limit the development of FHE.
Quantum information technologies have the potential to break some widely used encryption methods with ease. Consequently, they are expected to have a disruptive effect on cryptography, and thus on digital security. However, recent progress is boosting the development of defences via algorithms that could resist attacks powered by a quantum computer.
As the dependency of economies and societies on digital technologies and data increases, so does digital security risk. In response, governments are stepping up efforts to strengthen cybersecurity. More than two decades ago, governments began encouraging stakeholders such as businesses to adopt better risk management practices. They typically emphasised strategic priorities, such as the establishment of an appropriate institutional framework with clear responsibilities for cybersecurity policy making. They also focused policy efforts on operational support (e.g. through the establishment of a national incident response capacity). Today, most OECD members have an institutional cybersecurity framework.
Government priorities also included measures to enhance the digital security of critical activities such as the delivery of financial, energy, transportation and health services. Such measures stand at the intersection of digital security and critical infrastructure protection policies, generating significant national security implications. As such, they raise complex institutional challenges, which means they can take time to develop and implement.
Governments continue to improve and expand cybersecurity frameworks to further reduce digital security risk in an environment of growing threats and geopolitical tension. This chapter outlines some new digital security areas where governments are placing more policy attention than in the past.
Trends in certification and labelling for digital security
Policy makers are increasingly considering certification and labels to promote the digital security of products and services
Connected products and services have become an integral part of daily life in homes, businesses and infrastructure. They cross all sectors, including the most critical ones such as health, transportation and energy. While connected products and services underpin economic and social activities, they can also bring unexpected and harmful consequences in case of cyberattacks.
Digital products and services should be designed for security throughout their life cycle. While suppliers do not always meet a digital security “duty of care”, poor security practices and knowledge on the users’ side also heighten risk. Both factors therefore contribute to what could be considered a market failure: market forces alone do not produce adequate security by design or user awareness. Increasing market transparency and reducing information asymmetries is one approach to addressing the market failure (OECD, 2021[1]).
Certifications and labels are widely used in sectors such as food and energy to increase market transparency. Such tools reduce information asymmetries and ensure that products and services meet a certain level of quality or safety. Building on successes in other sectors, governments are increasingly developing and implementing labels and certifications for digital products and services through international and national initiatives.
European Union
The European Union launched a cybersecurity certification framework for information and communication technology (ICT) products, services and processes in 2019. The framework provides a comprehensive set of rules, technical requirements, standards and procedures that defines a mechanism to establish certification programmes throughout the EU membership. Ultimately, it seeks to harmonise both the security requirements for digital products and services, and the methodology for assessing them. Meanwhile, each member carries out its own certification process.
Three certification programmes, called “certification schemes” in the EU, are under development and defined by the European Union Agency for Cybersecurity (ENISA) (ENISA, 2019[2]). The first, known as EUCC, covers ICT security products such as firewalls, encryption devices and electronic signature devices. It also covers ICT products with inbuilt security such as routers, smartphones and bank cards. EUCC is based on an international standard called “Common Criteria” (Common Criteria, 2023[3]). The second programme, called EUCS, covers cloud services. The third one – EU5G – addresses 5G networks.
Each programme will specify the security requirements, the type of evaluation (self-assessment or third party), as well as the intended level of security assurance (basic, substantial and/or high). Implementing regulations are necessary for those programmes to enter into force in the European Union. The first implementing regulation draft for EUCC was released for comments in October 2023 (European Commission, 2023[4]).
EU cybersecurity certificates will be granted to certified ICT products, services and processes. No special EU label is foreseen. Certificates issued under the programme will be valid in all EU members for a limited duration. Extensions will be possible after a security re-assessment.
The EU cybersecurity certification framework is voluntary, but EU legislation linked to digital products and services increasingly makes use of certified products and services mandatory. Under the Network and Information Security (NIS)2 Directive, for instance, essential and important entities may need to use certified digital products, services and processes in accordance with the European certification programme (European Commission, 2022[5]).
Finland
Finland’s voluntary Cybersecurity Label, created in 2019, aims to help consumers make more secure choices when purchasing IoT devices or services (Traficom, 2019[7]). The label is mainly intended for smart consumer devices that collect and transmit data such as smart TVs, smart bracelets and home routers.
The label informs end-users that a given product or service meets a defined list of “security by design” requirements. It also guarantees that certain security features are updated for the duration set by the label. In addition, the label supports the competitiveness of companies that invest in their products’ security features from the outset and helps them anticipate compliance with future EU requirements on IoT security.
To earn the label, manufacturers must comply with the main security requirements defined by Traficom, the Finnish National Cyber Security Centre. These requirements are based on international IoT cybersecurity standards (ETSI, 2020[8]). A third party must verify products and services. The label, granted for a one-year period, can be renewed.
France
France’s “Security Visas” (ANSSI, 2016[6]), developed in 2016, is a voluntary programme for digital security products. Its labels aim to better inform purchasers of cyber security products and services about the level of security provided. The “Security Visa” label, issued by the French national cyber security agency (ANSSI), guarantees that products and services have been thoroughly evaluated.
The programme is mainly intended for critical entities and government authorities that need to use digital security products and services. However, it also enables manufacturers to gain a competitive advantage by displaying the “Security Visa” label on their products and services. Mainstream consumer products, such as Internet of Things (IoT) devices, are outside the scope of the programme.
The French security label encompasses “certification” and “qualification” components. Both include an independent evaluation of the products and services. However, the “qualification” label, though more complete, is also longer and more costly.
The certification process applies only to digital security products such as VPNs, firewalls and chip cards. It only verifies security targets defined by the product manufacturer. A certification can be granted for one to three years.
The qualification process applies to certain digital security products such as encryption or electronic signing devices, and certain security services such as for incident response. It verifies the robustness of all the security features in those products and services. In what amounts to a recommendation from the French government, it demonstrates compliance with certain regulatory, technical and security requirements. Critical infrastructures and French government authorities must use only qualified products and services. Products and services can be qualified for a maximum of three years.
Germany
In 2019, Germany introduced a voluntary IT Security Label to help consumers obtain information on the security functionalities of IT products and services (BSI, 2021[9]). Three categories of products and services can be granted the label: routers, e-mail services, and smart consumer devices connected with other end-consumer devices, such as smart TVs, smart speakers or smart toys. It is envisioned that Germany will make the IT Security Label available for other relevant product groups, such as devices in the smart home sector.
The label is affixed to devices or product packaging and contains a short link, as well as a QR code that links to a government information page. This page displays information about the security features of the device or service and any known security vulnerabilities.
The process for earning the label is based on self-declaration without third-party validation. Manufacturers must apply to the government agency in charge of the label (BSI). They declare their product or service meets certain predefined standards, such as governmental technical guidelines, basic international standards or industry standards. It is up to the manufacturer to ensure compliance with relevant requirements. The BSI, however, can carry out random checks. The label, granted for two years, can be withdrawn at any time for violation of the manufacturer’s declaration.
A separate programme in Germany certifies IT products and services used by critical infrastructures and the public sector. Under this certification, an independent evaluation checks the compliance of products and services against security requirements and standards. No specific label or marking is issued to demonstrate that a product or service has been successfully certified.
Japan
In March 2024, the Japanese Ministry of Economy, Trade and Industry (METI) published a draft policy on its IoT Product Security Conformity Assessment Scheme and opened a call for public comments that ran until 15 April 2024 (METI, 2020[10]).
The proposed programme will be voluntary and target a wide range of IoT products, including products indirectly connected to the Internet (excluding PCs, smartphones, etc.). The multi-level programme would establish security requirements to address minimum threats common to all targeted IoT products as a unified baseline (one-star level). It would also provide security requirements to address characteristics of each product category (two, three and four-star levels). METI aims to incorporate the programme into procurement requirements, including those of government agencies, critical infrastructure providers and local governments.
Under the proposal, labels would be granted for one- and two-star levels based on self-declarations of conformity by IoT product vendors. Three-star levels and above, which are intended for procurement use by government agencies, etc., require high reliability. Consequently, for such levels, labels will be granted based on a third-party evaluation by an independent test laboratory.
METI aims to start accepting self-declarations of conformity to the unified baseline criteria for all IoT products (the one-star level) and granting labels by March 2025. Discussions on the higher-level security conformance criteria to be developed per IoT product category (two-star levels and above) began in April 2024. The Information-technology Promotion Agency will operate the proposed programme.
Korea
Korea introduced security certification for IoT in 2017 to prevent security incidents and ensure the safety of various IoT products. As the security of IoT is closely linked to the safety of citizens and business, relevant laws have been updated accordingly to strengthen the security of digital products (Korea Ministry of Government Legislation, 2021[11]).
The Korean Ministry of Science and ICT co-ordinates implementation of IoT certification, and the Internet & Security Agency issues the certificates. The Korea Testing Certificate Institute and the Telecommunications Technology Association assess the technical aspects of IoT devices, including wall pads and medical devices. Once obtained, the certification is valid for three years with the possibility of a two-year extension.
Certification criteria comprise 50 items in seven areas: identification/authentication, data protection, password, software security, update, network security and hardware security (TTA, 2021[12]). They comply with international standards. Certificates come in three types: light (mandatory), basic (general) and standard (comprehensive).
In 2023, the Ministry of Science and ICT introduced the derivative model procedure as part of its certification programme to support its IoT manufacturing industry. This is expected to simplify the certification process for products with design changes that do not affect their security performance (Government of Korea, 2023[13]). In this way, the model encourages firms to release various products that meet market demands.
Türkiye
Türkiye developed a framework for certifying both domestic and foreign services and products. The framework conforms with international standards and considers the technical and functional aspects of the products, as well as secure software development criteria.
Under the Turkish Regulation on Authorisation of Participants in Public IT Service Procurement, certificates have been mandatory in IT service procurement tenders of public administrations since 2023 (Ministry of Industry and Technology, 2023[14]). The Ministry of Industry and Technology can issue three types of authorisation certificates for use in IT service procurement tenders: two for software and one for penetration testing. The certificates are for services, not products. They are granted for a one-year period and can be renewed. Selected companies get a certification document, with a number that can be verified on a government website.
Furthermore, the Cyber Security Products Testing and Certification Project was launched in 2019 to promote widespread use of reliable and mature cyber security products manufactured in Türkiye. The project involves determining criteria, testing and certifying products from various companies. Criteria for 11 product groups, mostly related to the technical functions of the products, were established with input from relevant stakeholders. The product groups comprise Firewall, SIEM, Data Loss Prevention, Vulnerability Management, Cyber Threat Intelligence, Endpoint Security (EPP-EDR), Governance Risk Compliance, Secure Messaging, Identity and Access Management, Video Conferencing and IoT products. Products tested against established criteria that pass the tests are entitled to receive a Product Conformity Certificate. The certificate is issued by a private company that is a subsidiary of several public institutions (TRtest, 2024[15]). As the initiative is not mandatory and the certificate does not have national validity, products that receive a Product Conformity Certificate are encouraged to get involved in public sector projects.
United States
In 2022, the United States launched a national cybersecurity labelling programme, the “US Cyber Trust” for IoT devices (FCC, 2023[16]). The programme, managed by the Federal Communications Commission, aims to raise consumers’ knowledge about their purchased products and incentivise manufacturers to meet higher digital security standards. The programme covers widely used consumer products, including smart refrigerators, smart microwaves, smart televisions and smart fitness trackers. Digital services are out of its scope.
The programme draws on voluntary commitments from manufacturers that have agreed to a certification programme based on cyber security criteria developed by the National Institute of Standards and Technology (NIST). These criteria include unique and strong default passwords, data protection, software updates and incident detection capabilities. Manufacturers that commit to the defined security requirements will be able to mark their products with a distinct shield logo together with a QR code that will link to a national registry of certified smart devices. The programme, which began in 2024, has been developed with the participation of several major IoT retailers.
Singapore
In 2020, as part of efforts to improve IoT security and raise overall cyber hygiene, Singapore launched the Cybersecurity Labelling Scheme for consumer smart devices (CSA, 2020[17]). This voluntary programme is managed by the Cyber Security Agency of Singapore (CSA) – the national cybersecurity agency. It provides different levels of digital security ratings to help users make informed choices about the security features of their smart devices.
The programme was introduced to cover widely used products such as Wi-Fi routers and smart home hubs. However, it has since been extended to include all categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers. Services are outside the scope of the programme.
The label on the product package indicates the level of security assurance with one to four stars, together with an individual product ID and a QR code. The QR code directs users to the CSA website for more details, including the validity period of the label. This period, which lasts up to three years, represents how long developers will support devices with security updates.
One or two stars can be obtained through self-declaration of compliance with baseline security requirements and standards. An evaluation by an independent third-party testing laboratory is required to obtain three or four stars.
Singapore has developed international arrangements to foster recognition of certified products. It signed three separate mutual recognition agreements with Finland, Germany and the Connectivity Standards Alliance (CSA, 2022[18]).
Analysis of current labelling and certification programmes
Various countries around the globe have diverse approaches to product certification and labelling. Table 4.1 presents an overview of the labelling and certification programmes described above. Some countries, like Finland, France and Singapore, opt for combined certification and labelling. This entails the issuance of labels after a thorough certification process or some form of evaluation.
However, the scope and focus of these programmes vary significantly among nations. While Finland, Germany, Japan, Singapore and the United States concentrate on mainstream consumer devices, Korea emphasises IoT devices and mobile apps. Conversely, the European Union, France and Türkiye have distinct targets for their labelling and certification initiatives.
These programmes are voluntary. However, some jurisdictions, such as the European Union and Türkiye, are developing legislation that moves them towards potential mandatory compliance.
Interestingly, the development of these programmes predominantly occurs at the national level. Finland, France, Germany, Korea, Singapore, Türkiye and the United States lead the way for national approaches. The European Union stands out with its regional approach to labelling and certification.
The diversity of labels is striking, ranging from simple logos to comprehensive rating systems. Additional information embedded in these labels, such as QR codes linking to websites, product IDs or expiry dates, further enhances consumer transparency and awareness.
Definitions of certifications and labels can vary across sectors and countries (OECD, 2021[1]). However, the summary above demonstrates that both certifications and labels are an attractive tool for policy makers. They help increase transparency and indicate the level of digital security of products and services.
Table 4.1. Overview of current labelling and certification programmes
| Jurisdiction | Label / certification | Implementation year | Scope | Compulsory / voluntary | Type of programme | Type of label | Label or certif. duration |
|---|---|---|---|---|---|---|---|
| European Union | Certification | 2019 | ICT products, services and processes | Voluntary unless required by EU legislation | Regional | None | Not specified |
| Finland | Labels | 2019 | Mainstream connected products and services | Voluntary | Governmental | Simple logo | One year |
| France | Certification | 2016 | Security products and services | Voluntary | Governmental | Simple logo | From one to three years |
| Germany | Label | 2019 | Specific connected products and services | Voluntary | Governmental | Simple logo + QR code | One year |
| Japan | Label | 2024 | Mainstream connected products | Voluntary | Governmental | Rating logo + QR code | Two years |
| Korea | Certification | 2018 | IoT devices and mobile apps | Voluntary | Governmental | Simple logo | Three years |
| Türkiye | Certification | 2019 | Security products | Voluntary | Private | None | One year |
| Türkiye | Certification | 2023 | Public ICT services | Mandatory | Governmental | None | Not specified |
| United States | Label | 2024 | Mainstream connected products | Voluntary | Governmental | Simple logo + QR code | Not specified |
| Singapore | Label following a certification process for certain products | 2020 | Mainstream connected products | Voluntary | Governmental | Rating logo + ID of the product + QR code | From one to three years |
Certifications and labels are two separate but complementary tools to improve market transparency and trust. Both present advantages and disadvantages. Table 4.2 summarises the differences between certifications and labels.
Table 4.2. Simplified view of the differences between certifications and labels
| | Certification | Label |
|---|---|---|
| Definition | A formal procedure that verifies whether products and services comply with predefined standards, norms or guidance. | A visual indication to signal adherence to specific norms or standards without a formal verification procedure. |
| Main targets | Industries, governmental administrations. | Consumers. |
| Pros | Market differentiation: competitive advantage for manufacturers and service providers. B2B trust: enhanced credibility and trust in B2B contexts. Enhanced security guarantees: involves rigorous audits or assessments. International recognition: certifications often rely on compliance with international standards, which can enhance international operability. | Market differentiation: competitive advantage for manufacturers and service providers. B2B trust: enhanced credibility and trust in B2B contexts. Non-expert friendly tool: easy for consumers to understand, aiding informed decisions without technical expertise. Accessibility: may be more accessible for SMEs in terms of cost and process. Cost: not too expensive and time-consuming to obtain and maintain. |
| Cons | Limited security assurance: security threats and vulnerabilities evolve, and certification may become outdated. Furthermore, certifications may not cover all aspects of a product’s security. Confusion: the technicality and diversity of certifications among countries can create confusion as to their real meaning and value. Not a non-expert friendly tool: technical expertise is necessary to understand what certifications are and imply. Accessibility: might be complex and cumbersome, especially for SMEs with limited resources. Cost: can be expensive and time-consuming to obtain and maintain. | Limited security assurance: may not provide thorough assurance of digital security practices due to simplified validation mechanisms. Confusion: risks oversimplifying digital levels of security, potentially misguiding consumers. Limited security guarantees: only based on self-assessments with fewer security guarantees. Limited international recognition: labels do not necessarily rely on compliance with international standards, which can make it more difficult to obtain international recognition. |
| Pros and cons | Liability: might influence liability considerations in case of cybersecurity incidents. | Liability: might influence liability considerations in case of cybersecurity incidents. |
Note: B2B = Business to business; SMEs = Small and medium-sized enterprises.
Labelling and certification programmes for digital products and services are meant to improve digital security. While each country’s approach could be distinct, some baseline approaches could still be considered:
User-centric approach: labels and certifications should be designed with user comprehensibility and accessibility in mind. Feedback mechanisms could gather users’ views on the efficiency of certification and labelling to continually refine and enhance the mechanisms and criteria.
Consumer education: awareness campaigns could enlighten consumers on the relevance of certifications and labels and what they mean.
Inclusion of SMEs: more streamlined and accessible certification and labelling processes for SMEs could facilitate their adherence to digital security and could improve their competitiveness.
Co-operation of stakeholders: collaboration between governments, industries, academia and other stakeholders in the digital security ecosystem could be promoted. Collaboration would enable stakeholders to share insights, challenges and solutions pertaining to certification and labelling of digital products and services.
Policy frameworks: policy makers could explore mechanisms that incentivise organisations to adopt and comply with certification and labelling programmes.
Mutual recognition and international initiatives: efforts towards recognition of certification and labelling arrangements or establishment of global harmonised programmes could avoid redundancy and facilitate international trade. Fragmentation increases unnecessary costs, constrains competitiveness, and reduces the reliability of certificates and the security assurances themselves.
Different security options could be considered when defining certification and labelling programmes. These include requirements for unique and strong default passwords, data protection, software updates and incident detection capabilities, as well as distinct shield logos or QR codes linking to a national registry of certified smart devices.
Technical advancements, such as artificial intelligence, will also surely have an impact on labelling and certification. Artificial intelligence could become part of certification and labelling processes, while automating compliance verifications. It could also provide real-time updates regarding security features, flaws and information on upcoming end-of-support or end-of-life.
One potential challenge with labelling and certification is the level of adoption as most programmes are voluntary.
While certification and labelling programmes are promising, policy makers may also decide not to use them to enhance the digital security of products and services. Instead, they may resort to a law. In 2019, the UK government considered a voluntary label for IoT security. However, a public consultation highlighted important gaps that voluntary labels may not address. Consequently, it opted for a regulatory approach through legislation passed in 2022. The law requires manufacturers of smart products, as well as businesses involved in related supply chains, to meet certain security requirements. The law, which was to come into effect in April 2024, empowers the UK government to take enforcement measures in the event of non-compliance.
Over the years, certification and labelling programmes have been developed to enhance the digital security of products and services, as well as transparency, to enable informed decision making. The main challenge now is to cope with the multiplication of programmes that apply to different types of products and services.
Managed service providers are a major target for threat actors in the supply chain
Managed service providers (MSPs) – which deliver, operate or manage ICT services and functions for customers through contracts – are critical actors in the ICT supply chain (CISA et al., 2022[19]). MSPs manage and oversee certain aspects of their clients’ computer systems. The scope of their contracted services can be large, ranging, for instance, from network management, software updates and data backup to recovery and support. MSPs can be found throughout the supply chain of many organisations of varying sizes and across sectors. They enable customers to focus on their core operations, while benefiting from enhanced IT performance and expertise. The global managed services market, valued at nearly USD 279 billion in 2022, is expected to exceed USD 400 billion in 2026 (Statista, 2023[20]). MSPs are increasingly vital to the continuity of critical infrastructure and business operations all over the world.
MSPs enjoy privileged access to their customers’ infrastructures and networks. To perform their activities and meet clients’ needs, MSPs rely on “remote monitoring and management” tools to monitor customers’ IT systems and networks. Generally, MSPs install a software “agent” with a small footprint in their customers’ information system to deploy remote monitoring management services. This agent then feeds information about the IT environment and reports back to the MSP. Such tools allow MSPs to gain insight into their client’s networks in order to maintain their systems by deploying patches and updates, and to intervene without visiting their physical locations.
Because they have a direct, trusted and privileged access to their customers’ networks, MSPs are attractive targets for malicious actors. With a single successful attack on a single MSP, an attacker can leverage such privileged access to breach all or many of the MSPs’ customers, including those operating in critical activities and government agencies. When successful, this one-to-many attack can be remarkably effective. It can allow attackers to expand their strategy to micro, small and medium organisations that would otherwise not be worth attacking. As MSPs are pervasive across all sectors’ supply chains globally, they represent a global systemic risk.
In hindsight, the so-called SolarWinds attack in 2020 was a wake-up call for the vulnerability of MSPs. While the US-based SolarWinds provided a routine update to customers’ systems, attackers embedded stealthy malware in the code applied to their systems. This “supply chain attack” compromised FireEye, one of the most well-known cyber security MSPs, which was also using SolarWinds’ software. It took months before these organisations realised they had been victims of one of the most important and sophisticated cyberattacks ever. Confirmed victims included the US National Institutes of Health, the Cybersecurity and Infrastructure Security Agency, the Federal Aviation Administration and the Department of Justice, as well as companies such as Equifax, Cisco Systems, Microsoft, Nvidia and Palo Alto Networks. This single attack allowed malicious actors to steal vast amounts of data, ranging from military secrets to corporate intellectual property (Zetter, 2023[21]).
Supply chain attacks represent one of the most important cyber threats. According to the 2022 ENISA Threat Landscape, malicious actors have an increased interest in, and exhibit increasing capabilities for, supply chain attacks (Svetozarov Naydenov et al., 2022[22]). In 2021, ENISA identified supply chain compromises as the second most prevalent initial infection vector. In addition, supply chain attacks accounted for 17% of intrusions in 2021 compared to less than 1% in 2020 (Mandiant, 2022[23]).
In most countries, unregulated customers of MSPs reside outside critical sectors. They are primarily small or medium enterprises that lack the resources, skills and scale to carry out the service and manage the related risk themselves. Instead, they outsource the service to the MSP, without necessarily understanding the risk.
Furthermore, these customers often believe, based on the legal or contractual obligations, that when they outsource the service, they also relieve themselves of managing the associated risk. The MSP does not typically share this assumption. On the supply side, this may result in insufficient incentives for MSPs to invest in security and use security as a market differentiator (OECD, 2023[24]).
MSPs can become the weakest point in the chain of security. While most MSPs do pay attention to digital security, a misalignment of incentives can contribute to limited investments. However, when they serve large customers or customers in critical sectors, MSPs are more likely to embed better security in their service and sell products at a higher cost.
Furthermore, board members who are personally liable for security can also hold the leadership team accountable for implementing robust security that they can validate independently. These firms often have a Chief Information Security Officer and buying power, thereby strengthening MSPs’ incentives to invest in digital security. Larger firms may also be better placed to shift towards a “zero trust” security model, thereby incentivising their MSPs to follow this trend as well (Box 4.1).
More specifically, managed security service providers (MSSPs) generally have a higher level of digital security due to the nature of their business. MSSPs specialise in security solutions such as intrusion detection and prevention, or firewall management. This makes them difficult but even more interesting targets for attackers, as demonstrated in the SolarWinds case that compromised FireEye.
Until the 2010s, there seemed to be a clear distinction between the MSPs focusing on providing various IT solutions, such as network management, software updates, or data backup and recovery, and the MSSPs. However, these distinctions have begun to blur in recent years. Clients are more willing to address all their IT needs with a single service provider, although MSPs may differ regarding security considerations and maturity.
Box 4.1. “Zero trust” approach: The future need-to-be security model?
Security perimeters are no longer relevant
The widespread adoption of the IoT, artificial intelligence, cloud technologies and teleworking has created a broader attack surface. This has redefined the traditional notion of security that places threats “inside” or “outside” a perimeter. Consequently, security models have increasingly shifted towards a “zero trust” approach, which would simplify security by levelling up the types of controls that organisations have to implement.
Zero trust operates under the principle of “never trust, always verify”, thus assuming all connections to be potential threats
Instead of defining a perimeter and trusting anything inside while racing to block threats from the outside, “zero trust” systematically verifies permissions and trusts nothing by default. Furthermore, a “tipping and cueing” system can also help detect and address malicious actors in a system. A first layer of controls may provide low-resolution evidence about an anomaly within an infrastructure. This allows a second layer of controls to zoom-in at a higher resolution, investigate the intruder proactively and prevent it from breaching assets.
The adoption of such a “zero trust” approach and “tipping and cueing” system will take time and significant investment. However, the combination of a digitally dependent global economy, ever more sophisticated threats and geopolitical tensions calls for considering new security models.
Source: OECD (2023[24]).
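The box contrasts a perimeter model with “never trust, always verify” and describes a two-layer “tipping and cueing” detector. The following is an added example (not code from the OECD chapter or from any product) that makes both concrete: every request is checked for identity, device posture and least-privilege authorisation regardless of source network, and a cheap first-layer count of denials cues a second-layer investigation. All networks, tokens, device identifiers and resources are constructed.

```python
"""Perimeter trust vs zero trust, with a "tipping and cueing" detector.

Added example, not code from the OECD chapter; every identifier here is
constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")                  # constructed "inside" range
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # constructed identities
COMPLIANT_DEVICES = {"laptop-a1", "laptop-b7"}            # devices passing posture checks
# Least-privilege grants: identity -> resources it may reach (constructed).
GRANTS: Dict[str, Set[str]] = {"alice": {"hr-db"}, "bob": {"backup-api"}}


@dataclass
class Request:
    src_ip: str
    token: str
    device_id: str
    resource: str


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything arriving from the internal network is trusted."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Every request is verified on its own merits; the source network is irrelevant."""
    user = VALID_TOKENS.get(req.token)
    if user is None:
        return False, "identity not verified"
    if req.device_id not in COMPLIANT_DEVICES:
        return False, "device posture not verified"
    if req.resource not in GRANTS.get(user, set()):
        return False, "not authorised for resource"
    return True, "verified"


@dataclass
class TippingAndCueing:
    """Layer 1 ("tipping") keeps a cheap, low-resolution count of denials per source.

    When the count crosses the threshold, the source is "cued" for a
    higher-resolution second layer (e.g. full session capture, analyst review).
    """
    threshold: int = 3
    denials: Dict[str, int] = field(default_factory=dict)
    cued: Set[str] = field(default_factory=set)

    def observe(self, req: Request, allowed: bool) -> bool:
        if allowed:
            return False
        count = self.denials.get(req.src_ip, 0) + 1
        self.denials[req.src_ip] = count
        if count >= self.threshold:
            self.cued.add(req.src_ip)   # hand off to the high-resolution layer
            return True
        return False


def run_scenario() -> List[Tuple[bool, bool, str, bool]]:
    """Constructed traffic: an internal host replays a stolen token from an
    unmanaged device. The perimeter model waves everything through; zero trust
    denies each attempt and the detector cues the source after three denials.
    Returns (perimeter_allowed, zero_trust_allowed, reason, cued) per request."""
    detector = TippingAndCueing()
    traffic = [
        Request("10.1.2.3", "tok-alice", "laptop-a1", "hr-db"),      # legitimate
        Request("10.1.2.99", "tok-alice", "unknown-dev", "hr-db"),   # stolen token
        Request("10.1.2.99", "tok-alice", "unknown-dev", "backup-api"),
        Request("10.1.2.99", "tok-xyz", "unknown-dev", "hr-db"),     # invalid token
    ]
    results = []
    for req in traffic:
        allowed, reason = zero_trust_decision(req)
        cued = detector.observe(req, allowed)
        results.append((perimeter_decision(req), allowed, reason, cued))
    return results


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```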
MSPs are just one major actor among many in an increasingly complex and opaque supply chain. Organisations rely on a complex ecosystem of suppliers that increasingly include MSPs. In addition to offering their own services, MSPs work with other providers such as cloud services or critical software vendors. This creates a network that can be complex and opaque to enterprise customers and end-users.
Those two kinds of providers may operate for the MSPs, but they may also have a direct relationship with end-users. Cloud service providers handle the ICT needs of their customers via cloud services, thereby creating direct and privileged access to customers’ data and infrastructures. Similarly, critical software vendors are of paramount importance in the supply chain of public and private organisations.
Critical software is defined as software essential for the functioning of an organisation. Critical software can control access to data, have privileged access to the infrastructures, and perform critical functions such as network control and protection, and endpoint security (NIST, 2021[25]). In the case of SolarWinds, Orion’s IT performance management and monitoring system had privileged access to customers’ systems to produce and distribute updates. Moreover, MSPs themselves can even be software providers and cloud providers, which increases the complexity of their attack surface.
As the risks targeting MSPs and the supply chain in general are global, the solution needs to be collective. Because the supply chain will keep increasing in complexity (N-able, 2022[26]), its dependencies could be clarified for a comprehensive view of all the entities in the supply chain. This could be a first step to better risk management of the supply chain through security measures.
The rise of attacks on MSPs demonstrates that malicious actors understand the potential for their exploitation, but government authorities are responding to the threat. Incidents such as Cloud Hopper (CISA, 2019[27]) and Kaseya (CISA, 2021[28]) may indicate that MSPs will remain an attractive target for malicious actors. In response, jurisdictions are addressing MSPs as a new threat vector. For example, the European Union’s NIS2 Directive requires essential and important entities to incorporate cybersecurity risk management when dealing with such providers (European Commission, 2022[5]).
In addition, the European Union is considering adoption of the European cyber security certification programmes for “managed security services” under the Cyber Security Act (European Commission, 2023[29]). In May 2022, cyber security authorities of Canada, New Zealand, the United Kingdom and the United States released a joint advisory on how to protect against cyber threats to MSPs and their customers (CISA et al., 2022[19]). This advisory lists recommendations for MSPs and their customers to reduce their risk of falling victim to malicious actors. Such initiatives, which complement individual governmental approaches, are necessary to tackle a borderless and increasing risk (CISA et al., 2022[19]). As such, understanding the security practices of, and market dynamics around, MSPs can help in developing approaches to enhance MSPs’ security.
Emerging technologies: Evolutions in cryptography technologies
Throughout history, cryptographers have continuously researched new methods and techniques to improve on the cryptographic status quo of their time and respond to new threats. The last disruptive cryptographic innovation was probably the discovery of asymmetric cryptography in the 1970s, widely adopted 25 years later with the advent of the Internet. Two current areas of research could disrupt today’s cryptography status quo, with tremendous potential economic and social consequences: homomorphic encryption and quantum information technologies.
Is homomorphic encryption the “Holy Grail” of cryptography?
Homomorphic encryption (HE) is a cryptographic method allowing certain computations to be performed on encrypted data without the need for decryption or access to the secret key. Such computations remain encrypted and can later be revealed by the owner of the secret key (Homomorphic Encryption Standardization, 2024[30]).
Fully homomorphic encryption (FHE) has been described as the “Holy Grail of cryptography” (Tourky, ElKawkagy and Keshk, 2016[31]) and “a technology that will change the world” (Paillier, 2020[32]). FHE allows arbitrary operations on encrypted data in unconstrained combinations. With FHE, programmes can run directly on encrypted data, eliminating the risk of data leakage during or after computation. Other forms of HE, such as partially and somewhat homomorphic encryption are more limited in the number or types of operations they allow over encrypted data.
In principle, FHE has a wide variety of potential applications. For example, sensitive data could be computed in an untrusted cloud environment. Consequently, malicious actors attacking the cloud provider’s system would be as blind as the provider itself with respect to the homomorphically encrypted data and processing outputs. This would significantly reduce the risk of data breach.
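To make the homomorphic property and the “partially homomorphic” limitation concrete, here is an added example (not code from the OECD chapter or from any HE library) of the Paillier cryptosystem, which is additively homomorphic: an untrusted party holding only the public key and ciphertexts can compute the encrypted sum of several organisations’ values, and only the secret-key holder can read the result. The primes and the transaction amounts are constructed and demo-sized; a real deployment uses primes of 1024 bits or more.

```python
"""Partially homomorphic encryption demo (Paillier scheme).

Added example, not code from the OECD chapter. Ciphertext multiplication
yields the encryption of the plaintext SUM; it cannot multiply two
encrypted values, which is the gap that fully homomorphic encryption closes.
"""
import math
import secrets

# Constructed demo primes: far too small for real use.
P = 1_000_003
Q = 1_000_033


def keygen(p=P, q=Q):
    """Return (public_key, secret_key) for Paillier with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(n)
    # With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts
    give different ciphertexts and the cloud cannot spot repeated values."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, sec, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = sec
    n2 = n * n
    u = pow(c, lam, n2)
    l_value = (u - 1) // n
    return (l_value * mu) % n


def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 = E(m1 + m2): computed without the secret key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 = E(k * m): multiply an encrypted value by a known constant."""
    n, _ = pub
    return pow(c, k, n * n)


def untrusted_sum(pub, ciphertexts):
    """What an untrusted cloud can do: aggregate inputs it cannot read."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    """Three organisations submit encrypted amounts (constructed values);
    the cloud sums them blind; the key holder decrypts the total.
    Returns (decrypted_sum, result_of_decrypting_E(a)*E(b))."""
    pub, sec = keygen()
    amounts = [1200, 350, 9001]
    encrypted = [encrypt(pub, a) for a in amounts]
    total = decrypt(pub, sec, untrusted_sum(pub, encrypted))
    # Partially homomorphic: E(a) * E(b) decrypts to a + b, never to a * b.
    not_a_product = decrypt(pub, sec, add_encrypted(pub, encrypted[0], encrypted[1]))
    return total, not_a_product


if __name__ == "__main__":
    s, ab = demo()
    print("decrypted sum of encrypted inputs:", s)
    print("decrypting E(1200) * E(350) gives 1200 + 350 =", ab)
```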
Moreover, with FHE the cloud platform’s location would no longer be a relevant criterion for choosing a cloud provider.
In certain cases, FHE would eliminate the risk of governments leveraging cloud providers and data transfers under their jurisdiction for monitoring (Paillier, 2020[32]). This could occur as long as no additional obligations, such as the custody of FHE keys, are imposed on cloud providers.
Third parties could perform analytics without threatening the confidentiality of sensitive data in key areas. These areas include health care (e.g. applying machine learning to genome data for medical research), finance (e.g. analysing transaction records) and law enforcement (e.g. detecting tax evasion, preventing crime, carrying out investigations) (Koerner, 2021[33]). Third parties could also query if specific data exist in a data store without revealing the contents of the query or information about the data store (Creeger, 2022[34]).
FHE could enable data sharing for machine learning in areas once considered impossible or highly undesirable due to lack of trust, including finance (Masters and Hunt, 2019[35]).
Stakeholders could use FHE to analyse confidential data from multiple organisations without these organisations having to share the data and results from the computations among themselves or with others. This has been implemented on the SCRAM platform developed at the Massachusetts Institute of Technology.
FHE can also be viewed as a powerful privacy-enhancing technology (OECD, 2023[36]). As such, it could bring a considerable amount of privacy protection to everyday applications. With FHE, for example, no personal data would have to be shared with GPS navigation providers, biometric identification, voice assistant or other services to benefit from their services (Zama, 2024[37]).
HE enthusiasts even envision a next generation FHE-enabled HTTP, the protocol of the web. In this scenario, everything, including data processing, is encrypted by default (Zama, 2024[37]). FHE allows for computation even if the environment is known to be compromised by an attacker (Jordan, 2021[38]). Consequently, it could also be viewed as a building block for a “zero trust” environment.
For now, however, the “Holy Grail” remains more of a dream than a reality due to several important limitations of HE and FHE. While HE has progressed considerably over the last 40 years, it is still evolving. FHE, too, is not yet fully mature. Since the concept was proposed in 1978, four generations of improved FHE have been developed. Each has pros and cons in terms of efficiency and security (van den Nieuwenhoff, 27 May 2021[39]). Today, there are significant limitations to FHE:
FHE is computationally intensive, slower, less efficient and more energy-consuming compared with processing the same data unencrypted. A computation that would take a millisecond to complete on a standard laptop would take weeks to compute on a conventional server running FHE (DARPA, 2021[40]). Current FHE processing can be from 1 000 to 1 million times slower than the equivalent plaintext processing (Mattsson, 2021[41]), at least until FHE-designed acceleration chips are available (DARPA, 2021[40]; Intel, 2021[42]).
FHE is also limited in multi-user environments such as outsourced processing. Multi-user HE has been developed but uses several keys, increasing the size of the encrypted data according to the number of users. This, in turn, increases both computation and communication cost proportional to the number of users (Park, 2021[43]). This limitation reduces the potential for some scenarios such as government analysis of financial data for detecting tax evasion.
It can raise correctness challenges because it generates noise that can accumulate over time and distort the results (Yang et al., 2023[44]). Implementing FHE or other HE computations in a cloud environment does not guarantee accuracy (Fernàndez-València, 2022[45]).
It is potentially vulnerable to many types of attacks (Yang et al., 2023[44]).
It is still neither beginner-friendly nor user-friendly and is difficult to understand for programmers who are not also cryptographers (van den Nieuwenhoff, 2021[39]). Some stakeholders, such as Intel, are working to improve HE usability to accelerate HE adoption (Intel, 2024[46]).
HE standardisation is still at an early stage. In 2019, the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) published a standard addressing some mechanisms for homomorphic encryption. It included a “general model” for HE. The US National Institute of Standards and Technology (NIST), the ITU-T Study Group 17 on security, as well as an open consortium of industry, government and academia called HomomorphicEncryption.org, are working on HE standardisation (Albrecht et al., 2018[47]; ISO/IEC, 2019[48]; ITU, 2023[49]; ITU, 2022[50]; NIST, 2023[51]).
Overall, HE and FHE hold promise for significant change in the security landscape with important economic repercussions across all sectors. However, while some HE applications are already in place, FHE does not seem to be ready for everyone to use. According to a well-known cryptographer, “fully homomorphic encryption is today where deep learning was 10 years ago” (Paillier, 2020[32]). It is not clear how much time FHE will need to reach the inflection point after which wide and rapid adoption will follow.
Quantum information technologies: Between cryptographic disruption and innovation
Once mature, quantum information technologies are expected to have a disruptive potential in many areas, including cryptography (Barker, Polk and Souppaya, 2021[52]). For example, a mature quantum computer could in theory easily break some widely used encryption methods. On the more positive side, recent progress in quantum computing is boosting cryptographic innovation. In particular, algorithms are being developed to resist attacks powered by a quantum computer. Furthermore, research on quantum technologies creates opportunities for new cryptographic approaches. These approaches, known as “quantum cryptography” and “quantum key distribution”, are based on the laws of quantum physics rather than mathematics.
Quantum computing is a new computing paradigm expected to allow complex computations on a massive scale. It aims to leverage the properties of nature at atomic scales to accomplish tasks not achievable with existing technologies. Initially proposed in 1982, quantum computing has become an established interdisciplinary research area between physics, computer science and engineering involving universities, research centres and companies worldwide (BSI, 2021[53]).
In quantum computers, information is encoded in qubits instead of bits. In traditional computers, a binary digit (bit) reflects the state of a physical transistor that acts like a tiny on-off switch, so each transistor holds either a 0 or a 1. In contrast, a qubit represents a property called “spin”. This is the intrinsic angular momentum of an electron, akin to a tiny compass needle that points either up or down.
Quantum computers manipulate that needle to encode information into the electrons. In so doing, they leverage the possibility of quantum systems to exist in two or more states simultaneously (superposition) to encode the information as 0, 1 or a combination of 0 and 1 at the same time (Nellis, 2022[54]). They also leverage the possibility to intrinsically link qubits (entanglement). In this way, when one qubit is acted upon, such as through measurement, it can reveal information about the other linked qubits regardless of distance. This allows quantum computers to perform parallel computations on entangled qubits (GAO, 2021[55]).
The exponential potential of quantum computers
Quantum computers are expected to demonstrate a gigantic extension of both processing power and speed. The number of possible states in a traditional computer doubles with each additional bit and therefore scales linearly with the number of bits. However, the number of possible states in a quantum computer increases exponentially with the addition of each qubit (Congressional Research Service, 2022[56]).
In theory, quantum computers could outperform the power of classical computers by several orders of magnitude. This would make it possible to solve certain problems much faster. Quantum computers could even solve problems that classical computers cannot solve within a reasonable timeframe, known as “quantum supremacy” or “quantum advantage” (Preskill, 2012[57]). For example, it would take about 18 quadrillion bits (i.e. 2^54 bits) of classical memory to model a quantum computer with just 54 qubits. As of 2019, only one classical supercomputer – the IBM Summit – had such capacity. Modelling a 72-qubit quantum computer would require 2^72 bits, which would require stacking 262 000 Summit-type supercomputers. Modelling a 100-qubit quantum computer would require more bits than there are atoms on the planet. Moreover, a 280-qubit computer would require more bits than there are atoms in the known universe (Sedik, Malaika and Gorban, 2021[58]).
In addition, quantum algorithms leveraging quantum properties differ from algorithms designed to run on classical computers, and can considerably reduce the time needed to perform specific tasks. For example, the best-known quantum algorithms (Grover and Shor) yield a polynomial speedup and an exponential speedup, respectively. In a polynomial speedup, a quantum computer solves a problem in time T (say, 1 000 steps) while a classical computer needs time T^2 (i.e. 1 million steps) to solve the same problem. In an exponential speedup, a quantum computer takes time T (say, 100), while a classical computer takes time 2^T (i.e. 2^100), which is a 31-digit number (Sedik, Malaika and Gorban, 2021[58]).
However, such figures are purely theoretical because building a quantum computer with sufficient computing qubits to perform useful tasks is extremely complex. Despite enthusiastic announcements and optimistic forecasts by some stakeholders, few independent experts predict a timeframe for the maturity of quantum computing. This is in part because of the significant design and engineering challenges. For example, researchers and engineers must isolate a quantum computer completely from the world around it to protect the fragile state of the qubits. At the same time, it must allow interactions with the qubits to control them (IQC Canada, 2024[59]; BSI, 2021[53]).
The loss of information due to environmental noise, called quantum decoherence, increases with the number of qubits. This requires maintaining current quantum computers at temperatures close to absolute zero (−273.15 °C, −459.67 °F). Quantum error correction techniques can address decoherence, but they require additional qubits.
Error correction in quantum computers is a challenge that may never be overcome
Public announcements of major progress in quantum computing engineering reported only through an out-of-context number of qubits must be taken with caution. While it is an active area of research, no one is willing to predict how long it will take researchers to master error correction (Cho, 2020[60]). Furthermore, quantum algorithms are much more difficult to design than classical ones. According to some experts, only a few dozen quantum algorithms had been developed as of 2019 (Vardi, 2019[61]).
According to a 2019 consensus report of the US National Academies of Sciences, Engineering and Medicine, “it is impossible to project the timeframe for developing a large, operational, error-corrected quantum computer, and while significant progress continues, there is no guarantee that all these challenges will be overcome”. In this report, experts note that “the process of bridging this gap might expose unanticipated challenges, require techniques that are not yet invented, or shift owing to new results of foundational scientific research that change our understanding of the quantum world” (Grumbling and Horowitz, 2019[62]). In fact, some researchers have even expressed scepticism over the feasibility of ever building a mature quantum computer that can achieve useful tasks (Kalai, 2011[63]; Dyakonov, 2018[64]).
According to the German Federal Office for Information Security (BSI), the point where quantum computers can no longer be simulated by current supercomputers was reached in 2019. Design limitations prevented impacts on the robustness of current cryptography. However, quantum processors are still several orders of magnitude away from cryptography attacks. An enormous effort would be needed to scale up quantum computing technologies to a cryptographically relevant level (BSI, 2021[53]).
Like quantum computing, quantum communication also makes use of the laws of quantum physics to transmit information via quantum particles such as single photons of light through optical fibre or free space (Kristjánsson, Gardner and Chiri, 2021[65]). Superposition can be exploited to allow quantum particles to travel along multiple lines of communication simultaneously, making the information less susceptible to errors during transmission. Entanglement allows the transfer of quantum information across large distances, whereby the sender holds half of the entangled photons and the receiver holds the other half. Quantum information is transferred via a combination of entanglement and classical communication. Information is encoded in controllable parameters of the photons such as their polarisation. To control the property of individual photons and address noise challenges, the sender and receiver use specialised generation and detection devices. These require conditions such as complete isolation and cryogenic temperatures (below -153°C, -243°F). Importantly, quantum computing is necessary, albeit on a simple level, for quantum communication (Ofcom, 2021[66]).
The quantum computing race has begun, inspired by the considerable potential benefits. Quantum information technologies could support advances in areas such as materials science, pharmaceuticals, energy and finance (The White House, 2022[67]). They are thus attracting the attention and investments of public and private stakeholders. In 2022, private investors poured USD 2.35 billion into quantum technology start-ups (Bogobowicz et al., 2023[68]). Furthermore, many OECD countries are adopting national quantum strategies and allocating significant research budgets, as illustrated in Table 4.3.
Table 4.3. Public sector research investments in quantum technologies in select countries
| Country / region | Strategy, policy instrument | Budget | Timeframe |
|---|---|---|---|
| Canada | National Quantum Strategy (2023) | USD 760 million (CAD 1 billion); USD 272 million (CAD 360 million) | 2012-23; 2023 |
| European Union | Quantum Technologies Flagship (2017) | EUR 1 billion | 2018-27 |
| France | Stratégie Nationale Quantique (2021) | EUR 1 billion | 2021-25 |
| Germany | Research funding; Quantum Technologies Action Concept (2023) | EUR 650 million; EUR 2.18 billion | 2018-22; 2023-26 |
| India | National Quantum Mission (2023) | USD 732.8 million (INR 60 billion) | 2023-31 |
| Japan | Quantum technology strategy review; Quantum technology strategy review | USD 170 million (JPY 23.7 billion); USD 570 million (JPY 80 billion) | 2021; 2022 |
| Korea | National Quantum Technologies Development Roadmap (2023) | USD 2.6 billion | 2023-35 |
| Netherlands | Quantum Delta Netherlands (2021) | EUR 615 million | |
| United Kingdom | National Quantum Strategy (2023) | GBP 2.5 billion | 2023-33 |
| United States | National Quantum Initiative (2018) | USD 449 million; USD 672 million; USD 855 million; USD 918 million; USD 844 million | 2019; 2020; 2021; 2022; 2023 |
Note: These amounts cover funding allocated to research in quantum technologies, not necessarily limited to quantum computing and communications. The People’s Republic of China is widely reported as being among the global leaders in terms of quantum research funding, but there is no reliable information on the amount of investment.
Sources: EU (Quantum Flagship, 2024[69]), Canada (Government of Canada, 2023[70]), France (Government of France, 2023[71]), Germany (Clasen, 2023[72]), Korea (Kim, 2023[73]), India (Government of India, 2023[74]), Netherlands (Government of The Netherlands, 2021[75]), United Kingdom (DSIT, 2023[76]), United States (National Science and Technology Council, 2023[77]).
The future disruptive potential of quantum computing to break cryptography is a major challenge for today
Symmetric cryptographic methods such as the Advanced Encryption Standard are not significantly affected by quantum computing if used with suitable key sizes. However, this is not the case with public-key cryptography algorithms (ETSI, 2015[78]; NCSC, 2020[79]; BSI, 2021[80]; BSI, 2021[53]; ANSSI, 2022[81]; D’anvers et al., 2022[82]; NCSC, 2023[83]). Quantum computing directly threatens the continued robustness of public-key cryptography, which is widely used for digital signature and for key agreement between parties. For example, remote parties use it to determine the symmetric keys they intend to use in a communication (NCSC, 2020[79]; GAO, 2021[55]; ANSSI, 2022[81]).
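As an added worked illustration (not from the chapter) of why “suitable key sizes” keep symmetric schemes such as AES usable while no key size rescues RSA, apply the two speedups described earlier to the two kinds of algorithm. For an $n$-bit symmetric key, brute-force search costs

$$
T_{\text{classical}} = 2^{n}, \qquad T_{\text{Grover}} \approx \sqrt{T_{\text{classical}}} = 2^{n/2},
$$

the polynomial (quadratic) speedup. The quantum work for a 128-bit key therefore drops to about $2^{64}$ steps, while a 256-bit key still costs about $2^{128}$ steps; doubling the key length restores the original security level. For an RSA modulus $N$, by contrast, Shor’s algorithm factors $N$ in time polynomial in $\log N$ (an exponential speedup over the best known classical, sub-exponential methods), so the work grows only polynomially with key length and enlarging the key cannot compensate. This asymmetry is the reason the agencies cited above treat public-key algorithms, not symmetric ones, as the part of the architecture to replace.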
The consequences are immense. The vulnerability of these cryptosystems to a quantum attack implies the vulnerability of all security protocols that derive security from their public-key ciphers, and of any product or security system deriving security from these protocols (ETSI, 2015[78]). While current quantum computers are not a threat to public-key cryptography, a future large general-purpose quantum computer could easily solve the mathematical problems at the core of public-key cryptography (NCSC, 2020[79]). Its availability would break the security of nearly all modern public-key cryptographic systems. Consequently, this could expose all secret symmetric keys and private asymmetric keys that are now protected using current public-key algorithms, as well as the information protected under those keys. Any information still considered to be private or otherwise sensitive would be vulnerable to exposure and undetected modification (Barker, Polk and Souppaya, 2021[52]).
It is impossible to predict when, if ever, modern public-key cryptographic systems would be broken. If it happens sooner rather than later, stakeholders will face a rapid collapse of their cryptographic architecture and have little time to react. Furthermore, some threat actors could carry out a “retroactive attack”. In other words, they could collect today both high-value encrypted data and the data used for key agreement in view of decrypting it later with a quantum computer. There is evidence that some countries have taken such an “intercept and store now, decrypt later” approach (D’anvers et al., 2022[82]).
In addition, a threat actor could use a quantum computer in the future to forge digital signatures and impersonate the legitimate private key owner, or tamper with information whose authenticity is protected by a digital signature. This threat needs to be considered today for high-value, root-level public keys intended for long operational lifetimes (NCSC, 2020[79]; ANSSI, 2022[81]; BSI, 2021[80]). Furthermore, a national security agency may operate the first fully functional large quantum computer long before any public announcement about it to gain a significant intelligence advantage over competing nation states (D’anvers et al., 2022[82]).
The US National Security Agency issued an urgent warning in 2015 about the imminent threat to current public-key cryptography posed by the development of quantum computers (BSI, 2021[53]; ANSSI, 2022[81]). Several cybersecurity agencies recommended addressing today the anticipated collapse of the current cryptographic infrastructure resulting from tomorrow’s expected advent of quantum computing. They warned of the need to transition to quantum-resistant cryptography sooner rather than later (Chen et al., 2016[84]; NCSC, 2020[79]; BSI, 2021[80]; ANSSI, 2022[81]).
Post-quantum cryptography can help reduce future disruptions
The solution to the challenge of quantum computers breaking current cryptography is to develop a family of cryptographic algorithms that remain secure against attackers equipped with both classical and quantum computers. This new family of algorithms, called “quantum-resistant cryptography” (QRC), includes key establishment and digital signatures, and can be executed on classical computers over classical communication channels (ANSSI, 2022[81]). Once developed, the algorithms could be deployed in anticipation of a mature quantum computer to address the “intercept and store now, decrypt later” challenge. QRC is also referred to interchangeably as post-quantum, quantum-safe or quantum-secure cryptography.
Since 2006, a large international community of researchers has worked on QRC, including through publicly funded research projects in the European Union and Japan (Chen et al., 2016[84]). In 2016, NIST initiated a QRC standardisation effort. After a thorough evaluation process, in 2022 NIST selected four quantum-resistant algorithms out of 82 proposals from international teams of researchers. At the time of writing, it continues to evaluate four additional candidates for possible future inclusion in the standard (Alagic et al., 2022[85]; NIST, 2022[86]). Many cybersecurity agencies welcomed the NIST process (NCSC, 2020[79]; BSI, 2021[80]; ANSSI, 2022[81]). This acted as a catalyst for strong involvement of the international cryptography research community, stimulating initiatives to co-ordinate domestic cryptography players such as the French “Risq” project (ANSSI, 2022[81]).
During NIST’s standardisation process, cybersecurity agencies in several countries have issued recommendations encouraging organisations to consider QRC. Agencies in Australia, Canada, France, Germany, the United Kingdom and the United States are all encouraging large organisations to anticipate quantum-related disruptions. They recommend starting the transition to QRC in a hybrid mode, i.e. one in which pre- and post-quantum cryptography coexist (NCSC, 2020[79]; BSI, 2021[80]; Cyber Centre, 2021[87]; DHS, 2022[88]; DHS, 2021[89]; ANSSI, 2022[81]; ACSC, 2023[90]).
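The hybrid mode recommended by these agencies can be illustrated at the level of key derivation. The Python code below is an added example and is not part of the OECD chapter or of any agency's guidance. It assumes two constructed 32-byte shared secrets standing in for the outputs of a classical key exchange and a post-quantum key encapsulation mechanism, and combines them with HKDF-SHA256 (RFC 5869) so that the resulting session key stays secret as long as at least one of the two components remains unbroken. The salt, label strings and transcript value are the example's own choices, not a standardised encoding.

```python
"""Hybrid key establishment combiner (added illustration, not from the OECD chapter).

Two shared secrets, one from a classical key exchange and one from a post-quantum
KEM, are concatenated and fed through HKDF-SHA256 (RFC 5869). An attacker who
later breaks only the classical component still lacks part of the KDF input.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM); an absent salt is HashLen zero bytes."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i), outputs concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: Z' = Z_classical || Z_pq, bound to the handshake transcript.

    Concatenating a conventional shared secret with an auxiliary one is the hybrid
    form permitted by NIST SP 800-56C Rev. 2. The salt and label below are this
    example's own choice. Both components are mandatory: silently accepting an
    empty one would degrade the session to single-algorithm security.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets are required in hybrid mode")
    prk = hkdf_extract(b"hybrid-kex-example-salt", ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid session key|" + transcript, length)


# Constructed sample inputs standing in for real exchange outputs (e.g. a 32-byte
# ECDH secret and a 32-byte ML-KEM secret). In a real handshake each side derives
# these from the peer's public key or ciphertext; here both sides share them.
SS_CLASSICAL = hashlib.sha256(b"constructed classical shared secret").digest()
SS_PQ = hashlib.sha256(b"constructed post-quantum shared secret").digest()
TRANSCRIPT = b"client_hello|server_hello|pq_ciphertext|ecdh_shares"


def flip_first_bit(secret: bytes) -> bytes:
    """Return the secret with one bit changed, to show the key depends on every component."""
    return bytes([secret[0] ^ 0x01]) + secret[1:]


if __name__ == "__main__":
    client_key = hybrid_session_key(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    server_key = hybrid_session_key(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    print("keys agree:", client_key == server_key)
    print("classical component changed -> key changed:",
          hybrid_session_key(flip_first_bit(SS_CLASSICAL), SS_PQ, TRANSCRIPT) != client_key)
    print("post-quantum component changed -> key changed:",
          hybrid_session_key(SS_CLASSICAL, flip_first_bit(SS_PQ), TRANSCRIPT) != client_key)
```

The combiner is what makes the "coexistence" meaningful: a deployment that negotiates both algorithms but derives traffic keys from only one of them gains nothing from the other, so a migration plan should verify that the key schedule, not just the handshake, is hybrid.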
Quantum cryptography and quantum key distribution
Quantum cryptography is often described as a major paradigm shift in cryptography. Instead of relying on mathematical complexity like most current cryptographic algorithms, quantum cryptography takes advantage of the laws of physics. In theory, it can remain secure regardless of the amount of processing power and mathematical innovation an adversary could use.
It is easy to mistake quantum cryptography for QRC. Like QRC, quantum cryptography is robust against future algorithmic and computational advances, including the emergence of quantum computers. However, quantum cryptography is fundamentally different from QRC, as it requires special equipment to leverage quantum physics. Therefore, it cannot simply run on classical computers. Quantum cryptography can be viewed as a subset of quantum communication because it leverages the same quantum principles and uses the same modes of operation.
Despite sometimes being presented as synonymous with quantum cryptography, quantum key distribution (QKD) is instead a specific application of quantum cryptography. QKD enables two remote parties to build a secret key through a dialogue on public channels. It ensures that any observation of the secret in transit will be detected, a feature that classical (i.e. non-quantum) cryptographic methods do not provide (ANSSI, 2020[91]; NCSC, 2020[92]; BSI, 2021[53]; NSA, 2020[93]).
In practice, encrypted data are sent as classical bits over the network. Meanwhile, the secret key is transmitted (but not measured and retained) as quantum states of light (Ofcom, 2021[66]). This occurs with special equipment (e.g. single photon detectors) via a fibre or atmospheric (i.e. satellite) link. Because information is encoded in quantum states, an eavesdropper would be unable to observe the data stream without changing the value of some of the qubits and introducing errors. This would make the observation detectable by both sender and recipient (ETSI, 2015[78]). Therefore, QKD provides confidentiality and integrity but not availability (ANSSI, 2020[91]).
Furthermore, the eavesdropper would not be able to copy the qubits transmitted in an unknown state, a consequence of the quantum physics “no-cloning” principle (ETSI, 2015[78]; BSI, 2021[53]). There is no way to save the information for later decryption by more powerful technologies. This means that any attempt to exploit a flaw in an implementation of transmitters or receivers would have to be carried out in real time (ETSI, 2015[78]).
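The detection property described in the two paragraphs above can be made concrete with a simulation of the BB84 protocol under an intercept-and-resend eavesdropper. The following Python code is an added example, not part of the OECD chapter or of any cited standard. It models each qubit abstractly as a (bit, basis) pair: measuring in the preparation basis returns the encoded bit, measuring in the other basis returns a random bit and destroys the original state, which is how the no-cloning constraint enters the model. The abort threshold is an illustrative constant set at the commonly cited 11% quantum bit error rate (QBER) bound for BB84 with one-way post-processing; real deployments use device-specific values. The example goes slightly beyond the text by showing the expected error rate an intercept-and-resend observer introduces (about 25% of sifted bits).

```python
"""BB84 intercept-resend simulation (added illustration, not from the OECD chapter).

No quantum hardware is involved: the model only reproduces the measurement
statistics that let the sender and recipient detect observation of the key.
"""
import random
from typing import List, Tuple

# Illustrative abort threshold: the widely cited ~11% QBER bound for BB84 with
# one-way error correction and privacy amplification. Device-specific in practice.
ABORT_QBER = 0.11


def measure(rng: random.Random, bit: int, basis: int, measure_basis: int) -> int:
    """Measure a (bit, basis) qubit in measure_basis (0 = rectilinear, 1 = diagonal)."""
    if measure_basis == basis:
        return bit                 # same basis: deterministic outcome
    return rng.getrandbits(1)      # other basis: random outcome, state disturbed


def run_bb84(n: int, eavesdrop: bool, seed: int = 1) -> Tuple[float, List[int], List[int]]:
    """Run one BB84 exchange over n qubits; return (estimated QBER, Alice's key, Bob's key)."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n)]
    alice_bases = [rng.getrandbits(1) for _ in range(n)]

    # Quantum channel. Eve, if present, measures each qubit in a random basis and
    # re-emits a fresh qubit in that basis: no-cloning means she cannot keep a copy
    # of the unknown state for later analysis, so her attack must happen in real time.
    channel = []
    for bit, basis in zip(alice_bits, alice_bases):
        if eavesdrop:
            eve_basis = rng.getrandbits(1)
            channel.append((measure(rng, bit, basis, eve_basis), eve_basis))
        else:
            channel.append((bit, basis))

    bob_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bits = [measure(rng, b, s, mb) for (b, s), mb in zip(channel, bob_bases)]

    # Sifting over the public, authenticated classical channel: bases are compared,
    # bit values are not; positions measured in different bases are discarded.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    sifted_alice = [alice_bits[i] for i in keep]
    sifted_bob = [bob_bits[i] for i in keep]

    # Error estimation: a public sample of the sifted bits is compared, then discarded.
    sample = len(keep) // 2
    errors = sum(1 for a, b in zip(sifted_alice[:sample], sifted_bob[:sample]) if a != b)
    qber = errors / sample if sample else 0.0
    return qber, sifted_alice[sample:], sifted_bob[sample:]


def key_accepted(qber: float) -> bool:
    """Defender-side decision: abort key generation when the error rate reveals observation."""
    return qber <= ABORT_QBER


if __name__ == "__main__":
    for eve in (False, True):
        qber, ka, kb = run_bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={qber:.3f}, accepted={key_accepted(qber)}, "
              f"keys match={ka == kb}")
```

Without an observer the sifted bits agree exactly, so the estimated QBER is zero and the remaining bits form the shared key. With intercept-and-resend, Eve guesses the wrong basis half the time and, in those cases, Bob's matching-basis measurement is random, which yields errors in roughly a quarter of the sifted bits and triggers the abort. This is also why the implementation concerns raised in the next paragraphs matter: any real-world source of errors or side channels eats into the margin between the observed QBER and the abort threshold.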
Unlike quantum computing, QKD is feasible with technology available today (BSI, 2021[53]). Several QKD networks based on fibre and free space have been deployed or are under construction worldwide. A review of recent and ongoing large-scale deployment of QKD networks identified projects in Canada, the People’s Republic of China, Europe, India, Italy, Japan, Korea, Spain, the Russian Federation, the United Kingdom and the United States. It also identified standardisation efforts by CEN-CENELEC, ETSI, IEEE, ITU-T, ISO/IEC JTC 1, the China Communications Standards Association and the UK British Standards Institution (BSI). Together, these organisations had published 22 standards as of 2022 and were developing 20 more (Stanley et al., 2022[94]).
Nevertheless, several cybersecurity agencies have expressed strong reservations regarding the potential of QKD and quantum computing to match security expectations and compete with QRC algorithms. In theory, the security of QKD is based on laws of physics. In practice, it is based on the degree of technical perfection with which it is implemented. In other words, it is based on the degree to which potential adversaries can exploit deviations of real-life quantum cryptography systems from the theoretical requirements, such as in the transmitters or receivers (Lucamarini, Shields and All, 2018[95]). Cybersecurity agencies point out that achieving such a degree of perfection is neither easy nor cheap, which considerably reduces the number of potential use cases. This main consideration, together with additional issues such as security weaknesses and the need for specific hardware, has led these agencies to reject the use of QKD for sensitive government or military applications. They call instead for the promotion of cheaper and more easily implementable QRC algorithms (ANSSI, 2020[91]; NCSC, 2020[92]; BSI, 2021[53]; Cyber Centre, 2021[87]; ACSC, 2023[90]; NSA, 2020[93]).
References
[90] ACSC (2023), “Planning for Post-Quantum Cryptography”, webpage, https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/planning-post-quantum-cryptography (accessed on 10 July 2023).
[85] Alagic, G. et al. (2022), “Status report on the third round of the NIST post-quantum cryptography standardization process”, Interagency or Internal Report, National Institute of Standards and Technology, Gaithersburg, MD, https://doi.org/10.6028/nist.ir.8413-upd1.
[47] Albrecht, M. et al. (2018), Homomorphic Encryption Standard, 21 November, Homomorphic Encryption Standardization, https://homomorphicencryption.org/standard.
[81] ANSSI (2022), “ANSSI views on the post-quantum cryptography transition”, Position Paper, 4 January, Agence nationale de la sécurité des systèmes d’information, Paris, https://cyber.gouv.fr/en/publications/anssi-views-post-quantum-cryptography-transition.
[91] ANSSI (2020), “Should quantum key distribution be used for secure communications?”, Technical Position Paper, 26 May, Agence nationale de la sécurité des systèmes d’information, Paris, https://www.ssi.gouv.fr/uploads/2020/05/anssi-technical_position_papers-qkd.pdf.
[6] ANSSI (2016), The ANSSI security Visa by the French National Cybersecurity Agency, Agence nationale de la sécurité des systèmes d’information, Paris, https://cyber.gouv.fr/publications/anssi-security-visa-french-national-cybersecurity-agency.
[52] Barker, W., W. Polk and M. Souppaya (2021), “Getting ready for post-quantum cryptography: Exploring challenges associated with adopting and using post-quantum cryptographic algorithms”, Cybersecurity White Paper, No. 04282021, 28 April, National Institute of Standards and Technology, Gaithersburg, MD, https://doi.org/10.6028/nist.cswp.04282021.
[68] Bogobowicz, M. et al. (2023), “Quantum technology sees record investments, progress on talent gap”, 24 April, McKinsey Digital, New York, https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/quantum-technology-sees-record-investments-progress-on-talent-gap.
[80] BSI (2021), “Migration to post quantum cryptography: Recommendation for action”, Federal Office for Information Security, Bonn, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/Migration_to_Post_Quantum_Cryptography.pdf?__blob=publicationFile&v=2.
[53] BSI (2021), “Quantum safe cryptography – fundamentals, current developments, and recommendations”, (brochure), Federal Office for Information Security, Bonn, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.pdf.
[9] BSI (2021), Transparency through the IT Security Label, webpage, https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/IT-Sicherheitskennzeichen/it-sicherheitskennzeichen_node.html (accessed on 10 July 2024).
[84] Chen, L. et al. (2016), “Report on post-quantum cryptography”, Internal Report, No. 8105, National Institute of Standards and Technology, Gaithersburg, MD, https://doi.org/10.6028/nist.ir.8105.
[60] Cho, A. (2020), “No room for error”, 8 July, Science, https://www.science.org/content/article/biggest-flipping-challenge-quantum-computing.
[28] CISA (2021), CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack, https://www.cisa.gov/news-events/alerts/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa-supply (accessed on 15 July 2024).
[27] CISA (2019), “Chinese cyber activity targeting managed service providers”, Awareness Briefing, Cybersecurity and Infrastructure Security Agency, United States, Washington, D.C., https://www.cisa.gov/sites/default/files/c3vp/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf.
[19] CISA et al. (2022), “Protecting Against Cyber Threats to Managed Service Providers and their Customers”, 11 May, Cybersecurity and Infrastructure Security Agency, United States, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-131a (accessed on 26 June 2023).
[72] Clasen, A. (2023), “Germany strives to catch up with US, China in quantum tech race”, 16 May, Euractiv, https://www.euractiv.com/section/digital/news/germany-strives-catch-up-with-us-china-in-quantum-tech-race.
[3] Common Criteria (2023), The Common Criteria, website, https://www.commoncriteriaportal.org (accessed on 26 June 2024).
[56] Congressional Research Service (2022), “Defense primer: Quantum technology”, CRS Report, 25 October, Congressional Research Service, United States, Washington, D.C., https://crsreports.congress.gov/product/pdf/IF/IF11836.
[34] Creeger, M. (2022), “The rise of fully homomorphic encryption”, Queue, Vol. 20/4, pp. 39-60, https://doi.org/10.1145/3561800.
[18] CSA (2022), “Mutual recognition arrangement on cybersecurity labels between the Cyber Security Agency of Singapore and the Connectivity Standards Alliance”, 19 March, News Release, Cyber Security Agency of Singapore, Singapore, https://www.csa.gov.sg/News-Events/News-Articles/2024/mutual-recognition-arrangement-on-cybersecurity-labels-between-csa-and-the-connectivity-standards-alliance.
[17] CSA (2020), “Singapore Cybersecurity Labelling Scheme”, webpage, https://www.csa.gov.sg/our-programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme (accessed on 26 June 2024).
[87] Cyber Centre (2021), “Preparing your organization for the quantum threat to cryptography – ITSAP.00.017”, February, Canadian Centre for Cyber Security, Vanier, Canada, https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017 (accessed on 10 July 2023).
[82] D’anvers, J. et al. (2022), Post-Quantum Cryptography: Current State and Quantum Mitigation, European Union Agency for Cybersecurity, Athens, https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation.
[40] DARPA (2021), “DARPA selects researchers to accelerate use of fully homomorphic encryption”, 8 March, Press Release, Defense Advanced Research Projects Agency, United States, Arlington, VA, https://www.darpa.mil/news-events/2021-03-08.
[88] DHS (2022), “Post-Quantum Cryptography”, webpage, https://www.dhs.gov/quantum (accessed on 10 July 2023).
[89] DHS (2021), “Preparing for post-quantum cryptography”, Infographic, Department of Homeland Security, United States, Washington, D.C., https://www.dhs.gov/publication/preparing-post-quantum-cryptography-infographic (accessed on 10 July 2023).
[76] DSIT (2023), “National quantum strategy”, Policy Paper, 15 March, Department for Science, Innovation and Technology, United Kingdom, London, https://www.gov.uk/government/publications/national-quantum-strategy.
[64] Dyakonov, M. (2018), “The case against quantum computing”, 15 November, IEEE Spectrum, https://spectrum.ieee.org/the-case-against-quantum-computing.
[2] ENISA (2019), “EU Certification Framework”, webpage, https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-certification-framework (accessed on 26 June 2024).
[8] ETSI (2020), “EN 303 645 - V2.1.1 - CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements”, webpage, https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf (accessed on 26 June 2024).
[78] ETSI (2015), “Quantum safe cryptography. An introduction, benefits, enablers and challenges”, White Paper, No. 8, June, European Telecommunications Standards Institute, Sophia Antipolis, France, https://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf.
[4] European Commission (2023), “Commission implementing regulation as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)”, 31 January, European Commission, Brussels, https://digital-strategy.ec.europa.eu/en/library/implementing-regulation-adoption-european-common-criteria-based-cybersecurity-certification-scheme.
[29] European Commission (2023), “Proposed regulation on managed security services amendment”, 17 April, European Commission, Brussels, https://digital-strategy.ec.europa.eu/en/library/proposed-regulation-managed-security-services-amendment.
[5] European Commission (2022), “NIS 2 Directive”, webpage, https://digital-strategy.ec.europa.eu/en/policies/nis2-directive (accessed on 26 June 2024).
[16] FCC (2023), US Cybersecurity Labeling Program, webpage, https://www.fcc.gov/document/fcc-proposes-cybersecurity-labeling-program-smart-device (accessed on 26 June 2024).
[45] Fernàndez-València, R. (2022), “Verifiable homomorphic encryption: The multi-group setting – one scheme to rule them all”, 22 March, Medium, https://medium.com/iovlabs-innovation-stories/verifiable-homomorphic-encryption-7de41e39c20.
[55] GAO (2021), “Quantum computing and communications: Status and prospects”, Technology Assessment, US Government Accountability Office, Washington, D.C., https://www.gao.gov/assets/gao-22-104422.pdf.
[70] Government of Canada (2023), “Government of Canada launches National Quantum Strategy to create jobs and advance quantum technologies”, 13 January, News Release, Government of Canada, Waterloo, https://www.canada.ca/en/innovation-science-economic-development/news/2023/01/government-of-canada-launches-national-quantum-strategy-to-create-jobs-and-advance-quantum-technologies.html.
[71] Government of France (2023), “France 2030: des résultats concrets pour les 2 ans de la stratégie quantique”, 3 April, Government of France, Paris, https://www.gouvernement.fr/sites/default/files/contenu/piece-jointe/2023/03/20230330_france2030_dp_deux_ans_de_la_strategie_nationale_quantique_vdef2_clean.pdf.
[74] Government of India (2023), “Cabinet approves national quantum mission to scale-up scientific & industrial R&D for quantum technologies”, 19 April, Press Release, Government of India, https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1917888.
[13] Government of Korea (2023), “Internet of Things (IoT) security certification reduces the burden on businesses and increases consumer convenience! (사물인터넷(IoT) 보안인증, 기업 부담은 줄이고, 소비자 편의성은 높인다!)”, 4 July, Ministry of Science and IT, Korea, Sejong, https://www.korea.kr/briefing/pressReleaseView.do?newsId=156578757#pressRelease.
[75] Government of The Netherlands (2021), “Innovative projects given additional €1.35 billion boost due to funding from National Growth Fund”, 9 April, News Item, Government of The Netherlands, https://www.government.nl/latest/news/2021/04/21/innovative-projects-given-additional-%E2%82%AC1.35-billion-boost-due-to-funding-from-national-growth-fund.
[62] Grumbling, E. and M. Horowitz (eds.) (2019), Quantum Computing, National Academies Press, United States, Washington, D.C., https://doi.org/10.17226/25196.
[30] Homomorphic Encryption Standardization (2024), “Introduction”, webpage, https://homomorphicencryption.org/introduction (accessed on 26 June 2024).
[46] Intel (2024), “Intel Homomorphic Encryption Toolkit”, webpage, https://www.intel.com/content/www/us/en/developer/tools/homomorphic-encryption/overview.html (accessed on 26 June 2024).
[42] Intel (2021), “Intel to collaborate with Microsoft on DARPA program”, 8 March, News Release, Intel, Santa Clara, CA, https://www.intel.com/content/www/us/en/newsroom/news/intel-collaborate-microsoft-darpa-program.html#gs.yo43kd.
[59] IQC Canada (2024), “Quantum Computing”, webpage, https://uwaterloo.ca/institute-for-quantum-computing/quantum-101/quantum-information-science-and-technology/quantum-computing (accessed on 26 June 2024).
[48] ISO/IEC (2019), “ISO/IEC 18033-6:2019 - IT Security techniques — Encryption algorithms — Part 6: Homomorphic encryption”, webpage, https://www.iso.org/standard/67740.html (accessed on 26 June 2024).
[49] ITU (2023), “Technical Report: FHE-based Data Collaboration in Machine Learning”, webpage, https://www.itu.int/ITU-T/workprog/wp_item.aspx?isn=17999 (accessed on 26 June 2024).
[50] ITU (2022), “The case for standardizing homomorphic encryption”, 7 December, ITU News, https://www.itu.int/hub/2022/12/the-case-for-standardizing-homomorphic-encryption.
[38] Jordan, M. (2021), “The next step in homomorphic encryption for Linux on IBM Z and LinuxONE”, IBM blog, https://www.ibm.com/blog/the-next-step-in-homomorphic-encryption-for-linux-on-ibm-z.
[63] Kalai, G. (2011), “How quantum computers fail: Quantum codes, correlations in physical systems, and noise accumulation”, arXiv, 1106.0485, https://arxiv.org/abs/1106.0485.
[73] Kim, J. (2023), “S. Korea to invest $2.6 bn in quantum technology by 2035”, 11 May, The Korea Economic Daily, https://www.kedglobal.com/tech,-media-telecom/newsView/ked202305110016.
[33] Koerner, K. (2021), “Introduction to homomorphic encryption”, 20 July, Medium, https://medium.com/golden-data/introduction-to-homomorphic-encryption-d903d02d4ce0.
[11] Korea Ministry of Government Legislation (2021), 정보통신망연결기기등 정보보호인증에 관한 고시 [Notice on information protection certification for information and communication network connected devices, etc.], webpage, https://www.law.go.kr/LSW/admRulLsInfoP.do?admRulSeq=2100000204704 (accessed on 26 June 2024).
[65] Kristjánsson, H., R. Gardner and G. Chiri (2021), “Quantum communications: New potential for the future of communications”, 28 July, Ofcom, United Kingdom, London, https://www.ofcom.org.uk/research-and-data/technology/general/quantum-communications.
[95] Lucamarini, M., A. Shields and R. All (2018), “Implementation security of quantum cryptography: Introduction, challenges, solutions”, ETSI White Paper, No. 27, European Telecommunications Standards Institute, Sophia Antipolis, France.
[23] Mandiant (2022), M-Trends 2022 Report, Mandiant, Reston, VA, https://www.mandiant.com/m-trends.
[35] Masters, O. and H. Hunt (2019), Towards a Homomorphic Machine Learning Big Data Pipeline for the Financial Services Sector, Cryptology ePrint Archive, https://eprint.iacr.org/2019/1113.
[41] Mattsson, U. (2021), “Security and performance of homomorphic encryption”, June, Global Security Mag, https://www.globalsecuritymag.com/Security-and-Performance-of,20210601,112333.html.
[10] METI (2020), IOT Security and Safety Framework, Ministry of Economy, Trade and Industry, Tokyo, https://www.dataguidance.com/news/japan-meti-releases-iot-security-and-safety-framework.
[14] Ministry of Industry and Technology (2023), Kamu Bilişim Hizmet Alimi Kapsaminda Katilimcilarin Yetkilendirilmesi Hakkinda Yönetmelik [Regulation on the Authorization of Participants within the Scope of Public Information Technology Service Procurement], https://www.mevzuat.gov.tr/File/GeneratePdf?mevzuatNo=39610&mevzuatTur=KurumVeKurulusYonetmeligi&mevzuatTertip=5 (accessed on 10 July 2024).
[26] N-able (2022), “State of the market: The new threat landscape”, White Paper, N-able, Burlington, MA.
[77] National Science and Technology Council (2023), “National Quantum Initiative Supplement to the President’s FY 2023 budget”, Committee on Science of the National Science & Technological Council, United States, Washington, D.C., https://www.quantum.gov/wp-content/uploads/2023/01/NQI-Annual-Report-FY2023.pdf.
[83] NCSC (2023), “Next steps in preparing for post-quantum cryptography”, White Paper, 3 November, National Cyber Security Centre, United Kingdom, London, https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography (accessed on 4 January 2024).
[79] NCSC (2020), “Preparing for quantum-safe cryptography”, White Paper, National Cyber Security Centre, United Kingdom, London, https://www.ncsc.gov.uk/whitepaper/preparing-for-quantum-safe-cryptography.
[92] NCSC (2020), “Quantum security technologies. V1.0”, White Paper, National Cyber Security Centre, United Kingdom, London, https://www.ncsc.gov.uk/whitepaper/quantum-security-technologies.
[54] Nellis, A. (2022), “The Quantum Internet, Explained”, webpage, https://news.uchicago.edu/explainer/quantum-internet-explained (accessed on 26 June 2024).
[51] NIST (2023), Privacy-Enhancing Cryptography, webpage, https://csrc.nist.gov/Projects/pec (accessed on 26 June 2024).
[86] NIST (2022), “NIST announces first four quantum-resistant cryptographic algorithms”, 5 July, Press Release, National Institute of Standards and Technology, United States, Washington, D.C., https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms.
[25] NIST (2021), “Definition of critical software under executive order (EO) 14028”, 13 October, National Institute of Standards and Technology, Washington, D.C., https://www.nist.gov/system/files/documents/2021/10/13/EO%20Critical%20FINAL.pdf.
[93] NSA (2020), “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)”, webpage, https://www.nsa.gov/Cybersecurity/Quantum-Key-Distribution-QKD-and-Quantum-Cryptography-QC (accessed on 20 June 2023).
[24] OECD (2023), “Building cyber resilience in a post COVID-19 world: Local challenges, global solutions”, Summary, OECD Global Forum on Digital Security for Prosperity, hosted virtually by Israel, 7-9 June 2021, https://one.oecd.org/document/DSTI/CDEP/SDE(2022)5/FINAL/en/pdf.
[36] OECD (2023), “Emerging privacy-enhancing technologies: Current regulatory and policy approaches”, OECD Digital Economy Papers, No. 351, OECD Publishing, Paris, https://doi.org/10.1787/bf121be4-en.
[1] OECD (2021), “Enhancing the digital security of products: A policy discussion”, OECD Digital Economy Papers, No. 306, OECD Publishing, Paris, https://doi.org/10.1787/cd9f9ebc-en.
[66] Ofcom (2021), “Quantum Communications: New potential – Executive summary”, 28 July, Ofcom, London, https://www.ofcom.org.uk/__data/assets/pdf_file/0013/222601/Executive-Summary.pdf.
[32] Paillier, P. (2020), “Introduction to FHE”, webpage, https://fhe.org/meetups/001-introduction-to-fhe (accessed on 26 June 2024).
[43] Park, J. (2021), “Homomorphic encryption for multiple users with less communications”, Paper, No. 2021/1085, https://eprint.iacr.org/2021/1085.
[57] Preskill, J. (2012), “Quantum computing and the entanglement frontier”, arXiv 1203.5813, https://arxiv.org/abs/1203.5813.
[69] Quantum Flagship (2024), “Introduction”, webpage, https://qt.eu/about-quantum-flagship (accessed on 26 June 2024).
[58] Sedik, T., M. Malaika and M. Gorban (2021), “Quantum computing’s possibilities and perils”, September, International Monetary Fund, Washington, D.C., https://www.imf.org/en/Publications/fandd/issues/2021/09/quantum-computings-possibilitiesand-perils-deodoro.
[94] Stanley, M. et al. (2022), “Recent progress in quantum key distribution network deployments and standards”, Journal of Physics: Conference Series, Vol. 2416/1, p. 012001, https://doi.org/10.1088/1742-6596/2416/1/012001.
[20] Statista (2023), “Size of the managed service market worldwide in 2023 with forecast to 2032”, Statista (database), https://www.statista.com/statistics/590884/worldwide-managed-services-market-size (accessed on 26 June 2024).
[22] Svetozarov Naydenov, R. et al. (2022), ENISA Threat Landscape 2022, European Union Agency for Cybersecurity, Athens, https://doi.org/10.2824/764318.
[67] The White House (2022), “National security memorandum on promoting United States leadership in quantum computing while mitigating risks to vulnerable cryptographic systems”, 4 May, The White House, United States, Washington, D.C., https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems.
[31] Tourky, D., M. ElKawkagy and A. Keshk (2016), Homomorphic encryption the “Holy Grail” of cryptography, 2nd IEEE International Conference on Computer and Communications (ICCC), IEEE, 14-17 October, Chengdu, China, https://doi.org/10.1109/compcomm.2016.7924692.
[7] Traficom (2019), “The Finnish cybersecurity label”, (brochure), Finnish Transport and Communications Agency, Helsinki, https://tietoturvamerkki.fi/sites/default/files/media/file/cybersecurity_label_presentation-280920.pdf.
[15] TRtest (2024), “Certificates and Documents”, webpage, https://tr-test.com.tr/trtest/views/portal?lang=en (accessed on 26 June 2024).
[12] TTA (2021), “TTA designated as an information protection certification testing agency”, 14 January, Press Release, Telecommunication Technology Association of Korea, Seongnam, Kyonggi-do, https://www.tta.or.kr/tta/selectBbsNttView.do;jsessionid=_LxCSNRwGFnOaCHxj8bFDVXO6_PkIQJoUbtrI1meA0CNKO_Atts4!-1151557185?key=76&bbsNo=107&nttNo=12016&searchCtgry=&searchCnd=all&searchKrwd=&integrDeptCode=&pageIndex=10.
[39] van den Nieuwenhoff, T. (2021), “Fully homomorphic encryption: The history”, 27 May, Tvdm blog, https://tvdn.me/fhe/2021-05-27-homomorphic-encryption-history.
[61] Vardi, M. (2019), “Quantum hype and quantum skepticism”, Communications of the ACM, Vol. 62/5, p. 7, https://doi.org/10.1145/3322092.
[44] Yang, W. et al. (2023), “A review of homomorphic encryption for privacy-preserving biometrics”, Sensors, Vol. 23/7, p. 3566, https://doi.org/10.3390/s23073566.
[37] Zama (2024), “A 6 Minute Introduction to Homomorphic Encryption”, webpage, https://6min.zama.ai (accessed on 26 June 2024).
[21] Zetter, K. (2023), “The untold story of the boldest supply-chain hack ever”, 2 May, Wired, https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever.