DealTech: Experts disagree on risk quantum hacking poses to law firms
Analysis: 13:58 EDT, March 25 2022
DealTech (formerly known as M&ATech) covers technology trends aimed at M&A professionals.
- A hack can kill a law firm — expert
- Defences against quantum hacking will improve — expert
- Quantum hacking overhyped and a minor concern — expert
Quantum computers — which take advantage of the peculiar characteristics of very small particles to solve problems much faster than regular computers — have the potential to hack the encryption methods currently used to protect confidential data, but experts disagree on the significance of this to law firms.
Current systems of security and encryption will not protect law firm networks from quantum hacking, Louis Lehot, an M&A and technology lawyer with Foley & Lardner working in the firm’s Silicon Valley, San Francisco, and Los Angeles offices, said.
“The way we do M&A deals, the way we do emerging growth financing, it relies on the company that is being transacted to make a virtual data room available in the metaverse that has its most secret information within it,” he said. “If that information is compromised, the damage to the franchise is incalculable.”
Although today’s early-stage, largely experimental quantum computers cannot hack current encryption methods, governments and private entities around the world are collecting large amounts of encrypted data in the hopes that future quantum computers will be able to reveal the secrets inside.
The risk this poses to anyone holding or transferring sensitive data now is real and law firms have to protect against it, Lehot said. If confidential information collected today from a few law firms is later hacked by quantum computing, those law firms will be dead, he stated.
Law firms successfully attacked by hackers often lose clients, Lehot said. Transaction counterparties may also refuse to work with a hacked law firm and request that its clients seek alternative counsel, he added.
In 2017, a cyberattack that started in Kiev, Ukraine, spread to the DLA Piper law firm. Parts of its network, including its billing system, were down for a significant time.
In cyberattack cases involving law firms, opposing counsel in some cases may refuse to email, confirm calendar items or participate in conference calls with the affected firm, afraid of malware, Lehot said.
Lehot was reluctant to say whether a lawyer who fails to consider the risk of quantum computers is negligent but did note that law firms are required to disclose any hack of client data and that not protecting client data from foreseeable threats may be considered professional malpractice.
If companies become unwilling to trust confidential information with lawyers due to quantum hacking, that threatens fundamental change to the legal profession, Lehot concluded.
Louis-Pierre Gravelle, an intellectual property and technology lawyer at Bereskin & Parr’s Montreal office, is less concerned than Lehot about the danger of quantum computers directly hacking law firm networks in the future.
As quantum computers become more adept at hacking encryption, encryption will evolve and become stronger, he argued. There are already firms that claim to have invented encryption systems on traditional computers that are quantum proof, he noted. In the future, quantum-based defence tech may nullify quantum-based attacks.
However, Gravelle acknowledged the risk that some parties may be collecting data encrypted under current technology, with the intention of hacking it later with quantum computers.
Much of the information currently held by law firms will be stale or already public by the time quantum computers are able to reveal it, Gravelle said.
“Things are a little touchier when we talk about more sophisticated business strategies, when it comes to potential mergers, potential acquisitions, potential trade deals, potential licensing deals,” he said.
Most concerning are Panama Papers-style revelations that cause embarrassment, if not criminal investigations, to the clients of a law firm that has been hacked, he said. Firms that are involved in offshore transactions and highly sophisticated tax planning should be especially careful with their data and encryption, he said.
Future hacking of today’s information is not an insignificant risk but needs to be weighed against the freshness of the information, Gravelle said. Law firms should use the latest security tools and stay up to date in terms of patching and software updates, he advised. Smart law firms will have systems to detect intrusion, take remedial action very quickly and keep an eye on both new threats and new security-tech advances, he added.
Chris Hoofnagle, a professor of law at the University of California, Berkeley, where he teaches cybersecurity and programming for lawyers, agreed that some of today’s data will be vulnerable to quantum hacking but argued that the threat is overhyped and a minor concern. Most of today’s data will likely be irrelevant in a few years, he said, echoing Gravelle’s comments.
“Quantum computers will not magically break all encryption quickly, as sometimes implied by the news media and even by some policy analysts,” he said. The idea of encryption’s collapse has led to many “privacy doomsday predictions.” Some currently available security tools, such as Advanced Encryption Standard (AES) 256 encryption keys, are probably invulnerable to foreseeable quantum attacks, he added.
Even when quantum computers do become widely available, law firms will still probably be more at risk from email phishing or other behaviour-based attacks, he argued.
The experts also disagreed on when quantum computing will directly affect law firms.
“My bet is that we will not have an encryption-busting computer seven years from now,” Hoofnagle said.
With Simson Garfinkel, the Senior Data Scientist in the Office of the Chief Information Officer at the US Department of Homeland Security, Hoofnagle co-wrote Law and Policy for the Quantum Age. He and Garfinkel predict a “quantum winter,” in which investment and hype for quantum research dwindle away for a long time, much as artificial intelligence and cold fusion research did in the 1970s.
Eventually, a big tech player or a start-up may bring quantum technology mainstream, but “no matter who develops that device, it will almost certainly not waste effort on cryptanalysis,” Hoofnagle and Garfinkel agreed.
“There is not much money to be made in cryptanalysis,” Hoofnagle said. “Realistically, governments are the only real buyers of the service.”
Gravelle, however, observed that despite lagging the US in quantum commercialization, Canada is very strong in quantum research and has at least one company, D-Wave, that is already selling computers based on quantum technology and claims to be the world’s first company to sell computers which exploit quantum effects.
When quantum computers will become relevant to lawyers is anyone’s guess, Gravelle concluded.
According to the National Venture Capital Association, there has been a steady increase in the number of quantum computing start-ups and the amount of venture funding for the sector, Lehot said. He referred to a 2021 PitchBook study that indicated that quantum funding had increased to USD 55bn from the previous year’s USD 35bn, in at least 51 deals in 2021 compared to 34 in 2020.
Quantum computing will probably be a day-to-day part of life for M&A lawyers in two to three years, Lehot said.
by Mark Coakley in Toronto
Originally published on Mergermarket.com (subscription required)