Why Should Quantum Threats Be a Priority Despite Uncertainty and Other Pressing Issues?

This note is part of a series of brief discussions addressing the most common and important questions we encounter around quantum-safe migration, as listed in the article titled "What's Your Most Important Question When It Comes to Quantum Safe Migration?"

In this instalment, I focus on two crucial questions raised by CISOs and business leaders:

• Given other pressing issues and priorities, why should we allocate resources to address the quantum threat?

• With uncertainty around the timeline for quantum computers capable of breaking current encryption, why should we care about this issue now?

These two questions are essential to any organization considering quantum-safe migration. Without addressing them, the quantum threat may not gain the attention and resources necessary to mitigate the risks effectively. Although these are two distinct concerns, they are closely related, and it’s most effective to discuss them together.

Quantum-safe migration is sometimes referred to as Y2Q (Year-to-Quantum), drawing parallels with the Y2K problem from over two decades ago. However, unlike Y2K, where we had a clear deadline, precisely predicting when quantum computers will become capable of breaking encryption is far more uncertain. For instance, various qubit technologies are progressing at different rates, and breakthroughs could occur at different times. The overall quantum computing technology stack—hardware, electronics, error correction, algorithms, and application software—is evolving rapidly, but at uneven paces. Additionally, the vulnerability of cryptographic algorithms depends on the type of algorithm and its configuration. Given this uncertainty, it’s natural for CISOs and industry leaders to question the urgency of addressing the quantum threat.

Why allocate resources to the quantum threat now?

A successful quantum attack could compromise sensitive data, disrupt critical infrastructure, and erode trust in digital systems. The economic, social, and national security consequences would be far-reaching. Transitioning to quantum-resistant cryptography now can help protect future data and infrastructure, ensuring long-term security.

Even though quantum computers capable of breaking encryption are not yet available, preparing for quantum-safe cryptography is crucial for several reasons:

Long-Term Data Sensitivity: Certain data, such as health records, financial transactions, trade secrets, and government communications, need to remain secure for decades. Even if quantum computers capable of breaking encryption are 10–20 years away, data intercepted today could be stored and decrypted later using future quantum capabilities. This is known as the "harvest now, decrypt later" attack and makes the protection of long-term sensitive data a current priority.

Long Transition Period: The transition from classical to post-quantum cryptography (PQC) is not a simple task. It involves risk assessments, cryptographic inventory preparation, system upgrades, ensuring backward compatibility and interoperability, for securing communications across infrastructures. Given the complexity and widespread reliance on cryptographic systems, this migration could take many years. Delaying it could leave organizations vulnerable.

Exponential Growth of Quantum Technology: Quantum technology is advancing at a rapid speed. While we don’t know the exact timeline for when a quantum computer capable of breaking encryption will emerge, experts estimate it could happen within the next decade. This is a relatively short time horizon for addressing the long-term encryption security needs of organizations.

Regulatory Pressure: Governments and regulatory bodies globally are recognizing the quantum threat and issuing guidelines for migration to quantum-safe cryptography. For example, the USA has already passed the Quantum Computing Cybersecurity Preparedness Act, and many other regions have issued guidelines. More guidelines and regulations are expected across the regions. Preparing early will help organizations stay compliant and avoid last-minute adjustments.

Pre-emptive Security: Cybersecurity requires a proactive approach. The uncertainty surrounding when large-scale quantum computers will emerge should encourage organizations to act now rather than react later. Attackers may not announce the availability of CRQCs (Cryptographically Relevant Quantum Computers) and could launch covert attacks on critical systems before vulnerabilities are exposed.

Risk Management: Treating quantum risks as part of broader risk management ensures organizations are future-proofing their infrastructure. Quantum-safe migration is not just about cryptography; it involves assessing risks to systems, applications, and data, ensuring business continuity and security.

Economic and Reputational Risk: The cost of transitioning too late could be substantial, with potential breaches, regulatory fines, and loss of trust. Starting early allows organizations to spread the cost and effort over time, minimizing financial and reputational damage.

Strategic Advantage: Organizations that begin quantum-safe migration early will gain a competitive and strategic advantage. They will avoid the scramble when quantum computers become a reality, giving them time and flexibility to adapt.

In Summary, while organizations face many pressing current issues, neglecting quantum-safe migration leaves their infrastructure vulnerable to long-term security threats. The transition to quantum-resistant cryptography takes time, and starting now ensures a smooth migration without the rush. The threat of CRQCs is real and growing, and most experts agree: The time to act is now.

By addressing quantum-safe migration early, organizations can protect their digital assets and ensure a secure future.

I’d love to hear your thoughts on how you're approaching quantum-safe strategies.