Quantum next: Navigating a new cyber threat landscape

Whether quantum computing will be as revolutionary as advertised is no longer in question — it’s already moving beyond the lab and changing the way we approach complex problem solving, encryption and security. What’s become increasingly clear, however, is that as technology advances, so do the potential threats to traditional cryptographic assets and systems.

While quantum computing promises unprecedented computational power, it also presents a substantial risk to the cryptographic foundations securing today’s digital world, particularly modern public key infrastructure (PKI). Although further innovation is needed to achieve the required accuracy and scale of qubit operations — the quantum equivalent to classical computing bits needed to break the encryption used in PKI — advancements in quantum technology signal significant progress and a quicker timeline for achieving this capability.

This is a now problem — not a five or 10 years from now problem. And with new resilience measures and cryptography compliance standards coming into focus, assessing, preparing and proving technological and regulatory readiness to handle cyber-attacks can be critical in a post-quantum world.

There are countless positive and practical benefits of enhanced quantum-enabled systems. Nevertheless, quantum is challenging traditional data security and risk control practices.

The major risk posed by quantum computing capabilities is sensitive data being lost or compromised. This has wide-reaching impacts across industries, especially those reliant on vulnerable cryptographic systems for critical services such as operational technology, information technology, infrastructure and secure financial transactions. The net effect of lost or compromised data is loss of trust from customers and stakeholders, leading to significant and unpredictable consequences for reputation, regulatory compliance and finances.

Nation-state actors pose the greatest near-term threat to current encryption systems, given the significant resources needed for quantum computing. As quantum technology becomes more accessible, attacks from other groups, such as independent criminal enterprises, may also rise.

Threats at a glance:

• “Harvest Now, Decrypt Later” attacks: Malicious actors have already started harvesting and storing substantial amounts of encrypted data so they can mass-decrypt sensitive information as quantum capabilities become accessible.
• Secure channel decryption: Quantum computing can break encrypted network communications and “listen in” on sensitive conversations.
• Signature impersonation: Quantum computing power allows attackers to impersonate signed digital certificates, resulting in attacks such as malware distribution and targeted phishing.
• New “Zero-Day” vulnerabilities: This includes the potential for yet unknown quantum algorithms to break existing cryptographic systems and challenges associated with transitioning to quantum-resistant cryptography.

As risks increase, industry and government regulatory guidance is also expanding. The 2022 USA Quantum Computing Cybersecurity Preparedness Act mandates that federal agencies evaluate and document the encryption algorithms they use, focusing on vulnerabilities to quantum computing and preparing for the transition to post-quantum cryptography. Also, new National Institute of Standards and Technology (NIST) guidance — including the finalization of post-quantum cryptographic standards — aims to further strengthen modern public-key cryptography infrastructure for the quantum era.

These standards are not meant to go on a shelf and be pulled down later. NIST recommends companies begin implementing now — not only because implementation will take time, but also because threat actors are already gaining the computing capabilities needed to expose secrets and vulnerabilities across systems.

Organizations across major sectors are responding by investing in research, developing quantum-resistant technologies, and collaborating with industry advisors. For example, major financial institutions, energy corporations, and technology firms are exploring quantum key distribution (QKD) and post-quantum cryptographic protocols to secure communications and safeguard against other future quantum threats. Some US government programs and contracts awarded to defense firms also highlight the strategic focus on developing quantum-safe technologies.

Whether you're well into your quantum journey or still assessing your risk, you should ask some key questions:

• Does your organization understand how you are currently using cryptography to secure your data and how quantum computing can impact your security protocols and controls?
• Does your organization understand which systems utilize and process sensitive or proprietary information vulnerable to the quantum threat?
• Is your data safeguarded from “Harvest Now, Decrypt Later” attacks?
• Are you prepared to meet regulatory requirements (e.g., NIST) and answer regulatory questions about data security and quantum threat resilience?
• Have you assessed your third-party relationships, their cryptologic standards and any potential impacts on post-quantum cryptography?

When it comes to quantum cryptography, one thing is certain: The technology will continue to advance with or without you. The transition to post-quantum readiness should begin now if you haven’t started already. Once you’ve asked the right questions, it’s time to adopt a clear and methodical plan of action.

The most important question that technology, security and business leaders should ask is simple yet pivotal: Is my organization ready for a post-quantum world?

The time to act is now. Organizations should regularly revisit their risk exposure, stay informed about the latest advancements in quantum computing, and adjust their defense and risk strategies accordingly. A static approach could leave critical gaps in security infrastructure, as quantum threats can undoubtedly grow more sophisticated.

By adopting quantum-resistant technologies, and fostering a culture of agility and preparedness, organizations can build the resilience necessary to safeguard their most essential assets. This isn’t just about a technological upgrade. It’s a strategic imperative for business survival.