Quantum Computing Is Advancing Fast: A Cybersecurity Pocket Guide

Quantum computing used to be a distant threat, something to worry about years down the line. Not anymore. Researchers in the past year have announced major advances – including some stunning claims in just the last two months – and the consequences are coming straight for cybersecurity.

The recent breakthroughs appear significant, although all have their fair share of skeptics poking holes in the underlying research.

Still, none deny quantum’s impending arrival or this sobering fact: Q-Day, the day a quantum computer will be able to break today’s standard forms of encryption and gain access to all forms of financial, medical, military, and corporate proprietary data, will be a reality sooner than expected. Which means organizations must start planning now – this year – for changes to cybersecurity and fast-track any plans already in place.

Automated Endpoint Management is the next phase in cybersecurity – leverage real-time data from millions of endpoints, execute changes at scale, and oversee time-saving automation, all from a unified platform.

The latest quantum advances? In February, researchers said they created a chip using a “new state of matter” that could drive unimaginably robust quantum computers. Some leading physicists question the claim’s validity.

In March, D-Wave Quantum revealed it had built a quantum computer that outperformed one of the world’s most powerful supercomputers. Some say the research is too limited to justify the claims and others argue D-Wave’s specific approach still offers no known path to break current encryption codes.

Also last month, researchers at the University of Science and Technology of China announced the development of a quantum machine that could process calculations a million times faster than Google’s advanced quantum chip. The research, based on older work, hasn’t drawn strong detractors – but it’s early.

Skepticism aside, the accelerating pace of the research has shifted quantum from a distant prospect to a more urgent concern for businesses: Once quantum machines grow powerful enough, standard encryption safeguards could collapse overnight, exposing vast amounts of sensitive data. Some experts say we could see the first tangible signs of quantum computing’s impact on cybersecurity as early as this year.

[Read also: 4 critical leadership priorities for CISOs in today’s AI era and our quantum future]

Any organization that delays quantum prep will be at significant risk, akin to playing “Russian roulette,” says noted quantum expert Michele Mosca, CEO of quantum-safe solutions provider EvolutionQ and a mathematics professor at the University of Waterloo.

“So far, we’ve been lucky,” he says. “But we’re not playing Russian roulette with ping-pong balls. There are bullets now. And the stakes are too high to ignore.”

The basics (and basic risks) of quantum computing

Quantum computers promise transformative processing power for incredibly fast calculations and problem-solving.

So far, we’ve been lucky. We’re not playing Russian roulette with ping-pong balls. There are bullets now. And the stakes are too high to ignore.

While classical computers process information using binary bits – the smallest units of data, which can exist in one of two states, represented by ones and zeros – quantum computers rely on principles of quantum mechanics to perform calculations at lightning speed. Instead of bits, they use qubits, which can exist in multiple states at once. This allows quantum computers to solve complex problems exponentially faster than traditional machines, making them transformative for a variety of fields, such as materials science, drug discovery, and cryptography.

These advanced algorithms pose a significant threat to the cryptographic systems many organizations rely upon, from banks to hospitals and government agencies. The juggernaut IT services advisory firm Gartner warns that asymmetric encryption – the foundation of internet security – will become fully breakable by 2034. And Mosca, who surveyed cybersecurity experts last year and co-authored the most recent “Quantum Threat Timeline” report from the Global Risk Institute, projects a 10 percent chance in five years and a 30 percent chance in 10 years that quantum will pose a “material problem” for businesses and government agencies.

[Read also: Seeing is believing – how enterprises are using AI to improve cybersecurity]

Indeed, like any new-ish innovation in the hands of hackers, quantum computers could soon become weaponized and undermine decades of cryptographic safety and security. While the threat will always involve some level of organized crime going after money or digital identities, U.S. officials fear nation-states hostile to the United States, such as North Korea or China, could use the technology to steal classified information or harm critical infrastructure.

Retiring trusted algorithms

Adversaries are already recording encrypted data to decrypt it once quantum computers become readily available. This “harvest now, decrypt later” surveillance strategy is a genuine concern. In fact, it’s thought a massive amount of encrypted data is susceptible to being recorded, collected, and stored for future use against U.S. businesses and government agencies.

Every bit of communication being sent right now is being recorded.

“Every bit of communication being sent right now is being recorded,” says Jason Soroko, senior fellow at Sectigo, a certificate lifecycle management (CLM) solutions provider.

Soroko notes that while this encrypted data is largely secure today because no current computer can crack RSA 2048 or ECC 256 – two of the most widely used public key encryption standards – they could become quickly prone when quantum computers become sufficiently powerful to decrypt recorded packet streams. In fact, it’s thought hostile nation-states may already be collecting recorded data in anticipation of the day they can access it and put it to their own use, he says.

[Read also: What is cyber threat intelligence? A simplified guide for 2025]

Acknowledging this looming threat, the National Institute of Standards and Technology (NIST) recently set firm timelines to transition the world away from those widely used cryptographic algorithms. NIST, which was required to propose quantum security standards under the 2023 Quantum Computing Cybersecurity Preparedness Act, recommends that these algorithms be deprecated by 2030 and disallowed after 2035.

Quantum complacency

At the heart of this urgency, Mosca explains, is the ability of quantum computers to harness the laws of quantum physics to solve problems in exponentially fewer steps than the best-known algorithms on today’s machines. Two of the first – and most troubling – examples are breaking RSA (by factoring large numbers) and ECC (by solving discrete logarithms), he says.

Despite these concerns, a recent Deloitte survey of Fortune 500 CISOs finds that two out of three organizations have no quantum security strategy in place, with far too many completely inactive (17%) or still in the “yeah, let’s think about this” risk-assessment stage (27%) and only 12% implementing solutions at scale.

[Read also: How to get the board to listen to CISO priorities? Show the link between quantum (or anything else) to brand reputation]

Such complacency is disconcerting, especially considering the potential risks involved. But it’s also somewhat understandable, given the significant challenges of moving to quantum-resistant cryptography. Gartner says hurdles include:

• No drop-in replacements: Companies can’t just swap out encryption algorithms overnight; many of their systems weren’t designed for quantum-safe cryptography
• Performance trade-offs: Post-quantum algorithms require bigger cryptographic key sizes – the long strings of numbers used to encrypt and decrypt data in public key infrastructure (PKI). These larger keys demand more computing power, which could slow down operations.
• Lack of visibility: Most organizations don’t even know where cryptography is used across their networks, making risk assessment nearly impossible.
• Vendor inertia: Businesses must assess their third-party risk and threats to their software supply chain – look to a software bill of materials (SBOM) to assist with that – and then pressure software and security vendors to accelerate their adoption of post-quantum cryptography

How to prepare: 7 steps to a quantum cybersecurity plan

Despite these obstacles, experts recommend enterprise and security leaders start the quantum journey now by taking these steps:

1. Build quantum expertise

Assign a team to assess the risks, costs, and roadmap for transitioning to quantum-safe security. Avoid waiting until the last minute when quantum-secure talent will be scarce.

2. Map out cryptographic assets

Soroko recommends identifying where RSA and ECC are used in encryption, authentication, and digital signing and determining which sensitive data needs protection beyond 2030. Not to be overlooked: Also perform a risk assessment of cryptographic assets. It may seem early, but knowing what might be vulnerable if hackers suddenly gain the capability to use quantum technology will be key to fending off or responding to such attacks.

3. Establish a migration plan

Set a timeline for transitioning to quantum-resistant cryptographic protocols – before it’s too late.

[Read also: Identity access management can prevent hackers from accessing your network in the first place]

4. Design for cryptographic resilience

Mosca says it’s essential to ensure that security plans don’t rely on a single point of failure, like RSA or ECC encryption. He also recommends implementing defense-in-depth strategies that use multiple cryptographic methods to avoid catastrophic failure. Soroko notes that several quantum-resistant cryptographic algorithms are emerging from NIST and elsewhere.

5. Stay current on quantum-safe solutions

Some vendors, like Apple and Cloudflare, have already started implementing quantum-resistant key exchange technology, Soroko says. Organizations should monitor these developments and consider adopting them as soon as possible. Sectigo and others are also developing post-quantum certificate authorities (CAs) and cryptographic tools worth watching. Sectigo recently released a sandbox that allows customers to see ML-DSA-based digital certificates, which would use digital signature algorithms to help resist attacks from quantum computers.

6. Monitor the regulatory landscape

Keep an eye out for regs – especially if you do business with the federal government. Across administrations, there’s been increased interest in quantum security out of concern that hostile nations could use the technology against us. And there are already standards and executive orders emerging. NIST, for example, released three post-quantum cryptographic standards in late 2024, and President Joe Biden signed an executive order in January mandating federal agencies to begin transitioning to post-quantum cryptography within specified timeframes.

[Read also: NIST’s new thinking on password security may surprise you]

7. Pressure vendors

Businesses should also demand cryptographic resilience from their supply chains, Mosca advises. Major industries should align on post-quantum migration timelines, like NIST’s 2030 RSA/ECC deprecation recommendation, he adds.

Quantum cybersecurity’s bottom line

Quantum computing isn’t theoretical anymore. It’s happening, and it’s happening fast. Organizations that rely on secure transactions, intellectual property, and customer trust cannot afford to wait for quantum computers to evolve and pose a threat.

“It doesn’t matter when quantum computers become sufficiently powerful, because the risk of not preparing starting now is actually bad,” says Soroko.

FOR MORE RESOURCES:

Check out these information hubs for info on quantum computing and the ways enterprises can prepare for the coming quantum threat.

• NIST – Computer Security Resource Center
• NIST – Quantum Information Science
• CISA – Post Quantum Cryptography Initiative
• NSA – Commercial National Security Algorithm Suite (CNSA 2.0)
• ETSI – Quantum-Safe Cryptography