Jason McNutt is the Founder of Ceruleant Systems.

The term “quantum apocalypse” refers to the future day when a quantum computer is capable of breaking an established encryption system. It is particularly concerning because most of the world relies on a small set of algorithms like RSA and ECC to secure data.

If one system is breached, it could lead to widespread security failures across many organizations that use the same encryption methods. The ability to breach one algorithm may also indicate that similar algorithms could be compromised, snowballing this potential crisis across data security providers worldwide.

But why should organizations care, especially when the threat still seems distant? The reality is that adversarial parties and governments are already preparing. According to U.S. cybersecurity leaders, these actors store encrypted data today with the intent to decrypt it when quantum computing makes that possible, an idea known as “harvest now, decrypt later.”

The data being transmitted today will still be valuable in the future, and when quantum computing reaches the necessary power, vast amounts of stored data could suddenly become vulnerable. This retroactive threat multiplies the impact of the quantum apocalypse.

If we don’t know when, why act now?

Many organizations might not see the need to act now. One of the most concerning facts is that even when a quantum break of encryption does occur, many organizations will not know. An adversary who spends significant resources breaking an algorithm is looking to gain as much intelligence as possible without the other party realizing it.

This was the case when the Allies broke the German Enigma code during World War II but kept this fact secret for years. The Germans continued to use the compromised system, unaware that it had been breached. A similar scenario could unfold with quantum computing, where a breach occurs, but the victims remain oblivious, continuing to use compromised systems.

So, what can chief information security officers (CISOs) and organizations do to prepare?

Urgent focus might best be directed at a preemptive post-mortem examination: If this happens, what will you do about it, and how much might it cost you if you can’t recover quickly? This isn’t just a technical concern; it becomes an actuarial one.

As corporations explore whether their insurers will cover potential exposure and demonstrated losses, they may find that the costs for coverage are substantial. It’s a pitfall that we’ve never had to consider before, and one that sounds the alarm bell.

The amount of computing power behind quantum machines is growing rapidly. It’s no longer enough to simply do what everyone else does and call it “good enough.”

When quantum computers break current encryption, those who haven’t prepared will be stuck like everyone else using the compromised system. It’s not a perfect solution, but the new best practice is to become crypto-agile and develop the ability to switch quickly from one algorithm to another when needed.

Developing Crypto Agility

Organizations need to maintain an inventory of their encryption methods and understand which ones might become vulnerable. The next step is to establish contingency plans that allow for a swift switch to more secure algorithms, like those based on lattice problems, which are designed to be more resistant to quantum attacks. The challenge for leaders lies in whether these transitions can be made with minimal disruption to current operations.

Becoming crypto-agile involves more than just adopting new algorithms; it requires the organizational ability to transition between different cryptographic protocols as threats evolve. Organizations that develop the ability to change encryption methods on the fly incur a significant cost when they go it alone.
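The inventory-and-contingency step described above can be sketched as a small triage script. This is an added example, not code from the author or from NIST: the asset names, the scoring weights and the `REPLACEMENT` mapping are assumptions made for illustration, and ML-KEM, ML-DSA and SLH-DSA are the algorithm names in NIST's FIPS 203, 204 and 205.

```python
from dataclasses import dataclass

# Public-key families a large quantum computer is expected to break. RSA and
# ECC are the ones the article names; DH and DSA are included as an assumption.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}
# The three NIST standards of 13 August 2024 (FIPS 203, 204, 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Successor per purpose: a planning default chosen for this example.
REPLACEMENT = {"key-exchange": "ML-KEM", "signature": "ML-DSA"}

@dataclass
class Asset:
    system: str
    algorithm: str
    purpose: str           # "key-exchange" or "signature"
    retention_years: int   # how long the protected data stays sensitive
    configurable: bool     # algorithm can be swapped by configuration alone

def triage(inventory):
    """Return (score, system, action) tuples, most urgent first."""
    plan = []
    for a in inventory:
        if a.algorithm in POST_QUANTUM:
            continue  # already migrated
        if a.algorithm not in QUANTUM_VULNERABLE:
            plan.append((0, a.system, f"review {a.algorithm} manually"))
            continue
        # Recorded key exchanges can be decrypted later, so long-lived data
        # raises urgency; a signature only matters while it is still trusted.
        score = a.retention_years if a.purpose == "key-exchange" else 1
        if not a.configurable:
            score += 5  # hard-coded crypto: a code change precedes any switch
        target = REPLACEMENT.get(a.purpose, "unassigned")
        plan.append((score, a.system, f"{a.algorithm} -> {target}"))
    return sorted(plan, key=lambda item: -item[0])

# Constructed inventory, not real systems.
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "ECDH", "key-exchange", 15, True),
    Asset("firmware-signer", "RSA", "signature", 0, False),
    Asset("legacy-file-transfer", "RSA", "key-exchange", 12, False),
    Asset("internal-api", "ML-KEM", "key-exchange", 3, True),
]

if __name__ == "__main__":
    for score, system, action in triage(SAMPLE_INVENTORY):
        print(f"{score:>3}  {system:<22} {action}")
```

The `configurable` flag is the crypto-agility measure: systems where it is false cannot switch algorithms without a code change, which is why they rise in the ranking.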

On August 13, 2024, the National Institute of Standards and Technology (NIST) released three post-quantum encryption algorithms ready for immediate use. These tools took over eight years to develop, and according to NIST, it is “critical to begin planning for the replacement of hardware, software, and services that use public-key algorithms now so that information is protected from future attacks.”

Still, I think it’s time leaders take accountability for their organization’s unique risks and make the necessary preparations. Some targets are more valuable and should be more concerned, while others may still be easy targets despite being less critical. Remember that where there is easy money, adversaries will be ready to exploit it.

The idea of the quantum apocalypse presents potential dangers that require serious consideration. High-value organizations must establish plans to become crypto-agile, ready to switch from one encryption method to another as the need arises. The time to act is now, before the full power of quantum computing is unleashed.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.