The United Nations has designated 2025 the International Year of Quantum Science and Technology, celebrating 100 years since the initial development of quantum mechanics. Quantum computing represents one of the most significant technological leaps in human history. While it has the potential to revolutionise drug discovery, climate modelling, and material science, we must also confront an uncomfortable truth: the same technology that promises so much could be weaponised to break the digital locks protecting our most sensitive data. This potential breaking point is what security experts call “Q-Day“: the moment when quantum computers become powerful enough to break some of the cryptographic algorithms that secure the world’s digital communications and data.
Despite Q-Day being several years away, the threat posed by quantum attacks on cryptography is jumping up the agenda. The latest Capgemini Research Institute report found nearly two-thirds of surveyed organisations consider quantum computing to be a critical cybersecurity threat.
Proactive business leaders have already begun to act, becoming educated on the threats posed by quantum hackers and understanding how their most sensitive data could one day be at risk. Acting now protects businesses from potentially huge security and brand reputation risks further down the line.
Why quantum creates new threats
Quantum computers differ from existing, classical computers in their ability to solve certain types of computational problems in far less time. This includes cracking some types of encryption. Google’s Willow chip, developed in 2024, could potentially take five minutes to complete a task that would take even the fastest supercomputers 10 septillion years to complete; that’s 10,000,000,000,000,000,000,000,000 years.
All quantum computers exploit the strange quantum properties of matter to perform calculations. Classical binary bits can exist as either a one or zero. Quantum computers use qubits, which can exist in a combination of both one and zero. Manipulating these combined states lets quantum computers run some new and powerful algorithms.
To understand the scale of this threat, consider how current digital security works. RSA asymmetric encryption,one of the foundations of internet security, works because of an asymmetry. It is easy to multiply two large prime numbers together but exponentially more difficult to identify these later, given only the result of the multiplication. Other common algorithms are based on another asymmetric calculation, the so-called ‘discrete logarithm’ problem. Classical computers would need thousands of years to factor a large composite number into its prime components. A quantum algorithm exists with the potential to solve this problem in hours or days. All it needs is a cryptographically relevant quantum computer to run it.
Anything that relies on vulnerable asymmetric cryptographic algorithms becomes easy to compromise. Diplomatic cables that shape international relations, NHS health records, the banking infrastructure underpinning our financial system, intellectual property, and state secrets could all be exposed by the quantum hacker. And it’s not just decryption. RSA is used to sign the digital certificates that computers use to prove their identity. It’s how a browser checks that it is talking to the right web server, for example. Breaking RSA would allow a hacker to forge digital certificates, undermining a core principle of online trust.
Not all cryptography is vulnerable. There are quantum algorithms that can theoretically accelerate attacks against symmetric ciphers like AES. Unlike factoring, these algorithms are unlikely to lead to practical attacks against symmetric cryptography. Part of the challenge is mapping out where different algorithms are used, not something that CISOs have typically had to worry about in the past.
‘Harvest now, decrypt later’
So, if working quantum computers are estimated to be five years away, and quantum computers capable of breaking asymmetric encryption are thought to be ten years away, why does the risk need to be on the C-suite agenda right now?
Simply put – adversaries don’t need working quantum computers to pose a danger today. They’re already implementing what intelligence agencies call ‘harvest now, decrypt later’ strategies.
Sophisticated nation-state actors and high-end contractors are stockpiling encrypted data right now with the patience of archaeologists and the resources of governments. They’re intercepting communications, stealing encrypted databases, and hoarding digital assets they can’t yet decrypt. They’re playing the long game. The data being stolen today will still be sensitive, valuable, and damaging when quantum computers mature.
Post-Quantum Cryptography
The quantum threat has been a topic of discussion for years. Awareness is growing, but not all organisations are planning for the post-quantum future.
Quantum risk assessments regularly reveal conversations with CEOs and Chief Information Security Officers (CISOs) who are focused on immediate concerns: ransomware, data breaches, regulatory compliance. These are immediate issues that rightly demand attention and need to remain at the front of a CISO’s mind. The quantum threat adds a substantial new challenge to how we think about and manage data security.
How can we protect against quantum attacks? New cryptographic algorithms resistant to quantum computers are known as postquantum cryptography (PQC) standards. These are encryption methods specifically designed to resist attacks from both classical and quantum computers, operating with existing communications protocols and networks.
In principle, this is easy, but PQC algorithms tend to have longer key sizes and larger messages than existing algorithms. This means that, where PQC integration is necessary, it may not be a trivial task. Taking the opportunity now to build in cryptographic agility will make future change easier to manage.
Becoming quantum-safe is a complex, multi-year effort that must begin now. It requires careful planning, testing, and integration across your entire technology stack. Earlier this year, the National Cyber Security Centre (NCSC) issued guidance recommending that large companies, including energy and transport providers, introduce PQC measures, noting that “these will be a key part of defence in the coming years”.
The road to quantum safety
The NCSC’s recent strategy highlights the importance of early preparation and sector-specific plans to ensure a smooth transition. This thinking is seen throughout the industry: the majority of organisations surveyed in recent Capgemini research recognise that early investment will yield advantages.
This is a big technology transition which involves organisation-wide management and affects supply chains. Getting this transition wrong risks introduces new vulnerabilities as an unwanted side-effect: in 2021, OWASPdesignated ‘cryptographic failures’ as the second biggest concern. Implementing cryptography well is hard and a major transition of cryptography is something to plan, deliver and assure with care.
The first step is awareness. Every organisation must understand which parts of its operations rely on quantum-vulnerable encryption and what assets need to be protected. This is essential for businesses and governments to plan effectively and build the right defences.
By 2028, every organisation should have a plan in place to migrate to post-quantum cryptography. This includes identification of priorities and setting clear goals and timelines. This should not be static but continually updated and refined to ensure a thorough and effective transition. Cross-industry partnerships will also be crucial to accelerate preparedness. Sharing best practices, threat intelligence, and technical solutions will help keep us all safe against the quantum threat.
Q-day is no longer a distant theoretical concept but an approaching reality that demands an immediate strategic response. Proper preparation, strategic thinking, and commitment will allow organisations to be confident that they and their critical assets are quantum safe.
Matthew Albans
Matt Albans has spent the last 25 years in the Defence Industry, and worked for various organisations, both Government and Industry providing technical expertise from some of the UK’s biggest platform programmes to some of its most cutting-edge research. His wide-ranging technical know-how has seen him seconded into the Headquarters of both the Royal Navy and British Army, most recently to act as the CTO of RAPSTONE. He has also held the Chair of the Defence Research and Technology Forum at Tech UK. He is currently the CTO of Roke, one of the UK’s most trusted providers of Defence and National Security capability. Matt finds Roke hugely rewarding, helping to deliver actual capability that protects our citizens and armed forces across the world.
