Quantum computing is expected to solve complex problems, but the technology has a dark underbelly, which is its ability to render classical encryption obsolete. That means every file at rest and in motion is at risk without limitation.[T]he advent of quantum computing is a game-changer -- a double-edged sword that demands both urgency and precision in response, says Timothy Bates, AI, cybersecurity, blockchain and XR professor of practice at University of Michigan and former Lenovo CTO, in an email interview. Quantum computing has the potential to render our current encryption methods, like RSA and ECC, obsolete almost overnight. It's not a question of if but when. That when could be sooner than we think given the accelerating pace of quantum advancements. The implications for secure communications, financial systems and even national security are staggering.As Always, Bad Actors Have an EdgeThe potential winners of the cryptography threat are countries unbound by strict ethical or regulatory frameworks. Bates says they will leverage quantum to breach security protocols without hesitation. Quantum-as-a-service (QaaS) platforms lower the bar for malicious actors, and the asymmetry between regulatory-constrained organizations and rogue entities gives the latter a significant edge.Related:Quantum-safe encryption must be prioritized. The industry needs to fast-track the development of post-quantum cryptographic standards and embed them into critical systems now, not later. Collaboration between quantum computing pioneers, cybersecurity leaders and regulators will be crucial to staying ahead, says Bates. Governments must adopt policies that encourage responsible quantum development while creating international standards to deter misuse.He also believes that CIOs, CTOs, and CISOs must band together to share intelligence, pool resources, and test emerging quantum technologies in controlled environments because no one can tackle the problem alone.Timothy Bates, University of MichiganTimothy Bates, University of MichiganStart piloting quantum-resistant technologies today. Its better to face small, controlled failures now than catastrophic breaches later. Push for investments in quantum technologies and talent pipelines. These will be the linchpins of your organizations survival in a post-quantum world, says Bates.While competition drives innovation, collaboration ensures resilience. Engage with peers, regulators, and even competitors to develop collective safeguards. Quantum computing isnt a looming threat, its an imminent reality. Our response must be strategic, collaborative and immediate. The stakes couldnt be higher, and the clock is ticking. Lets not get caught on the wrong side of history.Related:CISOs Are Rightly ConcernedQuantum computing has sent shivers down the spines of CIOs, CTOs, and CISOs. While there's always innovation, such as Post Quantum Cryptography (PQC), the question is will that innovation happen soon enough?What is different is that quantum computing, rather than being an evolution, is shaping to be a revolution, says Jon France, CISO at ISC2, a non-profit member organization for cybersecurity professionals, in an email interview. One of the concerns is the compromise of classical asymmetric encryption. However, theres also quantum resilient encryption, algorithms, and attendant cryptography suites that are designed to be resilient to the emerging quantum compute -- it's shaping up to be a race to become resilient [and] safe.Examples of quantum resilient suites currently include Crystals-Dilithium, Crstals Kyber, Sphincs+ and Falcon.Jon France, ISC2Jon France, ISC2[T]he solution to the problem is known: Change from quantum vulnerable suites to quantum safe suites. [It] is conceptually easy but practically hard to achieve, says France. The concern is that this is a huge change task. Nearly everything digital relies on asymmetric encryption, and changing those billions of entities over to new suites will take time. For some, this will not be possible due to compute constraints, reachability, etc., so we will also have a legacy problem.Related:Savvy IT Departments Also Recognize the Threat[O]ur lives are on the internet -- banking, utilities, everything. If quantum computers existed today, there would be a global shutdown of services, says Troy Nelson, chief technology officer at cybersecurity solutions provider Lastwall, in an email interview. My biggest concerns are that the education right now doesn't exist, and that people aren't aware, or the people in the right places aren't aware, or aware enough to start reacting. [W]e see state actors that are intercepting core internet routers to divert traffic, and they've got warehouses full of all of our internet data that at some point in time, whether it's three or five or 10 years from now, when they do have access to a quantum computer, they will be able to decrypt everything that they're currently capturing.Companies are potentially exacerbating the problem by failing to comprehend the threat and postponing investment.None of the quantum computers that are being offered as a service today can really break our modern-day encryption, but when they do become full million qubit quantum computers that can break modern encryption, we need to be using quantum resistant algorithms, says Nelson. [I]f you don't have budget to start moving to new algorithms, start making a cryptographic inventory [because] a lot of organizations and agencies probably aren't aware of what cryptographic algorithms they're using, where theyre using them or what theyre being used for. If you have an executive summary of your cryptography, and you can see your weak points, and you can plan for the upgrade and start having an idea of how to fit that into your budgeting cycle.Sebastian Straub, principal solution architect at enterprise-grade data protection solution provider N2WS, says three things need to happen: the development of post-quantum cryptography before quantum computers can be weaponized; the passage of regulation designed to prevent a quantum arms race through international agreements; and education among IT professionals.With QaaS platforms already available today, state-sponsored hackers can experiment with quantum computing without worrying about oversight. Examples include IBM Quantum, Amazon Braket,Microsoft Azure Quantum, and Xanadu, says Straub in an email interview. Defensive measures like PQC and zero-trust architectures can help level the playing field before we lose our minds -- if we start implementing them now.Peter O'Donoghue, chief technology officer at technology solutions provider Tyto Athene, says while quantum computers capable of breaking RSA-2048 are probably decades away, proactive measures are nevertheless essential.The timeline for innovation is less about technology readiness and more about how swiftly organizations implement quantum-resistant solutions to stay ahead of emerging threats, says ODonoghue. Organizations should implement PQC as an element of a modern security posture. Migrating to post-quantum encryption requires a multi-year, multi-pronged approach toward complying with PQC mandates and safeguarding digital assets against future quantum threats. Although this isnt an easy transition, its a necessary one. Organizations must start implementing these measures to remain ahead of emerging quantum threats, or they risk long-term security challenges.He believes enterprises should establish a centralized center of excellence (CoE) for crypto agility because it would provide a unified encryption policy plane across all infrastructure elements, managing key generation, storage, rotation and deployment. By centralizing these functions, risk management professionals gain the necessary oversight and control to ensure that appropriate risk-based decisions are made. Theyre also in a better position to adapt to evolving cryptographic challenges while maintaining strong security and compliance.The Time To Start is NowIn addition to generating a technical inventory of the cryptography use, Konstantinos Karagiannis, head of quantum computing services at business consulting firm Proviti, warns that organizations should also examine any third-party vendors used and their PQC plans.On August 13, 2024, NIST published its first set of standards for post-quantum cryptography. The group will standardize further ciphers in the future, too, says Karagiannis in an email interview. NIST has given dates of 2030 for deprecating and 2035 for disallowing vulnerable encryption, so it should be feasible for most companies to meet these deadlines.While the deadlines should protect most data types, some secrets with a long shelf life may still leak. Bad actors, especially nation states, have already been harvesting trade secrets, healthcare information and government classified information that will remain of interest even decades after being harvested.My biggest concern is that companies will think they have a long time because quantum computers might be a decade away from cracking encryption. Public opinion swings quickly, as we saw when quantum stocks went down in value after Nvidias CEO commented on how long it would be before quantum computers offered value, says Karagiannis. As mentioned, harvest-now, decrypt-later attacks mean your data can be awaiting decryption by an attacker even as you read these words. Everyone needs to start the migration process this year.Only federal agencies are currently required to begin PQC migration, he says. Regulators in the private sector need to quickly follow the example set by the White House NSM-10 memorandum and require companies to go through the steps of building a cryptographic inventory, creating a migration plan by 2030, and then executing the plan.We also need system manufacturers, software providers, and cloud service companies to begin offering PQC solutions. Ideally, anything you buy a year or two from now will have PQC aboard, making migrating older systems a one-time process we all need to get through. New organizations formed towards the decade's end should have turn-key PQC available, says Karagiannis. Start the journey to PQC today.