Classical computing is binary; everything you and I run today ultimately reduces to bits, 0s and 1s toggling through transistors and logic gates. Quantum computing isn’t just faster; it’s different. Qubits can exist in many potential states before measurement and can be entangled, enabling correlations impossible in classical systems. Quantum algorithms exploit this structure to tackle certain problems with massive parallelism. That’s why quantum will eventually upend some of our most relied‑upon cryptosystems.
We’re also seeing real progress, not just hype: vendors such as IBM, Google, and Quantinuum are pushing qubit counts past the 1,000 mark, demonstrating early error‑corrected logical qubits and tracking improvements via quantum volume (a metric that better reflects practical capability). Industry roadmaps now sketch a credible path toward cryptographically relevant machines.
The timeline remains uncertain. Optimists argue we could reach CRQC (cryptographically relevant quantum computing) in less than 5 years, while skeptics think it may take multiple decades due to error‑correction scaling. Regardless of the exact timeline, the extremely high stakes and potentially catastrophic consequences of a quantum breakthrough occurring before we are prepared justify taking action now.
Once CRQC is achieved, today’s public-key encryption will no longer hold. Shor’s algorithm makes it possible to factor large numbers and solve elliptic-curve discrete log problems in polynomial time, instantly undermining the math that protects RSA and ECC. In practical terms, any system relying on those algorithms — which is almost every secure system today — would be exposed overnight.
The short answer is… nearly everything. Effectively anything that uses RSA or ECC asymmetric key cryptography will be exposed.
Quantum compromise would ripple through every layer of our digital infrastructure:
Internet security: TLS/HTTPS, VPNs, and PKI certificates would no longer be trustworthy.
Identity and access: Smartcards, badges, and FIDO tokens could be cloned or spoofed.
Software assurance: Code-signing and email encryption mechanisms would fail.
Data security: File encryption, databases, backups, cloud APIs and SaaS.
Critical infrastructure: IoT, OT, and edge devices would be vulnerable to interception and tampering
Most importantly, the danger isn’t limited to the future. Adversaries are already collecting encrypted communications data today, with the intent to decrypt it once quantum capabilities arrive. This strategy, known as Harvest Now, Decrypt Later (HNDL), means that even data you consider secure right now could be exposed years from now when quantum computers catch up.
National security agencies including the NSA, CISA, and NIST have all warned that this represents a long-term strategic risk to both government and industry. The only defence is to start adopting quantum-safe cryptography now, before attackers have a reason to use it against you
The danger isn’t limited to the future. Adversaries are collecting encrypted data today — corporate archives, intellectual property, and sensitive communications — with the intent to decrypt it once quantum capabilities arrive. This strategy, known as Harvest Now, Decrypt Later (HNDL), means that even data you consider secure right now could be exposed years from now when quantum computers catch up.
National security agencies including the NSA, CISA, and NIST warn that this represents a long-term strategic risk to both government and industry. The only defense is to start adopting quantum-safe cryptography now, before attackers have a reason to use it against you.
The good news is that the world isn’t starting from scratch. The National Institute of Standards and Technology (NIST) has completed its first round of post-quantum cryptography (PQC) selections. The two main algorithms selected, Kyber and Dilithium, form the foundation of post-quantum encryption and digital-signature standards. These algorithms are designed to withstand quantum attacks while still being efficient on classical hardware. For enterprises, this means that production-ready, standardized tools for quantum-safe migration now exist.
Global governments and regulators are no longer in wait-and-see mode:
U.S. NSM-10 requires all federal agencies to complete their PQC transition by 2035.
UK NCSC and EU programs are already in progress, with similar completion timelines (2030–2035).
Financial regulators—including BIS, the G7, and FS-ISAC—are warning that delayed adoption could pose systemic financial risk.
Regulation is effectively setting the floor for compliance; private-sector readiness must meet or exceed it to avoid being the weak link.
A rapid, full migration to architectures that exclusively support post-quantum cryptography (PQC) can be risky. Many existing systems, legacy applications, and older clients depend on classical cryptographic libraries and protocols. Moving too quickly could cause major compatibility issues or even downtime.
Because the timeline for achieving cryptographically relevant quantum computing (CRQC) is still uncertain, the smart approach is a measured and informed migration. Progress should be guided by a comprehensive cryptographic inventory and threat modeling assessments, to pinpoint where sensitive data is most at risk (now and in the future), where PQC support already exists, and how each phase of migration will affect operations.
In the near term, organizations should prioritize crypto-agility. Crypto-agility is the process of designing systems and applications that can easily swap out cryptographic algorithms and keys without re-engineering core software or infrastructure. This flexibility ensures that future upgrades, including PQC adoption, can happen with minimal disruption.
A crypto-agile architecture allows you to:
Swap in new algorithms rapidly as standards evolve.
Deploy hybrid models, where classical and PQC algorithms run together for transition periods.
Future-proof your systems against whatever comes next, quantum or otherwise.
This approach avoids expensive re-engineering every time a new standard, threat, or vulnerability emerges.
Transitioning to PQC isn’t a single project; it’s a programmatic shift. A structured, four-phase approach ensures a smooth and measurable migration:
1. Discover & Inventory
Catalog every cryptographic asset (algorithms, key lengths, certificates, and libraries).
Use edge scanning to locate TLS endpoints and legacy protocols.
Build a Crypto Bill of Materials (CBOM), a machine-readable list of crypto components across systems and dependencies.
2. Assess & Prioritize
Conduct independent readiness assessments to benchmark preparedness.
Threat-model systems vulnerable to “Harvest Now, Decrypt Later.”
Run table-top exercises simulating CRQC scenarios with executive and technical teams.
Perform gap analysis against emerging NIST and regulatory timelines.
3. Monitor & Test
Validate PQC implementations in controlled environments.
Track compliance and performance across hybrid deployments.
4. Implement in Phases
Execute staged rollouts across systems and vendors.
Begin with hybrid algorithms, then transition fully once stable
Quantum timelines are uncertain, but migration timelines are not. Even a conservative enterprise migration can take several years, and every year of delay increases your risk exposure. With standards finalized, regulatory frameworks in place, and vendor tooling already available, there’s no reason to wait. The organizations that move now will not only protect their data, but also position themselves as trusted leaders in a post-quantum world.
Justin “Hutch” Hutchens is an Innovation Principal at Trace3 and a leading voice in cybersecurity, risk management, and artificial intelligence. He is the author of “The Language of Deception: Weaponizing Next Generation AI,” a book focused on the adversarial risks of emerging AI technology. He is also a co-host of The Cyber Cognition Podcast, a show that explores the frontier of technological advancement and seeks to understand how cutting-edge technologies will transform our world. Hutch is a veteran of the United States Air Force, holds a Master’s degree in information systems, and routinely speaks at seminars, universities, and major global technology conferences.