Key Points: Quantum Computing and the Future of Encryption

• Quantum computing will eventually break today’s encryption, but the threat isn’t immediate, Preparation must start now because transitioning takes years.
• The real risk is “harvest now, decrypt later”: attackers can collect encrypted data today and decrypt it once quantum computers mature.
• Organisations should begin with awareness and inventory: map where encryption is used, and align with NIST’s upcoming post-quantum standards.
• The transition demands collaboration and coordination: across industries, governments, and supply chains to ensure compatibility and resilience.
• Plan early, stay calm. This is not panic time, but preparation time; those who start now will be ready when the quantum era arrives.

In its recent publication “Planning for Post-Quantum Cryptography,” the ASD urges organisations to begin preparing for a world where quantum computers could one day break today’s encryption. Not because this danger is imminent, but because readiness takes time. And time, in cybersecurity, is rarely on our side.

At first glance, it might sound like yet another wave in the endless tide of security warnings. Most organisations are still fighting yesterday’s battles: ransomware, phishing, patching, the basics. Why worry about a threat that doesn’t even exist yet?

Because encryption, that invisible shield protecting everything from your messages to your money, can’t simply be swapped overnight. The cryptographic systems underpinning our digital economy took decades to design, standardise and deploy. Replacing them will take just as long.

So the ASD’s call isn’t one of panic. It’s one of prudence. Like reinforcing a bridge before the flood arrives: not because the water’s rising now, but because you don’t want to be halfway across when it does.

Understanding the Quantum Risk

The Promise and the Paradox

To grasp the threat, we must first understand the promise. Quantum computing isn’t a faster version of what we already have. It’s an entirely different way of thinking.

Traditional computers process bits that are either 0 or 1. Quantum computers use qubits, which can be both 0 and 1 at once: a phenomenon called superposition. Combine that with entanglement, where qubits become linked so that one instantly influences another, and suddenly we can explore countless possibilities simultaneously.

That’s what makes quantum computing so exciting. It could revolutionise chemistry, medicine, logistics, and climate modelling. But that same power also threatens the very mathematical foundations of modern cryptography.

Cracking the Uncrackable

Most of today’s encryption relies on problems that are easy to compute in one direction but practically impossible to reverse. The RSA algorithm, for example, depends on factoring very large prime numbers, a task that would take classical supercomputers hundreds of years to reverse.

Enter Shor’s Algorithm. Developed in the 1990s, it proved that a sufficiently powerful quantum computer could factor large numbers exponentially faster. What would take classical machines centuries could, in theory, take hours or even minutes.

Today’s quantum computers aren’t anywhere near that level. They’re fragile, small, and plagued by errors. They are more laboratory prototypes than practical tools. But progress is steady, and investment is immense. Governments, universities and tech giants are racing towards the milestone known as cryptographically relevant quantum computing: the point where a quantum machine can break the encryption protecting much of the world’s data.

Experts debate the timeline, but the consensus hovers around 10 to 20 years. Some argue it could happen sooner. Others caution it may take longer. But few believe it will never happen.

The Real Threat Isn’t Tomorrow: It’s Today

The subtle danger isn’t that our encryption will suddenly become irrelevant one morning. It’s that attackers are already preparing for the day it might.

The concept is known as harvest now, decrypt later.

Imagine an adversary intercepting vast amounts of encrypted data: corporate records, government archives, medical research - and storing them for future use. They can’t read the data today, but one day they might. Once quantum computers mature, those once-secure files could yield their secrets.
This makes the quantum threat not a future problem, but a time capsule problem. Data stolen today could become readable years from now.

Not all data ages the same way. Some information, a one-off password reset email, for example, loses value quickly. But other data, like classified communications, design blueprints, or personal health records, might need to stay confidential for decades. For those, the risk is immediate.

Data in Transit vs. Data at Rest

Similarly, not all information is equally vulnerable.
Data in transit (the information moving across networks every second) is most at risk. Emails, transactions, cloud synchronisations: these can be easily intercepted and stored today, as they are largely travelling on a public network: the Internet.
Data at rest (files stored on secure systems) is generally safer, because it’s harder for attackers to access as they require attacker to break into the systems that store them.

This distinction matters. Quantum risk is not about encrypting everything now, but about prioritising the right things first. Information that travels, and must remain secret for decades, should top the list.

The Timeline Trap

Every discussion about quantum computing seems to circle back to one question: When will it happen?
But that’s not the question that matters. The real question is: How long will it take us to be ready when it does?

Transitioning to post-quantum cryptography isn’t a patch or a plug-in. It’s a systemic change. The algorithms underpinning online banking, VPNs, government services, and even IoT devices are deeply embedded in global infrastructure. Replacing them will take years of coordinated effort, testing and transition.

That’s why the ASD, along with international counterparts like NIST in the United States, is urging early preparation. Not because disaster is imminent, but because delay is the greater risk.

Protection Strategies: Building for the Post-Quantum Era

Start with Awareness, Not Alarm

The first step is simple but not necessarily easy: understand the landscape.
Quantum computing is not a cyber doomsday, it’s an engineering inevitability. The challenge isn’t to fear it, but to plan for it.

ASD’s guidance emphasises measured preparation. Organisations should begin by understanding what information they hold, how long it needs to stay confidential, and where quantum-vulnerable encryption is used.

This isn’t about tearing down existing systems overnight. It’s about mapping dependencies: discovering which data, systems, and services will need the most attention.

Inventory Before Action

Before migrating to new cryptographic standards, you need to know where your current ones live.

Most organisations use encryption in more places than they realise: databases, backups, internal APIs, messaging systems, authentication servers, cloud storage, and vendor integrations. The first task is to locate and document them.

Think of it as a cryptographic census, an audit not of what’s broken, but of what must evolve.
Once you know where encryption lives, you can prioritise based on risk and longevity. Data with long-term sensitivity should be at the top of the list; transient information can follow later.

Watch the Standards

The next phase is to stay aligned with emerging standards. The U.S. National Institute of Standards and Technology (NIST) is currently finalising a suite of post-quantum algorithms. These new methods are designed to resist attacks from both classical and quantum computers.
The ASD, like most national security agencies, will follow NIST’s lead, adapting these standards into local guidance once they are finalised. In other words: don’t invent your own. Wait for the global consensus, and plan your migration accordingly.

Develop a Roadmap

Preparation is a marathon, not a sprint. Organisations should build a long-term roadmap that includes:

• Inventory and assessment: identify all cryptographic systems and dependencies.
• Prioritisation: focus first on long-term sensitive or high-exposure data.
• Testing and pilots: experiment with hybrid encryption (classical + post-quantum).
• Gradual rollout: migrate systems as standards stabilise.
• Continuous review: adapt as new algorithms mature.

This roadmap should align with broader cybersecurity and digital transformation strategies. The shift to post-quantum cryptography isn’t just a technical change, it’s an organisational one, touching policies, procurement, and partnerships.

Educate and Collaborate

As with all major shifts, human understanding will be as important as technical readiness.

Training security teams, architects, and procurement officers will be key. So will collaboration across industries, between government and private sectors, and among international partners.

Quantum preparedness isn’t a competition; it’s a collective defence. The internet, after all, is only as secure as its weakest link.

Implementation Challenges: The Roadblocks Ahead

The Urgency Paradox

Here lies the first paradox: most organisations are still struggling with today’s threats.
Unpatched servers, weak passwords, social engineering: these remain the leading causes of breaches. It’s difficult to justify investing in defences against quantum attacks when ransomware and data leaks dominate the headlines now.

Post-quantum planning should not come at the expense of basic cybersecurity hygiene. A compromised system doesn’t need quantum power to fall apart, it just needs one unpatched vulnerability.

So, while it’s essential to plan for the quantum era, it’s even more essential to survive until you get there.

The Coordination Challenge

Protecting data at rest, files stored within your control, is comparatively straightforward. You can upgrade encryption when ready, re-encrypt your archives, and control the pace of change.

Data in transit, however, is another story. Communication depends on both ends of the connection agreeing on the same cryptographic standards. Updating a single organisation’s systems won’t matter if its partners, clients, or service providers are still using classical encryption.

This interdependence means the transition must be coordinated globally. Standards bodies, regulators, and industry groups will play crucial roles in setting timelines and ensuring compatibility. The sooner organisations engage in those discussions, the smoother their journey will be.

The Performance Question

Post-quantum algorithms are, by design, more complex. They typically require larger keys and heavier computation. This means more bandwidth, more processing power, and potentially slower operations, particularly for devices with limited resources, like IoT sensors or embedded systems.

These trade-offs won’t break the internet, but they will require thoughtful engineering. Balancing performance and security will be one of the defining challenges of the transition.

The Supply Chain Factor

Cryptography rarely stands alone. It’s embedded deep within software libraries, hardware chips, and cloud platforms. Changing algorithms means coordinating with vendors, service providers, and hardware manufacturers.

For many organisations, this will mean relying on external suppliers to implement post-quantum support, and trusting that they get it right. That’s why visibility, testing, and clear procurement requirements will be vital.

In short: Preparing for the Long Game

Quantum computing doesn’t spell the end of encryption. It marks the next chapter in its evolution.

Just as past generations adapted to new threats, from mechanical ciphers to digital keys, we too will adapt. What matters now is foresight: understanding that the transition will take time, collaboration, and persistence.

The ASD’s guidance captures this balance well. Start preparing, but don’t panic. Keep perspective. The danger isn’t that the quantum future will arrive tomorrow; it’s that we’ll wait too long to be ready when it does.

For most organisations, the roadmap begins not with code, but with clarity. Know your data. Know your dependencies. Stay close to the standards.

And above all, remember that cybersecurity is never static: it’s a dialogue between innovation and defence. Quantum computing is simply the next voice entering the conversation.

When the flood finally comes, those who prepared early won’t be the ones rebuilding bridges. They’ll be the ones already crossing them.

Disclaimer: This article is not legal or regulatory advice. You should seek independent advice on your legal and regulatory obligations. The views and opinions expressed in this article are solely those of the author. These views and opinions do not necessarily represent those of AMP or its staff. Artificial Intelligence Technology was used to proof-read this article.