II

The Cryptographic Threat

Section II

The cryptographic threat, in plain terms.

What a sufficiently powerful quantum computer actually does to today's encryption — and why nation-state adversaries are already collecting our data.


A. What a Quantum Computer Actually Does to Your Security

Nearly every authenticated, private exchange on the internet — a customer logging in, a wire transfer clearing, a software update installing, a physician retrieving a patient file — is protected by a family of cryptographic techniques called asymmetric cryptography. The technical names for its main forms are “RSA,” “elliptic curve,” and “Diffie-Hellman.” What they all have in common is that their security rests on mathematical equations that today's computers, even the biggest supercomputers, cannot solve within any useful amount of time.

The science underlying quantum technology is not in dispute. In 1994, the mathematician Peter Shor proved that a sufficiently powerful quantum computer could solve the same math equations efficiently. What remains uncertain is the engineering timeline — how many years until a cryptographically relevant quantum computer (“CRQC”) is built. When that machine is built, encrypted web traffic will become readable. Digital signatures will become forgeable. The code-based infrastructure that certifies a software update came from the vendor, the private networks that carry remote-work traffic, encrypted email, cryptocurrency wallets, and the identity infrastructure underneath every secure website all lose their core security guarantee at the same moment.

B. “Harvest Now, Decrypt Later”

The industry abbreviation is HNDL: harvest now, decrypt later. The practice is documented and unambiguous. Nation-state intelligence services and sophisticated criminal enterprises are intercepting and storing encrypted traffic today, on the expectation that the keys will become available in the coming decade. Information with a long confidentiality half-life — trade secrets, merger deal books, personnel files, source code, litigation work product, attorney-client communications, clinical trial data, national security information — is likely already in hostile hands. Only the key is missing, and it is only a matter of time until the key is produced.

The encryption protecting your 2026 data must survive not only the adversary of 2026, but the adversary of 2036.

C. The Timeline That Actually Matters to the Organization and Its Data

Expert estimates of when a CRQC will arrive range broadly, but many in the U.S. government expect it to occur at some point in the 2030s. That range is not reassuring. A responsible organization should assume CRQC is just a few years away and act accordingly.

The Mosca Inequality

A formula every board should know.

The cryptographer Michele Mosca framed the governance question as a simple inequality. Add the number of years your data must stay confidential (X) to the number of years migration will take (Y). If that sum exceeds the years until a quantum computer arrives (Z) —

X + Y  >  Z

— you are already too late. The job of organizational leaders in the c-suite and on the board is to manage X and Y so the organization is prepared.

Migration can take years.

Enterprise cryptographic transitions for mature organizations can go on for years. For context, the industry-wide moves from SHA-1, which was used for digital signatures and password storage, to SHA-2, and from TLS 1.0 to TLS 1.2, each took well over a decade — and neither migration is fully complete. Post-quantum migration is larger in scope than either, because it touches nearly every system that authenticates a user, signs a piece of code, or encrypts traffic between two parties.

Put plainly: an organization that does not begin the important work of hardening its systems to combat security risks posed by quantum until 2028 or 2029 risks finding itself with little effective protection against a quantum-based cyber assault — and having to explain to its stakeholders why action to prepare was not taken sooner.