What Is Quantum Cyber Security?
This is part of the Quantum Security Reference Deep Dive series. For the full landscape overview, see the capstone article on quantum security.
Introduction
Quantum cyber security is the practice of protecting organizations against threats from quantum computing while preparing to adopt quantum technologies for defense. For most CISOs and security leaders, this means one thing above all else: migrating cryptographic infrastructure from classical algorithms to post-quantum cryptography (PQC) before regulatory deadlines and quantum computing advances converge.
Why Quantum Computing Changes the Security Calculus
A sufficiently powerful quantum computer will break the public-key cryptography that underpins TLS, VPNs, digital signatures, PKI, code signing, and virtually every authenticated or encrypted transaction in enterprise IT. Shor's algorithm breaks RSA and Diffie-Hellman by solving integer factorization and the discrete logarithm problem in polynomial time. It also breaks Elliptic Curve Cryptography (ECC), which recent research suggests may be easier to attack than RSA. Grover's algorithm weakens symmetric cryptography like AES by speeding up brute-force key search, though the mitigation there (larger key sizes) is straightforward.
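As an added illustration (not part of the original article) of why the symmetric-key fix is "straightforward" while the public-key problem is not: a classical exhaustive search over an $n$-bit key costs about $2^{n}$ trials, and Grover's algorithm reduces this to about $2^{n/2}$ evaluations, so the effective security level halves:

$$2^{n} \;\xrightarrow{\text{Grover}}\; 2^{n/2}, \qquad \text{AES-128: } 2^{128} \to 2^{64}, \qquad \text{AES-256: } 2^{256} \to 2^{128}.$$

Doubling the key length restores the original margin (this is the textbook bound; real Grover attacks are further constrained by the need for long sequential circuits, so it is conservative). No key-size increase rescues RSA or ECC, because Shor's algorithm runs in time polynomial in the key length rather than exponential.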
The machine capable of executing these attacks is called a Cryptographically Relevant Quantum Computer (CRQC). No one has built one yet. The resource estimates for building one keep shrinking, and my CRQC Quantum Capability Framework tracks the ten engineering capabilities that must converge before a CRQC becomes operational. The timeline is genuinely uncertain, which is precisely why the focus for security leaders should be on the deadlines that are certain rather than on Q-Day predictions that vary by a decade or more depending on who you ask.
The Threat Is Already Active
Quantum cyber security is not a problem you can defer until a CRQC exists. Two categories of attack are already underway or exploitable today.
Harvest Now, Decrypt Later (HNDL) is the interception and storage of encrypted data by adversaries who plan to decrypt it once quantum capabilities mature. Nation-state intelligence services have the collection infrastructure and the strategic patience to execute this at scale. Any data that must remain confidential for more than a decade is exposed to HNDL right now, regardless of when a CRQC arrives.
The less discussed counterpart is Trust Now, Forge Later (TNFL), a concept I introduced in 2018. TNFL targets trust rather than confidentiality: digital signatures made today with RSA or ECC could be forged retroactively by a future quantum computer. The consequences cascade through software supply chains, legal instruments, identity systems, and any domain where digital signatures establish authenticity. I have argued that signature migration should precede encryption migration because the trust infrastructure is harder to replace and the failure modes are more systemic.
What a Quantum Cyber Security Program Looks Like
For a CISO building a quantum readiness program, the work breaks down into phases that mirror other large-scale cryptographic transitions, except that the scope is broader and the interdependencies run deeper. I have described PQC migration as the largest, most complex cryptographic overhaul in IT history, with a large enterprise program spanning upwards of 120,000 discrete tasks.
The first phase is discovery. You cannot migrate what you cannot find. A cryptographic inventory catalogues where vulnerable algorithms are deployed across your enterprise, ideally formalized as a Cryptographic Bill of Materials (CBOM). If a full inventory feels overwhelming, risk-driven strategies allow you to prioritize the systems with the highest HNDL and TNFL exposure first.
Then comes assessment and planning. Mosca's inequality provides one framework for prioritization: if X, the time your data needs to remain secure, plus Y, the time it will take to migrate, exceeds Z, the time until a CRQC exists (X + Y > Z), you are already too late. The Quantum Readiness Assessment formalizes this evaluation, and the PQC Readiness Self-Assessment Scorecard provides a quick benchmark of organizational posture.
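To make the discovery and assessment phases concrete, here is an added example (my own illustration, not the article's or Applied Quantum's tooling) that takes a small constructed cryptographic inventory in CBOM style, classifies each entry by its quantum exposure (HNDL for Shor-vulnerable encryption and key exchange, TNFL for Shor-vulnerable signatures, a Grover flag for short symmetric keys), and ranks the entries with Mosca's inequality. The asset names, shelf lives, migration estimates and the 10-year Z value are all assumed sample inputs; the tie-break that puts signature assets ahead of encryption assets at equal margin follows the author's argument above.

```python
"""Toy crypto-inventory triage: classify CBOM entries by quantum exposure and
rank them with Mosca's inequality X + Y > Z. Added example; sample data is constructed."""
from dataclasses import dataclass

# Algorithm families. ML-KEM, ML-DSA and SLH-DSA are the NIST PQC standards;
# the classical set lists public-key schemes Shor's algorithm breaks.
PQC_ALGORITHMS = {"ML-KEM", "ML-DSA", "SLH-DSA"}
SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "Ed25519", "X25519"}
SYMMETRIC = {"AES"}

# Sort rank per exposure class: lower sorts first.
RANK = {"TNFL": 0, "HNDL": 0, "UNKNOWN": 1, "GROVER": 2, "OK": 3}


@dataclass
class CbomEntry:
    asset: str                # system or component name (constructed)
    algorithm: str            # algorithm family as recorded in the inventory
    key_bits: int
    purpose: str              # "encryption" (confidentiality / key exchange) or "signature"
    shelf_life_years: float   # X: how long the protected data or trust must hold
    migration_years: float    # Y: estimated time to migrate this asset


def classify(entry: CbomEntry) -> str:
    """Map an inventory entry to its quantum exposure class.

    HNDL    Shor-vulnerable encryption/key exchange: recordable now, decryptable later.
    TNFL    Shor-vulnerable signatures: forgeable retroactively.
    GROVER  symmetric cipher whose effective strength halves; a key-size upgrade suffices.
    OK      already post-quantum, or a symmetric key of at least 256 bits.
    """
    if entry.algorithm in PQC_ALGORITHMS:
        return "OK"
    if entry.algorithm in SHOR_VULNERABLE:
        return "TNFL" if entry.purpose == "signature" else "HNDL"
    if entry.algorithm in SYMMETRIC:
        # Grover reduces brute force to 2^(bits/2); 256-bit keys keep 128-bit security.
        return "OK" if entry.key_bits >= 256 else "GROVER"
    return "UNKNOWN"  # inventory gap: investigate rather than assume safe


def mosca_margin(entry: CbomEntry, years_to_crqc: float) -> float:
    """Mosca's inequality: the asset is already late when X + Y > Z, i.e. margin < 0."""
    return years_to_crqc - (entry.shelf_life_years + entry.migration_years)


def prioritize(inventory: list[CbomEntry], years_to_crqc: float) -> list[tuple[str, str, float]]:
    """Return (asset, exposure, margin) tuples, most urgent first.

    Shor-vulnerable assets come first, ordered by Mosca margin (most negative
    first); at equal margin, TNFL (signature) assets precede HNDL (encryption)
    assets, per the author's point that trust infrastructure is harder to replace.
    Unknown, Grover-only and PQC-ready entries follow, in that order.
    """
    rows = []
    for e in inventory:
        exposure = classify(e)
        rows.append((e.asset, exposure, mosca_margin(e, years_to_crqc)))
    rows.sort(key=lambda r: (RANK[r[1]], r[2], 0 if r[1] == "TNFL" else 1))
    return rows


# Constructed sample inventory (not real systems). Z = 10 years to CRQC is an assumption.
SAMPLE_INVENTORY = [
    CbomEntry("code-signing-ca", "RSA", 3072, "signature", 12, 3),
    CbomEntry("vpn-gateway", "ECDH", 256, "encryption", 8, 2),
    CbomEntry("archive-kms", "AES", 128, "encryption", 25, 1),
    CbomEntry("internal-api-tls", "ML-KEM", 768, "encryption", 1, 0.5),
    CbomEntry("hr-records-db", "RSA", 2048, "encryption", 15, 2),
]


def triage_report(years_to_crqc: float = 10.0) -> list[tuple[str, str, float]]:
    """Run the triage over the constructed sample inventory."""
    return prioritize(SAMPLE_INVENTORY, years_to_crqc)


if __name__ == "__main__":
    for asset, exposure, margin in triage_report():
        status = "LATE" if margin < 0 else "ok"
        print(f"{asset:<18} {exposure:<8} margin={margin:+.1f}y  {status}")
```

Running the block ranks the HR database and the code-signing CA as already late under a 10-year Z (15 + 2 and 12 + 3 both exceed 10), the VPN gateway as having zero margin, and the AES-128 archive as a key-size upgrade rather than an algorithm migration. Changing `years_to_crqc` shows how sensitive the whole ranking is to the Q-Day assumption, which is the article's point about preferring fixed deadlines.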
Migration itself is where the work becomes tangible. It involves deploying NIST-standardized PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) across network protocols, certificate hierarchies, key management systems, application code, and vendor integrations. Hybrid cryptography provides defense-in-depth during the transition. Crypto-agility ensures you can adapt as standards evolve.
Vendor engagement runs parallel to all of this. Most organizations depend on third-party products for their cryptographic infrastructure. Start asking vendors for their PQC roadmaps now, and include PQC requirements in new procurement decisions. The vendors who cannot answer that question are telling you something important about their own readiness.
The Deadlines Driving Action
I have argued repeatedly that the deadlines are already set, and they come from regulators, standards bodies, and technology vendors rather than from Q-Day predictions.
NSA’s CNSA 2.0 requires quantum-resistant algorithms for all new National Security System acquisitions by January 2027. Software and firmware signing must migrate by 2030. Full compliance is expected by 2035. NIST’s draft IR 8547 deprecates RSA, ECDSA, and Diffie-Hellman for federal systems by 2030 and disallows them by 2035. Google has committed to a 2029 PQC migration deadline. Cloudflare has published a phased roadmap to full post-quantum security by 2029. In Europe, NIS2 and DORA create parallel compliance pressure, and the US PQC regulatory framework is already comprehensive.
These deadlines cascade. Defense contractors must meet CNSA 2.0 timelines to retain contracts. Cloud-dependent enterprises inherit their providers’ migration timelines. Regulated industries face audit and compliance pressure whether or not a CRQC is imminent.
NIST estimates that a large agency migration takes three to five years once fully resourced. Organizations starting in 2026 are on schedule. Organizations starting in 2028 will be working on a compressed schedule. Waiting until 2030 means missing the first wave of hard deadlines entirely.
Getting Started
The Applied Quantum PQC Migration Framework provides the structured, open-source methodology for planning and executing a migration program. My practical steps guide maps the first concrete actions, and my first-year planning guide covers how to scope, resource, and govern the program. If you need a comprehensive resource for organizational readiness strategy, my forthcoming book Quantum Ready covers the full picture.
For CISOs facing budget conversations, I have also written about how to use quantum readiness to secure bigger budgets and why the negligence and liability implications of ignoring quantum risk are becoming increasingly concrete.
Go Deeper
Q-Day Deadlines Are Set — why the ecosystem clock matters more than Q-Day predictions
Getting Started With Quantum Security and PQC Migration — the structured starting point
Practical Steps to Quantum Readiness — first concrete actions for cybersecurity teams
120,000 Tasks: Why PQC Migration Is Enormous — full program plan breakdown
Planning the First Year of a Quantum Readiness Program — scoping and governance
The Quantum Threat: A Guide for Executives and Boards — board-level briefing
CISO Negligence and Personal Liability — legal exposure from inaction
Quantum Upside & Quantum Risk - Handled
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.