• The potential benefits of quantum computing are profound, but so are the hazards
• Without strategic planning, massive disruption of critical infrastructure is very possible when ‘Q-Day’ arrives 
• A recent report finds quantum computing is “not top priority for C-suite executives”
• There is little sense of the potential dangers posed by quantum computing and a lack of urgency at many organisations

Do you remember Y2K – the dreaded Millennium Bug? It was the shorthand used to refer to the havoc that, it was claimed, would bring much of the world to a halt as the year 1999 ticked over into 2000 and global IT and communications systems would crash and bring civilization to its knees. There was massive scaremongering and panic in the run-up to that New Year and many companies made a lot of money by pushing the (expensive) solutions that they professed would solve the apparently intractable problem that tech systems would be unable to cope when the year, registered using two digits, switched from 99 to 00. 

But the year 2000 arrived, computer programs continued to function and the predicted mayhem never materialised: Y2K turned out to be pretty much a non-event. 

Now, a generation later, we are facing a much more serious threat. Q-Day – aka Y2Q – will be a point in the indeterminate but relatively near-term future when the proliferation of quantum computers will render even the most sophisticated of today’s encryption methods null and void – and that could trigger a very real global crisis.

Currently (and as far as we know), quantum computers are not advanced or powerful enough to break cryptographic algorithms, but we do know they’ll get there, and probably sooner rather than later. 

Fortunately, since as far back as 2006, various far-sighted agencies bodies, such as the European Telecommunications Standards Institute (ETSI), the Institute for Quantum Computing and the US National Institute of Standards and Technology (NIST), have been working on post-quantum cryptography (PQC) solutions. Indeed, as TelecomTV reported last year, NIST has already issued the first three encryption algorithms developed to resist and negate attacks made by quantum computers against digital security defences, including those deployed in communications network infrastructure.

Defence strategies are being honed and solution development timelines accelerated in light of so-called ‘harvest-now, decrypt-later’ programs developed by nation states (one of which is known to be China) and ‘malign actor’ criminal gangs (that often operate with the tacit approval or overt support of some governments). These programs are used to swipe all manner of data – military, financial, legal, R&D, healthcare records, anything in fact – encrypted using today’s algorithms and then store it until Q-Day, when a quantum computer will be ready and available to decode it in minutes or even seconds.

The harvesting is already underway, but when might Q-Day arrive on our calendars? 

Quantum Threat Timeline report

The Global Risk Institute (GRI) is a Toronto, Canada-based research house specialising in risk management, predominantly in the financial sector. It identifies, assesses and defines strategies to mitigate risks that can impact an organisation’s national and international operations to ensure business continuity and compliance and then brings together leaders from industry, academia and governments to provide actionable strategies to counter emerging risks. The GRI recently published its Quantum Threat Timeline 2025 report that covers the emergence of a cryptographically relevant quantum computer (CRQC) and the associated quantum threat to cryptography. 

The report is based on interviews held with senior executives from financial service organisations and regulators as well as inputs from the telecom and IT communities. It makes disquieting reading in that, 12 months on from the GRI’s previous such report, many respondents continue to believe that “quantum computing is not a top priority for C-suite executives”. They also retain the perception that regulators have the power to enforce change and that “some migration to the new technology will be handled by vendors” and third-party suppliers.

The key findings of the new report are that organisational leadership is now at least “conversant” with quantum security issues, but “considerable diversity” still pertains on when and how quantum migration efforts might begin, although respondents were satisfied there is “sufficient information available from multiple sources to inform decision-makers and track developments.” 

Meanwhile, “most” participants are familiar with the new NIST PQC standards and agree that they will “trigger rapid changes in the capabilities being offered by cryptographic security providers”. Simultaneously, all interviewees agreed that AI is a significant new business capability (whilst also being a threat) and is having an impact on quantum computing discussions. Some regard AI and quantum computing as complementary technologies, arguing that quantum computers could be used to increase the business benefits that AI can confer.

Overall, it seems to be complacency writ large, with major organisations and institutions taking little cognisance of today’s changing realities and the existential threats that comes from inaction. The report does note that “events of 2024, such as publication of the first PQC standards, the amplification of AI in the public eye, and changes arising from international politics or conflict” have somewhat piqued the interest of organisations in regard to the quantum threat to established practices and systems, but the response is characterised as lacking urgency. It seems that whilst the financial sector “generally” follows key developments in quantum-safe or quantum-proof technology developments, other sectors are waiting for “some event” to spur it into action. Any post-event action is bound to be far too little, far too late. 

Most companies in sectors such as telecom and digital/IT services seem to be passively sitting back in the belief that whilst media announcements and coverage suggests that far-reaching advances in quantum capability are happening constantly, there is no evidence that a cryptographically relevant quantum computer has yet been produced. The attitude seems to be – “let’s just ignore the problem until something really scary appears and then we’ll explode into action and defeat it.” That is not a sensible strategy and is prima facie evidence that the quantum computing threat is still not of serious concern to most economic sectors. 

One of the co-authors of the Quantum Threat Timeline, Michele Mosca, reminds readers that, according to the report’s forecast, there’s a 33% chance that Q-Day will hit us before 2035 – and that timeline presupposes there won’t be a sudden discovery that brings that day closer to 2030. You’d think that figure might galvanise immediate action, but it hasn’t – at least not yet.

How to prepare and defend against Q-Day 

So, what might happen when Q-Day dawns? Is there anything that can be used to prepare and defend against it? Much will depend on just who has access to the first cryptographically relevant quantum computers. The attacks might happen en masse and overwhelmingly over a very short timeframe or reveal themselves on apparently random later dates. 

For example, on the first day, a national electricity grid might go down, on the next, airline systems, and on the next day, the banking system collapses and so on.  

Meanwhile, the uptake and deployment of PQC capabilities will depend on how far they can be incorporated in vendor and service provider products. That said, the journey to quantum safety will not be based solely on post-quantum cryptography but also boosting existing yet old-fashioned systems and instituting it in organisations and enterprises that didn’t have it in the first place.

After all, masses of data remain unencrypted and many companies continue to use dated and depreciating cryptography that is known to be vulnerable to attacks from classical computers, never mind quantum engines. Some organisations are exploring the possibility of hybrid cryptography, but notions of how that would work in a quantum world so far remain nebulous.

Various western governments are suggesting that the best way for organisations to begin to protect themselves against Q-Day is to address their quantum vulnerabilities now by following a ‘quantum security blueprint’ – essentially a quantum playbook – to help prioritise and navigate the complexities of this threat and to develop strategies, implement quantum-safe technologies and educate staff about quantum threats.

It is recommended the blueprint should include risk assessment, cryptographic transition plans, training and trading awareness programmes, incident response plans, collaboration frameworks and regulatory compliance measures. It’s a lot, but organisations do not start from zero: Existing cybersecurity frameworks can be adapted to include quantum-specific considerations. Organisations can also use other foundations on which to build the superstructure of their plan to deflect/deny quantum-driven intrusions that can serve as models, such as advice from the US Cybersecurity and Infrastructure Security Agency (CISA) and the EU Digital Operational Resilience Act (DORA). 

Any organisational, institutional or enterprise strategies should plan for “defence-in depth” and ensure “crypto resilience” by guaranteeing access to different types of quantum-resistant cryptographic technologies, so that if one type is compromised, another level of layer protection can replace it. Strategies should also be “crypto agile”, which means the ability to switch between cryptographic algorithms and protocols without any significant or lengthy disruption. Then there’s “layered network cryptography”, where protection is afforded across different levels of the network to complement application-layer cryptography.

Well, it’s a starting point. Let’s hope by the time GRI publishes next year’s Quantum Threat Timeline report, the top brass of organisations will have moved on from smug complacency about quantum computing not being “a top priority for C-suite executives” and might be more than just “conversant” with quantum security issues. If they haven’t, they’ll find out the hard way that Q-Day could be very, very different from the non-event of the Millennium Bug. This time it’s serious.

– Martyn Warwick, Editor in Chief, TelecomTV