As quantum computing advances, the threat of “Q-Day” is closer than we think. Christopher Pope, MBA, CISSP, CCSP explained how cybersecurity leaders can prepare for a post-quantum future, mitigate “harvest-now, decrypt-later” risks and build resilient encryption strategies.

Christopher Pope, MBA, CISSP, CCSP

In the evolving world of cybersecurity, few topics generate as much uncertainty and urgency as post-quantum cryptography. Once a distant fear, the concept of “Q-Day,” the moment quantum computers can break current encryption keys, is now a clear and present danger. Much like Y2K, Q-Day poses a considerable challenge for IT and cybersecurity professionals who are tasked with preparing their organizations for a post-quantum future. Even though Q-Day does not have an X-marks-the-spot date, as Y2K did, preparation must begin now.

In “Leading Security into a Post-Quantum Future,” Christopher Pope, MBA, CISSP, CCSP, Manager, DevOps at ExxonMobil, asked during his presentation at ISC2 Security Congress in Nashville, “How far away is Q-Day?” That question is no longer merely rhetorical; it is a practical one. To answer it, Pope explained, “Rough estimates suggest that breaking 2048-bit RSA keys in a matter of hours could take on the order of one million physical qubits,” adding that “Currently, the two largest quantum computers have a little more than 1,000 physical qubits.” Based on those calculations and considering the major challenges with “error correction, quantum stability and other obstacles to overcome while scaling up,” many advisory services and industry commentators “generally assume 5-15 years from today.”

Getting Ready for the Age of Quantum Computing

The key to effective preparation is striking a balance between strategic foresight and practical urgency. As Pope emphasized, “Q-Day has an uncertain deadline. We don't have that date on the calendar yet, but we know it's coming, and it has a likely widespread impact on the security of the vast majority of the data that's encrypted today.” Focusing his advice primarily on data in transit, Pope pointed out several challenges facing cybersecurity professionals who are committed to staying ahead of nation-state adversaries and other threat actors intent on breaking traditional public-key encryption algorithms such as RSA:

  • Creating a long-term strategy vs. the desire for short-term returns
  • Emerging technology that is not well understood in most enterprises
  • Managing “splashier” threat vectors that demand more attention and investment
  • Recognizing that best practices and industry guidance are still taking shape

Against this backdrop, one thing about the quantum threat is clear: All eyes should be on “capture-now, decrypt-later” attacks.

Capture-Now, Decrypt-Later Attacks in a Post-Quantum Future

According to Pope, “capture-now, decrypt-later” attacks are typically perpetrated by nation-state actors, who are the most likely to achieve a decryption breakthrough with quantum computing resources. Pope mapped out a variety of approaches that nation-state actors can use, such as:

  • Exploiting routing weaknesses to reroute Internet traffic
  • Capturing encrypted data from cloud providers
  • Compromised devices

Pope warned the audience that “Likely many attacks are unknown and unrecognized,” so one line of defense is recognizing that “Today’s targets are high-value data that would still have relevance in 10-15 years.” The more such enticing data accumulates, the more adversaries are motivated to plan capture-now, decrypt-later attacks. Indeed, sensitive data (ranging from trade secrets to long-term business strategies) is being intercepted today with the intent of decrypting it tomorrow.

Even though “post-quantum encryption continues to be an emerging technology that's not well understood in many enterprises,” and it “requires a level of strategic thinking” that is often superseded by other priorities, Pope did outline several architectural approaches that underpin post-quantum encryption algorithms. These include hash-based and code-based PQE approaches, as well as lattice-based PQE approaches. He noted that, “Many lattice problems are well-studied, and are considered resistant to classical and quantum attacks.” In fact, “three of the five post-quantum encryption proposals selected by NIST are lattice-based schemes.”

Planning For the Post-Quantum Future

How can you guide your organization into a post-quantum future? One of the first hurdles is gaining executive buy-in without triggering alarm fatigue. As Pope explained, the trick is “creating awareness without crying wolf because, when we start off working with our senior leadership, some of whom may have heard the warnings about post-quantum encryption, they may have that view of post-quantum encryption and Q-Day as being something that it's always kind of over the horizon.” Given the urgency, the right time to start was yesterday.

Pope suggests that cybersecurity teams:

  • Focus on strategy vs. urgency
  • Balance uncertainty (around exact timing) with certainty when painting a picture of the road toward Q-Day
    • Emphasize that harvest-now, decrypt-later is now underway
    • Explain that the quantum computing field continues to advance
  • Discuss with executive leadership some concrete examples of enterprise data that is potentially at risk

Developing An Actionable Post-Quantum Computing Plan and Timeline

Framing readiness as a competitive advantage, especially in industries where intellectual property is a prime target, can help shift the conversation from fear to foresight. Accordingly, Pope suggested taking specific action:

  • Focus on the highest (immediate) priority, which in most cases is communications that may contain sensitive data with long-term value
  • Consistently emphasize post-quantum security validation in vendor analysis and management processes
  • Establish a process for testing and validating vendor claims of post-quantum security for high- and medium-sensitivity use cases
  • For lower-sensitivity data, migrate away from vendors/providers with no post-quantum remediation timeline
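The four actions above amount to a triage rule: rank each data-in-transit channel by sensitivity, by how long captured traffic would stay valuable (the 10-15 year horizon Pope cites), and by whether the vendor has a remediation timeline. The script below, added here as an illustration and not tooling from the talk, ExxonMobil or ISC2, applies that rule to a constructed inventory. It uses the 5-year near edge of the “5-15 years” Q-Day estimate and a hypothetical two-year migration time per channel; the exposure test is Mosca's inequality (shelf life + migration time > years until Q-Day), which is added framing rather than something the article states.

```python
"""Triage data-in-transit channels for post-quantum migration.

Added example. The inventory, the migration estimate and the key-exchange
labels are constructed assumptions, not real systems or vendor data.
"""
from dataclasses import dataclass

# Q-Day window quoted in the talk: "generally assume 5-15 years from today".
# The earliest edge drives harvest-now, decrypt-later planning.
QDAY_EARLIEST_YEARS = 5

# Hypothetical assumption: years needed to migrate one channel once started.
DEFAULT_MIGRATION_YEARS = 2

# Key exchange resting on factoring or discrete logs (quantum-breakable).
CLASSICAL_KEX = {"RSA", "DHE", "ECDHE"}
# Post-quantum or hybrid key exchange (FIPS 203 ML-KEM and its TLS hybrids).
PQ_KEX = {"ML-KEM-768", "X25519MLKEM768", "SecP256r1MLKEM768"}

PRIORITY_ORDER = ["immediate", "validate-vendor", "migrate-away", "monitor", "already-pq"]


@dataclass(frozen=True)
class Channel:
    name: str
    sensitivity: str          # "high", "medium" or "low"
    shelf_life_years: int     # how long captured traffic would still be valuable
    key_exchange: str         # mechanism negotiated today
    vendor_pq_timeline: bool  # vendor has published a post-quantum remediation timeline


def at_risk(channel: Channel, migration_years: int = DEFAULT_MIGRATION_YEARS) -> bool:
    """Harvest-now, decrypt-later exposure (Mosca's inequality, added framing):
    traffic captured today still matters after migration finishes and after the
    earliest plausible Q-Day, i.e. shelf_life + migration > years_until_qday."""
    if channel.key_exchange in PQ_KEX:
        return False
    return channel.shelf_life_years + migration_years > QDAY_EARLIEST_YEARS


def classify(channel: Channel, migration_years: int = DEFAULT_MIGRATION_YEARS) -> str:
    """Map one channel to one of the four actions from the talk."""
    if channel.key_exchange in PQ_KEX:
        return "already-pq"
    if channel.key_exchange not in CLASSICAL_KEX:
        raise ValueError(f"unknown key exchange: {channel.key_exchange}")
    if channel.sensitivity == "low":
        # Action 4: for lower-sensitivity data, leave vendors with no timeline.
        return "monitor" if channel.vendor_pq_timeline else "migrate-away"
    if not at_risk(channel, migration_years):
        return "monitor"
    if channel.sensitivity == "high":
        # Action 1: sensitive data with long-term value is the immediate priority.
        return "immediate"
    # Action 3: medium sensitivity gets vendor-claim testing and validation.
    return "validate-vendor"


def prioritize(inventory, migration_years: int = DEFAULT_MIGRATION_YEARS):
    """Return (name, action) pairs, most urgent first, longest shelf life first within a tier."""
    ranked = [(classify(c, migration_years), c) for c in inventory]
    ranked.sort(key=lambda item: (PRIORITY_ORDER.index(item[0]), -item[1].shelf_life_years))
    return [(c.name, action) for action, c in ranked]


# Constructed sample inventory (fictional channels, not real systems).
SAMPLE_INVENTORY = [
    Channel("trade-secret replication to DR site", "high", 20, "RSA", False),
    Channel("M&A deal-room sync", "high", 12, "ECDHE", True),
    Channel("HR benefits portal", "medium", 8, "ECDHE", True),
    Channel("CI artifact mirror", "medium", 2, "ECDHE", True),
    Channel("marketing newsletter API", "low", 1, "ECDHE", False),
    Channel("partner VPN", "high", 10, "X25519MLKEM768", True),
]

if __name__ == "__main__":
    for name, action in prioritize(SAMPLE_INVENTORY):
        print(f"{action:16} {name}")
```

Running it lists the two long-lived high-sensitivity channels first, the medium one with an eight-year shelf life next for vendor validation, the low-sensitivity channel whose vendor has no timeline as a candidate to move away from, and the CI mirror (whose two-year shelf life ends before the earliest Q-Day estimate) as monitor only. Changing `QDAY_EARLIEST_YEARS` or the migration estimate shows how sensitive the ranking is to those two assumptions, which is exactly the uncertainty Pope asks leaders to present honestly.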

Pope summed up his talk with the following takeaways for cybersecurity practitioners and leaders:

  • Q-Day isn’t here yet, but it’s on the foreseeable horizon
  • Exposure to harvest-now, decrypt-later attacks is a present-day reality
  • To avoid a costly “fire drill” later, IT leaders must:
    • Proactively spearhead the creation of a prioritized action plan
    • Engage vendors regarding post-quantum security
    • Update skills and processes for long-term resilience

Preparing for the post-quantum era isn’t about panic. Instead, it’s about planning. By creating awareness, cybersecurity professionals can guide their organizations through a measured, strategic transition.

Learn more about the ISC2 Quantum Taskforce.
