
Quantum computing risk
A new type of computer is on the horizon: a quantum computer. This has been labeled the quantum computing risk. This computer is supposed to be so powerful that it can break all current forms of encryption and end privacy and security as we know them. The question is: is this hype, FUD, or a real risk we should all be worried about? If you know anything about us, you know that we don’t believe in telling you what to think; we believe in giving you the data you need to make your own informed decision. If you are wondering what FUD is, it stands for fear, uncertainty, and doubt, and it is about causing those three things in folks for the sole purpose of spreading them. We’ve published a few articles on this topic before; take a look at the „What is FUD“ and „Debunking FUD“ articles for more.
For the last five years or so, there have been articles predicting that quantum computers will be available in the next five years, but those predictions haven’t held up too well. There is, though, no doubt that serious progress is being made in this space, so quantum computers are absolutely real and will be available sooner or later. We need to dissect what „available“ means, and we will do that in a bit.
What is Quantum computer
First, let us dig into what a quantum computer is and what it does. Quantum computing is not a faster general-purpose computer. It’s a specialized co-processor that’s only dramatically better than classical computers for a narrow set of specific problem types, like molecular simulation, certain optimization problems, and breaking encryption. For the vast majority of workloads a typical company runs (databases, web apps, analytics, ERP, CRM, etc.), quantum computers offer zero advantage and plenty of disadvantages. Classical computers will still handle 99% of everyday tasks; quantum is designed to complement them for niche tasks, not replace them. The „solving problems thousands of times faster“ headlines apply only to very specific use cases.
The Threat
The breaking encryption part is real and very concerning, but the question is to whom. For starters, if you have secrets that need to remain secret for the next 20 years and beyond, you need to start preparing today. For 99.99999% of folks and companies, this does not apply. The vast majority of data being encrypted today will be obsolete and irrelevant in 5 years, long before quantum computers are even close to being viable. In scientific papers, this is called the „harvest now, decrypt later“ issue. And as we’ve outlined, this isn’t something most folk should worry about. For those who need to be worried about it, they are likely not reading this blog and have already studied the NIST PQC papers with the solution.
Harvest now, decrypt later scenario
Let’s dig into this „harvest now, decrypt later“ issue, what it is, how it works, and why it matters. Let’s shorten the name to HNDL. For those not experts in networking, it’s important to understand the basics. Anything you send between two computers, whether over the office network or the internet, is broken into many small packets, put on the wire, and then reassembled at the other end. Anyone listening on the wire can capture those packages, reassemble them, and have a copy of what was being transmitted. This is the scenario upon which the HNDL threat is based. If the traffic is encrypted, even if someone captures and reassembles the packets and, in a sense, has a copy of what was transmitted, they can’t read it because they don’t have the key. Just like a physical lock, encryption relies on keys to lock and unlock the secrets.
For encryption to work in communication scenarios, there must be a secure way to exchange keys online. How this works is explained in our article, „Internet connection security: HTTPS and VPN„. Today, this is perfectly safe, but it’s here that the HNDL issue arises and where quantum computing poses a real threat to cybersecurity. There is a well-known vulnerability in Transport Layer Security (TLS), which underpins all internet security today, including all key exchange protocols. However, as discussed in previous articles and our training, just because you have a vulnerability doesn’t mean you have a risk. You need to have means, opportunity, and motive before a vulnerability can become a risk. Today’s computers don’t have the computing power to exploit this vulnerability in the TLS protocol, but quantum computers are said to have more than enough power to turn it into a risk. The good news is that those computers are a decade or two from having that capability.
The risk then is that someone is listening in on your network transmissions, capturing everything being said, both the encrypted data and the key exchange, then storing it for a decade or two. Once quantum computers are available, they will use them to break the key exchange, thereby obtaining the key and unlocking the secret. This only applies to data in transit. For data at rest, the technical term for any data saved on a hard disk, any harvest action would involve actually stealing the disk, which is a much harder problem. In most cases, hard drives are not encrypted with a key obtained from a key exchange. If it is, and the public key is truly public and you lose the drive, then you’re in trouble. But none of that is standard or best practice. So as long as you follow best practices, data encrypted on hard drives or removable media should not be at risk.
So if you have data that needs to remain secret for decades to come, meaning anyone getting a copy today could use it in a decade or two, with significant operational impact, don’t send that data over networks where you can’t be sure no one is listening. Store on fully encrypted hard drives following current best practices. If you need to send the data outside your trusted zones, copy it to encrypted removable media, such as drives from Kobra Infosec, and send it to another location via physical couriers. Moreover, make sure all backups are stored on equally secure, encrypted media.
Other quantum computing risk scenarios
Anyway, let’s get back to the main point. The scenario that actually matters for most organizations is the live attack, the point at which a quantum computer can break encryption in real time or near-real time. That’s when:
- Someone intercepts your HTTPS traffic and reads it on the fly
- Your VPN is no longer private
- Ransomware actors can break into systems that rely on asymmetric encryption for access control (the type of encryption used by TLS).
This is the scenario that needs a little more digging. Let’s first look at the environmental requirements for a quantum computer. Today’s quantum computers need to operate at temperatures between 0 and 2 degrees Kelvin, which is colder than -271 degrees Celsius or -456 degrees Fahrenheit. This simple requirement is not easily achieved, and only very specialized labs have reached that level of cold. I read somewhere that this is colder than outer space by a factor of roughly 180.
This kind of cold is expensive, rare, and cannot be mass-produced today. You can’t simply stroll out to your local cooling vendor and order a unit to get your basement down to this level of cold. The heat generated by the computer and all the cabling required compound this problem. To change this problem would require a scientific breakthrough that violates all current laws of physics, including any theoretical ones.
So chances are good that’s not happening in our lifetime. That being said, breakthroughs happen when you least expect them, so we never know. The other requirement is absolute silence and vibration less than 400 micrometers per second; that is about the size of a grain of sand. If the air around the computer moves by more than a grain of sand or the platform it is on moves that much, you have a huge problem.
I haven’t fully grasped how quantum computers actually work, but it’s an entirely new way of computing; this isn’t just a new type of CPU. You seem to need a PhD in quantum physics to really get how this works. There is something called a quantum state that the computer needs to achieve to even function, and the two environmental factors mentioned above must be present before this can be attempted. Even just a hum undetectable to the human ear, or vibration at over 400 micrometers per second, will literally crash the quantum computer. As I said, I’m struggling to wrap my head around this, but I can understand that it is a monumental problem that will require a dedicated, purpose-built data center. This significantly reduces the chances that this type of computer will be readily available. Time will tell how much progress will be made on this front in the coming years.
Given the expected scarcity of quantum computers for the first few decades, the live capture scenario isn’t really feasible. To decrypt in near real time, you need to capture the traffic and send it to the quantum computer in real time, which poses a long list of technical challenges, plus requires a lot of computing time from the quantum computer.
There is chatter that those with enough funds can rent time on a quantum computer, much like how the mainframes used to work back in the day. The most likely scenario is that such a time slice will cost no less than one million US dollars per hour, if not by minute. This is the scenario that is being talked about when folks say quantum computers will be available in 5-10 years’ time.
So if you’ve got a secret that someone might be willing to shell out a few dozen million US dollars to get their hands on, you might want to start preparing. Otherwise, I wouldn’t worry about it.
Conclusion
This so-called quantum computing risk is the purest form of FUD there is. Even saying it is theoretically a problem is a bit of a stretch. The only thing worth worrying about is if you’ve got data that must remain confidential for decades to come, then you are vulnerable to the „harvest now, decrypt later“ issue, and you should already be working on your remediation plan. For anyone else, there is nothing to worry about.
That bullet list above, those don’t actually need quantum computers to be a threat. Let’s look at that:
- Someone intercepts your HTTPS traffic and reads it on the fly by installing malware on your computer. The threat actor got you to open up an email attachment, which installed the malware, likely while you thought you were playing a game.
- Your VPN is no longer private. Same scenario as above.
- Ransomware actors can already break into systems that rely on asymmetric encryption for access control by phishing for the encryption key.
By the time quantum computing is readily available, the live-capture scenario won’t be possible, since all crypto protocols will have been updated by then.
The only scenario worth worrying about is the HNCL scenario described above, which applies only to those with secrets that someone is willing to steal today and then wait 20 years to use. Even for that very narrow scenario, there is a very actionable compensating control (technical term for an action plan) available today that can eliminate that risk factor.
As always, if you have any questions or need help with this, please reach out, and we’ll be more than happy to help.

