Introduction
Quantum computing seeks to leverage quantum mechanics to accelerate specific and complex computing tasks. Quantum computers are more efficient with certain computations than classical computers, making them a powerful complement to high-performance computing.
Despite advancements in quantum technologies, classical computers are still essential for everyday tasks. Quantum computers will depend on them for functions like controlling operations and reading results. This means quantum computers won’t fully replace classical computers.
A sufficiently powerful quantum computer could break classical asymmetric encryption methods by performing calculations that are currently too complex for classical computers. Such capable systems are known as cryptographically relevant quantum computers (CRQC).
This guidance is part of a series of quantum technology primers. To learn more, refer to our guidance on quantum.
About quantum computing
While a classical computer uses bits (0s and 1s) to process data, a quantum computer uses qubits (quantum bits). Qubits allow quantum computers to perform certain tasks much faster than classical computers, or complex calculations that would otherwise be infeasible.
For example, imagine searching for a specific name in a long list. A classical computer follows a step-based process to find the name. A quantum computer could, in special cases, use quantum principles like superposition to make the search faster and more efficient.
The impact on cyber security
Quantum computing has the potential to disrupt some current cryptography. As CRQCs emerge, organisations will need to rely on quantum-resistant cryptography — known as post-quantum cryptography (PQC) — to maintain the security of systems and data.
It is crucial that organisations understand the risks and challenges quantum computing poses. Rapid advancements in quantum computing are narrowing the window to prepare, making early action crucial to avoid future vulnerabilities.
As quantum computing becomes more prevalent, it may bring unforeseen disruptions to the cyber security landscape. This includes quantum processing units potentially being integrated into classical computing environments. Organisations should monitor quantum computing developments and remain ready to respond to novel threats.
Quantum computers are likely to remain specialised, high-cost systems comparable to mainframes. Network segmentation and controlled access to quantum resources will be critical to reducing attack surface and preventing misuse.
Cyber security risks
Quantum computing introduces a range of cyber security considerations for network owners. While a CRQC does not yet exist, following proactive cyber security best practices is more secure than relying on reactive measures.
The following are some potential risks organisations should factor into their cyber security plans and posture.
Cryptographic vulnerability resulting from cryptographically relevant quantum computers
CRQCs represent a future generation of quantum computers, capable of solving specific and complex problems that are infeasible for classical computers. They may need many millions of physical qubits to remain connected and perform useful calculations while generating almost no noise.
The presence of a CRQC will, at first, threaten the security of systems that rely on classical asymmetric cryptographic algorithms. This poses a major risk to encrypted data, secure communications and digital signatures.
To mitigate these risks, organisations should start transitioning to quantum-resistant algorithms by planning for post-quantum cryptography. Early action not only strengthens resilience but also aligns with cyber security best practice, helping protect systems and assets from the potential impact of a CRQC before it emerges.
'Harvest now, decrypt later’ attacks
'Harvest now, decrypt later' (HNDL) is an attack method where malicious actors collect encrypted data even if they cannot decrypt it yet. They store this data to decrypt it in the future using technologies that will be more powerful, such as a CRQC.
HNDL attacks are of particular concern for current encrypted data that is highly sensitive or classified. Organisations should assume that any encrypted data collected today could become readable in the future. This highlights the need for organisations to plan for their PQC transition early.
Supply chain risks
Quantum technologies may depend on specialised materials or vendors. The associated hardware and firmware could be prone to tampering, counterfeit parts or malicious implants.
Organisations should consider establishing a verifiable chain of trust across hardware, firmware and software components to support supply chain integrity. It is important to assess vendors for secure development practices and require transparency across the supply chain.
Cloud application programming interface vulnerabilities
Some vendors offer quantum-computing services through hosted cloud platforms. This allows remote access to quantum processors through an application programming interface. These access points can introduce vectors for exploitation, resulting in unauthorised access or use, manipulation of quantum jobs, or denial-of-service attacks.
Both vendors and their customers should consider applying strong authentication and access controls to the security layers around quantum technologies. Using rate-limiting, and continuous monitoring can also help detect abnormal activity. These measures reflect a shared responsibility model, requiring both parties to manage their respective roles actively to ensure secure and trustworthy use of cloud services.
Lack of expertise and resources
Organisations may struggle to find, train and retain staff with sufficient expertise in quantum computing and PQC. A gap in skills can lead to delays in PQC transition, misconfigurations, and implementation errors.
Organisations should consider investing in targeted training and certification programs. Complement these efforts by forming cross-disciplinary teams that combine expertise in cryptography, quantum technologies, software development, engineering, and network architecture.