Quantum threats are real — is your security ready?
Advances in quantum computing present a significant threat to the security of modern digital communications. There’s no doubt that quantum computers will facilitate breakthroughs in a range of fields, from biopharma to financial services. But cybercriminals will also harness these powerful machines to break commonly used encryption techniques, putting vast amounts of sensitive data at risk.
We’ve been hearing about the threats that quantum computers present for some time, but nothing bad has happened yet. Why should we be concerned now?
First of all, healthy competition and substantial investment from major players, including Google, AWS, Microsoft, and IBM, are accelerating the development of quantum computers — and therefore accelerating the timeline for new cybersecurity threats.
But more importantly, attackers are already preparing for the quantum era. They are intercepting and storing currently encrypted communications and sensitive data with the intent of decrypting them in the future. This “harvest now, decrypt later” threat is a critical and immediate concern for all organizations.
Enter post-quantum cryptography (PQC). PQC defines the next generation of cryptographic algorithms, designed to resist attacks from powerful quantum computers. PQC helps ensure that confidential data remains secure even when current encryption methods become obsolete.
Experts in the field of cryptography and national cybersecurity bodies agree that the likelihood of breaking traditional cryptographic algorithms is 10 to 15 years away. But the immediate “harvest now, decrypt later” threat — plus the potentially lengthy process of implementing PQC across all systems — means that organizations must start preparing now for their post-quantum future.
Why quantum computing threatens today's encryption
Encryption is the cornerstone of digital security and is based on mathematical problems that classical computers find extremely difficult to solve. For decades, we've relied on public-key cryptography methods such as Rivest-Shamir-Adleman (RSA) and elliptic curve cryptography (ECC), trusting that mathematical complexity would keep our data safe. But quantum computers, with their ability to perform calculations at unimaginable speeds are set to threaten the confidentiality of encrypted data.
Quantum computers harness quantum mechanics to rapidly and simultaneously solve problems that are nearly impossible for classical machines. Algorithms like Shor’s algorithm will soon enable quantum computers to dismantle current encryption standards in seconds. For comparison, these same tasks would require many millions, or even billions of years for classical computers to complete.
Quantum computing is no longer theoretical. Right now, multiple companies are working on machines that will eventually have the ability to break the cryptographic mechanisms we’ve traditionally relied on to secure modern communications. Recent breakthroughs such as Google’s Willow quantum chip, Microsoft’s Majorana 1 chip, and Amazon’s Ocelot chip underscore the speed at which this technology is developing.
Experts predict a 10- to 15-year time horizon for the arrival of practical quantum computers is likely. But unexpected advances in large-scale, fault-tolerant quantum systems could potentially accelerate this timeline.
And again, there is an immediate threat that is happening right now. The "harvest now, decrypt later" strategy means that as soon as quantum computers are available, cybercriminals will have an enormous pool of data that they can decrypt and exploit. It's no exaggeration to say that the first large-scale use case for quantum computing could be the illegal decryption of massive amounts of stolen data.
Defending against quantum attacks with post-quantum cryptography
PQC represents the strongest countermeasure to quantum threats. This suite of encryption algorithms is specifically engineered to withstand attacks from both classical and quantum computers. Instead of integer factorization or discrete logarithm problems, PQC relies on mathematically complex problems that quantum computers can’t solve easily.
The push to adopt PQC is already underway. In 2024, the National Institute of Standards and Technology (NIST) locked in standards to guide this shift, covering everything from general data encryption to securing digital signatures. One standout is FIPS 203, based on the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), which establishes session keys in TLS connections to safeguard data. Meanwhile, new signature schemes FIPS 204 and FIPS 205 are proposed for replacing RSA and the elliptic curve digital signature algorithm (ECDSA) to block impersonation and tampering, though they come with trade-offs like bigger sizes and performance quirks that demand a gradual rollout.
How can you build a quantum-safe future?
Quantum security isn't simply about replacing outdated algorithms. Migration to PQC should be planned and implemented similar to any other technology transformation program and follow similar principles. The scale of transformation will depend on the size of each organization and the complexity of their infrastructure. This migration should part of a larger, strategic shift toward crypto agility — the ability to replace and adapt cryptographic algorithms without interrupting the flow of running systems, as NIST defines the term.
Here are four key considerations when planning your migration to PQC:
Step 1: Inventory your encryption landscape
Assess how and where your organization currently uses public-key encryption and digital signatures across all servers, networks, software, and applications. This provides visibility into potential quantum vulnerabilities.
Step 2: Secure data in transit
Protect data transmitted across networks by implementing quantum-resistant session keys. Address threats such as "harvest now, decrypt later" attacks by following evolving standards from organizations like NIST and the Internet Engineering Task Force (IETF). Thoroughly test these implementations to identify potential performance impacts or compatibility issues.
Step 3: Secure data at rest
Create a proactive strategy to safeguard stored data. Prioritize sensitive information that retains long-term value — such as intellectual property, personally identifiable information (PII), healthcare records, passwords, and strategic business data — to ensure ongoing confidentiality in the quantum era.
Step 4: Prepare for cultural change
Embed cryptographic agility into your organizational culture. Ensure systems, vendors, and partners can rapidly implement emerging quantum-resistant standards as soon as they become available. Regular training, clear communication, and dedicated cross-functional teams are crucial to managing these transitions effectively.
Plan for an extended implementation timeline
The future threat posed by quantum techniques in 10 to 15 years seems like a long way off. However, universal adoption of PQC will likely take that amount of time to implement.
Smaller local implementations will be much quicker to complete: Early capabilities based on FIPS 203 are available in commercial products today. Still, large, complex organizations will need to adopt lengthy discovery, planning, and implementation processes to ensure full coverage and resilience from quantum threats.
While those processes are underway, standards bodies will ratify PQC standards, and solution vendors will make products based on those standards commonly available. Established standards and a growing product ecosystem will significantly speed up the global rollout, implementation, and management of PQC-based systems.
Leading the transition to PQC
Cloudflare strives to be at the forefront of major technological shifts. From pioneering Universal SSL to championing widespread TLS 1.3 adoption, Cloudflare understands the significance and challenges of these technological transformations. And we recognize that the transition to quantum-resistant cryptography might be among the most impactful yet.
We understand this shift will be challenging, complex, and extensive for most organizations. Our strategy, therefore, focuses on seamless integration and swift adoption of PQC across our global network, allowing our customers to benefit immediately from our advancements.
Sites protected by Cloudflare’s Web Application Firewall (WAF) already leverage quantum-resistant security, protecting traffic in conjunction with browsers such as Chrome, Edge, and Firefox. Today, almost 40% of HTTPS traffic reaching our network benefits from these quantum-resistant protections.
We’ve also extended these same PQC protections to Cloudflare Tunnel, ensuring secure connections to enterprise applications and origin web servers that sit behind Cloudflare. By combining this post-quantum Cloudflare Tunnel with the use of quantum-safe browsers, organizations can maintain robust, quantum-resistant security throughout the entire data pathway — from user endpoint to application.
Recognizing the complexity and potential costs of integrating PQC into legacy systems, our approach minimizes the need for immediate, costly system-wide upgrades. Instead, organizations can leverage Cloudflare’s network to gain immediate quantum-safe protections while strategically planning and gradually migrating to comprehensive quantum-resistant security.
As quantum technology evolves, Cloudflare remains committed to ongoing innovation, collaboration, and global standardization efforts. Our aim is clear: ensuring your data remains secure against current and future quantum threats.
The time to act is now
Quantum computing isn’t a distant possibility — it's an imminent security risk. While the timeline for quantum computers remains uncertain, change is sure to come. With NIST's planned depreciation of RSA and ECDSA by 2030, organizations must start planning for the transition today.
Adopting a proactive, agile quantum-resistant strategy isn't merely about compliance; it's about securing your future. With Cloudflare, you can safeguard your data and position your organization ahead of the quantum curve. When it comes to quantum security, the time to prepare is now.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper into this topic.
Learn how to address emerging cyber security risks efficiently, with a 238% return on investment in the Forrester Consulting report The Total Economic Impact™ of Cloudflare’s connectivity cloud.
Get the report!Author
James Todd — @jamesctodd
Field CTO, Cloudflare
Key takeaways
After reading this article you will be able to understand:
Why quantum computing threatens current encryption methods
How to protect sensitive data from quantum-enabled attacks
How to implement cryptographic agility with post-quantum encryption