QUANTUM COMPUTING & ENCRYPTIONDecrypting Tomorrow’s Threats: Critical Infrastructure Needs Post-Quantum Protection Today

By Jason Van der Schyff

Published 24 April 2025

Some argue we still have time, since quantum computing capable of breaking today’s encryption is a decade or more away. But breakthrough capabilities, especially in domains tied to strategic advantage, rarely follow predictable timelines. The time to act on the quantum computing threat was yesterday. The next best time is now.

Some argue we still have time, since quantum computing capable of breaking today’s encryption is a decade or more away. But breakthrough capabilities, especially in domains tied to strategic advantage, rarely follow predictable timelines. Just as nuclear research leapt from theory to practical application with little warning, quantum computing could deliver similar surprises. That uncertainty makes waiting a dangerous gamble.

For years, adversaries have quietly intercepted and stored encrypted data from critical infrastructure networks, betting that when quantum decryption arrived, they’d already have the material. This strategy, known as ‘harvest now, decrypt later’ (HNDL), is no longer hypothetical. It’s an operational reality. And what’s at stake is not just state secrets or financial data, but the control systems that power modern life.

Operational technology (OT) systems—responsible for electricity, water, transport, manufacturing and defense—are particularly exposed. These environments depend on long-lived data, including configuration files, schematics and control logic, that rarely change. In the wrong hands, this information becomes a blueprint for infiltration, disruption or sabotage. Many OT systems still rely on encryption standards that are widely expected to fall to quantum decryption well within the life of the data they protect. In this context, encryption that’s ‘good enough for now’ becomes a strategic liability.

Cyber authorities across Five Eyes, NATO, and the Gulf Cooperation Council are increasingly treating quantum risk as a present-tense issue. In Australia, the 2018 Security of Critical Infrastructure Act and its ongoing reforms have elevated cyber risk from a technical issue to a board-level responsibility. The next logical step is embedding cryptographic resilience into that framework. Long-term confidentiality is no longer a luxury—it’s a foundation of national security, and one that extends to both public and private sectors.

Traditional OT cybersecurity rightly focuses on segmentation, uptime and predictable control behavior. But these principles must now expand to include cryptographic survivability. It’s not enough for systems to withstand tampering today. They must remain secure five or 10 years from now, when today’s encrypted traffic could be cracked wide open.

Consider a hostile actor targeting the supervisory systems of regional utilities or firmware update paths for industrial controllers. Even if encrypted, the data need not be decrypted today. HNDL means it needs only to be stored. Once quantum decryption is feasible, attackers could reconstruct topologies, emulate trusted behavior, or craft malware that mimics legitimate operations. The breach may have already occurred; we just haven’t seen the consequences yet.

Nor are only the crown jewels at risk. Protocol maps, telemetry logs and vendor documentation can all yield strategic insights. Anything that reveals how a system behaves, recovers or updates could be exploited to undermine it.

Some governments are moving early. In the US, the National Cybersecurity Strategy and the National Institute of Standards and Technology’s post-quantum standardization program provide a roadmap for transition. Australia’s Critical Infrastructure Risk Management Program similarly positions quantum readiness within a broader push for cyber maturity. But real-world implementation, especially across OT, is still patchy.

Meeting the quantum threat requires governments, regulators and industry to work in concert. This starts with mandating post-quantum cryptography for critical communications, especially in domains where data must remain confidential for the long term. This isn’t a premium feature. It’s a baseline for strategic continuity.

Next, we need investment in quantum-resistant data tunnels, built to operate in contested or degraded environments. These secure channels must be independent of lower-trust networks and resilient even in black-start or disconnected conditions.

Supply chains must also be reassessed. Firmware signing, vendor update mechanisms and remote access protocols must be evaluated for quantum-resilience. A system is only as strong as its weakest trusted component.

Front-line staff, particularly field technicians and engineers, must be trained to spot subtle anomalies. HNDL-style breaches won’t trip conventional alarms. But informed human operators are often the first to notice when something feels wrong, before systems do.

Finally, contingency planning must evolve. If data loss today could be weaponized years from now, response plans must treat that loss as a latent threat, not a closed incident. Recovery isn’t enough; organizations must anticipate re-exploitation on longer timelines.

The most dangerous cyberattack may not be the one we can’t detect; it’s the one we’ve already forgotten.

HNDL forces a change in mindset. It shifts the conversation from recovery to irreversibility. Once sensitive data is lost, it can’t be made safe again. It can be only mitigated, redesigned, or prepared for impact. Quantum threats are not abstract. They are real, cumulative and already embedded in the systems we depend on.

The fuse is lit. We don’t know how long it is. But we do know this: the time to act was yesterday. The next best time is now.

Jason Van der Schyff is a consulting technologist whose work spans secure infrastructure, strategic supply chains and sovereign industrial capability within the AUKUS and Indo-Pacific context. This article is published courtesy of the Australian Strategic Policy Institute (ASPI).

Leave a comment

Register for your own account so you may participate in comment discussion. Please read the Comment Guidelines before posting. By leaving a comment, you agree to abide by our Comment Guidelines, our Privacy Policy, and Terms of Use. Please stay on topic, be civil, and be brief. Names are displayed with all comments. Learn more about Joining our Web Community.