SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia warned over quantum cyber security risks

Fri, 29th May 2026
Mark Tarre, News Chief

The Australian Information Security Association has warned that government and critical infrastructure organisations are underestimating the cyber risks posed by advances in quantum computing. It says many need to start planning now for a shift to post-quantum security.

The warning comes amid broader concern about cyber resilience in Australia, with reported incidents still running high. The Australian Signals Directorate's latest Annual Cyber Threat Report recorded more than 87,400 cybercrime reports in a single financial year - about one every six minutes.

AISA said the threat from quantum computing may appear distant, but many organisations are overlooking the work needed to keep systems secure over the long term. It pointed to the need to identify where vulnerable encryption is in use and map out how those systems will be upgraded.

That task is likely to be more complicated than many leaders expect, particularly in government environments and operational technology settings where software updates can already be difficult to manage. Older systems, unsupported products and equipment that cannot be physically upgraded could all slow the shift to quantum-resistant security.

Dr Rajiv Shah, AISA board member, PhD-qualified quantum physicist and cyber industry veteran, said the timetable is already tight for many organisations. "The Australian Cyber Security Centre has recommended that organisations should have developed such a plan by the end of 2026 - less than seven months away," he said.

He said poor visibility over assets and data remains a major obstacle. "The problem is that, as we see from many recent cyber incidents, organisations often do not have a good understanding of their IT assets and their data. Identifying what needs upgrading to be quantum-resistant, making that plan and implementing it, is likely to take much longer than they anticipate. They might think they just need to apply the upgrades from their vendors, but we already see that governments and operational technology systems struggle to keep their software up to date. Then there is the problem of systems which are no longer supported, or which can't physically be upgraded. How will you decide what to do about those?" Shah said.

Strategic challenge

The warning reflects a broader debate in cyber policy circles over how quickly institutions should prepare for the eventual impact of quantum computing on encryption. Existing cryptographic systems are not expected to fail all at once, but specialists increasingly argue that the transition to post-quantum methods will take years because of the scale of digital infrastructure involved.

Shah framed the issue as a strategic challenge for governments rather than a narrow technical problem. "If we don't start putting the work in now, quantum computing could fundamentally reshape cyber security," he said.

He added that it should be treated as a long-term planning exercise rather than an emergency response. "This is not about panic or fear. It is about recognising that the transition to post-quantum security will take years of planning, investment and coordination across government and industry," he said.

Internationally, governments including those in the United States and the United Kingdom have stepped up work on post-quantum cryptography standards and migration planning as part of broader cyber resilience efforts. That has increased pressure on Australian agencies and critical infrastructure operators to assess their exposure to older forms of encryption.

The challenge goes beyond replacing algorithms. Organisations may need to catalogue assets, understand where cryptography is embedded in applications and devices, assess supplier readiness, and prioritise systems that support essential services. In sectors such as energy, transport, finance and government administration, many systems have long operating lives and complex dependencies, making large-scale change difficult.

Policy balance

AISA also cautioned against a rushed regulatory response. While stronger direction from government could prompt organisations to act, Shah said poorly designed compliance measures could create new problems if they encourage superficial fixes or add complexity to already fragile systems.

He said existing Australian risk frameworks may provide a more practical starting point than new mandates. "The Australian Government may want to consider how to encourage organisations to take the threat seriously while avoiding knee-jerk reactions or compliance directives that could create unwelcome consequences," he said.

He added: "Rushed or botched implementations that make systems more complex may actually make them less secure. Cyber security is about doing the hard work, identifying and prioritising risks, not just ticking boxes. Australia has good regulatory frameworks for risk management, such as the Security of Critical Infrastructure Act and APRA's approach to regulating the financial services sector, so we should think about how to leverage these."