SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Why quantum threats demand our attention this Cybersecurity Month

Mon, 20th Oct 2025

October is Cybersecurity Awareness Month, a month dedicated to educating and encouraging action from the public to protect themselves from digital threats. This year, however, I am struck by the need for the cybersecurity industry to look inwards and reflect on the threats it faces - not just the ones on our doorstep, but those on the horizon. 

Before ChatGPT exploded onto the scene, niche communities building and testing AI models shared blogs and technical breakthroughs with each other. Quantum computing, which will disrupt the foundations of modern encryption, is in a similar position today. 

In August this year, researchers revealed serious weaknesses in the encryption algorithms embedded in TETRA radio systems used by police, military, and critical infrastructure across Europe, the Middle East, Asia and beyond.

For decades, TETRA radios were marketed as secure. Yet when researchers finally analyzed them in 2023, they found shocking weaknesses: the TEA1 algorithm had an effective key strength of only 32 bits - crackable in under a minute on a laptop - and a widely used end-to-end scheme cut AES-128 to an effective 56 bits.

These weren't failures caused by advancing computing power; they were design and configuration choices that left no safety margin from day one. The systems were always vulnerable; we just didn't know it.

While quantum computing presents a different challenge (it will break currently strong encryption rather than expose already-weak systems), the lesson is similar: when cryptographic safety margins disappear, failure is catastrophic and abrupt. This is why adversaries are already conducting 'harvest now, decrypt later' attacks, storing encrypted data to decrypt once quantum computers arrive. The threat isn't just future; it's present.

Preparing for the quantum era

Once quantum machines can run Shor's algorithm at scale, widely deployed public key systems - RSA, ECC etc. - will be rendered obsolete. The industry is already engaged in developing and testing post-quantum cryptography (PQC) standards through bodies such as NIST (National Institute of Standards and Technology). Yet adoption lags, and awareness outside academia and cybersecurity industry circles remains low.

The critical factor here is time. Migrating from a traditional encryption system to PQC standards is not a simple exercise (unless you already have an agile system in place). A PQC migration project includes:

  • Creating an inventory of cryptographic assets: Understand where vulnerable algorithms underpin your critical infrastructure and data flows.
  • Engaging with PQC standards: Track the progress of NIST and ISO and test candidate algorithms in your environment.
  • Demanding transparency: Rely on open, peer-reviewed encryption schemes, wherever possible.
  • Planning for agility: Build cryptographic agility into systems so that algorithms can be replaced as standards evolve.

Cybersecurity professionals pride themselves on vigilance, but history suggests we are more often reactive than proactive. This Cybersecurity Awareness Month, let's broaden the conversation. Yes, educate users on safe passwords and passkeys. But also begin preparing for the post-quantum world. Because unlike the explosive changes AI has brought to our industry, quantum computing is something we have seen coming for many years. We must get this transition right.
