Australia leads in quantum computing, but lags in quantum safety. Directors need to safeguard their organisations now, says the former head of Telstra Labs, Andrew Scott GAICD.
Opinion
Based on my conversations with directors and board advisers over the past year, one of the most important cybersecurity issues is one that most Australian directors haven’t heard about yet — quantum safety. If this isn’t managed, all of an organisation’s data sent over the internet might be leaked by cybercriminals in several years’ time. For some organisations, this is an existential threat.
Australia is a world leader in quantum computing, but we lag in quantum safety. Quantum computers will make possible all manner of drug discovery, materials design and business optimisation, but they will also break the security of the internet. To become quantum-safe, an organisation needs to migrate away from traditional internet security measures and adopt “post-quantum” solutions. A key technology here is post-quantum cryptography (PQC). This migration exercise can take several years for large or complex organisations.
At the end of 2024, the Australian government set a timeframe for when it would require its IT suppliers to be using PQC. The Information Security Manual (ISM) guidelines now specify that any IT development or procurement will need to be quantum-safe by 2030. Many state governments and large corporations also align with the ISM, so this timeframe will have wide influence.
Director awareness
The importance of directors understanding this topic was reinforced at the recent inaugural AICD Tech Governance Forum. Former Telstra CEO Andy Penn, who also chaired the government’s Expert Advisory Board on cybersecurity, shared a final takeaway that quantum-resilient encryption (also known as PQC) is important for boards to “get on top of”. Given the director’s role in taking a longer-term perspective, boards should be having discussions about how their organisations will fund and resource a multi-year program to become quantum-safe before 2030. It will require coordinating with IT suppliers and upskilling technical staff, but is less complex than many IT transformations. It should be achievable if organisations begin the work, rather than delay it.
The major tech firms are making the same recommendation. For example, Microsoft says, “Migration to quantum-safe cryptography will take time, and the time to start planning is now”. IBM says, “The need to adopt quantum-safe solutions is urgent”. Google says, “Board members should speak with their CISO, CIO and CTO about developing a PQC strategy”. And Gartner says, “It’s worth starting the PQC transition now.”
Immediate risk
The key near-term risk is known as a “harvest now decrypt later” (HNDL) attack. A cybercriminal captures the encryption-protected internet traffic today, sits on it until a suitable quantum computer becomes available, then rips off the security to get at the confidential or private data inside. These sessions might be VPN connections to an intranet or data centre, or simply secure web browser sessions with an organisation’s HR, payroll or email system. A cybercriminal or other malicious actor may not know what is in the session, but may capture it anyway, because they are targeting an organisation or individual.
A key consideration is how long any captured confidential or private information remains valuable. Organisations in sectors such as government, finance, law or healthcare typically handle data that will be confidential or private for longer than a decade. However, organisations in other sectors often handle similar information, such as health records in employee databases, joint venture agreements, confidential settlements or discussions between CEOs and chairs. If such data is captured before migrating to a quantum-safe solution, and is still valuable when a suitable quantum computer appears, the organisation could have a real problem.
Quantum computers may sound like science fiction, but directors have a responsibility to act immediately.
Andrew Scott was previously Head of Telstra Labs and now runs Far Phase to educate directors on technology.
This article first appeared under the headline 'On the front foot for the future' in the August 2025 issue of Company Director magazine.