Why post-quantum encryption should be treated as critical infrastructure

The City of London anchors a global financial sector responsible for nearly $470 trillion in assets — all relying on vulnerable legacy infrastructure. Image: Alex Tai/Unsplash
- Legacy digital foundations leave critical global sectors exposed to escalating AI and quantum security threats.
- Building quantum-safe encryption directly into network hardware provides the foundation for systemic cyber resilience.
- How promising ideas become scalable impact is a key focus at the World Economic Forum’s Annual Meeting of the New Champions, also known as Summer Davos, in China from 23–25 June.
“We used to lock the front door at night,” a senior executive at a leading financial services institution remarked to me recently. “Now Tom Cruise is shimmying in through the chimney but we’re still arguing about which lock to buy.”
This Hollywood-inspired anecdote brings to life the towering challenge facing the men and women heading the world’s finance, energy, telecoms, retail, healthcare and industrial operations. The technology infrastructure that connects their systems depends on security standards developed half a century ago when our future action hero was still at school.
Today, nations and corporations are building an AI-powered future on digital foundations that are simply not designed for the scale, speed or sophistication of new and emerging security threats from cyber-attacks and, soon enough, quantum-powered super-computers. As AI adoption steps up around the globe, a vulnerability gap is growing between progress and protection.
Why legacy systems can’t defend against new risks
Let’s continue with the financial services example, given the sector is responsible for assets reaching $470 trillion worldwide and underpins everything. Take the UK, where the City of London acts as a primary hub of the global economy. Yet despite national commitments to migrate systems to post-quantum encryption, regulators currently lack the capacity to drive the changes needed, according to Sitehop research based on freedom of information requests.
Why do people rob banks? Because that’s where the money is, as Willie ‘the Actor’ Sutton, one of the most notorious bank robbers of the 20th century, is supposed to have said. The reality inside those institutions is alarming. One senior executive at a major financial institution told me how he had spent years trying to get his security operations under control but has never reduced his list of known, unresolved liabilities below the low thousands. At board level, the conversation has changed from whether they will be attacked to how quickly they can recover as the language shifts from security to resilience.
All this is before quantum computers, which could be online before the end of the decade. Earlier this year, Google set the deadline of 2029 for post-quantum migration to secure the future. That’s from one of the world leaders in the race to develop quantum computing hardware. But the quantum threat is already here in the form of so-called “harvest now, decrypt later” attacks, which hoover up data in preparation for the arrival of computers that can smash classical encryption, letting attackers steal their victims’ most precious assets.
Protecting the network layer from systemic failure
It barely needs stating that AI is everywhere. According to Microsoft, nearly one in six people worldwide now use chatbots. McKinsey found that more than three-quarters of enterprises use AI in at least one business function and that’s only going to grow. Banks use AI for fraud detection, credit decisions and market operations. If those systems fail, the impact spreads instantly across payments, lending and economic activity. Grid operators, retailers, telecoms and supply chains are equally dependent. When AI-powered infrastructure fails, the consequences reach far beyond individual businesses into everyday life. AI is quickly becoming embedded in the hidden architecture that holds societies together.
As it stands, most investment in cyber-security focuses on software controls such as firewalls, endpoint protection, ID systems, security monitoring and AI-powered detection. But these rely on underlying infrastructure. As we have already established, you can have the best locks on your building but if bridges, roads and power stations fail, the city stops functioning. The next frontier is building quantum-safe encryption directly into the network layer (the pipes through which all data moves) rather than relying totally on software patched on top of ageing infrastructure. Hardware is more sustainable, more efficient and less costly to own and operate over time than software.
The timeline for critical cyber-security infrastructure
Post-quantum encryption should be treated as critical national infrastructure. Yet in our example of the financial services industry, we find there are two camps. Some institutions view this as a live threat while too many others are still waiting for proof of concept. The guidance from regulators is crystal clear: build cryptographic inventory by 2028, migrate critical assets by 2030 and all assets by 2035. In the meantime, data in transit, particularly VPN connections, is the most exposed but the most straightforward to protect first. That minimum viable resilience, as we call it, gives nations and corporations a foundation to build on. It would put them in the strongest position to defend their interests and stay ahead of hostile actors.
If the sector that has the money – as bank robber Willie Sutton put it – can demonstrate that quantum-safe resilience is achievable, others will follow. It needn’t be Mission Impossible.
Each year, the World Economic Forum recognizes 100 early-stage start-ups whose cutting-edge technologies have the potential to transform industries and improve lives. Meet the innovators shaping the future: https://initiatives.weforum.org/technology-pioneers/home
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
