Decrypting the Future: Why Post-Quantum Security Must Start Today
Posted: Wednesday, Oct 15

Introduction

Australia is standing at the edge of a technological shift that could redefine cyber resilience. With quantum computing on the horizon, the very foundations of data security are under threat. While this technology promises enormous advances in areas like medical research, logistics and AI, it also has the potential to break the cryptographic systems that currently protect government, business and personal data.

Quantum computers exploit the principles of quantum mechanics to solve complex problems that classical computers cannot feasibly tackle. They process information using qubits, which can exist in multiple states, whereas conventional computers use only “zeros” and “ones”. This creates an exponential scale, which is what gives them their computational power.

Of particular concern in this area is their ability to crack widely used public key encryption algorithms such as RSA and ECC (elliptic curve cryptography). By the time a sufficiently powerful quantum computer becomes available, these encryption methods, which protect virtually all current digital communications, will be obsolete. As a result, these encryption systems could be broken in hours, not decades.

Recognising this, the Australian Government has flagged post-quantum cryptography (PQC) as an emerging area of national interest in its 2023–2030 Australian Cyber Security Strategy. One of the urgent shifts it highlights is the need to rethink data longevity as part of classification. Instead of just asking ‘how sensitive is this data?’, ask ‘how long does it need to remain secure?’

Data that must stay confidential for 10–30 years, such as medical records, engineering data, and national infrastructure blueprints, is the most vulnerable. What is at stake is nothing less than the most valuable digital assets: intellectual property, private and sensitive data, authentication systems and secure communications.

The financial, operational and reputational damage from such exposures could be catastrophic, and unavoidable without proactive measures.

Why Post-quantum Cryptography Matters

Traditional cryptography relies heavily on mathematical problems that classical computers find difficult to solve. RSA encryption, for example, bases its security on the challenge of factoring large numbers, while elliptic curve cryptography depends on the discrete logarithm problem. Quantum computers, using Shor’s algorithm, can potentially solve these problems efficiently, rendering these protections obsolete.

Importantly, PQC differs fundamentally from quantum cryptography (quantum key distribution). While quantum cryptography uses quantum mechanical properties for secure communication, PQC uses mathematical algorithms designed to run on conventional computers but resist quantum attacks.

Many organisations mistakenly believe their current encryption standards will remain secure indefinitely or that quantum threats remain too distant to address. This misconception creates dangerous security gaps.

Implementing post-quantum cryptography not only offers a critical strategic advantage for long-term data security but also safeguards sensitive information against future quantum computing threats, ensuring extended confidentiality and protecting against “harvest now, decrypt later” attacks.

Early adoption of PQC equips organisations to meet emerging regulatory compliance, simplifies future cryptographic transitions, and builds greater trust with customers, partners, and investors. Together, these benefits strengthen business continuity and risk management amid an evolving cyber threat landscape.

Crypto-Agility: The Bridge Between Now and Next

Changing cryptography in a complex IT environment isn’t like flipping a switch. For large organisations with sprawling, interconnected IT systems, it’s more like rewiring the plumbing in a skyscraper while people are still living in it. It takes time – years or even decades – and it demands clarity before commitment.

The biggest mistake I see business leaders making is either downplaying the urgency (“quantum is still years away”) or rushing into a complete overhaul. Both paths are equally risky. The important question to ask is not ‘which algorithm should we use?’ but ‘how do we stay agile enough to adapt as standards evolve?’ That starts with understanding which data must remain secure for decades, which systems are mission-critical, and where flexibility matters most.
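The triage described above, combined with the earlier question ‘how long does it need to remain secure?’, can be run over a cryptographic inventory. The following is an added example, not code from the article or from Commvault; the asset names, the year estimates and the `years_to_quantum` planning horizon are constructed assumptions, and the comparison it applies is the one commonly called Mosca's inequality.

```python
from dataclasses import dataclass

# The article names RSA and ECC; DH, ECDH and X25519 are added here because
# they rest on the same discrete-log problem that Shor's algorithm solves.
QUANTUM_VULNERABLE = {"RSA", "ECC", "DH", "ECDH", "X25519"}

@dataclass
class Asset:
    name: str
    key_establishment: str   # algorithm that protects the data-encryption key
    secrecy_years: int       # how long the data must remain confidential
    migration_years: int     # estimated time to move this system to PQC
    mission_critical: bool

def triage(assets, years_to_quantum):
    """Return (name, exposure_years) for assets whose data would still be
    secret when a capable quantum computer is assumed to exist.
    exposure = secrecy_years + migration_years - years_to_quantum."""
    findings = []
    for a in assets:
        family = a.key_establishment.split("-")[0].upper()
        if family not in QUANTUM_VULNERABLE:
            continue  # e.g. ML-KEM-768 is not in the Shor-vulnerable set
        exposure = a.secrecy_years + a.migration_years - years_to_quantum
        if exposure > 0:
            findings.append((a.mission_critical, exposure, a.name))
    # Mission-critical systems first, then longest exposure first.
    findings.sort(reverse=True)
    return [(name, exposure) for _, exposure, name in findings]

# Constructed sample inventory (hypothetical systems and estimates).
INVENTORY = [
    Asset("patient-records-archive", "RSA-2048", 30, 5, True),
    Asset("scada-design-docs", "ECDH-P256", 25, 8, True),
    Asset("marketing-site-tls", "ECDH-P256", 1, 2, False),
    Asset("backup-vault", "ML-KEM-768", 20, 0, True),
    Asset("payroll-vpn", "RSA-3072", 7, 3, False),
]

if __name__ == "__main__":
    # years_to_quantum is a planning assumption, not a figure from the article.
    for name, exposure in triage(INVENTORY, years_to_quantum=12):
        print(f"{name}: exposed for {exposure} years")
```

Rerunning with a shorter horizon shows how quickly lower-priority systems enter the list, which is the practical argument for starting the inventory before the algorithm choice.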

Pilots are a powerful way to move from theory to practice. Running proofs of concept in areas like supply chain optimisation not only helps surface hidden challenges but also builds in-house expertise and a clearer view of ROI. But no organisation can make this transition alone.

Partnering with startups, academic researchers, and industry consortia enables shared learning, while cloud-accessible platforms from providers such as IBM, Microsoft, AWS, and Google allow teams to experiment without the cost of owning hardware.

Keeping pace with evolving international standards, export controls, and government initiatives is just as critical. Early compliance and even participation in shaping those standards can turn a regulatory obligation into a competitive advantage.

Above all, PQC should never be treated as a siloed step. By aligning quantum initiatives with broader digital transformation efforts in AI, analytics, and high-performance computing, organisations can position quantum not as a costly experiment but as a complementary tool that strengthens resilience.

For Australian organisations, regulatory, operational and geopolitical pressures are already pushing cyber resilience to the top of their agenda. Post-quantum cryptography must also become a part of the conversation.

Because when quantum disruption arrives, resilience will not belong to those who rushed or delayed. The future of secure data demands preparation today.

Gareth Russell
Gareth Russell is the Field Chief Technology Officer, Security for Asia Pacific (APAC) at Commvault. In this role he is responsible for applying Commvault’s solutions to high-level organisational challenges across cyber strategy, risk management, cyber resilience, and digital transformation. Gareth has wide experience in both public and private sectors across the Asia-Pacific region, bringing his deep knowledge of cyber risk and security to help counter organisational threats. Having worked in a range of senior executive roles he is able to apply his knowledge, experience and operational capabilities to transforming organisational culture with a focus on cyber resiliency. He also has ‘hands-on’ technical experience in overcoming a wide variety of security and organisational challenges. Gareth has held senior technical roles at major government agencies as well as managerial director roles at Accenture and Standard Chartered Bank where he was also Global Head of Identity Access Management and Data Protection.