Quantum supremacy: Cybersecurity’s ultimate arms race has China way in front

The DeepSeek/Qwen factor: What we learned from recent AI advances, such as DeepSeek and Qwen, that caught the world by surprise is that China’s technology is much more advanced than anyone anticipated. I’d argue that this is a leading indicator that China’s quantum computing capabilities are also in absolute stealth-mode development and ahead of the US.

China has invited proposals for post-quantum protection: in February 2025, it invited proposals for the Next-Generation Commercial Cryptographic Algorithms Program (NGCC).

While we have from NIST the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) as the recommended post-quantum protection, it is likely that China is concerned this can’t be trusted and wants to develop its own approach.

Just in the past few weeks, NIST has also announced the (also a mouthful) Hamming Quasi-Cyclic (HQC) algorithm as a recommended backup cryptographic scheme. This approach is just in case ML-KEM has faults and weaknesses that are currently not apparent.

World’s largest zero day: Should China get there first, it is possible they will have a payday never before seen. Every Bitcoin decrypted and taken. The risk of “harvest now, decrypt later”, in which data collected now from various healthcare, government, and financial services breaches will be unlocked later when the right key arrives, will be fully realized on all assets.

Such an event will create both economic and military dominance, with whoever cracks the code having all the keys to the castle. It would be an extreme ethical challenge not to take advantage of this shift for your own advantage. The No. 1 global power could very well be determined by this race, with no room for second place.

What CISOs can do about it: Your transition to quantum-resistant encryption must be mobilized now. While these new cryptographic algorithms have not been tested, there are some actions you can take now without waiting for validation.

Form a discovery team: You will need funding and to establish a team to understand three key questions: What assets are vulnerable? Is there an inventory of encryption keys? Are these classified in terms of criticality?

Vet your vendors: You will also need to liaise with your third-party partners and vendors to ascertain whether they have a plan to implement post-quantum cryptography, what their timeline is, and how you will be able to certify this work.

Assemble a team of experts: This 5- to 7-year program will require new skills and existing competency to ensure full remediation. This will mean bringing together a program director, project managers, payments SMEs, architects, developers, testers, business analysts, org change leaders, and cryptography SMEs.

These skills will become harder to find as more organizations wake up and realize the amount of work required. Because the risks are very real, there are massive incentives to get there, and to hire, first.

Which systems do I start with, and which can I ignore?: Because quantum computing primarily threatens cryptographic security, it’s not a risk to basic computation or data processing. Systems are only at risk if they rely on specific types of encryption (public key cryptography) for security. As a result, critical infrastructure like power grids or traffic systems aren’t directly threatened. Their vulnerabilities would be more about security protocols needing updates rather than core functionality being at risk.

The most vulnerable systems include:
Public key cryptography systems, those using RSA and ECC (Elliptic Curve Cryptography)
Digital signatures used in secure communications
SSL/TLS protocols that secure websites (HTTPS)
Digital identity and authentication systems
Secure messaging platforms and banking transaction systems
Cryptocurrency systems that rely on current crypto methods

On the other hand, several legacy technologies will be safe from the quantum threat, including:
Traditional databases (without encryption)
Legacy systems (e.g., COBOL)
Basic automation systems
Systems with no cryptographic elements
Older industrial control systems
Non-networked computers

This is not Y2K: For those of us who were around for the year-2000 event, you may be thinking this sounds like a parallel of that period. The panic and preparation that was required to get ready was all a massive anticlimax. The economy kept working and planes did not fall out of the sky.

The significant difference is that we do not know exactly when this catastrophic event will occur, hence the preparation does not have a published exam date. We may all recall from our student days that surprise exams are much harder to pass than those you can dependably map out a plan to work towards.

One advantage, however, is that the quantum risk will still need to evolve, making the challenge not so much a sudden “cliff edge” like Y2K but a gradual technological development we can see coming and adapt to.

So, while both situations generated significant attention and concern, Y2K was more like a known deadline requiring mass updates, while quantum computing represents a longer-term technological shift we actively prepare for. The risks are real but more manageable with proper preparation. Still, the time to get started is now.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3979036/quantum-supremacy-cybersecuritys-ultimate-arms-race-has-china-way-in-front.html
