Encryption is the invisible plumbing of the global economy. Every bank transfer, hospital record, stock trade and power-grid command depends on it. And yet, with the rise of quantum computing, that plumbing has developed a crack that’s widening fast.
Few people know more about that threat than Sridhar Muppidi, an IBM fellow and chief technology officer of IBM Security. A longtime researcher and architect of enterprise security systems, he advises companies and governments on how to prepare for next-generation threats. In his view, quantum computing represents an important technological breakthrough and a major test of long-term economic security.
Quantum machines promise enormous benefits in fields like drug discovery and climate science. But the same power that fuels those advances can break encryption standards that safeguard trillions of dollars in transactions and vast stores of sensitive data. Cybercriminals know this, which is why they’re already stealing encrypted data today to unlock and exploit once quantum computers catch up — a scheme known as “harvest now, decrypt later.”
Thus, as Muppidi says, the race is on. Experts warn that some widely used cryptographic algorithms could be broken between 2028 and 2032, well within the planning windows for government and business. The challenge is reminiscent of the Y2K threat in the years leading up to 2000: the feared meltdown was avoided not because the risk was overstated, but because early, coordinated action paid off.
I recently spoke with Muppidi, who shared why the decryption threat will be as complex as Y2K, why designing crypto-agile systems that can adapt rapidly to new cryptographic standards is more than a one-time upgrade, and why the future of digital trust depends on starting now.
With the rise of quantum computing, how safe is the data that companies currently consider secure? How real is the threat that today’s encrypted data will be decrypted in the future?
It is definitely a real and immediate problem. The threat is called “retroactive decryption” — cybercriminals storing encrypted data now to decrypt later. The current reality is that people are already collecting encrypted data, especially financial data. We see that on the dark web. Current algorithms may become vulnerable within the next decade depending on quantum breakthroughs.
So the timeline is anywhere from 2028 to 2032. We should be worried about it right now. However, only about 5% of companies are preparing for it. It’s not a question of the sky falling immediately; it’s about the decisions we are making. It will cost us more if we don’t take advantage of what we know about quantum safety.
Where across the economy do you see the greatest areas of concern?
The biggest risks are in the financial and critical infrastructure sectors.
Financial markets are vulnerable because every transaction, from phone banking to bank-to-bank transfers, relies on RSA and ECC encryption that quantum computers can break. Because banks are so interconnected, the Bank for International Settlements has warned that quantum risk could undermine critical financial encryption, impacting global markets.
Power grids, communications, and transportation all use encrypted control systems. If quantum computers allow cybercriminals to break into power grids, they could shut down electricity, immediately knocking out the internet along with banking, hospitals, and other types of critical infrastructure.
The scenarios that worry me most? Attackers breaking into payment systems to manipulate stock trades, mass credit card fraud after decrypting years of stored banking data, and coordinated attacks that simultaneously shut down power, internet, and transportation.
How do these threats rank against other cyber risks, including those powered by AI?
Quantum and AI create different types of risk that need to be defended against at the same time.
Quantum threats work like data thieves — stealing information now to unlock later. AI-powered attacks work like smart burglars, constantly testing defenses and adapting in real time to break in.
The biggest concern is quantum and AI working together — using quantum computers to make AI attacks much faster and more powerful while also breaking encryption. This isn’t science fiction; researchers are already using quantum computers to improve AI systems.
Companies face a tough choice: AI attacks demand immediate attention and resources, while quantum threats need long-term planning because they could do much more damage. Financial institutions now consider quantum their biggest long-term threat and AI their biggest daily threat. That forces them to invest in both immediate defenses and future-proof encryption.
Achieving quantum-resistant encryption obviously isn’t as simple as flipping a switch. What lessons can we take from past transitions to a new technology?
You can’t quite equate it to Y2K, but it’s a helpful way to explain the issue.
It’s not just the year that quantum computers break cryptography. It is a prolonged process to transition to a new cryptography regime. For Y2K, preparation was a multi-year process and cost about $100 billion, which is around $190 billion today. Unlike Y2K, quantum migration will require ongoing adaptation and revalidation, not a single deadline. But Y2K does show the massive scale that we should think about with YQK, and the earlier we start to address it, the better off we will be.
The scale of that effort is what leaders should keep in mind with quantum. Planning years in advance is the only way to reduce both risk and cost.
There is both cooperation and competition in the race to develop quantum computing. How do you see this shaping the race to achieve quantum-resistant cryptography?
It’s not a single entity or vendor problem. Major players, like the U.S. and the European Union, are investing quite a bit. China is making big investments. I believe the E.U. and the U.S. are establishing some joint quantum benchmarks. Companies like IBM, Microsoft and Google, as well as universities, are contributing.
This activity helps advance technology like the NIST standards for quantum-resistant cryptography. It’s worth noting that it took eight years to create these standards.
Transitioning to quantum-safe cryptography will be a multi-year effort across industries, governments, and supply chains. This needs executive oversight from the CISO and/or CTO and alignment across vendors and partners, since migration spans the entire enterprise ecosystem. Organizations should systematically discover and document all cryptographic assets and dependencies before migration begins. They should inventory cryptography, prioritize upgrades, and coordinate internally and externally. The later organizations start, the harder and more expensive it will be for everyone.