Quantum computer threat spurring quiet overhaul of internet security

SAN FRANCISCO — Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable.

Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic.

“Over the next five to 10 years you’re going to see a Cambrian explosion of different cryptographic systems,” said Wesley Evans, a product manager for Cloudflare’s research team, referring to an evolutionary period with a rapid diversification of animal life that occurred roughly 540 million years ago. 

“Whether it’s nationalized cryptography out of South Korea [or] new standards from [the National Institute of Standards and Technology], this is a time to think about not just, ‘how am I doing my post-quantum migration?’ but ‘how am I doing my whole crypto-agility platform?’ and ‘how am I thinking through my audits and inventory?’” he said. 

“Harvest-now, decrypt-later” attacks already target data that must remain secret for decades, panelists said. Adversaries are stealing data like encrypted medical records or defense contracts and storing it on cheap cloud servers in hopes of unlocking them once quantum code-breaking matures.

Cloudflare, which routes roughly 20% of global web traffic, said it has spent eight years weaving post-quantum algorithms into its backbone. The company now secures more than 40% of its daily HTTPS requests with so-called hybrid handshakes that combine traditional RSA keys and newer lattice-based methods.

Executives described the rollout as intentionally low-profile. “Trillions of requests per day are already running across Cloudflare’s network in a post-quantum secure manner,” Evans said. “We did it without users noticing a speed decrease, performance impact or incurring any additional cost.”

IBM researchers, who develop quantum hardware as well as defensive tools, cautioned that this change could possibly take a decade before it’s the norm. 

“Moving to a new generation of cryptography, quantum-safe or otherwise, will take us roughly seven to 10 years, maybe longer,” said John Buselli, a business development executive and offering manager for IBM Quantum Safe, additionally pointing out that relics of older code, such as SHA-1, linger long after formal retirement.

NIST is finalizing a first batch of post-quantum algorithms, including the key-encapsulation mechanism known as ML-KEM. Cloudflare and browser makers have already adopted preliminary versions while awaiting NIST’s final parameters. Developers also wrap new keys inside legacy RSA exchanges to guard against unforeseen side-channel flaws.

Beyond mathematics, panelists emphasized logistics. Enterprises must inventory where encryption lives, from custom apps to vendor appliances, then gauge how quickly each layer can swap libraries. Much of that code is “black box,” owned by suppliers that set their own schedules.

“The rate of change is going to be determined by the least agile piece of infrastructure you have,” Buselli said, likening the process to mapping out all the connections in an infrastructure upgrade instead of addressing just a single security issue.

The panel also urged companies to fold cryptography into broader modernization budgets. Boards may balk at paying solely for an invisible security upgrade, they said, but will authorize spending tied to performance gains such as those seen with the newest TLS 1.3 protocol.

No panelist offered a firm deadline for full retirement of RSA and elliptic-curve keys. Instead they described “a long journey” marked by quiet iterations and cooperative testing across browsers, servers and chipmakers.

“Cryptography is a multi-party game,” Evans said. “You’ve got to work with everybody to make sure it’s secure for everyone.”