Imagine a vast, ancient library, the Library of All Secrets. Within its countless shelves reside every code, message, and hidden truth ever recorded. For centuries, these secrets have been safe, locked away behind intricate, almost unbreakable locks.
Now picture a new kind of key, shimmering and ethereal, called the “Quantum Key.” Unlike ordinary keys, this one doesn’t just turn one lock. It possesses an almost magical ability: It can try every possible lock combination simultaneously.
This new Quantum Key could unlock incredible new knowledge, solve ancient riddles, and advance understanding in ways never imagined. But in the wrong hands, it will render all those carefully guarded secrets, those vital codes protecting nations, businesses, and individuals immediately vulnerable.
This is the world we are rapidly approaching. Every email message and financial transaction is protected by encryption methods that quantum computing will render useless. In 2024 the Global Risk Institute estimated that within five years there is a 5% to 14% probability that quantum computers will be able to break RSA-2048 encryption. Within 10 years, that probability rises to between 19% and 34%.
This existential threat is on the horizon, but many boards, and even CISOs, remain unconcerned. It is a distant future in technology time, after all, and there are so many issues to address in the here and now. But with the time to remediate this issue estimated at 7-plus years, organizations that have already started dealing with it may still be at major risk of catastrophic disaster.
Those estimates from the Global Risk Institute do not account for recent developments that indicate quantum’s acceleration. In February 2025, Chinese scientists achieved a major breakthrough with photonic quantum chips. Not long after, “Origin Wukong,” a Chinese quantum computer powered by a 72-qubit chip, fine-tuned a billion-parameter AI model. Earlier, in October 2024, Chinese researchers unveiled a method for breaking RSA encryption.
The quantum arms race
Much literature suggests that China is outspending western countries by a huge factor in quantum computing, with estimates pegged at $10B to $15B, versus the reported $1B the US plans to invest in the next five years. The EU is also slated to invest $1B, though over the next 10 years. Microsoft is targeting $1B as well.
Unless my maths is wrong, the west as a bloc is not winning this arms race. China already publishes more research on quantum computing than any country in the world, including the US.
An advantage gained in quantum will translate into an immediate military advantage in communications and information processing. Every end-to-end encrypted message that currently feels protected will be “Emperor No Clothes” at some point, overnight.
Indeed, new quantum technology could provide undetectable weapon systems.
The DeepSeek/Qwen factor
What we learned from recent AI advances, such as DeepSeek and Qwen, that caught the world by surprise is that China’s technology is much more advanced than anyone anticipated. I’d argue that this is a leading indicator that China’s quantum computing capabilities are also in absolute stealth-mode development and ahead of the US.
China has invited proposals for post-quantum protection: in February 2025, it invited proposals for its Next-Generation Commercial Cryptographic Algorithms Program (NGCC).
While we have from NIST the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) as the recommended post-quantum protection, it is likely that China is concerned this can’t be trusted and wants to develop its own approach.
Just in the past few weeks NIST has also announced the (also a mouthful) Hamming Quasi-Cyclic (HQC) algorithm as the recommended backup cryptographic scheme. This approach is just in case ML-KEM has faults and weaknesses that are currently not apparent.
World’s largest zero day
Should China get there first, it is possible they will have a payday never before seen. Every Bitcoin decrypted and taken. The risk of “harvest now, decrypt later” — in which data collected now from various healthcare, government, and financial services breaches will be unlocked later when the right key arrives — will be fully realized on all assets.
Such an event will create both economic and military dominance, with whoever cracks the code having all the keys to the castle. It would be an extreme ethical challenge not to take advantage of this shift for your own advantage. The No. 1 global power could very well be determined by this race, with no room for second place.
What CISOs can do about it
Your transition to quantum-resistant encryption must be mobilized now. While these new cryptographic algorithms have not been tested, there are some actions you can take now without waiting for validation.
- Form a discovery team: You will need funding and a team to answer three key questions: What assets are vulnerable? Is there an inventory of encryption keys? Are these classified in terms of criticality?
- Vet your vendors: You will also need to liaise with your third-party partners and vendors to ascertain whether they have a plan to implement post-quantum cryptography, what their timeline is, and how you will be able to certify this work.
- Assemble a team of experts: This 5- to 7-year program will require new skills and existing competency to ensure full remediation. This will mean bringing together a program director, project managers, payments SMEs, architects, developers, testers, business analysts, org change leaders, and cryptography SMEs.
These skills will become harder to find as more organizations wake up and realize the amount of work required. Because the risks are very real, there are massive incentives to get there — and to hire — first.
Which systems do I start with — and which can I ignore?
Because quantum computing primarily threatens cryptographic security, it’s not a risk to basic computation or data processing. Systems are only at risk if they rely on specific types of encryption (public key cryptography) for security. As a result, critical infrastructure like power grids or traffic systems aren’t directly threatened. Their vulnerabilities would be more about security protocols needing updates rather than core functionality being at risk.
The most vulnerable systems include:
- Public key cryptography systems, those using RSA and ECC (Elliptic Curve Cryptography)
- Digital signatures used in secure communications
- SSL/TLS protocols that secure websites (HTTPS)
- Digital identity and authentication systems
- Secure messaging platforms and banking transaction systems
- Cryptocurrency systems that rely on current crypto methods
On the other hand, several legacy technologies will be safe from the quantum threat, including:
- Traditional databases (without encryption)
- Legacy systems (e.g., COBOL)
- Basic automation systems
- Systems with no cryptographic elements
- Older industrial control systems
- Non-networked computers
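One way the discovery team's three questions and the two lists above could be turned into a first-pass triage, as an added example that is not from the original article. The inventory rows, the `triage` function, the criticality scale and the 5-year `horizon_years` default are all assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample inventory for illustration; not real assets.
INVENTORY_CSV = """asset,algorithm,purpose,criticality,retention_years
payments gateway TLS cert,RSA-2048,key-exchange,high,10
code-signing key,ECDSA-P256,signature,high,0
internal wiki TLS cert,RSA-2048,key-exchange,low,1
backup archive key,AES-256,encryption,high,15
patient records VPN,ECDH-P384,key-exchange,medium,20
COBOL batch host,none,none,medium,0
"""

# Public-key families the article names as most vulnerable: RSA and ECC.
PUBLIC_KEY = re.compile(r"^(RSA|EC|ED25519|X25519)", re.IGNORECASE)
# Purposes where recorded traffic or data can be decrypted later.
CONFIDENTIALITY = {"key-exchange", "encryption"}
RANK = {"high": 3, "medium": 2, "low": 1}  # assumed criticality scale


def triage(csv_text, horizon_years=5):
    """Return public-key assets, most urgent first.

    horizon_years is an assumption: data that must stay secret at least
    this long is flagged as exposed to "harvest now, decrypt later".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not PUBLIC_KEY.match(row["algorithm"].strip()):
            continue  # no public-key cryptography: out of scope per the article
        years = int(row["retention_years"])
        findings.append({
            "asset": row["asset"],
            "algorithm": row["algorithm"],
            "criticality": row["criticality"],
            "retention_years": years,
            "hndl": row["purpose"] in CONFIDENTIALITY and years >= horizon_years,
        })
    # Already-harvestable data first, then criticality, then retention period.
    findings.sort(key=lambda f: (not f["hndl"], -RANK[f["criticality"]],
                                 -f["retention_years"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY_CSV):
        flag = "HNDL" if f["hndl"] else "    "
        print(f'{flag} {f["criticality"]:<6} {f["algorithm"]:<11} {f["asset"]}')
```

Signature keys are never flagged for harvest now, decrypt later, but they stay in the list because they still have to be replaced before a capable quantum computer exists.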
This is not Y2K
For those of us who were around for the year-2000 event, you may be thinking this sounds like a parallel of that period. The panic and preparation that was required to get ready was all a massive anticlimax. The economy kept working and planes did not fall out of the sky.
The significant difference is that we do not know exactly when this catastrophic event will occur, hence the preparation does not have a published exam date. We may all recall from our student days that surprise exams are much harder to pass than those you can dependably map out a plan to work towards.
One advantage, however, is that the quantum risk will still need to evolve, making the challenge not so much a sudden “cliff edge” like Y2K but a gradual technological development we can see coming and adapt to.
So, while both situations generated significant attention and concern, Y2K was more like a known deadline requiring mass updates, while quantum computing represents a longer-term technological shift we actively prepare for. The risks are real but more manageable with proper preparation. Still, the time to get started is now.
The original article was published on CSO Online as “Quantum supremacy: Cybersecurity’s ultimate arms race has China way in front.”