Why Security Engineers Must Act Now

Post-Quantum Encryption (PQE) must be deployed well before 2030.

Encryption is one of the most critical defensive technologies in modern computing — protecting remote access, secure sessions, digital identities, key exchange, certificates, and stored sensitive data. Today’s widely deployed public-key cryptography (e.g., RSA, ECC, Diffie-Hellman) is safe only against classical computing attacks. However, quantum computing promises to break these assumptions, and world governments — including Australia — are already pushing organisations to prepare.

Refer to the Australian Signals Directorate (ASD) articles "Planning for post-quantum cryptography" and "Stay ahead of the quantum threat with post-quantum cryptography".

As SSH.com’s research shows, public key cryptosystems that underpin protocols like TLS, SSH, and IPsec are vulnerable to quantum attacks once sufficiently powerful quantum machines arrive.

1. The Quantum Threat to Classical Cryptography

Quantum algorithms like Shor’s algorithm threaten to break the mathematical foundations of RSA, ECC, and related public-key schemes. Once quantum computers of sufficient scale exist — often called Cryptographically Relevant Quantum Computers (CRQC) — current asymmetric cryptography will be broken, exposing past and future encrypted sessions to decryption.

Attackers don’t need quantum computers today to cause long-term harm: with a “harvest now, decrypt later” strategy, an adversary could intercept encrypted traffic today and decrypt it years later once quantum capabilities arrive.

2. Post-Quantum Cryptography (PQC): What It Is and Why It Matters

Post-Quantum Cryptography (also called quantum-safe cryptography) consists of algorithms that remain secure even against quantum attacks. Unlike quantum key distribution (QKD), PQC works on classical systems and fits into existing protocols and infrastructures.

PQC includes families like:

  • Lattice-based cryptography (e.g., Kyber, Dilithium)

  • Hash-based signatures

  • Code-based systems

These schemes leverage mathematical problems that quantum computers are not known to solve efficiently, making them suitable replacements for RSA/ECC in key exchange and signatures — the building blocks of secure communications.

3. Australian Government Regulatory Guidance: ASD & ACSC

In Australia, the government has already moved beyond theoretical caution and issued formal guidance on post-quantum cryptography:

3.1 The Information Security Manual (ISM) and PQC

  • The Australian Signals Directorate (ASD) has updated its Information Security Manual (ISM) to include guidance on post-quantum cryptography planning and transition.

  • The ISM’s guidance recommends ceasing the use of traditional asymmetric cryptography (e.g., RSA, ECDH, ECDSA) by the end of 2030.

  • Organisations are encouraged to adopt ASD-approved post-quantum cryptographic algorithms before this deadline.

  • This guidance is not just conceptual — it forms part of the baseline security controls for many Commonwealth agencies and regulators.

3.2 Explicit Transition Timelines

ACSC’s guidance suggests a phased timeline:

  • By end of 2026: Organisations should have a detailed PQC transition plan.

  • By end of 2028: Transition for critical systems and data should have begun.

  • By end of 2030: The full transition to post-quantum cryptographic algorithms should be completed.

These milestones reflect the government’s understanding of both the quantum threat and the long lead times required to update cryptographic infrastructure securely.

4. Regulatory Risk and Compliance

Complying with ASD/ACSC guidance is increasingly a cyber governance and regulatory issue, not just a technical preference:

  • Organisations subject to the ISM (e.g., Commonwealth agencies and critical infrastructure providers) are expected to adopt PQC planning as part of their compliance requirements.

  • Boards and executive teams are now being advised to incorporate quantum readiness into risk frameworks — including supplier risk, data classification, and cryptographic lifecycle planning.

  • Failure to plan may expose organisations not only to future technical compromise but also to regulatory scrutiny, audit findings, and supply chain risk criticisms.

5. Industry and Global Standards Align With Government Expectations

The Australian Government’s stance is consistent with global efforts:

  • The National Institute of Standards and Technology (NIST) in the US has standardised quantum-safe algorithms.

  • International bodies (IETF, ETSI) are updating protocols (TLS, SSH, etc.) to support hybrid and post-quantum options.

These align with ASD’s call for cryptographic agility — the ability to pivot between algorithm suites without architectural overhaul.

6. Roadmap for Security Engineers (Practical Takeaways)

Security teams should treat PQC planning like any long-term infrastructure migration:

  1. Inventory cryptographic assets across networks, services, applications, and devices.

  2. Map public-key dependencies (e.g., certificates, key exchange, digital signatures).

  3. Build cryptographic agility, abstracting crypto layers so algorithms can change easily.

  4. Pilot and test PQC algorithms in non-production environments — hybrid deployments are valuable stepping stones.

  5. Update procurement and supplier requirements to require support for ASD-aligned PQC standards.

  6. Embed PQC planning into governance and reporting, so executive leadership understands risk and timelines.

This roadmap increasingly mirrors regulatory expectations as well as cryptographic best practices.
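
As an added example (not from the original article or from any vendor), here is one way to start steps 1 and 2 for OpenSSH servers: parse the public-key directives of an sshd_config and flag the algorithms that are still classical. The sample config, the function names and the name-pattern classification are assumptions made for this illustration, and only the file's global directives are read.

```python
import re

# Constructed sample sshd_config for illustration (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed example
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256,diffie-hellman-group14-sha256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,ecdsa-sha2-nistp256
PubkeyAcceptedAlgorithms +ssh-rsa
Ciphers aes256-gcm@openssh.com
"""

# Directives that select public-key (asymmetric) algorithms; Ciphers/MACs are symmetric.
ASYMMETRIC_DIRECTIVES = {"kexalgorithms", "hostkeyalgorithms", "pubkeyacceptedalgorithms"}

# Assumed name patterns. Hybrid PQ is tested first: hybrid names also contain "x25519".
HYBRID_PQ = re.compile(r"sntrup761|mlkem")
CLASSICAL = re.compile(r"^(curve25519|ecdh-|diffie-hellman-|ssh-rsa|rsa-sha2-|ecdsa-|ssh-ed25519|sk-)")

def classify(name):
    if HYBRID_PQ.search(name):
        return "hybrid-pq"
    if CLASSICAL.match(name):
        return "classical"
    return "unknown"  # left for manual review rather than guessed

def inventory(config_text):
    """Return [(directive, modifier, algorithm, classification)] for asymmetric directives."""
    findings, seen = [], set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key not in ASYMMETRIC_DIRECTIVES or key in seen:
            continue  # sshd uses the first value it obtains for a keyword
        seen.add(key)
        modifier = value[0] if value[0] in "+-^" else ""  # +append, -remove, ^prepend
        for alg in value.lstrip("+-^").split(","):
            findings.append((key, modifier, alg.strip(), classify(alg.strip())))
    return findings

def migration_candidates(findings):
    """Classical algorithms still enabled (anything not listed with the '-' removal modifier)."""
    return sorted({alg for _, mod, alg, cls in findings if cls == "classical" and mod != "-"})

if __name__ == "__main__":
    for row in inventory(SAMPLE_SSHD_CONFIG):
        print(row)
    print("to migrate:", migration_candidates(inventory(SAMPLE_SSHD_CONFIG)))
```

A directive that uses a `+`, `-` or `^` modifier only adjusts the server's built-in defaults, so the effective list on such a host should be confirmed with `sshd -T` before the finding is recorded.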

7. The 2030 Quantum Deadline Is Real — and Regulatory

Quantum computing may yet take years to reach practical maturity, but government guidance (especially in Australia) stresses that waiting is not an option. The clock toward 2030 is not just a technical benchmark — it’s becoming part of regulatory and compliance frameworks that will shape cybersecurity strategy across government, critical infrastructure, and enterprise sectors.

Security-conscious engineers should therefore treat post-quantum encryption not as a future academic problem but as an immediate planning priority.

8. The Final Wrap-Up – How SSH.com Solutions Help

The biggest challenge security professionals face with post-quantum cryptography is not awareness — it is execution. Engineers know the deadlines are coming (ASD, NIST and global guidance all point toward migration during this decade), but most environments cannot simply “rip and replace” cryptography overnight.

This is where real-world, deployable platforms become essential.

SSH.com’s NQX and Tectia Quantum-Safe Edition effectively address two different layers of the migration problem:

  • Network-level quantum-safe protection (NQX)

  • Secure access, file transfer and SSH workload protection (Tectia)

Together, they allow organisations to start preparing today without waiting for a complete cryptographic overhaul.

NQX — Making Data-in-Transit Quantum-Safe Today

SSH Communications Security positions NQX as a quantum-safe encryptor designed to protect Ethernet and IP traffic across untrusted networks.

From an engineering perspective, NQX helps prepare for 2030 because it solves several practical problems immediately:

Crypto-agility without hardware replacement

NQX is designed so new post-quantum algorithms can be introduced rapidly without replacing infrastructure, allowing engineers to evolve alongside standards rather than redesigning networks later.

This directly aligns with ASD and international “crypto-agility” guidance:

  • deploy now

  • update algorithms later

  • avoid future migration shock

Tectia Quantum-Safe Edition — Securing SSH and Operational Access

While NQX secures networks, Tectia Quantum-Safe Edition focuses on one of the most overlooked migration challenges:

SSH remains everywhere — automation, DevOps pipelines, backups, administration, file transfer, and machine-to-machine communications.

If SSH is not quantum-safe, long-lived privileged sessions and transferred data may still be vulnerable to “harvest now, decrypt later” risks.

Visit SSH here on the TDS Website
