Quantum Threat Timeline
Governance & Compliance
Definition
The projected schedule for when cryptographically relevant quantum computers (CRQCs) will become capable of breaking current public-key cryptographic systems, guiding urgency for post-quantum migration planning.
Technical Details
Expert estimates vary: optimistic projections suggest a CRQC breaking RSA-2048 could emerge by 2030-2035; conservative estimates extend to 2040+. The 'harvest now, decrypt later' (HNDL) threat means organizations with long-lived sensitive data must act before CRQCs arrive. NIST, NSA (CNSA 2.0), and CISA have all issued guidance recommending post-quantum migration beginning now, with 2030-2035 as target completion dates for critical systems.
Practical Usage
CISOs should use the quantum threat timeline to build a cryptographic inventory, classify data by sensitivity lifetime, and prioritize post-quantum migration for systems protecting data that must remain confidential beyond the estimated CRQC arrival date. Migration to NIST PQC standards (FIPS 203/204/205) should be treated as a multi-year infrastructure program.
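As an added illustration (not part of the original entry), the sketch below triages a cryptographic inventory by comparing each system's migration time plus data secrecy lifetime against the CRQC estimates quoted above, a comparison often called Mosca's inequality. The asset names, field names, tier labels and sample figures are assumptions constructed for the example.

```python
from dataclasses import dataclass

# CRQC arrival bounds taken from the estimates quoted on this page.
CRQC_OPTIMISTIC = 2030    # earliest year of the optimistic 2030-2035 range
CRQC_CONSERVATIVE = 2040  # start of the conservative "2040+" estimate

# Public-key families broken by a CRQC (Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}


@dataclass
class Asset:
    name: str
    algorithm: str        # public-key algorithm protecting the asset
    use: str              # "key_exchange" (confidentiality) or "signature"
    secrecy_years: int    # how long the protected data must stay confidential
    migration_years: int  # estimated time to move this system to PQC


def exposure_horizon(asset: Asset, as_of: int) -> int:
    """Last year in which breaking the current algorithm still causes harm."""
    horizon = as_of + asset.migration_years
    # Harvest-now-decrypt-later only applies to confidentiality: traffic
    # recorded until migration completes must stay secret for secrecy_years.
    if asset.use == "key_exchange":
        horizon += asset.secrecy_years
    return horizon


def triage(asset: Asset, as_of: int) -> str:
    if asset.algorithm.upper() not in QUANTUM_VULNERABLE:
        return "none"
    horizon = exposure_horizon(asset, as_of)
    if horizon >= CRQC_CONSERVATIVE:
        return "immediate"   # exposed even under the conservative estimate
    if horizon >= CRQC_OPTIMISTIC:
        return "planned"     # exposed only if the optimistic estimate holds
    return "monitor"


# Constructed sample inventory (hypothetical systems, not from the page).
INVENTORY = [
    Asset("records-archive-vpn", "ECDH", "key_exchange", 25, 4),
    Asset("payments-api-tls", "RSA", "key_exchange", 5, 3),
    Asset("firmware-signing", "ECDSA", "signature", 0, 3),
    Asset("internal-kem-pilot", "ML-KEM", "key_exchange", 10, 0),
]


def heat_map(as_of: int) -> dict:
    return {a.name: triage(a, as_of) for a in INVENTORY}
```

Signature systems carry no harvest-now-decrypt-later exposure, so only their migration time counts toward the horizon; they still need to be migrated before a CRQC exists.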
Examples
- NSA's CNSA 2.0 (2022) mandates post-quantum algorithm adoption for national security systems by 2035.
- A financial regulator requires banks to complete post-quantum cryptography inventories by 2026 in response to the HNDL threat.
- A CISO presents a quantum risk heat map to the board, showing which data assets require immediate PQC migration vs. longer-term planning.