When does modern security actually break? An honest assessment with timelines, probabilities, and what you should do.
No doom. No hype. Just the math, the expert estimates, and the uncomfortable parts nobody wants to talk about.
The 60-second version: Everything secure online — your bank login, VPN, email, Bitcoin wallet — relies on math problems that are impossible for today's computers to solve fast enough. Quantum computers use fundamentally different physics (superposition, entanglement) to approach these problems in a completely different way.
There are two types of encryption. Quantum threatens one far more than the other. Understanding the difference is the whole game.
| | Symmetric (AES) | Asymmetric (RSA / ECC) |
|---|---|---|
| What it does | Same key locks and unlocks. Used for encrypting data at rest (files, drives). | Public key locks, private key unlocks. Used for key exchange, HTTPS, crypto wallets, signatures. |
| Quantum attack | Grover's algorithm — quadratic speedup only | Shor's algorithm — exponential speedup |
| Impact | AES-256 drops to the equivalent of AES-128. Still extremely secure. | RSA-2048 goes from "billions of years" to "hours to days." Existential threat. |
| Verdict | Survives. Just use bigger keys. | Broken. Must be replaced entirely. |
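
To make "quadratic speedup only" concrete, the following added example (not part of the original article) simulates Grover's search classically on toy key sizes and compares its oracle calls with average brute-force guesses. The function names and the toy key sizes are assumptions chosen for illustration.

```python
import math

def grover(n_bits, secret_key):
    """State-vector simulation of Grover search over 2**n_bits candidate keys.

    Returns (oracle_calls, probability_of_measuring_secret_key).
    """
    n = 2 ** n_bits
    amp = [1 / math.sqrt(n)] * n                  # uniform superposition
    calls = math.floor(math.pi / 4 * math.sqrt(n))
    for _ in range(calls):
        # Oracle: flips the sign of the single candidate that passes the
        # "is this the right key?" check (e.g. it decrypts a known block).
        amp[secret_key] = -amp[secret_key]
        # Diffusion: reflect every amplitude about the mean, which grows
        # the marked amplitude a little on each round.
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]
    return calls, amp[secret_key] ** 2

def classical_expected_tries(n_bits):
    """Average guesses for exhaustive search: half the key space."""
    return 2 ** n_bits // 2

def effective_bits_after_grover(key_bits):
    """Work falls from ~2**k to ~2**(k/2): half the bit strength."""
    return key_bits // 2

if __name__ == "__main__":
    for bits in (8, 10, 12):                      # toy sizes, assumed
        calls, p = grover(bits, secret_key=5)
        print(f"{bits}-bit key: classical ~{classical_expected_tries(bits)} "
              f"tries, Grover {calls} oracle calls, success p={p:.4f}")
    print("AES-128 ->", effective_bits_after_grover(128), "bits;",
          "AES-256 ->", effective_bits_after_grover(256), "bits")
```

The oracle-call count grows with the square root of the key space, which is why doubling the symmetric key length restores the original margin.
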
A common question: if a quantum computer is trying keys, how does it know when it's found the right one? Several methods work simultaneously:
Nation-states are already recording encrypted traffic — diplomatic communications, military transmissions, corporate secrets, financial data — with the intention of decrypting it once quantum computers arrive. The NSA, Google, and others have confirmed this is happening.
Even if quantum computers are 10-15 years away, data encrypted today could be unlocked in 2035 or 2040. For anything with long-term secrecy requirements, the quantum threat isn't future-tense. It's a present-tense collection problem with a future-tense decryption solution.
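
The timing argument above reduces to one comparison per asset: recorded traffic is at risk when migration time plus required secrecy lifetime runs past Q-Day (often called Mosca's inequality, which the article does not state). The sketch below is an added example, not from the original article; the `Asset` fields, the sample inventory and the 2025 reference year are assumptions.

```python
from dataclasses import dataclass

Q_DAY_SCENARIOS = (2030, 2035, 2040)   # years from the page's estimate range
# RSA/ECC per the page; finite-field DH added here (same algorithm breaks it).
SHOR_BROKEN = {"RSA", "ECDH", "DH"}

@dataclass
class Asset:                 # hypothetical inventory record
    name: str
    key_exchange: str        # scheme protecting session keys on the wire
    secrecy_years: int       # how long the data must stay confidential
    migration_years: int     # time to roll out a quantum-safe replacement

def vulnerable(asset):
    return asset.key_exchange.upper() in SHOR_BROKEN

def exposed_years(asset, today, q_day):
    """Years in which recorded traffic is both decryptable and still secret."""
    if not vulnerable(asset):
        return 0
    # Recording continues until migration ends; secrecy clock runs from then.
    secret_until = today + asset.migration_years + asset.secrecy_years
    return max(0, secret_until - q_day)

def start_deadline(asset, q_day):
    """Latest year migration can begin and still leave zero exposure."""
    return q_day - asset.secrecy_years - asset.migration_years

def triage(assets, today):
    """One row per asset, worst total exposure first."""
    rows = []
    for a in assets:
        rows.append({
            "name": a.name,
            "exposure": {q: exposed_years(a, today, q) for q in Q_DAY_SCENARIOS},
            "start_by": ({q: start_deadline(a, q) for q in Q_DAY_SCENARIOS}
                         if vulnerable(a) else {}),
        })
    return sorted(rows, key=lambda r: sum(r["exposure"].values()), reverse=True)

# Constructed sample inventory (not real systems).
SAMPLE = [
    Asset("patient-records-vpn", "RSA", secrecy_years=25, migration_years=3),
    Asset("web-session-traffic", "ECDH", secrecy_years=1, migration_years=2),
    Asset("archive-replication", "ML-KEM", secrecy_years=30, migration_years=0),
]

if __name__ == "__main__":
    print(*triage(SAMPLE, today=2025), sep="\n")
```

A `start_by` year earlier than the reference year means the asset is already accumulating exposure under that scenario.
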
Nearly every digital system you interact with depends on RSA or ECC. If Shor's algorithm becomes practical, all of these are exposed simultaneously:
Quantum computing has been "5-10 years away" for 20 years. Here's what the people actually building and defending against it are saying.
| Source | Estimate | Confidence |
|---|---|---|
| NSA | ~2035 deadline set for full migration | High (they're acting on it) |
| NIST | Early-mid 2030s | Moderate |
| IBM | By 2030 or early 2030s | Medium-high |
| | Could happen by 2029. At least 10% probability by 2032, rising steeply after. | Medium (urging immediate migration) |
| China | Possibly 2030s, maybe sooner (opaque) | Unclear |
| Academic consensus | Median ~2035, range 2030-2040 | Moderate |
| Michele Mosca | 50% chance by 2031 | Medium (optimistic end) |
| Scott Aaronson | "Not this decade," possibly 2035-2040 | Medium (respected skeptic) |
Current state: Leading quantum computers have 100-400 physical qubits. Breaking RSA-2048 needs roughly 10,000 logical qubits (or approximately 1 million physical qubits with error correction). The gap is enormous — but closing.
The lab-to-threat gap: Once a lab demonstrates RSA-2048 cracking, the jump to a practical threat takes months, not years. The hard part is the first demonstration. After that, it scales fast.
Headlines in late 2024 hyped Google's Willow quantum chip, claiming it solved a problem in 5 minutes that would take a classical computer "10 septillion years." Sounds terrifying for encryption. It wasn't.
Willow solved a contrived benchmark (random circuit sampling) specifically designed to favor quantum computers. It did not break any encryption. It did not solve any practical problem. The real achievement was engineering: error rates decreased as qubits were added — a critical milestone for scaling, but still far from cryptographic relevance.
The gap between "quantum computer does something classical can't" and "quantum computer breaks encryption" remains very large. But Willow showed the engineering is heading in the right direction.
Quantum computing predictions have been consistently too conservative, not too aggressive. In 2019, breaking RSA-2048 was estimated to require 20 million qubits. By 2025, algorithmic improvements reduced that to roughly 10,000 — a 2,000x reduction in six years. IBM has hit every qubit milestone on schedule. Google crossed the error-correction threshold years earlier than most academics expected.
This puts quantum in the same category as AI — where the track record shows predictions consistently underestimate the pace of progress. The 2035 median estimate could easily become 2032 with a single algorithmic breakthrough. This is a key reason the "harvest now, decrypt later" threat is so urgent: even if you think you have until 2035, history says you probably have less time than you think.
The gap between the prepared and the unprepared is already widening. Some organizations started years ago. Others haven't started at all.
| Category | Vulnerability | Migration Status | Worst Case |
|---|---|---|---|
| Banking / SWIFT | High | Early stages | Trust collapse in financial transactions |
| Bitcoin | Very High | No migration yet | Massive theft, potential currency collapse |
| Ethereum | Very High | No migration yet | Entire DeFi ecosystem looted |
| Consumer VPNs | High | Nothing yet | Privacy breaches at scale |
| Corporate VPNs | High | Testing phase | Corporate espionage bonanza |
| Government Classified | Variable | Active migration | Intelligence catastrophe |
| Healthcare Records | High | Largely unprepared | Privacy breaches, blackmail potential |
| Corporate Trade Secrets | High | Minimal effort | Economic espionage at industrial scale |
| IoT Devices | High | Largely unprepared | Widespread device compromise |
| Code Signing | Very High | Early stages | Global malware pandemic |
| Personal Email/Messaging | High-Medium | Nothing yet | Retrospective privacy loss |
ML-KEM (Kyber) — for key encapsulation / encryption
ML-DSA (Dilithium) — for digital signatures
SLH-DSA (SPHINCS+) — hash-based backup signature scheme
| Who | Status |
|---|---|
| Chrome | Testing hybrid PQC TLS handshakes (classical + quantum-safe simultaneously) |
| AWS / Azure | PQC options available in some services |
| Banking / SWIFT | Planning and pilot phase; SWIFT has active working groups |
| Bitcoin | No action. Community considers it a "future problem" |
| US Government | 2035 mandatory deadline (NSA CNSA 2.0 suite) |
| European Union | 2030 target for government systems, 2035 for others |
90% of companies have no PQC plan. Not "haven't started migration" — they don't even have a plan to make a plan.
The Trump administration scrapped some Biden-era PQC acceleration efforts, adding political uncertainty to an already slow process.
We're at roughly 1995 in Y2K terms — some awareness among technical people, minimal action by most organizations, no sense of urgency from the public. Y2K cost an estimated $300 billion globally to fix, and that had a hard deadline everyone could see.
The quantum deadline is fuzzy, which makes it harder to mobilize against. If Q-Day is 2035, we need to be in full swing now. We're not.
Not an internet apocalypse, but serious incidents hitting those who lag. Major systems (banks, governments, big tech) will probably be mostly migrated in time. They have the resources and the awareness.
But there will be plenty of stragglers: legacy IoT devices, older enterprise software, cryptocurrency networks that delayed too long, small financial institutions that couldn't afford the upgrade. Some hacks will succeed spectacularly on unprepared targets while others who upgraded early are fine.
Think less "global meltdown" and more "a bad year for everyone who procrastinated."
This is the scenario that should concern security professionals most. Anthropic's Mythos project found thousands of zero-day software vulnerabilities using AI. Quantum breaks the encryption protecting those systems.
Together: AI finds the holes, quantum breaks the locks. Defense gets hit from two sides simultaneously. The attack surface multiplies.
| | |
|---|---|
| Q-Day before 2030 | ~5-10% — possible but unlikely. Would require a major breakthrough. |
| Q-Day before 2035 | ~30-50% — the danger zone. This is when it gets real for most planning purposes. |
| Q-Day before 2040 | >70% — near-certain by the end of this range. |
| Lab demo to threat | Months, not years. Once someone demonstrates RSA cracking, the gap closes fast. |
| Migration pace | Behind schedule. Standards are ready. Implementation is not. |