Australia’s peak cyber security body has warned that organisations are underestimating the scale and urgency of the transition to post-quantum cyber security, as advances in quantum computing threaten to undermine existing encryption systems in the next four years.
Speaking at CyberConnect Canberra, the Australian Information Security Association (AISA) said governments, critical infrastructure operators, and major enterprises need to begin planning immediately for the migration to quantum-resistant security systems.
The warning comes amid escalating cyber threats across Australia. According to the latest Annual Cyber Threat Report from the Australian Signals Directorate, more than 87,400 cyber crime reports were made during the last financial year – equivalent to one report every six minutes.
Rajiv Shah, AISA board member and a PhD-qualified quantum physicist, said many organisations still lacked visibility into the systems and data that would need to be upgraded to withstand future quantum attacks.
“The Australian Cyber Security Centre has recommended that organisations should have developed such a plan by the end of 2026 – less than seven months away,” Shah said.
“The problem is that, as we see from many recent cyber incidents, organisations often do not have a good understanding of their IT assets and their data. Identifying what needs upgrading to be quantum-resistant, making that plan and implementing it, is likely to take much longer than they anticipate.”
Shah said the migration challenge extended beyond simply applying software updates, particularly for governments and operators managing legacy operational technology systems and unsupported infrastructure.
“They might think they just need to apply the upgrades from their vendors, but we already see that governments and operational technology systems struggle to keep their software up to date,” he said.
“Then there is the problem of systems which are no longer supported, or which can’t physically be upgraded. How will you decide what to do about those?”
AISA said quantum computing represented a long-term strategic cyber security challenge that would require years of coordinated planning, investment, and risk management across both government and industry.
While experts do not expect a single moment when all existing encryption suddenly becomes obsolete, Shah warned that organisations need to prepare now for a gradual increase in cyber risk as quantum computing capabilities mature.
“The Australian government may want to consider how to encourage organisations to take the threat seriously while avoiding knee-jerk reactions or compliance directives that could create unwelcome consequences,” Shah said.
“Rushed or botched implementations that make systems more complex may actually make them less secure. Cyber security is about doing the hard work, identifying and prioritising risks, not just ticking boxes.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.