Safe Mode Podcast: "What Security Teams Should Do to Prepare for the Quantum Computing Future"
Date: November 13, 2025
Host: Greg Otto
Guests: Rebecca Krauthamer (CEO, Q Secure), Tim Stark (Senior Reporter, CyberScoop)
Episode Overview
This episode of Safe Mode Podcast explores the impending impact of quantum computing on security and encryption, focusing on what security teams—especially in government and enterprise—should do to prepare for a post-quantum future. Greg Otto discusses trends in quantum technology, current U.S. government response, the realities of cyber deterrence, and actionable steps organizations can take today to protect critical assets, featuring in-depth insights from quantum security expert Rebecca Krauthamer.
Key Discussion Points & Insights
1. The New Era of Cyber Deterrence and Attribution (00:34–12:34)
Mixed Messaging on Cyber Operations
- Trump Administration’s Stance: Tim Stark reports the administration is adopting a more blunt, “hit back harder” approach in cyber policy, while former President Trump openly acknowledges that cyber espionage is a global norm:
"When asked specifically about Salt Typhoon and then getting into our telecom networks, [Trump’s] response was, I mean, we, we do that, too. What's the big deal? It's a nasty world. This is just the way the world works." – Tim Stark, (01:30)
- Contradictions & Demystifying Cyber: Policy experts see value in demystifying cyber operations rather than maintaining denial.
"It's overdue for us to be talking about these things that everybody knows we do...having more open discussions about this thing." – Tim Stark, (03:32)
- Global Acknowledgment: Similar candidness now appears in remarks by world leaders, signaling a potential shift toward openness in cyber dialogues.
Challenges in Deterrence
- Limitations of Deterrence:
"You can't really deter cyber espionage...what consequences are you going to put on somebody to make them go, yeah, okay, we're scared. We're not going to do this anymore? Right now, that doesn't seem to exist." – Tim Stark, (07:56)
- Role of Openness:
"Maybe we can get to a better place if we all just acknowledge, okay, this is happening." – Greg Otto, (05:04)
Notable Moment
- On Changing Attitudes:
"Just the acknowledgment, even if it's an offhand joke, to say, I might have a back door on it. ...That's different in and of itself." – Greg Otto, (11:01)
2. Quantum Computing’s Accelerating Reality (12:35–16:56)
Concrete Signs of Progress
- Quantum Moves from Hype to Reality:
"When you start hearing those things...like HSBC and IBM talking about using it for bond swapping...that's the exciting moment." – Rebecca Krauthamer, (14:57)
- Recent Milestones: The UK-based company Quantinuum unveiled the world’s most powerful error-corrected quantum computer (~50 qubits), signaling exponential gains in computing power.
The Scaling Challenge
- Exponential Growth:
"If I have a 50 qubit quantum computer, I add one more qubit—51—is twice as powerful as a 50 qubit." – Rebecca Krauthamer, (16:21)
3. Post-Quantum Cryptography (PQC): What Security Teams Must Do (17:43–29:52)
The Quantum Threat Explained
- Quantum computers threaten to break classical encryption, putting long-duration secrets (military, personal, financial data) at risk, especially from "harvest now, decrypt later" attacks.
- "Q Day" refers to the day a quantum computer capable of breaking current encryption becomes operational.
"Silence will be the celebration...it is more and more urgent that government agencies adopt now in anticipation of, of that day coming closer and closer." – Rebecca Krauthamer, (21:08)
Timelines & Urgency
- Timelines Shrinking: Once thought to be 2035+, the consensus now puts Q Day potentially by 2028, heightening urgency for transition.
- Migration Requirements:
  - By Jan 1, 2027: No new national security system acquisitions without PQC.
  - By 2030: High-value systems must be migrated.
  - By 2035: All systems, including low-priority assets. (23:08–23:41)
Practical Steps for Security Teams
- Inventory and Prioritize:
  - Publish and maintain an inventory of encrypted systems, reporting what is not quantum safe.
  - Key guidance: "Pick the stuff that you know you wouldn’t want China to have read access to and start immediately." – Rebecca Krauthamer, (24:56)
- Just Start: Avoid being paralyzed by endless planning—begin with the most sensitive assets and move incrementally.
Legislation and Best Practices
- Pending Law: Quantum Security Migration Strategy Act of 2025 would require agencies to pick and migrate one high-sensitivity system to PQC by the end of next year as a blueprint for wider migration. (25:38–26:52)
- Simplicity over Perfection:
"You do not need to build a comprehensive cryptographic bill of materials before you start migrating. You should be building it as you actively migrate systems to post quantum." – Rebecca Krauthamer, (29:32)
4. Handling the Complexity: Cryptographic Bill of Materials & Hybrid Solutions (26:52–33:26)
Know Your Crypto
- Cryptographic Bill of Materials (CBOM):
  - Akin to software bills of materials (SBOM), CBOMs help organizations know what cryptography they have and where.
  - It’s no longer acceptable to not know which (potentially obsolete) encryption algorithms are where in your stack.
"It's critically important...it's gotta be standard...it's not acceptable for us not to one, know what encryption is used where, and two, not be able to change on the fly." – Rebecca Krauthamer, (27:52–28:44)
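An added example (not from the episode or from any guest's product) of the inventory-and-prioritize step and the CBOM idea above: it classifies each recorded algorithm, reports assets that are not quantum safe, and ranks "harvest now, decrypt later" exposure first. The record fields, token lists and sample inventory are constructed for illustration, and the default `qday_year` of 2028 is the estimate cited above, used here as an assumption.

```python
from dataclasses import dataclass

# Assumption: tokens matched against normalised names as a scanner might report them.
PQC = ("MLKEM", "MLDSA", "SLHDSA")  # NIST FIPS 203 / 204 / 205
CLASSICAL = ("RSA", "ECDH", "ECDSA", "X25519", "X448", "ED25519", "DHE", "DSA")

def classify(alg: str) -> str:
    """Return 'pqc', 'hybrid', 'vulnerable' or 'unknown' for one algorithm name."""
    name = alg.upper().replace("-", "").replace("_", "")
    pq = False
    for tok in PQC:  # strip PQC names first: "MLDSA" contains "DSA"
        if tok in name:
            pq, name = True, name.replace(tok, " ")
    classical = any(tok in name for tok in CLASSICAL)
    if pq:
        return "hybrid" if classical else "pqc"
    return "vulnerable" if classical else "unknown"

@dataclass
class Asset:  # hypothetical CBOM record
    name: str
    sensitivity: int    # 1 (low) .. 5 (highest)
    secrecy_years: int  # how long the data must stay confidential
    kex: str            # key establishment algorithm
    sig: str            # signature / authentication algorithm

def triage(assets, this_year=2025, qday_year=2028):
    """List assets that are not quantum safe, most urgent first."""
    rows = []
    for a in assets:
        kex, sig = classify(a.kex), classify(a.sig)
        if kex in ("pqc", "hybrid") and sig in ("pqc", "hybrid"):
            continue  # both roles already covered by a PQC algorithm
        # Harvest now, decrypt later: only key establishment exposes recorded traffic.
        hndl = kex == "vulnerable" and this_year + a.secrecy_years > qday_year
        rows.append({"asset": a.name, "kex": kex, "sig": sig,
                     "hndl": hndl, "sensitivity": a.sensitivity})
    return sorted(rows, key=lambda r: (not r["hndl"], -r["sensitivity"]))

SAMPLE = [  # constructed inventory, not real systems
    Asset("hr-portal", 3, 1, "ECDHE-P256", "RSA-2048"),
    Asset("intel-archive-vpn", 5, 25, "RSA-3072", "RSA-3072"),
    Asset("edge-gateway", 4, 10, "X25519MLKEM768", "ECDSA-P256"),
    Asset("fw-signing", 5, 15, "X25519MLKEM768", "ML-DSA-65"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Algorithms the classifier does not recognise come back as `unknown` and stay in the report, so gaps in the inventory surface as work items instead of being treated as safe.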
Hybrid/Staged Migration Works
- Hybrid models are effective: Overlay PQC on top of existing classical encryption—no need for huge code rewrites.
"What they need to be thinking about is, yes, this one staged—pick the systems that are most sensitive." – Rebecca Krauthamer, (31:46)
"If you're changing your code, you're probably on the wrong path." – (33:23)
"Some is absolutely better than none." – (33:26)
5. Quantum in the Field: Autonomous & Embedded Systems (33:29–36:35)
- Applicability: Quantum-safe encryption is needed everywhere—communication between any two endpoints (phones, drones, satellites).
- Transparency: End users shouldn't notice changes; it should “just work.”
"What encryption should look like is that you shouldn't have to think too much about it. ...If you need to change it, you can." – Rebecca Krauthamer, (34:32)
Memorable Quote:
"In the next 10 years, everyone’s going to have their own WikiLeaks moment." – former CIA CTO, cited by Rebecca Krauthamer, (36:06)
6. Real-World Warning Signs: How Will We Know Q Day Has Happened? (36:35–39:44)
- Historical Analogy: Like WWII code-breaking, the breakthrough will be a secret.
"They did not release a press release and they went as far as to take strategic losses that they knew were coming in order to keep that secret private." – Rebecca Krauthamer, (37:31)
- Potential Signs:
  - Unusual activity in cryptocurrency (first public keys to fall)
  - Attacks or data leaks from banks, telecoms, or the energy sector
"Anytime there's a public key exposed...as soon as [a] cryptographically relevant quantum computer comes online, if there's funny behavior that we see in the cryptocurrency space, that's a very strong indicator." – (38:38)
- But: For most, the signs will be subtle or hidden.
- Final Thought:
"Either a rug pull or the lights go out. Neither of those sound great." – Greg Otto, (39:21)
Notable Quotes & Timestamps
- "When Rebecca said that to me...No, and I'll look out for that over the next 12, 18 months. Three weeks later, HSBC makes their announcement...Yeah, Rebecca was, was right in saying that the future was closer than ever." – Greg Otto, (14:00)
- "Silence will be the celebration, exactly." – Rebecca Krauthamer, (21:08)
- "What we need to make sure more people understand is it is also a solved problem. We have that encryption that we know is quantum safe. And you don't need a quantum computer to fight a quantum computer; you just need to adopt that new type of encryption." – Rebecca Krauthamer, (19:41)
Summary Table: Key Segments & Timestamps
| Timestamp | Segment Title | Main Topics Covered |
|-------------|----------------------------------------------------|------------------------------------------------------|
| 00:34–12:34 | Cyber Deterrence, Attribution & Policy Trends | US/China cyber ops, esp. mixed admin messaging |
| 12:35–16:56 | Quantum’s Arrival: Real-world Benchmarks | Practical signs of quantum computing’s maturity |
| 17:43–29:52 | PQC Urgency: Timelines, Compliance, and How-To | Migration strategies, timelines, practical advice |
| 29:52–33:26 | Crypto Inventory, Hybrid Approaches | CBOM, overlay encryption, staged migration |
| 33:29–36:35 | Autonomous/Embedded Systems, User Transparency | Quantum in weapons, drones, satellites |
| 36:35–39:44 | Q Day Detection: What to Watch For | Warning signs, cryptocurrencies, critical infra |
Final Takeaways
- Quantum computing is now a near-term, not distant, risk for data protection and security.
- Transition to PQC should be prioritized by sensitivity—start with what you cannot afford to lose or reveal.
- Don’t wait for the perfect plan: Begin migration now, focus on high-value assets, and build material inventories along the way.
- Hybrid approaches (overlay PQC) are practical and effective; widespread code rewrites are not necessary for most.
- Q Day will not be announced; indications will be subtle—monitor critical sectors and cryptocurrency for early signs.
- Transparency and adaptability in encryption management are key for the years ahead.
