This is part of a series of articles in our special report on technology in family offices. To see all the articles, click here.
If you’re of a certain vintage, you will recall the Y2K countdown: widespread worry that as calendars rolled over to the year 2000, computer systems everywhere could crash when internal processes that used two-digit dates switched from 99 to 00. For several years ahead of the putatively big moment, organizations across the globe frantically updated code to be ready.
Fast-forward a quarter century and IT experts now anxiously await a new technological turning point that could wreak even more havoc on the world—except this time, no one knows when the clock will strike midnight.
It’s known as “Q-Day,” the moment when quantum computers become capable of breaking today’s highest encryption standards. In contrast to traditional computers’ “bits,” which process information in a binary state of either 1 or 0, “qubits” (short for “quantum bits”) use the mind-bending quality of quantum mechanics known as supposition to process many possibilities simultaneously, which enables exponentially faster and more complex problem-solving.
If or when that power is applied to encryption, all the best ways we currently have to store and transmit sensitive information—from financial and healthcare systems to state secrets—become vulnerable.
“Q-Day is becoming more and more imminent,” says Mike Krygier, founder and CEO of DeepCove Cybersecurity, based in Toronto. “Some people are asleep on this, and it could be a rude awakening when that technology becomes available.”
A quantum timebomb
Predictions vary widely as to when that day will arrive. The 2024 Quantum Threat Timeline Report, produced by the Toronto-based Global Risk Institute based on insights from 32 leading global quantum computing experts, estimates a 17 per cent to 34 per cent probability that it occurs by 2034.
That may sound like a problem for another day, but some researchers think Q-Day will arrive in the next five years.
I would not be shocked if Q-Day arrives in 2027.
Bruce Watson
“Some of the smartest people in the field are thinking more like 2028,” says Bruce Watson, chief experience officer and quantum researcher at Waterloo-based startup Qorsa, who works with the National Security Centre of Excellence in Ottawa and has advised the federal government on post-quantum cryptography.
“There have been continuous breakthroughs. This timeline has already marched closer several times, and it’s never receded,” Watson says. “I would not be shocked if Q-Day is in 2027.”
Qubit quandary
Krygier and Watson say the time to prepare is now. As theoretical as it may be currently, researchers are confident that a sufficiently powerful quantum computer will be capable of decrypting public key encryption methods such as RSA or ECC in 24 hours or less, compared to the thousands of years it would take classical computing.
Two factors are at play: the algorithms quantum computers would use to crack current encryption keys, and the number of qubits a quantum computer would need to be to run that algorithm. As researchers steadily improve algorithms that require fewer qubits, commercially available quantum computers are increasing in power and capabilities. At some point, those two trends will intersect. “It’s not some sci-fi question of ‘Will it arrive?’” says Watson. “It’s just a matter of scalability.”
Fortunately, quantum computers will not be on the shelves at Best Buy any time soon. Expensive, temperamental and highly specialized, they will initially be the domain of wealthy countries like the U.S. and China. “In the first year, only nation-states trying to break the secrets of other nation-states are going to spend that kind of money,” says Watson.
That problem is above a family office’s pay grade, but there are other risks. Tech giants like Amazon, Google, IBM and Microsoft, which have made some of the key breakthroughs, could make quantum computing available more broadly via the cloud, albeit at a high price. Watson worries that any corporation or large family office presenting a sufficiently juicy payday would quickly become vulnerable to cybercriminals willing to pay. “They would be among the first potential targets once quantum computing becomes available to anyone with a big enough credit card,” he says.
Laying the groundwork
Action is being taken. Government agencies and major companies, especially in finance, are devising ways to upgrade to post-quantum cryptography (PQC), stronger encryption algorithms developed by the National Institute of Standards and Technology (NIST) based on mathematical problems thought to be resistant to quantum computers.
It’s a massive undertaking, says Krygier. “It’s a challenge just identifying where all this encrypted data is stored, where it is transmitted, which [cryptography] keys are used,” says Krygier. “Quite a lot of compute power and storage will be necessary to re-encrypt all of this data.”
For family offices, post-quantum security will require refreshing IT infrastructure. Government organizations and industry working groups, including the Canadian Centre for Cyber Security, are releasing guidance documents. The Post-Quantum Cryptography Coalition, backed by Microsoft and IBM, recently published a migration roadmap and inventory workbook.
Major technology players have begun preparing their products to either ship with PQC algorithms embedded in their systems or be ready to update at a later date. Software migrations are now rolling out as updates become available. “Do not underestimate how large the migration will be,” cautions Watson. “The whole system is only as secure as the weakest link.”
Watson recommends that any new hardware purchased should be quantum-ready, including servers, laptops, storage devices, smartphones, even entertainment systems. At minimum, the manufacturer should offer to update software as PQC becomes available.
Some data already at risk
But it’s already too late for some data. Security analysts say that bad actors—either nation-states or large crime groups—have been using a “harvest now, decrypt later” strategy. They are siphoning up encrypted data as it is securely transmitted and storing it until that day in the future when they have access to quantum computing capable of cracking the algorithm.
Anything you would like to remain secret for at least five years, if not to until the end of your life—that’s where the problems now start to arise.
Bruce Watson
Bank passwords circa 2025 likely won’t matter by that time, but of larger concern are long-term sensitive documents, such as those related to trusts, medical history, or even DNA data. “Anything you would like to remain secret for at least five years, if not to until the end of your life—that’s where problems now start to arise,” says Watson. Not that you can do anything about it, he concedes: “But just be aware. It is worth having an inventory of what has been transmitted in bulk over time.”
Going forward, Waterson recommends family offices ensure any large-scale data transfers are PQC-encrypted. “Or simply put the data on a hard disk and send it on a plane,” he says.
As for Krygier, he encourages family offices to start asking their IT vendors at all levels if they have a plan for post-quantum cryptography—because many do not. “I recently asked a very large company whose software manages trillions of dollars of assets [and] they didn’t have one, which was quite scary,” he says.
“Anytime the word ‘encryption’ is mentioned by any vendor, your next question should be, ‘What’s your plan for post-quantum cryptography?’ And that plan should not be 15 years out, but within a three-to five-year timeframe,” he says, before adding ominously: “If not even sooner.”
The Canadian Family Offices newsletter comes out on Sundays and Wednesdays. If you are interested in stories about Canadian enterprising families, family offices and the professionals who work with them, but like your content aggregated, you can sign up for our free newsletter here.
Please visit here to see information about our standards of journalistic excellence.