Walking past IBM's offices on York Road, just a short walk from Waterloo Station, I spotted the IBM Quantum System One on public display. Like many people, I initially wondered whether it was simply a replica or a marketing exhibit.
The answer is no.
This is a genuine IBM Quantum System One, housed within a sophisticated dilution refrigerator designed to keep its superconducting quantum processor at temperatures only a fraction of a degree above absolute zero.
The striking gold structure that catches everyone's attention is not the quantum processor itself. The processor is tiny compared with the surrounding equipment and sits deep inside the system. Much of what you can see exists to cool, control and protect the processor from heat, vibration and electrical interference.
It is a fascinating sight and well worth stopping to admire when passing through Waterloo.
More Than a Display
What many people do not realise is that IBM's quantum technology is not simply something to observe through glass.
Through the IBM Quantum Platform, researchers, developers, students and organisations can access IBM quantum computers remotely through the cloud.
IBM currently offers access to quantum processing units, or QPUs, alongside documentation, tutorials, learning resources and software tools. Its platform also provides a limited amount of free execution time, allowing users to experiment with real quantum hardware rather than relying only on simulators.
Developers can create and execute quantum circuits using Qiskit, IBM's open-source software development kit for quantum computing.
For developers, the basic installation begins with:
pip install qiskit
pip install qiskit-ibm-runtime
The IBM Quantum Platform includes resources covering quantum information science, optimisation, Hamiltonian simulation and machine learning. It also offers tools such as Composer, which allows users to construct and run quantum circuits visually.
Quantum computing is no longer confined entirely to specialist laboratories. Developers and researchers can already gain practical experience with real quantum hardware.
Why Does a Quantum Computer Need to Be So Cold?
IBM's systems use superconducting qubits, which are extremely sensitive to their surroundings.
At ordinary temperatures, heat and electrical noise would disrupt the fragile quantum states needed for computation. The dilution refrigerator therefore cools the processor through several stages until it reaches temperatures close to absolute zero.
This extremely controlled environment allows the qubits to retain their quantum properties long enough for calculations to be performed.
It is an extraordinary feat of engineering.
Will Quantum Computers Break Today's Encryption?
This is the question cybersecurity professionals hear most often.
Not today.
Current quantum computers do not have the scale, reliability or fault tolerance required to break the public key cryptography used across banking, virtual private networks, digital certificates, software signing and secure communications.
However, a sufficiently powerful and fault-tolerant quantum computer could theoretically use Shor's algorithm to undermine widely used public key algorithms, including:
- RSA
- Elliptic Curve Cryptography, or ECC
- Diffie-Hellman key exchange
- Elliptic Curve Diffie-Hellman
That does not mean organisations should panic. It does mean they should begin preparing before such capability exists.
Post-Quantum Cryptography Is Already Here
The transition towards quantum-resistant cryptography is already under way.
In August 2024, the U.S. National Institute of Standards and Technology published its first three finalised Post-Quantum Cryptography standards.
- FIPS 203: ML-KEM for establishing shared secret keys.
- FIPS 204: ML-DSA for digital signatures.
- FIPS 205: SLH-DSA for stateless hash-based digital signatures.
These standards give governments, technology providers and organisations a foundation for moving towards cryptographic methods designed to resist both conventional and quantum-enabled attacks.
The Risk Is Not Only in the Future
One important concern is sometimes described as harvest now, decrypt later.
An attacker may collect encrypted information today in the hope of decrypting it in the future, once more capable quantum technology becomes available.
This matters most where information must remain confidential for many years, such as:
- Government and defence information
- Intellectual property and trade secrets
- Long-term commercial agreements
- Personal, medical or financial records
- Critical infrastructure designs
- Authentication and identity information
The urgency of Post-Quantum Cryptography (PQC) planning should therefore be based not only on when a cryptographically relevant quantum computer may arrive, but also on how long an organisation's data must remain protected.
What Should Organisations Be Doing Today?
For most organisations, the first challenge is not selecting a new algorithm. It is understanding where cryptography is already being used.
Cryptographic dependencies may be embedded within applications, network protocols, certificates, hardware, cloud services, APIs, supplier products and legacy systems.
You cannot migrate what you have not identified.
1. Build a cryptographic inventory
Identify where encryption, digital signatures, certificates, key exchange mechanisms and cryptographic libraries are used.
The inventory should cover:
- Applications and databases
- Web services and APIs
- TLS certificates
- VPNs and remote-access technologies
- Identity and authentication platforms
- Code-signing and software-update processes
- Hardware security modules
- Cloud services
- Third-party and supplier solutions
- Operational technology and embedded devices
2. Identify quantum-vulnerable algorithms
Determine where RSA, ECC, Diffie-Hellman and related public key algorithms are used.
Do not assume that a certificate-management database alone provides a complete view. Cryptography may also be hard-coded into applications, libraries, firmware and external services.
3. Map cryptography to business services
A technical inventory is useful, but it becomes more valuable when linked to critical business services.
Organisations should understand:
- Which important services depend on vulnerable cryptography
- What information those services protect
- How long that information must remain confidential
- What would happen if the cryptography could no longer be trusted
- Which suppliers or platforms must be upgraded first
4. Design for cryptographic agility
Cryptographic agility is the ability to replace algorithms, protocols, certificates and keys without rebuilding an entire system.
New systems should avoid unnecessary dependencies on a single algorithm or cryptographic implementation. Cryptographic choices should be configurable, documented and capable of being updated as standards and threats evolve.
5. Engage suppliers
Organisations depend heavily on software vendors, cloud providers, network suppliers and managed service providers.
Useful questions include:
- Where does your product use RSA, ECC or Diffie-Hellman?
- Do you maintain a cryptographic bill of materials?
- What is your roadmap for supporting NIST PQC standards?
- Will customers need new hardware or software?
- Will hybrid classical and post-quantum modes be supported?
- How will certificates, keys and protocols be migrated?
- What testing has been completed for performance and interoperability?
6. Test before large-scale migration
Post-quantum algorithms can have different key sizes, signature sizes, processing requirements and network implications.
Organisations should test their effect on applications, protocols, devices and infrastructure before committing to widespread deployment.
7. Establish governance and ownership
PQC migration is not solely a security engineering problem. It may require coordination across:
- Cybersecurity
- Enterprise architecture
- Infrastructure and cloud teams
- Application development
- Procurement
- Legal and privacy teams
- Risk and compliance
- Business service owners
Clear ownership, funding, milestones and reporting will be essential for what is likely to become a multi-year transformation programme.
A Practical Post-Quantum Cryptography Roadmap
A proportionate roadmap could follow four stages.
Discover
- Build the cryptographic inventory
- Identify vulnerable algorithms
- Map dependencies to critical services
- Assess long-term confidentiality requirements
Prioritise
- Rank systems by business criticality and data sensitivity
- Identify difficult-to-replace legacy technology
- Assess supplier readiness
- Determine where harvest-now-decrypt-later risk is greatest
Prepare
- Introduce cryptographic agility requirements
- Update procurement and architecture standards
- Establish governance and ownership
- Begin laboratory testing and controlled pilots
Migrate and validate
- Deploy approved algorithms using a risk-based sequence
- Validate interoperability and performance
- Retire vulnerable cryptographic dependencies
- Collect evidence that migration has been completed successfully
Final Thoughts
Standing in front of IBM Quantum System One was a fascinating reminder that the future often arrives quietly.
Today's immediate cybersecurity priorities remain ransomware, identity compromise, supply chain risk, exposed services and weak security controls. Quantum computing does not replace those priorities.
However, responsible security leadership also means recognising risks that require years of preparation.
Quantum computing is no longer confined entirely to theoretical research. Developers and researchers can already access real quantum processors through services such as the IBM Quantum Platform.
That does not mean organisations need to rush into an uncontrolled migration. It means they should begin understanding their exposure, improving cryptographic agility and establishing a structured roadmap.
The organisations that start mapping their cryptographic landscape today will be better prepared when quantum-safe migration becomes a business requirement rather than a future consideration.


No comments:
Post a Comment