We sat down with Securemetric to understand post-quantum cryptography: what it is, who needs it most, and why the migration can’t wait for quantum computers to actually arrive.
SkyCloud Computing Editorial Team · May 2026
Why does a computer that doesn’t exist yet threaten us today?
Imagine a thief who breaks into your safe not today, but ten years from now — using a key that doesn’t exist yet. That’s the essence of the threat pushing banks, governments, and critical infrastructure providers toward a quiet but fundamental overhaul of the way they protect data. It’s called post-quantum cryptography, or PQC, and the conversation is moving fast.
To understand what’s at stake, SkyCloud Computing spoke with Securemetric, a cybersecurity firm at the forefront of helping organisations prepare for a world where today’s encryption may no longer be enough.
The encryption that protects most of the internet — your bank login, your government records, the firmware running your router — relies on mathematical problems that are practically unsolvable for classical computers. RSA and ECC, the two dominant algorithms, have held up for decades because brute-forcing them would take longer than the age of the universe.
Quantum computers change that equation entirely. Rather than crunching through possibilities one at a time, they exploit quantum mechanical properties to test vast numbers of solutions simultaneously. A sufficiently powerful quantum computer could crack RSA encryption in hours.
The catch? That machine doesn’t exist yet. Quantum computers today are noisy, error-prone, and nowhere near the scale needed to break modern encryption. So why is the industry already in motion?
“Whether you believe quantum computers will break RSA or not, the market has no choice — regulations already demand post-quantum readiness.” — Securemetric
Two threats are already active, even without a working quantum computer. The first is called harvest now, decrypt later. Sophisticated attackers — often state-sponsored — are intercepting and storing encrypted data today, banking on the assumption that they’ll be able to decrypt it once quantum hardware matures. If your data has value in ten or twenty years, it’s already a target.
The second threat is trust now, break later. Digital signatures are used to verify that software, contracts, and firmware are legitimate. A quantum attacker could eventually forge those signatures retroactively — impersonating trusted sources, injecting malicious firmware, or invalidating long-lived legal documents.
Who is most at risk — and why they can’t wait
Not everyone faces the same level of urgency. Securemetric points to three sectors on the front line: banks and financial institutions, government agencies, and software vendors who rely on code signing to verify the integrity of their products.
What these sectors share is a combination of long-lived sensitive data and strict compliance obligations. A bank’s customer records or a government ministry’s classified communications may need to remain secret for decades. A signed firmware update for a medical device or power grid component may be trusted for the lifetime of that hardware.
For these organisations, the harvest-now-decrypt-later window is already open — every day they wait is another day of potentially compromised data accumulating in an adversary’s storage.
By 2030, US federal agencies and National Security Systems (NSS) must move to post-quantum cryptography (PQC) for high-priority systems to protect against “harvest now, decrypt later” attacks.
The hidden chaos inside a large bank’s certificate infrastructure
Before any organisation can migrate to quantum-safe cryptography, it has to understand what it currently has. That turns out to be a bigger problem than it sounds.
In a typical large bank, certificates — the digital credentials that authenticate servers, applications, and devices — have historically been issued ad hoc. Individual developers, vendors, and IT teams each created their own, with no central oversight. The result is thousands of certificates scattered across internal systems, public-facing web apps, APIs, and devices, with no single team knowing where they all are or what algorithms they use.
Securemetric’s approach starts here: automated network scanning to build a complete inventory of every certificate in use, what algorithm it relies on, and whether it’s approaching expiry. From that inventory, risk-based prioritisation tells teams what to fix first — public-facing services and critical systems before internal tooling.
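The inventory-then-prioritise step described above can be sketched as follows. This is an added example, not Securemetric's code: the record shape, the scoring weights and the 30-day expiry window are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date

# Algorithms the article names: RSA/ECC are quantum-vulnerable,
# ML-DSA and SLH-DSA are the NIST post-quantum signature schemes.
QUANTUM_SAFE = {"ML-DSA", "SLH-DSA"}
# Assumed weights: public-facing and critical systems before internal tooling.
EXPOSURE_WEIGHT = {"public": 3, "critical": 3, "internal": 1}

@dataclass
class CertRecord:          # hypothetical shape of one scanner finding
    host: str
    key_algorithm: str     # e.g. "RSA", "ECDSA", "ML-DSA"
    not_after: date
    exposure: str          # "public", "critical" or "internal"

def risk_score(cert, today, expiry_window_days=30):
    """Higher score = fix sooner. The scoring scheme is an assumption."""
    score = 0
    # Anything not known to be quantum-safe needs migration; weight by exposure.
    if cert.key_algorithm not in QUANTUM_SAFE:
        score += 2 * EXPOSURE_WEIGHT[cert.exposure]
    days_left = (cert.not_after - today).days
    if days_left < 0:
        score += 4         # already expired
    elif days_left <= expiry_window_days:
        score += 2         # approaching expiry
    return score

def prioritise(inventory, today):
    """Return (host, score) pairs, most urgent first; drop zero-risk entries."""
    scored = [(c, risk_score(c, today)) for c in inventory]
    scored.sort(key=lambda cs: (-cs[1], cs[0].not_after))
    return [(c.host, s) for c, s in scored if s > 0]

# Constructed sample inventory (not real scan output).
SAMPLE = [
    CertRecord("www.bank.example", "RSA", date(2026, 9, 1), "public"),
    CertRecord("api.bank.example", "ECDSA", date(2026, 6, 10), "public"),
    CertRecord("hsm-gw.bank.example", "ML-DSA", date(2026, 6, 5), "critical"),
    CertRecord("wiki.corp.example", "RSA", date(2027, 1, 1), "internal"),
    CertRecord("build.corp.example", "ML-DSA", date(2026, 12, 1), "internal"),
]
TODAY = date(2026, 5, 20)

if __name__ == "__main__":
    for host, score in prioritise(SAMPLE, TODAY):
        print(f"{score:2d}  {host}")
```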
The urgency of this work is compounded by a separate but related trend. TLS certificates — the ones that secure web traffic with the padlock icon — are being issued with shorter and shorter lifespans. They’ve already dropped from over a year to around 200 days. This is not a projection. The practice has been officially approved by the CA/Browser Forum (the Certification Authority Browser Forum), and all CAs and browsers will carry it out. By 15 March 2029, CAs will only issue certificates with a validity of 47 days, and browsers will warn users who visit a website that still uses a certificate with a validity longer than 47 days.
Securemetric’s platform addresses this by automating the renewal and deployment of certificates. When combined with a private, PQC-enabled Certificate Authority — one that can issue quantum-resistant credentials using new NIST-approved algorithms like ML-DSA — the result is a system that can pivot an entire organisation’s cryptographic infrastructure from a central policy, without touching each individual server or device by hand.
What quantum-safe cryptography actually looks like in practice
The NIST (National Institute of Standards and Technology) in the US ran a years-long global competition to identify which quantum-resistant algorithms were robust enough to become international standards. The survivors — ML-DSA for digital signatures, ML-KEM for key exchange, and SLH-DSA as a backup — were subjected to intensive public scrutiny and attack attempts from cryptographers worldwide. These are now the foundation of PQC migration.
For most users, PQC changes nothing visible. Multi-factor authentication still works the same way: something you know (a password), something you have (a token or phone), and something you are (a fingerprint or face scan). What changes is the mathematics under the hood. A certificate-based login that previously relied on RSA or ECC now relies on ML-DSA — quantum-resistant from the ground up, but functionally identical from the user’s perspective.
The migration challenge isn’t conceptual. It’s operational. Large organisations can’t flip a switch. They need to move through an inventory phase, a prioritisation phase, a testing phase, and a gradual rollout — all while keeping existing systems running. Securemetric describes the next three to five years as the shift from awareness to execution: most organisations today have attended the briefings and understand the threat. What they now need is tooling to actually do the work.
The sovereignty question: not all algorithms are created equal
There’s a geopolitical layer to this story that often goes unmentioned in Western coverage. Countries including China, Vietnam, and Malaysia have developed their own national cryptographic algorithms — not as replacements for NIST standards, but as sovereign additions for use in defence, military, and national security contexts.
Malaysia’s post-quantum algorithm, KAZ-SIGN, is one example. It isn’t part of the NIST standard, meaning most commercial hardware security modules — the specialised chips that store and process cryptographic keys — don’t support it out of the box.
Securemetric has built the technical capability to extend commercial HSMs with custom algorithm support, effectively acting as a bridge between global NIST standards and sovereign national requirements. The rationale for national algorithms is a mix of practical security — closed-source algorithms are harder for outsiders to analyse — and strategic independence, reducing reliance on cryptographic infrastructure designed and controlled abroad.
The tradeoff is real: NIST algorithms have been tested by the global cryptographic community for years. National algorithms haven’t faced the same public scrutiny. Securemetric’s position is to support both, leaving the policy choice to their clients.
The regulation timeline that makes the debate moot
Whether or not a large-scale quantum computer materialises by 2030, the migration is happening regardless. The US government has set concrete deadlines: federal agencies will not procure software that isn’t PQC-ready from 2030, and are expected to have retired RSA and ECC entirely by the mid-2030s. These aren’t aspirational targets — they’re procurement requirements, and they cascade through every vendor that supplies government systems.
Securemetric sees growing demand from banks, critical infrastructure, and government agencies for PQC-enabled certificate authorities, certificate lifecycle management platforms, and HSMs capable of running quantum-resistant algorithms. The company’s view is that these will become the baseline infrastructure components of the next decade — not optional upgrades, but table stakes for operating in regulated sectors.
About Securemetric
Securemetric is redefining digital security for Southeast Asia and beyond. Fueled by innovation, unwavering commitment, and a team of visionary experts, we deliver advanced solutions that safeguard the digital journeys of businesses, governments, and communities.
Founded in 2007 and headquartered in Kuala Lumpur, Malaysia, Securemetric has rapidly grown its regional presence, establishing strong local teams in Indonesia, Singapore, Vietnam, and the Philippines. Our expertise spans the full spectrum of Mobile Security, Identity Security, Cryptographic Security, Data Security, and now, AI Security—enabling organizations to thrive securely in a hyper-connected world.
Original Article in Mandarin ITHome link: https://www.ithome.com.tw/pr/175894



