The Quantum Panic Is Real, But We're Fighting the Wrong Enemy
While Big Tech chases Q-Day monsters, hackers are already inside—with methods that don't need quantum computers at all
The quantum apocalypse is coming. Or so the story goes. Tech executives are sweating about the day quantum computers crack modern encryption, governments are mandating post-quantum cryptography, and everyone’s suddenly an expert on lattice-based algorithms.
But here’s what’s actually happening: while we’re all staring at the sci-fi threat on the horizon, adversaries are kicking down the door using methods that worked in 2010 and still work today.
The evidence is scattered across this week’s headlines, and it paints a picture that should terrify us more than any theoretical quantum threat.
The Q-Day Obsession
Recent advances are pushing Big Tech closer to the “Q-Day danger zone.” That’s real. The timeline is compressing. Within a decade—maybe sooner—quantum computers could theoretically render current encryption obsolete. AES-128 is “just fine” in a post-quantum world, researchers insist, but the broader point stands: we’re in a transition period where bad actors are absolutely incentivized to steal encrypted data now and decrypt it later, once quantum computers mature.
This isn’t paranoia. It’s basic math. A sophisticated adversary with resources—say, a nation-state—can vacuum up your encrypted traffic today and sit on it like a digital squirrel, waiting for the technology to crack it open in 2032. Your healthcare records, your financial data, your military communications—all potentially compromised.
So yes, we should care about quantum-resistant encryption.
But we shouldn’t care only about quantum-resistant encryption.
Photo by Google DeepMind / Pexels
The Thing That’s Actually Killing Us
A US-sanctioned currency exchange got hit with a $15 million heist allegedly orchestrated by “unfriendly states.” Rituals, a cosmetics retailer with 41 million customers, had membership data breached. And Iran-linked hackers are actively disrupting operations at US critical infrastructure sites.
None of these attacks required a quantum computer.
The UK’s cybersecurity chief just warned that 100 countries now have access to spyware capable of hacking people’s phones. One hundred. That’s not a future threat—that’s the present, and it’s getting worse. Businesses and critical infrastructure are “underestimating” the threat, the chief said. Translation: you’re getting owned and you don’t even realize it.
Here’s my read: the quantum panic is a luxury problem.
It’s the kind of thing well-funded tech companies can spend engineering cycles on, publish whitepapers about, and use to justify hiring more cryptography teams. Meanwhile, the actual threat—nation-states running spyware networks, criminals stealing millions through conventional hacks, adversaries exploiting human vulnerability instead of mathematical complexity—that’s happening right now, at scale, and we’re still not organized about it.
It’s like installing a state-of-the-art security system while someone’s already living in your attic.
Why This Matters for Big Tech (And It Does)
Three separate threads in this week’s headlines hint at a deeper tech sector panic:
Broadcom’s reputation is so bad that VMware customers are actively migrating away, with “negative” views driving thousands of migrations. This isn’t about security directly, but it shows how quickly trust evaporates when customers feel exposed or abandoned. One bad security incident, one perception of poor response—that’s your customer base walking.
OpenAI’s partnership with Infosys to bring AI tools to businesses is presented as a productivity play, but read between the lines: it’s also a distribution strategy into enterprise infrastructure. Which means OpenAI’s tools—and their security posture—are now baked into clients’ core workflows. If OpenAI gets breached, thousands of companies’ development pipelines get breached with it.
Rivian’s R2 is ramping production despite tornado damage to the factory. Why mention this in a cybersecurity column? Because connected vehicles are attack surface. Every modern car is a rolling computer with LTE connectivity, GPS tracking, and infotainment systems. The more vehicles Rivian ships, the more targets exist for the same nation-state actors already hitting critical infrastructure.
Photo by UMA media / Pexels
The Real Vulnerability
Here’s what keeps me up at night: we’re building increasingly complex, interconnected systems and our security model is still “encrypt the data at rest and in transit, then pray.” That worked when systems were isolated. It doesn’t work now.
The spyware problem is the clearest example. A phone-hacking tool doesn’t care about your AES-256 encryption if it just records your keystrokes before you encrypt anything. Quantum computers won’t help you there. Neither will better cryptography.
The currency exchange heist didn’t happen because the encryption was weak. It happened because someone got inside the network—and once you’re inside, conventional encryption is just theater.
The critical infrastructure disruptions attributed to Iran-linked hackers? Same story. Spyware, phishing, credential theft, privilege escalation. The 1990s playbook still works perfectly well.
My Actual Prediction
I think we’re going to see a major incident in the next 18-24 months that forces a reckoning. Not a data breach. Those happen weekly. I mean something that disrupts a city-scale critical system—power grid, water treatment, hospital network—traced directly back to spyware or nation-state intrusion using conventional methods.
When that happens, the conversation will shift overnight from “are we ready for quantum computers?” to “why didn’t we lock down phone access to critical systems?” Boards will demand zero-trust architecture. CISOs will get fired. Thousands of companies will realize their insider threat programs are theater.
The irony is that solving the current problem—locking down existing attack vectors, implementing proper access controls, treating phones and contractor devices as genuine threats—is 90% of the work needed to also be resilient against quantum threats. We’re not choosing between two different futures. We’re either building secure systems now, which will still be comparatively secure in 2035, or we’re not.
Cathie Wood’s ARK just made its first lead investment in Lucra, a corporate loyalty program reimagined as eSports. I mention this because it shows where speculative capital is flowing: gamification, engagement mechanics, new consumer experiences. Not boring infrastructure security. Not the un-sexy work of actually defending critical systems. That’s always the last priority until it’s the only priority.
What I’m Watching
1. The next major critical infrastructure incident and how it gets attributed
If it traces back to spyware, phone compromise, or conventional intrusion (not quantum-era techniques), expect a legislative response within 6 months. Watch for new mandates around phone/device access to critical systems. That’s the real early warning that the security posture shift has begun.
2. Enterprise security budget reallocation through Q4
CISOs will start shifting spending from post-quantum crypto initiatives toward zero-trust architecture, insider threat programs, and endpoint detection. Watch Gartner’s Magic Quadrant updates and analyst coverage—if zero-trust adoption accelerates beyond the current 35-40% of enterprises, that’s your signal the mindset has shifted.
3. Whether OpenAI’s Infosys partnership includes joint liability for security incidents
If OpenAI gets breached and Infosys clients are affected, who’s responsible? That contract language matters. If OpenAI’s lawyers are pushing for carve-outs, that tells you something about their confidence in their own security posture.
4. The spyware total addressable market
We know 100 countries have access to surveillance tools. We don’t really know how much they’re spending annually or how many targets are affected. If a major investigation quantifies this market as $10B+, that’s a sign the threat is bigger than anyone’s publicly admitting.
The quantum future is coming. But the present is actively hostile, and we’re still not fighting back properly.