{"id":14969,"date":"2025-10-16T11:24:00","date_gmt":"2025-10-16T11:24:00","guid":{"rendered":"https:\/\/newestek.com\/?p=14969"},"modified":"2025-10-16T11:24:00","modified_gmt":"2025-10-16T11:24:00","slug":"theres-no-such-thing-as-quantum-incident-response-and-that-changes-everything","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14969","title":{"rendered":"There\u2019s no such thing as quantum incident response \u2013 and that changes everything"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

One of the key elements to detecting cyberattacks is the concept of observability. We can literally see the packets of data being thrown towards a website when a DoS attack is taking place. The \u201cboom\u201d of the attack is visible and observable. But when a cryptographically relevant quantum computer is utilized to break into encrypted traffic flows, the attacker \u201csnoops\u201d the traffic and stores a copy somewhere else where it can be processed later with impunity, which makes the act both not observed and not observable.<\/p>\n

This is what I call the \u201csilent boom,\u201d and it will most definitely be a plate tectonic shift in the world of secrets and privacy, disrupting the balance of power for every nation, every industry and every individual.<\/p>\n

The evidence isn\u2019t theoretical. According to network security firm Qrator Labs, there were approximately 13,626 BGP hijack attacks<\/a> in the second quarter of 2024 and 13,438 in the third quarter. Not all are malicious, but enough create that \u201cscenic route\u201d through Chinese-owned or Russian-owned IP addresses that makes security professionals nervous about store-now-decrypt-later attacks.<\/p>\n

At Marvel, we had secrets that, if disclosed ahead of the planned time, would cause significant damage to the brand and potentially also to projected revenues. The actors who attend the red carpet premiere have no idea what they\u2019re going to see on screen. The scripts they were given had false scenes in them as a means of forensic watermarking that helps identify leaks. When you\u2019re protecting 10-year story arcs and plans for what comes after phase 6 of the Multiverse Saga, you develop an appreciation for what needs long-term protection.<\/p>\n

This is a developer problem, not a CISO shopping problem<\/h2>\n

CISOs are directing attention to have quantum security risks added to the corporate risk register. It belongs there. But the problem to be solved is not a quick fix, despite what some snake oil salesmen might be pushing. There is no simple configuration checkbox on AWS or Azure or GCP where you \u201cturn on\u201d post-quantum cryptography (PQC) and then you\u2019re good to go. This is a shared responsibility problem. Just as migrating to the cloud doesn\u2019t magically make your infrastructure more secure, quantum vendors cannot solve this without significant developer engagement.<\/p>\n

Here\u2019s why this lands on developers: The majority of all internet traffic is not human-generated traffic from laptops to servers and back. It\u2019s API traffic. Your company most likely delivers services using a host of third-party solutions, all accessed via APIs. So your API client needs to learn how to speak PQC algorithms just as much as that remote API endpoint needs to learn how to speak PQC algorithms. Otherwise, the connection will negotiate down to a common protocol that both can speak and it won\u2019t be TLSv1.3 with PQC algorithms.<\/p>\n

Without significant engagement from developers, QA teams and product owners, the quantum decryption risk will remain in play. You cannot transfer this risk by adding more cyber insurance policy coverage. The entire cyber insurance industry itself is in a bit of an existential doubt situation regarding whether cybersecurity can reasonably be insured against, given the systemic impacts of supply chain attacks that cascade across entire industries.<\/p>\n

What can developers actually do? Three concrete steps this quarter:<\/p>\n