By Serge Droz (Senior technical advisor, Swiss Federal Department of Foreign Affairs), in conversation with Anastasiya Kazakova (Cyber Diplomacy Knowledge Fellow and Geneva Dialogue Project Coordinator, DiploFoundation).

Quantum computing occupies a unique position in cybersecurity policy: widely discussed, frequently cited in national strategies, and yet, according to many of the people who understand it best, profoundly misunderstood. As governments draft quantum-readiness roadmaps and the phrase ‘post-quantum cryptography’ enters the lexicon of cyber diplomats, a critical question comes to the fore: are we preparing for the right risks?

The Geneva Dialogue on Responsible Behaviour in Cyberspace focuses on the existing stress-testing cyber norms and cybersecurity practices against real-world challenges, including emerging technological developments. Quantum computing is one such challenge, and in this interview, Serge Droz, Senior Technical Advisor at the Swiss Federal Department of Foreign Affairs, examines how current norms and policy priorities hold up against it, offering a sharp counterpoint to the prevailing narrative. He introduces a perspective that invites a recalibration: while quantum risks to cryptography are in principle real, the timelines remain uncertain, and a disproportionate focus on quantum may come at the cost of addressing more immediate and well-understood challenges.

The gap between quantum expectations and technical reality 

The engineering challenges involved in building a practically useful quantum computer remain substantial. Estimates of when such machines might become available vary widely: from a few years, among the most optimistic projections, to more than a decade in what Serge describes as the ‘realist camp’. Even if quantum computers do arrive on the earlier end of that range, questions of usefulness relative to cost are likely to limit their application. To date, only two known algorithms (both discovered in the 1990s) demonstrate quantum supremacy. The landscape of practical quantum advantage, in other words, remains narrow.

This does not rule out breakthroughs. Fundamental research, by its nature, can produce black swans. But as Serge notes, that is true across all scientific fields, not just quantum computing. For policymakers, the challenge lies in calibrating attention to a risk whose probability and timeline remain genuinely uncertain, particularly when doing so may draw focus from problems, such as climate change, whose urgency and scale are well established.

However, quantum computing already dominates discussions among national cyber officials and features prominently in several countries’ cybersecurity strategies, including at the UN level. What explains the gap between technical realism and policy urgency?

Serge suggests that part of the explanation lies in how the new technologies are communicated. Specialists lacking sufficient subject matter expertise on the problem, he observes, often find it difficult to place technical developments in their proper context, and certain framings amplify concern. ‘Many more people have opinions about chaos theory than the theory of dynamical systems,’ he notes, ‘although these are the same thing.’ A phrase like ‘breaking all crypto’ carries weight precisely because it sounds alarming, and without the technical context, it can lead to responses driven more by urgency than by assessment. He draws a parallel to earlier cycles around cryptocurrencies, where expectations similarly outpaced the technology.

What breaking encryption would actually mean

To be clear about the stakes: if today’s asymmetric encryption were broken, the consequences would be severe. All secure communication would be at risk: from e-banking to the exchange of confidential government information, to the basic ability to verify that a banking website is authentic. Given that modern societies depend on secure communication in nearly every aspect of daily life, Serge characterises this as a potentially catastrophic event, one that could trigger a gigantic financial crisis.

The severity of this scenario is not in dispute. What is in dispute is its likelihood and its timeline, as well as whether the current policy response is proportionate.

What responsible preparation looks like

The probability that cryptographic systems will be broken by quantum computers is, in Serge’s assessment, certainly not zero, but small. Under the assumption that quantum computing becomes a practical reality in, roughly, ten years, a first step would be creating an inventory of devices relying on vulnerable algorithms. Most commodity technology, he argues, will already have been upgraded to quantum-safe algorithms by then. The real challenge lies with legacy systems.

The ‘store now, decrypt later’ scenario, in which adversaries collect encrypted communications today and decrypt them once quantum capability arrives, is often cited as a reason for urgency. However, Serge is sceptical about this. Such an adversary, he argues, would need gigantic storage capabilities and would then face the problem of identifying relevant information in the collected mass. Some counter that adversaries need only collect the interesting traffic in the first place, but this implies they already have the access and intelligence to triage, which means that the problem exists now and is entirely unrelated to a future quantum threat.

However, institutions are already moving: the US NIST, for instance, has released guidance on post-quantum cryptography, and technical solutions are already available. So is the real challenge now in implementation and migration? Where exactly are the actual blockers for cybersecurity practitioners and critical infrastructure operators? 

Serge responds to that by identifying two main challenges: visibility (i.e. knowing where vulnerable systems are) and the time required to update legacy infrastructure. On the migration itself, he seems to be positive: ‘The latter is on track, it’s something engineers are good at.’ The broader point is that the transition to post-quantum cryptography is best understood as a technical and operational task, one that benefits from sustained attention but does not necessarily require the framing of an imminent emergency.

Quantum computing and geopolitical dynamics 

There are legitimate questions about whether the pursuit of quantum advantage might deepen geopolitical fragmentation and competition (i.e. through secrecy, reduced scientific cooperation, or the stockpiling of vulnerabilities). Serge acknowledges these concerns but offers a nuance: quantum computing, at its current stage, is better understood as fundamental research than as a technology race comparable to AI development or semiconductor competition. The risks it poses, while worth monitoring, are less likely to materialise than it is sometimes suggested.

At the same time, he also draws attention to risks that are both concrete and addressable. Climate change, as mentioned earlier, is the most prominent example, but within computing, he highlights the 2038 time rollover – a well-documented technical problem that could disrupt critical systems if not addressed in time. His concern is not that quantum risks should be dismissed, but that they should be weighed alongside other priorities rather than treated as uniquely urgent.

Beyond cryptography: what’s the expected impact of quantum technologies?

Quantum technologies extend well beyond quantum computers. Progress in areas such as quantum sensing is steady and significant, and many modern devices already rely on quantum effects – from lasers to semiconductors. Comparable advances, as Serge observes, are also taking place in biology, neuroscience, and other scientific fields, all of which carry dual-use potential.

This points to a governance principle: rather than attempting to regulate each emerging technology individually, states should develop frameworks capable of responding to rapid technological change across domains. The values that states already promote such as human rights, the Sustainable Development Goals (SGDs) provide a foundation. These should guide the governance of quantum technology just as they should guide AI or advances in neuroscience.

Technology will continue to reshape both society and the nature of conflict, Serge highlights. But it is unlikely to reshape what is most fundamental (i.e. the desire to be human, and the enduring tension between cooperation and conflict). 

Speaking of geopolitics and international security, some frame quantum computing risks the way we once framed nuclear (i.e. as a threat exclusive to the most capable states, which changes the nature of the risk rather than eliminating it). Does such framing resonate? 

To this question, Serge observes significant  differences. Nuclear technology is fundamentally different: nuclear weapons pose an existential threat and require manufacturing infrastructure that can be detected and controlled. One cannot secretly build nuclear weapons. Quantum computers, by contrast, require mostly talented engineers and the overcoming of technical obstacles – a different kind of barrier entirely.

If quantum computers arrive too soon (which he considers unlikely), then breaking asymmetric cryptography would trigger a global crisis, one in which all parties would suffer. But the more persistent and less headline-grabbing danger, he argues, is the growing technological gap between states. Switzerland, Serge notes, feels strongly that new technologies should benefit all countries, not just the wealthy. This conviction underpins initiatives such as the Open Quantum Institute (OQI) and the International Computation and AI Network (ICAIN), both aimed at ensuring that quantum and AI capabilities do not become yet another axis of global inequality.

Conclusion: recalibrating the policy conversation

Serge’s core message is a call for proportionality. Quantum computing is not irrelevant to cybersecurity, but it is far from the most urgent challenge facing the field. The current policy discourse, shaped by dramatic language and speculative timelines, risks diverting attention and resources from problems that are both more immediate and more tractable.

For the Geneva Dialogue’s ongoing work on stress-testing cyber norms against emerging technologies, the interview raises a pointed question: when we assess whether existing norms and practices are ‘fit for purpose’ in a changing technological landscape, are we inquiring about the right technologies? The answer, Serge concludes, may require as much critical thinking about which risks we choose to prioritise, as about the risks themselves.