The Quantum Countdown: Why Nation-States, Not Businesses, Might Be First to Weaponise the Future

The dawn of quantum computing promises breakthroughs that could revolutionise science, medicine, and engineering. Yet, amidst the optimism surrounding commercialisation, a far darker timeline is emerging: the weaponisation of this profound technology by hostile nation-states.

This stark warning comes from Nikesh Arora, CEO of cybersecurity behemoth Palo Alto Networks, who recently put a date on the threat during his firm's Q1 2026 earnings call. Arora suggested that whilst commercial businesses race to harness quantum power, nation-states are likely to achieve weapon capability even sooner, predicting this seismic shift could occur as early as 2029.

The Cryptographic Reckoning

Why does this date matter? Because the power of a large-scale, fault-tolerant quantum computer—a so-called Cryptographically Relevant Quantum Computer (CRQC)—is fundamentally destructive to current digital security. The vast majority of global data protection, including online banking, secure communications, and critical infrastructure, relies on public-key encryption standards like RSA and ECC. These protocols depend on mathematical problems that even today’s most powerful supercomputers would take millions of years to solve.

A CRQC, however, would be able to break this encryption in mere hours or days.

As Dr Fida Hasan, a lecturer in Cybersecurity at UNSW Canberra, puts it, the exponential leap in power is terrifyingly fast. “Quantum computers could potentially reduce the time required to decrypt and compromise cryptographic security systems from millions of years to days or even less.”

Crucially, the threat isn't distant. Adversaries are already employing "harvest now, decrypt later" (HNDL) tactics, stealing vast quantities of encrypted, sensitive data today, storing it, and patiently awaiting the arrival of the quantum decryption machine.

The UK's Deadline: 2035

In the UK, government bodies have treated this threat with serious urgency. The National Cyber Security Centre (NCSC) has warned large organisations and operators of Critical National Infrastructure (CNI) to prepare for a national transition to quantum-resistant standards.

The NCSC’s roadmap is clear and phased, aiming for complete migration to Post-Quantum Cryptography (PQC) by 2035. This journey is broken down into defined milestones: organisations must have completed their cryptographic discovery and built an initial plan by 2028, execute high-priority upgrades by 2031, and complete full migration by the final deadline.

NCSC Chief Technical Officer Ollie Whitehouse highlighted the gravity of the shift: “Quantum computing is set to revolutionise technology, but it also poses significant risks to current encryption methods.”

Professor of Cybersecurity at Surrey University, Alan Woodward, concurs, stressing that action is required immediately. “Now that there are new methods for public key encryption, it makes sense to migrate now rather than wait for the threat to becoming real.”

The Commercial Opportunity vs. The National Imperative

Arora’s warning, while dramatic, has a clear commercial underpinning. He suggests that if nation-states achieve weaponisation by 2029, most businesses will need to urgently replace their security appliances, creating a massive, necessary expenditure. Palo Alto Networks stands ready to capitalise, anticipating a rush of demand for its quantum-safe products, led by the belief that the market is finally primed for PQC adoption.

This demand, Arora hopes, will rival the commercial energy seen during the AI boom. He said: “From our perspective, AI and quantum are going to drive a lot more volume. So as the more bits that fly around, the more they need to be inspected, which means the need for bit inspection technologies is not going to go away.”

The cybersecurity sector has consistently seen resilient spending, fuelled by sophisticated nation-state actors. The quantum threat represents the most significant, fundamental overhaul of digital security systems in history.

The crucial question for business leaders and governments worldwide is this: are you treating PQC migration as a decade-long IT project, or as a critical national defence initiative with a looming 2029 deadline? Preparing for the quantum threat is no longer theoretical; it is an essential, present-day responsibility to safeguard data that must remain secret for decades to come.