The Wall Street Journal’s latest quantum explainer invites readers to “see the seemingly magical science behind quantum computing.” CSIRO calls entanglement “the magic of quantum computers.” Raconteur places it “somewhere between colonising Mars and fully automated workforces.” A dozen Medium posts this month describe superposition as “sorcery” and entanglement as a “quantum magic trick.”
This framing is not harmless. It is actively making organizations less safe.
The Sugar Bite Theory of Cryptographic Risk
Tell a child that cavities come from magical sugar bites and it works — for a while. Small children obey authority. They don’t need to understand the mechanism; they just need to be scared enough to comply. But the moment they start thinking for themselves, the story falls apart. They realize it was fear-based nonsense, and they stop brushing — not because they’ve decided cavities aren’t real, but because the explanation was never credible, so they dismiss the whole thing.
Now tell them the truth: bacteria feed on sugar residue, produce acid, and dissolve enamel over time. It’s a mechanical process with a mechanical countermeasure. Boring. But once you understand the mechanism, brushing isn’t something you do because someone told you to be afraid. It’s something you do because the logic is obvious.
The quantum threat to encryption is in the sugar-bite phase. The press is telling organizations to be scared of magic. That works in boardrooms that run on authority — “the CEO read a scary article, so we’re doing something.” It does not work in organizations where technical leaders think critically, because they can smell the fear-mongering, and they tune out. The threat gets dismissed along with the hype.
The fix is the same as with the child: replace the magic with the mechanism. The quantum threat is not mysterious. It’s a known mathematical weakness in the encryption methods that protect most of the internet, and the replacement methods are already built, standardized, and shipping in everyday software. Once you frame it that way, upgrading isn’t something you do because a newspaper scared you. It’s something you do because the logic is obvious.
The Threat Is Boring
Here’s what’s actually happening. Most internet encryption relies on math problems that are extremely hard for today’s computers to solve — factoring enormous numbers, for example. A sufficiently powerful quantum computer could solve those problems quickly using an algorithm published in 1994 called Shor’s algorithm. That would break the encryption protecting web traffic, email, banking, code updates, and virtually every secure connection on the internet.
There is nothing magical about this. It’s a known algorithm targeting known math. And the replacements are already here.
In August 2024, the U.S. National Institute of Standards and Technology (NIST) finalized three new encryption standards designed to resist quantum computers. The NSA’s timeline requires U.S. national security systems to start using quantum-resistant encryption by 2025 and use it exclusively by 2030. The UK’s National Cyber Security Centre told organizations in March 2025 to start upgrading immediately. Germany’s Federal Office for Information Security (BSI) published equivalent guidance and joined 17 European partners calling for sensitive systems to switch by 2030.
The institutional consensus is unambiguous: upgrade now.
The Response Is Boring Too
The quantum-resistant replacements aren’t theoretical. They’re already running.
OpenSSL, the encryption library behind much of the internet, shipped quantum-resistant key exchange as its default in April 2025. Go, one of the most widely used programming languages for server software, did the same in February 2025. Cloudflare has been offering quantum-resistant connections since 2024. Fastly and Akamai — two of the largest content delivery networks — followed in 2025. Chrome has supported it since November 2024.
This means organizations running current software are already using quantum-resistant encryption for many connections — often without knowing it. The encryption protecting their systems changed. The question is whether anyone noticed.
We looked. We mapped 28+ major technology vendors across seven product categories and checked what they claim against what their systems actually do. The gap is enormous. Cloudflare reports 52% quantum-resistant adoption at the network edge — the front door. Behind it, at the servers that actually hold the data, support is in the single digits.
That’s the real gap. Not quantum physics. Not qubit stability. Not cryogenic cooling. The gap is between what your systems are doing right now and what you think they’re doing.
Magic Creates Spectators
When the WSJ frames quantum computing as “seemingly magical science,” it positions the reader as an audience member watching something fascinating unfold on a distant stage. That framing is fine for the physics. It is catastrophically wrong for the security upgrade.
The Raconteur piece is instructive: it opens by placing quantum computing in the realm of science fiction, then pivots to the UK’s cyber security agency warning organizations to begin upgrading immediately. The cognitive dissonance is right there in one article — marvelling at the spectacle while the building inspector is knocking on the door.
Britain’s NCSC, the NSA, Germany’s BSI, and the G7 Cyber Expert Group are not issuing guidance about magic. They are issuing guidance about a specific, measurable infrastructure risk that has a specific, available fix. And every week of “quantum is magical” coverage converts that urgency into entertainment.
Trajectory, Not Magic
The useful question for any organization right now is not “when will quantum computers break encryption?” It is: are we getting better or worse?
Is the encryption on your public-facing systems quantum-resistant? What about your internal services? Are things improving quarter over quarter, or are you passively absorbing whatever defaults your software vendors ship?
These are infrastructure questions with infrastructure answers. They require scanning, measurement, and tracking — not a WSJ subscription. The compliance deadlines are published. The tools exist.
Brushing your teeth is not exciting. Neither is checking your encryption. But cavities don’t wait for you to find them interesting, and neither does cryptographic drift.