
Preparing for the Post-Quantum Deadline: Why Governments Need to Upgrade Encryption Now

Quantum computing is moving from theory to timetable—and public sector organisations may have less time than they think to protect sensitive data. Professor Craig Costello explains what the “post-quantum” shift means in practice, and where agencies should start.

Benji Crooks, Marketing Director at Public Sector Network, sat down with Craig Costello, Professor of Computer Science at Queensland University of Technology, to discuss the looming quantum threat to today’s encryption, why the standards are already here, and what governments and vendors should do now to meet the 2030 transition timeline. Craig will be speaking at Government Cyber Security Showcase Queensland 2026 as part of Government Innovation Week Queensland on Thursday, 10 September 2026, presenting "The Future of Encryption: Preparing Government for the 2030 Post-Quantum Shift".


Benji Crooks: That’s all good. I started recording now, so let’s go straight into it. If you could just introduce yourself—your role, the company you work for—and what you’re going to be speaking on at Government Innovation Week.

Craig Costello: Yeah. So my name’s Craig Costello. I’m a professor of computer science at the Queensland University of Technology. My main field of research is in post-quantum cryptography—so that’s encryption that’s hopefully going to remain secure in our quantum future, our potentially not-so-distant quantum future.

That’s what I’ll be talking about at the meetings later in the year: how industry and government and people can respond to this looming threat of quantum computers that are going to potentially break our current encryption techniques.

Benji Crooks: I guess that’s a really good place to start. Setting the scene for what’s coming down the road for governments—could you set the scene for us in a non-alarmist way?

Craig Costello: There’s a threat that’s been evolving over the years since the mid-1990s when someone pointed out that if a large-scale quantum computer is ever built, then two or three of the methods that we use to encrypt our data to keep it secure online are going to be under threat.

These methods—public key encryption—are foundational to securing our digital lives. On classical computers, breaking them should take longer than the age of the universe. But if a large-scale quantum computer is built, the problems these cryptosystems rely on become efficient to solve—within minutes, seconds, or hours.

Benji Crooks: As I was reading, there seems to be this fast-paced approach to implementation, but historically there used to be a lot of governance around cryptography. How do you deal with that fast-paced growth and the roadmap against governance that still exists?

Craig Costello: It can still be a bottleneck in practice—the time it takes to get things implemented, approved, and rolled out correctly.

Queensland and Australia are starting to make moves. The Australian government has put forward aggressive timelines for when it would like to see the nation upgrade encryption to be post-quantum or quantum safe, and Queensland will hopefully follow suit. From what I can see, we and many others are still lagging—but hopefully over the next few years organisations in Queensland take notice and start upgrading.

Benji Crooks: Where do you think the shift has come from, and what’s one of the biggest misconceptions you see?

Craig Costello: In security, legislation is often the bottleneck. In Queensland, there’s still a gap between where academic cryptographers and cybersecurity experts think legislation should be and where it currently is—and that’s very natural.

There are a few forcing functions for Queensland. One is the Olympics. Another is the fact that Queensland and Australia are punching above our weight in quantum investment and expertise. The Queensland Government has invested significantly in quantum endeavours. Given that, we’re in a prime position to make sure we’re quantum safe—because if we’re investing in building quantum computers and advancing quantum technology, it would be foolish not to also look at the downsides quantum computers could introduce into our ecosystem.

Benji Crooks: I might get this wrong, but there are approved standards—does that hamper progress because it doesn’t take into account new inventions or progression?

Craig Costello: No. The quantum threat to encryption is a very real problem—and it’s becoming more imminent as the months and years roll on. Unlike some threats, like AI where we don’t know where it’s going, in this case we know the threat. We know exactly what it can break and how.

And fortunately, we also know the solution. Our cryptography community has been working for decades, and the new wave of standards is basically the first wave of the solution. A couple of years ago the US government endorsed the first wave of post-quantum cryptography standards, and the Australian government has followed suit and recommended those standards for deployment. They’re the first real endorsed, tried-and-tested solution we’re agreeing we should put in place before it’s too late.

Benji Crooks: So it’s not that we don’t have standards—it’s uptake across agencies?

Craig Costello: You’ve hit the nail on the head. The solution’s there. It’s sitting there. The Australian government has said: start planning now in 2026, start implementing by 2028, and be rolled over by 2030.

There’s been some movement even very recently that may bring that timeframe closer because of advancements in quantum computing. Google, for example, said they’re going to have everything upgraded by 2029, and others are following suit. So 2030 now looks very reasonable.

But it’s about getting organisations to do it. In cybersecurity this often comes back to governance and policy. If it’s mandated and there are consequences, organisations are forced to do it. If it’s not mandated, there are competing priorities, and cybersecurity isn’t always at the forefront. It gets left until the hand is forced.

Benji Crooks: You’ll be speaking at our event and there may be people hearing this and realising they’ve done nothing so far. What are two to three things they can take away and implement straight away?

Craig Costello: It’s okay if you haven’t done anything—there’s not a quantum computer breaking encryption right now. But this is the year to start planning.

First: get the conversation going. Put someone—at least one person, preferably a team—in charge where part of their job is to lead the post-quantum transition.

Second: do an inventory scan of your network and enterprise to see where vulnerabilities are. Often people don’t really know what they’re using and where, which is a problem. The first step in planning is to look at your inventory and identify where the problems will exist.

And I’d also say: collect your vendors. The big players—Apple, Google, Microsoft, Amazon—are already doing it. One day you’ll upgrade software and it’ll be post-quantum encrypted. The harder part is the parts of your enterprise not looked after by those big players, including smaller vendors who may not have the capability to upgrade yet.

Benji Crooks: That’s interesting—keeping on top of suppliers is often the hardest job in cyber.

Craig Costello: Exactly. And there’s another subtlety: niche legacy parts of critical infrastructure using 30-year-old techniques are the hardest—where hardware is baked in and it’s not just a software patch.

So understanding where vulnerabilities are and how much upheaval it will be to upgrade is the best place to start. According to the Australian government, if you’re planning and having discussions in 2026, you’re on track. If you’re not having the conversation this time next year, you might be falling behind.

Benji Crooks: Do you see everyone meeting the 2030 deadline?

Craig Costello: Absolutely not. I can’t name any IT project that runs on schedule—cybersecurity or otherwise. Historically, security is often the afterthought. We push security-by-design, but that’s not always how it happens. It’s understandable—people want to ship products, and security only becomes a priority after something goes wrong, which is too late.

So whether everyone will be done by 2030—I’d bet no. But don’t be one of those organisations. Be one of the ones that are secure.

Benji Crooks: What’s one thing you’d like attendees to take away?

Craig Costello: If you work for an organisation that hasn’t had this discussion yet, table it at your next executive meeting.

And don’t get caught up in the hype. Quantum computers are coming, but they’re good at some very niche things. It just so happens that two of those niche problems are the ones we built public key cryptography on.

There’s also a misconception that you need quantum hardware to implement the solution. You don’t. Even though it has “quantum” in the name, post-quantum cryptography is all classical. The only difference is: with the old stuff, we know of a quantum attack that breaks it. With the new stuff, we don’t.

Benji Crooks: One final cheeky question—won’t there be a high-risk period between now and the deadline while everyone implements it?

Craig Costello: Yes, that could happen. There’s a spectrum of beliefs—from people who think a foreign government already has a large-scale quantum computer, to people who think it’ll never happen. What I’ve seen is even skeptics are moving toward admitting it’s a real threat and we need to take action quickly.

It could happen before 2030 that there’s a breakthrough in quantum hardware and someone builds a large-scale quantum computer.

But the other threat, and in some ways the more pressing one, is “harvest now, decrypt later”. You don’t need to wait. You can store encrypted traffic now, keep it, and wait until you have a quantum computer to break it later. If you have data that needs to be safe 10–15 years into the future—healthcare data, genomic data, sensitive legal data—that’s a real concern. While encryption isn’t quantum-safe, data captured today could be crackable in a few years when a quantum computer arrives.


Hear Craig Costello at Government Cyber Security Showcase Queensland 2026 as part of Government Innovation Week Queensland on Thursday, 10 September 2026. Craig will outline what the post-quantum transition means for public sector encryption, why the standards already exist, and what agencies should prioritise now to avoid falling behind the 2030 shift.

Published by

Benji Crooks Marketing Director, Delegate Sales