At Marvel, we had secrets that, if disclosed ahead of the planned time, would cause significant damage to the brand and potentially also to projected revenues. The actors who attend the red carpet premiere have no idea what they’re going to see on screen. The scripts they were given had false scenes in them as a means of forensic watermarking that helps identify leaks. When you’re protecting 10-year story arcs and plans for what comes after phase 6 of the Multiverse Saga, you develop an appreciation for what needs long-term protection.
CISOs are pushing to get quantum security risk added to the corporate risk register. It belongs there. But the problem to be solved is not a quick fix, despite what some snake oil salesmen might be pushing. There is no simple configuration checkbox on AWS or Azure or GCP where you “turn on” post-quantum cryptography (PQC) and then you’re good to go. This is a shared responsibility problem. Just as migrating to the cloud doesn’t magically make your infrastructure more secure, quantum vendors cannot solve this without significant developer engagement.
Here’s why this lands on developers: the majority of all internet traffic is not human-generated traffic from laptops to servers and back. It’s API traffic. Your company most likely delivers its services through a host of third-party solutions, all accessed via APIs. So your API client needs to speak PQC algorithms just as much as that remote API endpoint does. Otherwise the handshake negotiates down to whatever both sides have in common, and that won’t be TLSv1.3 with PQC algorithms.
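To make the negotiate-down point concrete, here is an added example (not code from the original post) that models TLS 1.3 key-exchange group selection: the server walks its own preference list and picks the first group the client also advertised, and the result is only a post-quantum hybrid when both sides offer one. The `select_group` and `is_post_quantum` functions are hypothetical helpers written for this illustration; the group codepoints are the IANA values for X25519 and secp256r1 and the draft-ietf-tls-ecdhe-mlkem values for the ML-KEM hybrids.

```python
"""Model of TLS 1.3 supported_groups / key_share negotiation (RFC 8446 s4.2.8).

Added example: shows that a PQC-capable server still ends up on a classical
group when the API client has not been taught the hybrid algorithms.
"""
from dataclasses import dataclass, field

# TLS "supported_groups" codepoints (IANA / draft-ietf-tls-ecdhe-mlkem).
SECP256R1 = 0x0017
X25519 = 0x001D
SECP256R1_MLKEM768 = 0x11EB
X25519_MLKEM768 = 0x11EC

PQ_HYBRID_GROUPS = {SECP256R1_MLKEM768, X25519_MLKEM768}
NAMES = {SECP256R1: "secp256r1", X25519: "x25519",
         SECP256R1_MLKEM768: "SecP256r1MLKEM768", X25519_MLKEM768: "X25519MLKEM768"}


@dataclass
class ClientHello:
    """Constructed stand-in for the two ClientHello extensions that matter here."""
    supported_groups: list[int]            # groups the client is willing to use
    key_shares: list[int] = field(default_factory=list)  # groups it sent a share for


def select_group(server_prefs: list[int], hello: ClientHello):
    """Return (chosen_group, needs_hello_retry).

    Models a server that honours its own preference order: the first group it
    prefers that the client also listed wins. If the client listed that group
    but sent no key_share for it, the server must send a HelloRetryRequest.
    """
    for group in server_prefs:
        if group in hello.supported_groups:
            return group, group not in hello.key_shares
    return None, False  # no common group: handshake fails


def is_post_quantum(group) -> bool:
    """True only for an ML-KEM hybrid; classical ECDHE alone is not quantum-safe."""
    return group in PQ_HYBRID_GROUPS


if __name__ == "__main__":
    server = [X25519_MLKEM768, X25519, SECP256R1]   # PQC-enabled endpoint
    for label, hello in [
        ("legacy API client", ClientHello([X25519, SECP256R1], [X25519])),
        ("PQC-aware API client", ClientHello([X25519_MLKEM768, X25519], [X25519_MLKEM768])),
    ]:
        group, hrr = select_group(server, hello)
        print(f"{label}: {NAMES[group]} pq={is_post_quantum(group)} hrr={hrr}")
```

The first case prints `x25519 pq=False`: the server supports PQC, but the legacy client never offered it, so the connection silently stays classical.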