“This is the first time we knew a zero day is coming. It’s like if Y2K and Heartbleed had a baby, and we know it’s coming.” – Konstantinos Karagiannis
As the countdown toward post-quantum cryptography (PQC) accelerates, security leaders are recognizing that quantum readiness is not simply a matter of upgrading algorithms. It is the work of redesigning trust, identity, and integrity into the core of digital infrastructure. In the latest episode of Shielded: The Last Line of Cyber Defense, Konstantinos Karagiannis, Director of Quantum Computing Services at Protiviti and host of the Post-Quantum World podcast, joins Jo Lintzen to reset the conversation around the true risk ahead: not the decryption of old data, but the collapse of software trust through quantum-enabled code-signing attacks.
Karagiannis brings nearly two decades of experience analysing real attack surfaces, not theoretical lab models, and his view is shaped by an uncomfortable truth: the real quantum threat is not decrypting old messages years from now. It is forging identity at internet scale and weaponizing trust itself. And once trust breaks, there is no patch for reputational damage. Once authenticity collapses, recovery is not a five-day incident response; it is systemic failure.
The Real Target: Identity and Software Trust
The security community has spent years debating Harvest-Now-Decrypt-Later (HNDL), the idea that attackers are collecting encrypted data today in hopes of decrypting it once quantum machines mature. But Konstantinos argues that this framing distracts from the far more immediate and far more destructive reality: Harvest-Now-Forge-Later (HNFL).
If a quantum computer can reverse a private key, attackers won’t bother decrypting a handful of legacy emails. They will impersonate trusted vendors and push malicious software updates through legitimate channels.
As he puts it:
“All of a sudden, you, dear quantum computer user, are Microsoft or Apple… When something’s broken, it really is broken.”
This is the scenario that ends the Five-Day Rule, the assumption that defenders have time to detect abnormal behavior and respond. A forged update spreads instantly. Entire governments, infrastructure sectors, and cloud platforms fall in a single move.
Once identity is compromised, every downstream control loses meaning. Encryption becomes irrelevant because trust is already defeated.
Why Code Signing Becomes the Real Battleground
One of the most eye-opening moments in the conversation is when Konstantinos explains why attackers will not waste time trying to decrypt piles of old emails or archived backups. Real adversaries want scale. They want reach. They want a single move that compromises millions of systems in one sweep, and code signing is the door that lets them in.
He puts it into perspective with a simple example:
If every laptop inside a government agency trusts updates signed by a specific vendor, and a quantum computer can recover that signing key, the attacker does not need to break into anything. They just publish an update. Everyone installs it. And suddenly, every inbox, device, and communication stream is exposed at once.
That is the part many people miss. It is not about secrecy or quiet interception. It is about trust being weaponised against itself.
Code signing is the backbone of:
- software updates that keep systems running,
- supply-chain components that power critical infrastructure,
- identity and access controls that enforce who is allowed to do what,
- cloud orchestration across financial and national systems.
Break that foundation, and every other defense built on top collapses with it.
That is why Konstantinos keeps repeating that PQC migration is not an encryption upgrade. It is the work of protecting the integrity of the software ecosystem, and that is a different conversation entirely.
Shrinking Timelines and the Silence Problem
The pace of quantum development is accelerating faster than cryptographic transitions can occur. Vendors like IonQ have already projected key-breaking capability within 10 quarters, a timeline shorter than the migration cycles required for most global enterprises.
Yet many organizations still respond with variations of “We’ll look at it next year.” To Konstantinos, that passivity feels surreal given the visibility of the threat:
“This is the first time we knew a zero day is coming… and I get crickets from some folks.”
The industry has never had a warning like this:
- Not Heartbleed.
- Not SolarWinds.
- Not Log4j.
Those were surprises. This one has a schedule. Ignoring a predictable zero day is not risk tolerance. It’s negligence.
Quantum as Advantage, Not Only Threat
A powerful counterbalance in the conversation is Konstantinos’ reminder that quantum computing is not a story built only on crisis. It is also one of potential.
He urges leaders not to approach quantum purely as fear-management, because the same technology that introduces risk will also open the door to breakthroughs in materials science, drug design, logistics optimization, climate modelling, energy systems, and financial engines that cannot be simulated today.
In his words:
“Don’t just view this as a fear thing. Explore the benefits of quantum too… There’s something these machines are going to do for your industry that might revolutionize and give you a lead.”
The companies that move first will have the advantage not only defensively but competitively. The decision window is narrow, and it will separate followers from leaders.
The Takeaway
What becomes clear through the conversation is that the quantum challenge is not a technical problem waiting for a patch. It is a trust problem. It touches identity, authenticity, national security, public confidence, and the stability of digital infrastructure.
Preparing for that future means real work:
- mapping where cryptography lives inside the business,
- identifying systems built on long-lived keys,
- understanding the impact radius of a code-signing compromise,
- pressing vendors for real timelines, not promises,
- treating post-quantum cryptography as resilience design, not compliance language.
The warning is already on the table. When the shift arrives, there will be no time to improvise.
Quantum disruption begins the moment someone can convincingly pretend to be you. And that is a different level of risk entirely.
You can hear the full conversation with Konstantinos Karagiannis on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.
About Konstantinos Karagiannis
Konstantinos Karagiannis is the Director of Quantum Computing Services at Protiviti, where he leads efforts helping organizations develop real quantum use cases in optimization, machine learning, and simulation, and build realistic paths toward post-quantum cryptography migration. He has been with Protiviti for more than six years, serving previously as Associate Director of Quantum Computing Services. Before Protiviti, Konstantinos spent 13 years at BT, where he served as CTO of the Security Consulting Practice for BT Americas, and earlier as Global Technical Lead for Ethical Hacking, leading red-team operations and advanced cryptographic security testing. He is the host of Protiviti’s “Post-Quantum World” podcast, recently featured at DEFCON with his talk “Post-Quantum Panic: When will the cracking begin, and can we detect it?” His work focuses on building real quantum computing solutions today while preparing enterprises for the accelerating risks of Q-Day.

