Quantum Computing and AI: New Magic, Same Threats

Why emerging technology doesn't rewrite threat taxonomy—but velocity might rewrite your control architecture.

Bernhard Kreinz
15 min read

The Hype Problem

Every few years, a technology emerges that supposedly "changes everything" about cybersecurity. Today it's quantum computing and AI. The narrative is familiar: "Quantum will break encryption!" "AI will create unstoppable attacks!"

The fear, uncertainty, and doubt are real. The analytical clarity is not. Until we separate three fundamentally different questions, we can't think clearly about what's actually changing—and what isn't.

| Perspective | The Question | TLCTC Application |
|---|---|---|
| TARGET | Can this system be attacked? | All 10 clusters apply. It's an IT system. |
| CAPABILITY | Does this technology give actors new tools? | Both attackers AND defenders gain new capabilities. |
| VELOCITY | Does this change attack speed? | This is where structural control failure emerges. |

Perspective 1: Quantum and AI as Targets

A quantum computer is an IT system. Full stop. Strip away the mystification and you find:

  • Hardware — Superconducting qubits, trapped ions, photonics, dilution refrigerators. Physical systems subject to physical interference. (#8 Physical Attack)
  • Signaling — Quantum networks, QKD systems, control signal pathways. Communication channels that can be intercepted or manipulated. (#5 Man in the Middle, #8 Physical Attack)
  • Software — Classical control systems, error correction algorithms, hybrid quantum-classical interfaces, orchestration layers. Code with bugs. (#2 Exploiting Server, #3 Exploiting Client, #7 Malware)
  • Identity & Access — Who can submit jobs? Who can access results? How are quantum cloud services authenticated? (#4 Identity Theft)
  • Supply Chain — Quantum hardware vendors, calibration software, third-party algorithms. (#10 Supply Chain Attack)

Axiom I applies: Generic IT assets; sector labels don't create threat classes. There is no Cluster #11 for quantum. There is no Cluster #12 for AI.

Perspective 2: Quantum and AI as Capabilities

AI and quantum computing sit on the cause side as threat amplifiers. They do not create new threat clusters—they increase the likelihood and velocity of existing clusters succeeding.

[Figure: bow-tie diagram with the labels RISK EVENT; 10 Threat Clusters; AI / Quantum as CAPABILITY (Amplifiers); Data Risk Events (CIA: LoC, LoI, LoA); Business Risk]
Figure 1: AI and Quantum Computing as Threat Amplifiers on the Bow-Tie Cause Side.

Attacker Capabilities

| Technology | Capability Gain | Cluster Impact |
|---|---|---|
| Quantum Computing | Shor's algorithm breaks RSA/ECC; Grover's algorithm weakens symmetric crypto | Existing #5 interceptions become decryptable; cryptographic controls fail |
| AI/ML | Automated reconnaissance, adaptive exploitation, synthetic content generation, detection evasion | #9 exploits human psychological factors with higher efficiency; #7 polymorphic malware evades signatures |

Defender Capabilities

| Technology | Capability Gain | Control Enhancement |
|---|---|---|
| Quantum Computing | Quantum key distribution (QKD), quantum random number generation, post-quantum cryptography | Stronger cryptographic foundations for #5 prevention |
| AI/ML | Anomaly detection at scale, automated threat hunting, behavioral analysis, predictive risk modeling | Detection speed for all clusters, particularly #4, #7, #9 |

The "Store Now, Decrypt Later" Attack Path

The threat is happening now—only the consequence is deferred.

#5 + [DRE: LoC (deferred Δt=years)]

| Element | Meaning |
|---|---|
| #5 | Man in the Middle — interception exploiting lack of end-to-end protection |
| + | Simultaneous occurrence |
| [DRE: LoC] | Data Risk Event: Loss of Confidentiality |
| (deferred Δt=years) | Consequence materializes when cryptanalytic capability arrives |

| Traditional Framing | TLCTC Framing |
|---|---|
| "Quantum is a future threat" | "Quantum weaponizes ongoing #5 attacks" |
| "We have time before Q-Day" | "Every #5 intercept today is a LoC event with deferred impact" |
| "Monitor quantum progress" | "Inventory current #5 exposure; prioritize PQC migration" |

Perspective 3: The Velocity Asymmetry

TLCTC Velocity Classes

| Velocity Class | Δt Range | Defense Mode Required | Typical Controls |
|---|---|---|---|
| VC-1: Strategic | Days → Months | Log retention, threat hunting | Hunting cycles, long-term correlation |
| VC-2: Tactical | Hours | SIEM alerting, analyst triage | SOC SLA, human investigation |
| VC-3: Operational | Minutes | SOAR/EDR automation | Automated response, rapid containment |
| VC-4: Real-Time | Seconds → ms | Architecture, circuit breakers | Prevention-only; detection too slow |

Structural Failure Rule

If a critical transition is VC-3 or faster, purely human response is structurally insufficient for prevention at that edge. Controls must be automated or architectural.

AI's Velocity Impact

| Cluster | Traditional Velocity | AI-Enabled Velocity | Shift |
|---|---|---|---|
| #9 Social Eng. | VC-2 (hours: craft message) | VC-3 (minutes: automated profiling) | Human triage breaks |
| #7 Malware | VC-2 (hours: develop/test) | VC-3/4 (min/sec: polymorphic) | Signatures become irrelevant |
| #4 Identity Theft | VC-2 (hours: credential stuffing) | VC-3 (minutes: automated testing) | Alert-response is structurally too slow |

Defender Control Speed (DCS)

The DCS metric quantifies the velocity mismatch:

DCS = MTTD / Attack Velocity (Δt)

| DCS Value | Interpretation |
|---|---|
| < 1.0 | Defender faster than attacker. Control effective. |
| = 1.0 | Matches attack speed. Marginal; no buffer. |
| > 1.0 | Attacker wins transition. Control structurally ineffective. |

Example: AI-enabled #9 → #7 attack chain

| Metric | Human Attacker (VC-2) | AI Attacker (VC-3) |
|---|---|---|
| Attack Δt | 4 hours (14,400 sec) | 10 minutes (600 sec) |
| Defender MTTD | 2 hours (7,200 sec) | 2 hours (7,200 sec) |
| DCS | 0.5 ✓ (effective) | 12.0 ✗ (structurally fails) |

The Strategic Imperative

Maintaining DCS < 1.0 in a VC-3 environment requires:

  • Automated detection — Machine-speed threats require machine-speed detection.
  • Automated response — Human approval loops break at VC-3+.
  • Architectural controls — For VC-4 transitions, only prevention works.

The 10×5 Control Matrix for Emerging Tech

Quantum Impact: #5 Man in the Middle

| CSF Function | Control Objective | Quantum-Era Action |
|---|---|---|
| IDENTIFY | Know exposure to #5 | Inventory PKE assets; classify data by lifecycle. |
| PROTECT | Prevent #5 exploitation | Implement PQC; crypto-agility architecture. |
| DETECT | Identify #5 attempts | Monitor for SNDL patterns; bulk exfiltration triage. |
| RESPOND | Contain #5 impact | Rapid algorithm rotation; key revocation. |
| RECOVER | Restore from breach | Re-encrypt with PQC; rotate compromised keys. |

AI Impact: #9 Social Engineering

| CSF Function | Control Objective | AI-Era Action |
|---|---|---|
| IDENTIFY | Know exposure to #9 | Map human-exposed roles; identify targets. |
| PROTECT | Reduce success rate | Hardware tokens; out-of-band verification. |
| DETECT | Identify #9 attempts | AI triage for synthetic content; anomaly detection. |
| RESPOND | Contain success | Automated isolation at machine speed. |
| RECOVER | Restore from breach | Post-incident analysis; model updates. |

AI Impact: #7 Malware

| CSF Function | Control Objective | AI-Era Action |
|---|---|---|
| IDENTIFY | Know exposure to #7 | Map execution environments and surface. |
| PROTECT | Prevent execution | App allowlisting; hardware attestation. |
| DETECT | Identify activity | Behavioral EDR; AI-driven anomaly detection. |
| RESPOND | Contain spread | Automated isolation (< 1 minute). |
| RECOVER | Restore from infection | Immutable infrastructure; rapid rebuild. |

Velocity-Aligned Control Selection

| If Attack Velocity Is... | Then Controls Must Be... |
|---|---|
| VC-1 (Strategic) | Human-led, strategic planning acceptable. |
| VC-2 (Tactical) | Human-led with SLA, triage queues viable. |
| VC-3 (Operational) | Automated or pre-authorized; human approval fails. |
| VC-4 (Real-Time) | Architectural only; detection-based fails. |
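
The DCS metric and the velocity-aligned control selection above can be applied together to each edge of an attack path. The following is an added example, not part of the original post or of the TLCTC framework's own tooling: the second-based class boundaries, the `Transition` type and the function names are assumptions, and the last two sample rows are constructed.

```python
from dataclasses import dataclass

# Assumed cut-offs in seconds; the page gives only ranges (seconds, minutes, hours, days+).
VC_BOUNDS = [(60, "VC-4"), (3600, "VC-3"), (86400, "VC-2")]
# Control modes still viable per class, per the control selection table.
# Assumption: a faster mode is also acceptable for a slower class.
VIABLE = {"VC-1": {"human", "automated", "architectural"},
          "VC-2": {"human", "automated", "architectural"},
          "VC-3": {"automated", "architectural"},
          "VC-4": {"architectural"}}

@dataclass
class Transition:
    edge: str          # attack-path edge, e.g. "#9 -> #7"
    attack_dt: float   # attacker time for this transition, seconds
    mttd: float        # defender mean time to detect, seconds
    mode: str          # "human", "automated" or "architectural"

def velocity_class(dt: float) -> str:
    for bound, vc in VC_BOUNDS:
        if dt < bound:
            return vc
    return "VC-1"

def assess(t: Transition) -> dict:
    if t.attack_dt <= 0:
        raise ValueError("attack Δt must be positive")
    vc = velocity_class(t.attack_dt)
    dcs = t.mttd / t.attack_dt          # DCS = MTTD / Δt
    findings = []
    if dcs > 1.0:
        findings.append("DCS > 1.0: attacker wins the transition")
    elif dcs == 1.0:
        findings.append("DCS = 1.0: marginal, no buffer")
    if t.mode not in VIABLE[vc]:        # Structural Failure Rule
        findings.append(f"{t.mode} control is structurally insufficient at {vc}")
    return {"edge": t.edge, "vc": vc, "dcs": round(dcs, 2), "findings": findings}

# Rows 1-2 use the figures from the page's example; rows 3-4 are constructed.
SAMPLE = [
    Transition("#9 -> #7 (human attacker)", 14_400, 7_200, "human"),
    Transition("#9 -> #7 (AI attacker)", 600, 7_200, "human"),
    Transition("#9 -> #7 (AI attacker, automated response)", 600, 120, "automated"),
    Transition("#7 execution (real-time)", 5, 2, "automated"),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(assess(t))
```

The last row has a DCS below 1.0 yet is still flagged, because at VC-4 the selection table allows architectural controls only.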

Summary: What's Changed, What Hasn't

| Category | What Has NOT Changed | What HAS Changed |
|---|---|---|
| Taxonomy | The 10 clusters remain complete. | Sector labels remain just labels. |
| Risk Events | LoC, LoI, LoA remain constant. | SNDL means LoC happens at time of #5 intercept. |
| Velocity | The concept of Δt notation. | AI shifts cluster exploitation from VC-2 to VC-3. |
| Controls | NIST CSF functions hold. | Human-speed controls structurally fail at VC-3+. |

The Action Framework

| Layer | Strategic Question | Operational Action |
|---|---|---|
| TARGET | Have I threat-modeled AI/Quantum assets? | Apply 10 clusters. They are IT systems. |
| CAPABILITY | Am I adopting defender symmetrical capability? | PQC transition. AI-augmented detection. |
| VELOCITY | Can controls maintain DCS < 1.0 at VC-3? | Automate DETECT/RESPOND. Architectural PROTECT. |

Conclusion

Quantum computing and AI don't create new threat clusters. TLCTC's 10 clusters remain sufficient because they describe generic vulnerabilities—the fundamental weaknesses in IT systems that don't change when the physics changes.

  1. New targets — Systems requiring modeling discipline.
  2. Deferred consequences — SNDL means breaches today.
  3. Velocity asymmetry — AI invalidates human-speed controls.

The framework holds. The physics changes. The taxonomy doesn't. But if your DCS exceeds 1.0 in a VC-3 environment, your control architecture has already failed—you just don't know it yet.

About TLCTC

The Top Level Cyber Threat Clusters framework is an open (CC BY 4.0) taxonomy that classifies cyber threats by the generic vulnerability exploited. It serves as a translation layer between risk management, security operations, and secure development.