Key Takeaways
- Adversaries are already employing a “harvest now, decrypt later” strategy, collecting sensitive data today that could be decoded once quantum computers become capable.
- Modern critical‑infrastructure sectors (energy, finance, healthcare, communications) rely on encryption that remains secure only until quantum breakthroughs arrive, making immediate action essential.
- Transitioning to post‑quantum cryptography is complicated by legacy systems, the need to maintain uninterrupted operations, and the lack of a clear “in‑between” phase.
- Quantum‑specific threats go beyond breaking encryption; emerging risks such as malicious entanglement and quantum‑native vulnerabilities will appear as quantum hardware spreads.
- Wider access to quantum computing through networks and cloud‑like services lowers the barrier for adversaries to exploit harvested data, broadening the threat landscape.
- Human factors remain a critical defense line; workforce awareness, continuous training, and cross‑sector collaboration are vital to securing systems before large‑scale quantum capabilities arrive.
The Immediate Threat of Harvest‑Now‑Decrypt‑Later
The panel at the Vanderbilt Quantum Forum opened with a stark reality: the most consequential cybersecurity shift is not a future breakthrough but a present‑day adversary tactic known as harvest now, decrypt later. Adversaries are actively intercepting and storing encrypted communications, government records, industrial control data, and health information today, betting that forthcoming quantum computers will eventually break the cryptographic protectors safeguarding that data. Because much of this information has a long lifespan—think of classified state secrets, proprietary engineering designs, or lifelong medical histories—the risk of exposure is already embedded in the data that flows through current networks. Waiting for quantum hardware to mature would allow the harvested stockpile to grow unchecked, turning today’s innocuous‑looking traffic into a future liability.
Why Action Is Needed Despite Absent Quantum Computers
Moderator Doug Adams emphasized that the urgency does not stem from the availability of a quantum computer capable of cracking RSA or ECC today; it stems from the fact that the systems protecting our critical infrastructure still depend on classical encryption that will fail once quantum capability arrives. Adversaries are therefore exercising extreme patience, harvesting data now while they wait for the quantum moment. The panel stressed that waiting for a definitive “quantum‑ready” timestamp is a dangerous luxury; the moment the encryption becomes breakable, the already‑collected data will be instantly exploitable. Consequently, organizations must begin the migration to post‑quantum cryptography (PQC) now, treating the threat as an active, present‑temporized risk rather than a speculative future concern.
Challenges of Migrating to Post‑Quantum Cryptography
Jeremy Lawrence of EPRI highlighted that the decision to adopt PQC is straightforward, but the execution is fraught with practical obstacles. Critical infrastructure is built on layers of legacy equipment—SCADA systems, aging financial transaction platforms, and legacy medical devices—that were never designed with modern cybersecurity, let alone quantum resistance, in mind. Replacing or retrofitting these components without causing service disruption requires careful planning, extensive testing, and often a phased “in‑between” approach where classical and post‑quantum algorithms coexist. Lawrence warned that organizations must define what this transitional phase looks like, allocate resources for dual‑stack cryptography, and develop migration roadmaps that balance security gains with operational continuity.
Emerging Quantum‑Specific Risks and Threat Models
Mohamed Shaban cautioned that focusing solely on replacing current algorithms with PQC may miss deeper, quantum‑native vulnerabilities. While PQC addresses the known threat of Shor’s algorithm breaking factor‑based and elliptic‑curve cryptography, it remains rooted in classical mathematical assumptions. As quantum hardware proliferates, new attack vectors—such as malicious entanglement where adversaries manipulate quantum states to corrupt communications or induce decoherence—could arise. Furthermore, quantum computers themselves may become targets, introducing side‑channel risks, faults in quantum error correction, or exploitation of quantum cloud services. Shaban argued that the security community must begin exploring quantum‑native defenses, such as quantum‑key distribution (QKD) protocols verified in real‑world testbeds, and remain vigilant for threat models that will only become apparent once quantum systems are deployed at scale.
Expanding Quantum Access and Its Implications
Corey McClelland from IonQ shifted the conversation from hardware ownership to accessibility. He noted that the future of quantum computing is less about who possesses a physical quantum processor and more about how broadly quantum capability is delivered via networks, cloud platforms, and quantum‑as‑a‑service offerings. As access expands, the technical barrier for adversaries to run sophisticated algorithms—including those that could decrypt harvested data—drops dramatically. This democratization means that the threat is no longer confined to nation‑states with massive research budgets; smaller actors or even criminal groups could leverage cloud‑based quantum resources to exploit stored ciphertext. Consequently, organizations must align with emerging post‑quantum standards not only to protect data against future decryption but also to anticipate a wider array of potential quantum‑enabled attackers.
Human Factors, Workforce Readiness, and Collaborative Defense
Despite the technical focus, the panel repeatedly returned to the human element as a linchpin of defense. Lawrence emphasized that many cyber intrusions still begin with social engineering, phishing, or credential theft—vectors that quantum advances do not eliminate. Strengthening the human layer through ongoing training, awareness campaigns, and rigorous access‑control hygiene remains essential. Moreover, building a workforce fluent in both classical and quantum‑resistant cryptography is crucial; specialists alone cannot safeguard an entire enterprise. McClelland advocated for cross‑sector collaboration—universities conducting foundational research, industry providing real‑world testbeds, and government agencies establishing standards and incentives—to create a cohesive ecosystem where knowledge flows freely and defenses are continuously updated. Shaban added that shared testbeds allow stakeholders to validate quantum‑secure solutions under realistic conditions, accelerating adoption while revealing unforeseen challenges.
The Urgency of the Present Moment
The discussion converged on a simple but powerful conclusion: the Year of Quantum Security (YQS2026) is not a looming milestone on a distant calendar; it describes a shift already underway. By the time large‑scale, fault‑tolerant quantum computers become commonplace, vast quantities of sensitive data—much of it already harvested—will be waiting in adversarial vaults. The panel therefore urged organizations to treat the migration to post‑quantum cryptography as an immediate operational priority, to anticipate quantum‑specific threats beyond encryption breaking, to expand workforce readiness, and to foster collaboration across academia, industry, and government. Only by acting on the realities of today—rather than speculating about tomorrow’s quantum breakthroughs—can we safeguard the critical systems that underpin modern society.