For cyber adversaries, the clock is already ticking. State-backed hackers are stealing encrypted data now to unlock it later, once quantum computers are powerful enough to break today’s encryption.

The strategy—known as “harvest now, decrypt later”—means that even if stolen information is unreadable today, it could be exposed in the future, potentially revealing decades of sensitive communications, financial transactions, or intellectual property in a single breach.

This looming threat has transformed post-quantum cryptography (PQC) from an academic topic into a strategic priority for governments and industries. The race is no longer about whether to migrate to quantum-safe systems, but how quickly and effectively it can be done—and how to ensure that the process strengthens overall cybersecurity rather than becoming just another compliance exercise.

Gharun S. Lacy, Deputy Assistant Secretary in the Directorate of Cyber and Technology Security at the U.S. Department of State, said the danger is far from theoretical in his world. He leads efforts to secure more than 270 diplomatic missions worldwide, where foreign adversaries are actively collecting encrypted material for future exploitation.

“From a nation-state perspective, this is a slightly different and more interesting problem,” he said. “We know nation-state actors sit at our boundary, collect encrypted information to decrypt later, and it becomes a different risk proposition for us.”

For the State Department, the value of intercepted diplomatic data can extend decades beyond its creation. Some communications reveal negotiation strategies or security commitments that remain relevant years after they were made.

“The shelf life of that information is a lot longer than the shelf life of tactical information,” Lacy said.

If such material were suddenly decrypted, it could undermine U.S. policy, give adversaries predictive insight into future decisions, and compromise alliances, he added.

Lacy leverages the heightened interest in quantum threats to reinforce core security practices throughout the department.

“It gives me a great excuse to focus on the basics,” he said. “If you are worried about quantum, then we start by making sure your operational security is strong. If you are asking about quantum-resistant cryptography, then we make sure you have an accurate asset inventory so that when the NIST (National Institute of Standards and Technology) regulations come out, we know exactly where to deploy those capabilities.”

He also stressed that technology arguments alone will not secure executive buy-in.

“If you can’t find a real value proposition for that particular client, it may not be there,” he said.

In his environment, that value proposition is framed around protecting U.S. national interests, not just upgrading cryptography. Without such a link to mission or business priorities, he warned, leadership engagement will be shallow and migration efforts will falter.

Regulation and prioritization as catalysts

At the Commercializing Quantum Global 2025 conference in London, the panel agreed that deadlines from the U.S. NIST and the UK’s National Cyber Security Centre have pushed PQC onto boardroom agendas. However, they warned that waiting for 2035 or similar milestone dates is a risky approach.

As Lacy put it, “Anything important enough to protect ten years from now is important enough to protect right now.”

Some regulators are using incremental measures to force early engagement without requiring costly full migrations in one step.

Israel’s central bank, for example, has ordered financial institutions to hold board-level PQC discussions, ensuring executives start prioritizing critical systems and mapping multi-year plans. This kind of staged commitment, the panel noted, can be more effective than setting a distant deadline that encourages delay.

Many participants endorsed a phased approach, with critical assets protected within three years, secondary systems within five years, and a complete migration thereafter. This sequencing enables budget alignment, vendor coordination, and testing without interrupting essential services.

It also reflects a practical reality described by IBM Quantum CTO Michael Osborne, who has noted there is not enough funding worldwide to migrate every system simultaneously.

Phasing also helps organizations identify and solve problems early. Initial deployments often reveal interoperability issues, performance impacts, or governance gaps, which can then be corrected before the next wave of systems is upgraded.

Technical constraints and legacy protocols

The engineering challenge of migrating to PQC is significant.

Legacy protocols such as UDP (User Datagram Protocol) are valued for their speed and efficiency in transferring real-time data, but they offer limited payload capacity.

This makes it challenging to introduce quantum-safe algorithms without harming performance in latency-sensitive systems. Such constraints are especially acute in 5G and SD-WAN environments.

SD-WAN, or Software-Defined Wide Area Networking, optimizes network traffic and provides flexible, efficient connectivity across multiple sites. When paired with 5G’s high bandwidth and low latency, it offers a powerful wireless transport option, particularly for remote or challenging locations.

Telecommunications operators are trialling multiple algorithms through European research programmes to see which can be deployed without compromising service quality.

Patricia Díez Muñoz, Head of Network Security Strategy at Telefónica, explained that these trials sometimes show specific algorithms cannot meet operational requirements, forcing redesigns or delays.

At Telefónica, her team is adopting a hybrid model—running PQC alongside existing cryptography during the transition—and a staged schedule: upgrading critical systems over three years, medium-priority systems by year five, and completing the full migration later.

“You cannot do everything now,” she said. “The criticality of this risk assessment will guide us on the next steps.”

Other panelists stressed that quantum migration should align with wider security priorities. They described PQC not as an isolated threat, but as a driver for reviewing asset inventories, governance, and incident response capabilities—areas that often require attention regardless of the quantum of risks.

Itan Barmes, Global Quantum Cyber Readiness Lead at Deloitte, observed that some organizations, particularly in the private sector, identify cryptographic weaknesses but choose to accept the risk because replacing legacy systems would be too costly or disruptive. While this may be defensible for low-value systems, he warned that regulators will likely mandate upgrades for critical infrastructure.

Charlie Markham, Cryptography and Quantum Technologies Specialist at the UK Financial Conduct Authority, said the PQC shift should be viewed as “a reset and rethink moment” for cybersecurity, providing organizations with the opportunity to modernize cryptographic management, update asset inventories, and enhance governance as part of a broader operational resilience agenda.

From crisis driver to standard practice

The “harvest now, decrypt later” message resonates strongly in government and defense because the value of sensitive data can span decades. In the commercial sector, the immediate risks of compromised authentication systems, digital signatures, or payment channels can be even more compelling for executives.

Several panelists predicted that PQC will eventually become part of routine security practice, with the “quantum” label fading as it is absorbed into standard technology cycles. Until then, however, the urgency around quantum threats remains a powerful tool for securing funding and cross-departmental cooperation.

For Lacy, the measure of success will be whether the next major cryptographic threat—quantum or otherwise—finds his organization prepared.

“The bad guy is always going to be a half-step ahead,” he said. “Our goal is to make sure those elements that are caught off guard aren’t the most critical ones.”

The panel’s consensus was clear: the timeline to prepare is shrinking, and the work is extensive.

A credible PQC strategy will combine hybrid adoption, staged migration, targeted regulation, and a clear link to mission or business value. Those who act now will protect their most important assets and improve their overall resilience. Those who wait may find that the future has already been decrypted.