What Happens When You Don't Migrate to Post-Quantum Cryptography
There is a particular kind of institutional failure that does not announce itself. It does not arrive as a breach notification or a regulatory fine. It arrives years later, when encrypted data that was intercepted in 2024 is decrypted in 2034 by a machine that did not exist when the data was captured. By then, the damage is irreversible, the liability is retroactive, and the organization that failed to act has no defense except to explain why it ignored a threat that was publicly documented, widely discussed, and explicitly addressed by federal standards.
This is not a hypothetical scenario. It is the operational reality of harvest-now-decrypt-later, and it is already underway.
The Mechanics of Harvest-Now-Decrypt-Later
Every encrypted communication that traverses the internet today can be intercepted and stored. Nation-state intelligence agencies have been doing this at scale for decades. The NSA's upstream collection programs, documented in public reporting since 2013, capture vast quantities of encrypted traffic from fiber optic backbone links. China's Ministry of State Security operates similar capabilities. Russia's SORM system provides lawful intercept at the ISP level, but the infrastructure enables bulk collection far beyond its stated purpose.
The encryption protecting this traffic today is primarily RSA-2048, ECDH with P-256 or P-384, and AES-128 or AES-256 for symmetric encryption. Against classical computers, this encryption is secure. A brute-force attack against AES-256 would require more energy than the sun produces in its lifetime. RSA-2048 factoring would take classical computers longer than the age of the universe.
Against a cryptographically relevant quantum computer (CRQC), the picture changes entirely. Shor's algorithm reduces the factoring problem from exponential to polynomial time. An RSA-2048 key that would take a classical computer billions of years to factor could be broken by a sufficiently large quantum computer in hours. ECDH falls even faster: the elliptic curve discrete logarithm problem that provides 128-bit classical security provides effectively zero security against a quantum adversary running Shor's algorithm.
The symmetric algorithms fare better. Grover's algorithm provides only a quadratic speedup against symmetric ciphers, meaning AES-256 retains 128-bit security against quantum attack. But symmetric keys are typically established through asymmetric key exchange. If the key exchange is broken, the symmetric key is recovered, and the entire communication is decrypted.
This is the harvest-now-decrypt-later threat model. An adversary does not need a quantum computer today. They need storage capacity today and a quantum computer eventually. Storage is cheap and getting cheaper. A petabyte of storage costs less than $20,000. The encrypted traffic of a major financial institution for an entire year might occupy a few petabytes. For a nation-state intelligence budget measured in billions, the storage cost is a rounding error.
What Data Is Already Compromised
The uncomfortable reality is that any data transmitted over the internet using RSA or ECC key exchange is potentially compromised from the moment a CRQC becomes operational. The question is not whether the data was intercepted. The question is whether it was intercepted by an adversary with both the capability and the motivation to store and later decrypt it.
For most consumer communications, the answer is probably not. Nation-states do not have unlimited storage, and they prioritize collection based on intelligence value. But for certain categories of data, the probability of collection approaches certainty.
Government communications, even at the sensitive but unclassified level, are high-priority collection targets. Diplomatic cables, military logistics, intelligence assessments, and policy deliberations all have intelligence value that persists for decades. The NSA itself acknowledged this threat in 2015 when it announced the CNSA suite transition, effectively admitting that its own algorithms were vulnerable to future quantum attack.
Financial data is another high-value target. Wire transfer instructions, merger and acquisition communications, trading strategies, and settlement data all have immediate commercial value if decrypted. But the long-term value is also significant: understanding the financial positions and strategies of major institutions provides strategic intelligence that remains valuable for years.
Healthcare data has the longest sensitivity horizon of any data category. A patient's genetic information is sensitive for their entire lifetime and potentially for their descendants' lifetimes. Medical records created today will still be sensitive in 2060. If that data was transmitted using RSA key exchange in 2024, and a CRQC becomes operational in 2034, the data is exposed for the remaining decades of the patient's life.
Legal communications present a particularly acute vulnerability. Attorney-client privileged communications are among the most sensitive data in any organization. The privilege extends indefinitely, and its breach can waive the privilege retroactively across entire subject matters. If a nation-state adversary can decrypt privileged communications from 2024, the implications for ongoing litigation, regulatory investigations, and corporate governance are severe.
The Regulatory Countdown
The United States government has not been subtle about its expectations. The regulatory and policy framework for post-quantum migration is already in place, and the deadlines are approaching.
National Security Memorandum 10 (NSM-10)
Signed in May 2022, NSM-10 established the requirement for federal agencies to inventory their cryptographic systems and develop migration plans. The memorandum explicitly identified the quantum computing threat and directed agencies to prioritize migration of systems that protect the most sensitive data. The inventory requirement was not optional. It was a presidential directive.
OMB Memorandum M-23-02
Released in November 2022, M-23-02 provided the implementation guidance for NSM-10. It required federal agencies to submit cryptographic system inventories by May 2023 and to develop migration project plans. The memorandum established that agencies must be prepared to migrate to post-quantum cryptography as soon as NIST standards are finalized. Those standards are now final.
CNSA 2.0
The NSA's Commercial National Security Algorithm Suite 2.0, released in September 2022, provides the most concrete timeline. CNSA 2.0 specifies that National Security Systems must begin transitioning to post-quantum algorithms immediately. Software and firmware signing must use post-quantum algorithms by 2025. Web services and cloud environments must transition by 2025. VPN and network equipment must transition by 2026. All remaining systems must complete transition by 2030. These are not aspirational goals. They are requirements for systems that process classified information.
NIST FIPS 203, 204, and 205
NIST finalized the post-quantum cryptographic standards in August 2024. FIPS 203 (ML-KEM) standardizes lattice-based key encapsulation. FIPS 204 (ML-DSA) standardizes lattice-based digital signatures. FIPS 205 (SLH-DSA) standardizes hash-based signatures. These are not draft standards awaiting finalization. They are published, final standards with assigned FIPS numbers. The "we're waiting for the standards" excuse expired in August 2024.
State and International Regulation
The regulatory pressure is not limited to federal agencies. New York's Department of Financial Services (DFS) has signaled that its cybersecurity regulation (23 NYCRR 500) will incorporate quantum risk assessment requirements. The European Union's NIS2 directive includes cryptographic resilience as a requirement for essential entities. Singapore's MAS has issued guidance on quantum computing risk in financial services. The regulatory net is tightening globally, and organizations that have not begun migration planning will find themselves scrambling to comply with multiple overlapping deadlines.
The Cost of Retroactive Exposure
When a quantum computer decrypts previously encrypted data, the exposure is retroactive. It does not matter that the data was encrypted at the time of transmission. It does not matter that the encryption was considered adequate by the standards of the day. What matters is that the data is now exposed, and every obligation that attached to that data at the time of its creation still applies.
Consider a healthcare organization that transmitted patient records using TLS 1.2 with RSA key exchange in 2024. The records were encrypted in transit, satisfying HIPAA's encryption requirements as understood at the time. In 2034, a quantum computer decrypts the intercepted traffic. The patient records are now exposed. The HIPAA breach notification obligations apply. The penalties apply. The class action litigation applies. And the organization's defense, that the encryption was adequate at the time, will be evaluated against the fact that NIST published post-quantum standards in 2024 and the organization chose not to implement them.
This retroactive exposure creates a liability that compounds over time. Every day that an organization continues to transmit sensitive data using quantum-vulnerable cryptography, it increases the volume of data that will be exposed when (not if) a CRQC becomes operational. The liability is not a future event. It is being created right now, with every TLS handshake that uses RSA or ECDH key exchange.
The Insurance Implications
Cyber insurance is the canary in the coal mine for emerging risk. Insurers are the first to quantify threats that the rest of the market prefers to ignore, because they are the ones who will pay when the threat materializes.
Major cyber insurers are already incorporating quantum risk into their underwriting processes. The question "Do you have a post-quantum migration plan?" is appearing on renewal applications. Within three years, the question will shift from "Do you have a plan?" to "Have you implemented post-quantum cryptography for your most sensitive data?" Organizations that cannot answer affirmatively will face higher premiums, reduced coverage, or outright coverage exclusions for quantum-related breaches.
The HATS (H33 AI Trustworthiness Standard) framework provides insurers with a standardized way to assess an organization's cryptographic posture. HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls. Organizations with HATS certification can demonstrate to insurers that their cryptographic infrastructure meets post-quantum requirements, potentially reducing premiums and securing broader coverage.
The Competitive Disadvantage
Post-quantum migration is not merely a defensive measure. It is becoming a competitive differentiator, particularly in industries where trust and data security are primary selection criteria.
Government contractors that cannot demonstrate post-quantum capability will be excluded from contracts that require CNSA 2.0 compliance. Financial institutions that cannot attest to quantum-resistant key exchange will face counterparty risk concerns from partners who have already migrated. Healthcare organizations that process genetic data without post-quantum protection will face questions from patients, regulators, and litigators about why they chose to leave lifetime-sensitive data vulnerable to a known threat.
The organizations that migrate early gain a competitive advantage. They can credibly claim quantum resistance in their security marketing. They can demonstrate compliance with emerging regulations before those regulations carry enforcement penalties. They can serve as trusted partners for government and financial institutions that require quantum-resistant counterparties.
Why Organizations Delay
Despite the clear and present threat, most organizations have not begun post-quantum migration. The reasons are predictable and, in every case, insufficient.
Perceived Complexity
The most common reason for delay is the perception that post-quantum migration requires a complete rebuild of cryptographic infrastructure. This perception is wrong. Modern PQ solutions, including H33's overlay approach, allow organizations to add post-quantum protection without replacing existing systems. The H33-74 attestation primitive provides post-quantum attestation as an API call, not a systems integration project.
Waiting for Maturity
Some organizations claim they are waiting for post-quantum algorithms to "mature" before implementing them. This argument was reasonable in 2022, when the standards were still in draft. It is not reasonable in 2026. FIPS 203, 204, and 205 are final, published standards. They have undergone over seven years of public review. The algorithms have been implemented in major cryptographic libraries including OpenSSL, BoringSSL, and liboqs. The maturity argument is now just procrastination with a technical-sounding justification.
Budget Constraints
Budget is a legitimate constraint, but it must be weighed against the cost of a retroactive breach. The cost of implementing post-quantum cryptography today is measured in engineering effort and infrastructure investment. The cost of a retroactive breach in 2034 is measured in regulatory fines, litigation settlements, customer notification costs, reputational damage, and loss of competitive position. In every credible analysis, the cost of migration is orders of magnitude less than the expected cost of inaction.
The Quantum Timeline Uncertainty
The most intellectually honest objection is timeline uncertainty. No one knows when a CRQC will become operational. Estimates range from 2030 to 2040, with some researchers suggesting it could be sooner and others suggesting it could be later. But this uncertainty cuts both ways. If the timeline is uncertain, you cannot be certain that you have ten years. You might have five. You might have three. And for data that must remain confidential for decades, the timeline to CRQC is irrelevant because the data is being intercepted now.
The Migration Path That Does Not Require Rebuilding
The single most important development in post-quantum migration is the emergence of overlay approaches that provide quantum resistance without requiring organizations to replace their existing cryptographic infrastructure.
H33's approach exemplifies this. The H33-74 attestation primitive provides post-quantum attestation for any data, any computation, any event, through a simple API call. The attestation uses three independent post-quantum signature families: ML-DSA (FIPS 204), FALCON, and SLH-DSA (FIPS 205). The result is distilled into 74 bytes that can be stored, transmitted, and verified anywhere.
This overlay approach means organizations do not need to replace their TLS infrastructure. They do not need to re-key their databases. They do not need to rewrite their applications. They add a post-quantum attestation layer on top of existing systems, providing quantum resistance for the most sensitive data while they plan and execute a broader migration at their own pace.
The hybrid approach, where post-quantum algorithms run alongside classical algorithms, is explicitly recommended by NIST for the transition period. H33's three-family signing goes further by using three independent hardness assumptions (MLWE lattices, NTRU lattices, and stateless hash functions), ensuring that a breakthrough against any single algorithm family does not compromise the attestation.
What Inaction Looks Like in 2034
Let us project forward to a concrete scenario. It is 2034. A cryptographically relevant quantum computer has been operational for six months. An intelligence service decrypts a cache of intercepted traffic from 2026.
In the decrypted traffic, they find wire transfer instructions from a major bank. Merger communications between two publicly traded companies. Patient records from a hospital system. Privileged legal communications from a law firm advising a Fortune 500 client. Source code for a defense contractor's weapons system. Authentication credentials for a government agency's classified network.
Each of these disclosures triggers its own cascade of consequences. The bank faces regulatory investigation and customer lawsuits. The merged companies face SEC scrutiny for potential insider trading by anyone who had access to the decrypted communications. The hospital faces HIPAA enforcement and class action litigation. The law firm faces malpractice claims and potential disbarment proceedings. The defense contractor faces criminal referrals for failure to protect classified information. The government agency faces a comprehensive security breach that compromises not just data but operational capability.
Every one of these organizations will be asked the same question: when did you know about the quantum threat, and what did you do about it? The answer, for organizations that have not begun migration in 2026, will be devastating. The standards were published. The threat was documented. The solutions were available. The choice not to act was a choice to accept the risk of catastrophic retroactive exposure.
The Institutional Failure Pattern
History provides numerous examples of institutional failure to respond to known, documented, slow-moving threats. The pattern is consistent: the threat is identified, experts warn about it, standards and regulations are developed, early adopters migrate, and the majority waits until the threat materializes. The majority then suffers consequences that were entirely predictable and largely preventable.
Y2K is the closest analog, but it differs in one critical respect: Y2K had a fixed, known deadline. Organizations knew that January 1, 2000 would arrive on schedule, and they migrated accordingly (often at the last minute, but they migrated). The quantum threat does not have a fixed deadline, which paradoxically makes it harder to motivate action despite the fact that the consequences of inaction are worse.
The organizations that will be judged most harshly are not those that tried and failed to migrate. They are those that decided the problem was someone else's to solve, or that the timeline was far enough away to justify delay, or that their existing encryption was "good enough." These are the organizations that will face the full weight of retroactive liability when the quantum threshold is crossed.
What You Should Do Today
The first step is inventory. You need to know what cryptographic algorithms are in use across your organization, where your most sensitive data flows, and which systems are most vulnerable to harvest-now-decrypt-later. This inventory is required by OMB M-23-02 for federal agencies, but every organization should conduct it regardless of regulatory obligation.
The second step is prioritization. Not all data has the same sensitivity horizon. Focus first on data that must remain confidential for more than ten years: healthcare records, legal communications, financial data, intellectual property, authentication credentials, and any data subject to regulatory retention requirements.
The third step is implementation. Begin with an overlay approach that provides post-quantum protection for your most sensitive data without requiring a full infrastructure rebuild. Add post-quantum attestation to your most critical workflows. Implement hybrid key exchange for your most sensitive communications. Use NIST's migration guidance to plan the broader transition.
The fourth step is verification. Ensure that your post-quantum implementation actually provides the security you need. Use independent verification, not self-assessment. The HATS standard provides a conformance framework for continuous cryptographic verification that can be audited by third parties.
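The inventory and prioritization steps can be turned into a small triage script that ranks data flows by how long recorded traffic would stay sensitive after a CRQC arrives. This is an added example, not code from the article or from H33; the key-exchange labels, the `Flow` record, the action names and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Key-establishment labels as a scanner might record them (assumed naming).
QUANTUM_VULNERABLE = {"RSA", "DHE", "ECDHE-P256", "ECDHE-P384", "X25519"}
PQ_OR_HYBRID = {"ML-KEM-768", "ML-KEM-1024", "X25519MLKEM768"}
CRQC_SCENARIOS = (2030, 2034, 2040)   # range of estimates quoted in the article
LONG_HORIZON_YEARS = 10               # the article's "more than ten years" cutoff
RANK = {"migrate-first": 0, "classify": 1, "migrate": 2, "schedule": 3, "ok": 4}


@dataclass(frozen=True)
class Flow:
    name: str
    key_exchange: str
    captured: int        # year the traffic crossed an untrusted network
    secrecy_years: int   # how long the content must stay confidential


def exposure_years(flow, crqc_year):
    """Years in which recorded traffic is both decryptable and still sensitive."""
    if flow.key_exchange in PQ_OR_HYBRID:
        return 0
    return max(0, flow.captured + flow.secrecy_years - crqc_year)


def triage(flow):
    """Return (action, worst_case_exposure) for one inventoried data flow."""
    worst = exposure_years(flow, min(CRQC_SCENARIOS))
    if flow.key_exchange in PQ_OR_HYBRID:
        return "ok", 0
    if flow.key_exchange not in QUANTUM_VULNERABLE:
        # Unknown algorithm: do not assume it is safe, send it back to inventory.
        return "classify", worst
    if flow.secrecy_years > LONG_HORIZON_YEARS:
        return "migrate-first", worst
    return ("migrate" if worst > 0 else "schedule"), worst


def plan(flows):
    """Order flows by action, then by worst-case exposure (largest first)."""
    rows = [(f.name, *triage(f)) for f in flows]
    return sorted(rows, key=lambda r: (RANK[r[1]], -r[2]))


# Constructed sample inventory, not data from the article.
INVENTORY = [
    Flow("marketing-site", "X25519", 2026, 1),
    Flow("legal-privileged-mail", "X25519MLKEM768", 2026, 50),
    Flow("wire-transfers", "ECDHE-P256", 2026, 7),
    Flow("legacy-vpn", "UNKNOWN-KEX", 2025, 15),
    Flow("patient-records", "RSA", 2024, 36),
]

if __name__ == "__main__":
    for name, action, worst in plan(INVENTORY):
        print(f"{action:14} {name:22} worst-case exposure: {worst} years")
```

The `patient-records` row mirrors the article's healthcare case: traffic captured in 2024 that stays sensitive until 2060 is exposed for 26 years if a CRQC arrives in 2034, and for 30 years under the earliest scenario.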
The cost of these steps is measured in weeks of engineering effort and thousands of dollars in infrastructure investment. The cost of not taking these steps is measured in retroactive liability that could reach hundreds of millions of dollars when the quantum threshold is crossed.
The math is not ambiguous. The threat is not theoretical. The standards are not pending. The only remaining variable is whether your organization will be among those that acted, or among those that will spend the next decade explaining why they did not.