There is a phrase circulating in intelligence and cybersecurity circles that sounds like science fiction until you understand what it actually means: “harvest now, decrypt later.” The concept is straightforward and alarming. Adversarial actors — state-level and otherwise — are actively capturing encrypted network traffic today, storing it, and waiting for quantum computers powerful enough to break the encryption that protects it. That future is not decades away. Most credible estimates now put cryptographically relevant quantum computers within a seven-to-fifteen year window. For data that needs to stay confidential for longer than that, the window is already closed.
This is not a hypothetical. It is an active threat, and it explains why the U.S. National Institute of Standards and Technology finalized its first post-quantum cryptography standards in 2024 — and why the migration deadline for federal systems is 2035. The private sector has no such mandate, which means most organizations are flying without instruments into one of the most significant cryptographic transitions in the history of computing.
Why the Threat Is More Urgent Than Security Teams Think
The traditional mental model for cybersecurity is reactive: you patch when vulnerabilities are exploited, you upgrade encryption when algorithms are broken. That model fails catastrophically for quantum threats because the encryption being broken tomorrow protects data being captured today. A financial institution protecting 30-year mortgage records, a healthcare system managing lifetime patient histories, a defense contractor handling long-cycle procurement data — all of them have data with sensitivity windows that extend well past the quantum threat horizon.
The specific algorithms at risk are RSA and elliptic curve cryptography (ECC), which underpin the vast majority of secure communication on the internet: HTTPS, TLS, SSH, PGP, and the certificate infrastructure that the modern web depends on. Both are vulnerable to Shor’s algorithm, which a sufficiently powerful quantum computer can run to factor large integers and solve discrete logarithm problems exponentially faster than classical hardware. The math has been understood since 1994. The hardware is catching up to it now.
Symmetric encryption (AES-256) is significantly more resilient to quantum attack. Grover’s algorithm reduces the effective key strength by half, meaning AES-256 provides roughly 128-bit security in a post-quantum world — still considered adequate. The critical migration priority is asymmetric encryption, key exchange protocols, and digital signature schemes.
The Post-Quantum Cryptography Standards — What NIST Actually Decided
After a six-year evaluation process involving 82 candidate algorithms, NIST finalized three post-quantum cryptography standards in August 2024. Understanding what was selected, and why, matters for any organization planning a migration.
- ML-KEM (CRYSTALS-Kyber) — Key Encapsulation Mechanism
The primary standard for key exchange and encryption. ML-KEM is based on the hardness of module lattice problems, which have no known efficient quantum algorithm. It is designed as a drop-in replacement for RSA and ECDH in TLS handshakes and is already being integrated into major browsers and web servers. Google and Cloudflare have been running hybrid deployments in production since 2023.
- ML-DSA (CRYSTALS-Dilithium) — Digital Signature Algorithm
The primary standard for digital signatures, replacing RSA-based and ECDSA signing. ML-DSA offers strong security with relatively compact signatures, making it suitable for the certificate infrastructure and code-signing workflows that organizations depend on. Migration here requires updating certificate authorities and PKI infrastructure, which is the most operationally complex piece of any post-quantum transition.
- SLH-DSA (SPHINCS+) — Stateless Hash-Based Signatures
A backup signature algorithm based on different mathematical hardness assumptions than ML-DSA. NIST selected it specifically to provide cryptographic diversity — if a lattice-based vulnerability is discovered, SLH-DSA remains secure. It is slower and produces larger signatures, so it is primarily used in long-lived contexts where performance is less critical.
“The question organizations need to ask is not whether quantum computing is a real threat. The question is whether their data has a sensitivity window that extends past the threat horizon. If the answer is yes, the migration should have started yesterday.”
— Dr. Elena Vasquez, Head of Cryptography Research, Meridian Security Labs (via interview)
What the Migration Actually Looks Like in Practice
The organizations moving fastest on post-quantum migration share a methodical approach that starts with inventory, not implementation. Before any algorithm gets replaced, security teams need a complete picture of where cryptography lives in their environment. This is harder than it sounds. Cryptography is embedded in TLS certificates, SSH keys, VPN configurations, code-signing infrastructure, database encryption, hardware security modules, IoT device firmware, and third-party API dependencies — much of it undocumented and poorly tracked.
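A first triage pass over such an inventory, as an added example that is not from the article or any vendor tool: it classifies each algorithm by quantum exposure and ranks long-lived key-exchange secrets first. The CSV columns, asset names, function names and the 7-year horizon (the low end of the estimate above) are assumptions.

```python
import csv
import io

# Constructed sample inventory: asset names and retention figures are illustrative.
SAMPLE_INVENTORY = """asset,use,algorithm,confidential_years
mortgage-archive,key-exchange,RSA-2048,30
patient-portal,key-exchange,ECDH-P256,25
build-signing,signature,ECDSA-P256,0
edge-proxy,key-exchange,X25519MLKEM768,10
backup-vault,symmetric,AES-256,30
legacy-vpn,symmetric,AES-128,5
chat-gateway,key-exchange,X25519,2
"""

SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "DSA", "DH", "X25519", "ED25519")
POST_QUANTUM = ("ML-KEM", "MLKEM", "ML-DSA", "SLH-DSA")
HORIZON_YEARS = 7  # assumption: lower bound of the seven-to-fifteen year estimate

def classify(algorithm):
    """Return the quantum exposure class of an algorithm name."""
    name = algorithm.upper()
    if any(tag in name for tag in POST_QUANTUM):
        return "pq-or-hybrid"  # checked first so X25519MLKEM768 is not flagged
    if name.startswith(SHOR_BROKEN):
        return "shor-broken"
    if name.startswith("AES-"):
        effective_bits = int(name.split("-")[1]) // 2  # Grover halves key strength
        return "symmetric-ok" if effective_bits >= 128 else "symmetric-review"
    return "unknown"

def triage(inventory_csv, horizon=HORIZON_YEARS):
    """Rank assets: harvestable long-lived secrets first, then other findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposure = classify(row["algorithm"])
        years = int(row["confidential_years"])
        if exposure == "shor-broken" and row["use"] == "key-exchange" and years >= horizon:
            priority = 1  # traffic captured today is still sensitive past the horizon
        elif exposure in ("shor-broken", "symmetric-review", "unknown"):
            priority = 2  # needs migration or review, but not harvest-now exposed
        else:
            priority = 3  # no action needed for quantum reasons
        findings.append((priority, -years, row["asset"], exposure))
    return [(p, asset, exp) for p, _, asset, exp in sorted(findings)]

if __name__ == "__main__":
    for priority, asset, exposure in triage(SAMPLE_INVENTORY):
        print(f"P{priority}  {asset:18} {exposure}")
```

Signature keys land in priority 2 because a forged signature requires the quantum computer to exist, whereas captured key-exchange traffic can be stored today.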
The concept of “crypto agility” has moved from aspirational design principle to operational necessity. Systems architected to make cryptographic algorithm substitution straightforward — where the algorithm is a configuration parameter rather than a hardcoded dependency — are orders of magnitude easier to migrate than legacy systems where RSA is baked into application logic. Most organizations have both kinds. The legacy systems are where the real risk lives.
Cryptographic Inventory
Start here: Map every use of RSA, ECC, and ECDH across your environment before planning migration. Automated discovery tools (Venafi, Keyfactor, AppViewX) can accelerate this, but manual review of undocumented systems is unavoidable. Prioritize long-lived data stores first.
Hybrid Deployment
Transition strategy: Run classical and post-quantum algorithms in parallel during transition. Hybrid TLS (combining X25519 with ML-KEM) provides backward compatibility while ensuring that any traffic captured today cannot be decrypted by a future quantum adversary. Google Chrome and Firefox support this now.
PKI Modernization
High complexity: Certificate authority infrastructure is the most operationally complex piece of any PQC migration. Root and intermediate CAs will need post-quantum certificates. Plan for extended validation and rollout timelines, particularly for internal enterprise PKI that may have bespoke configurations.
Hardware Constraints
Often overlooked: ML-KEM keys are larger than RSA keys, which creates latency and storage issues on constrained hardware. IoT devices, embedded systems, and older network appliances may require firmware updates or hardware replacement before post-quantum algorithms can be deployed. Start this assessment early.
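For the hybrid deployment item above, an added example (not from the article) of verifying a rollout from captured handshakes: it parses a TLS ClientHello and reports whether the client offers a hybrid ECDHE + ML-KEM group. The function names are hypothetical and the sample ClientHello is constructed; the group code points are the IANA NamedGroup values.

```python
import struct

# IANA TLS NamedGroup code points for the hybrid ECDHE + ML-KEM groups.
HYBRID = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
          0x11ED: "SecP384r1MLKEM1024"}

def offered_groups(hello):
    """Return the NamedGroup ids in a ClientHello's supported_groups extension."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    pos = 4 + 2 + 32                                     # header, legacy_version, random
    pos += 1 + hello[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]                                # legacy_compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == 10:                               # supported_groups
            count = struct.unpack_from("!H", hello, pos + 4)[0] // 2
            if 2 + 2 * count > ext_len:
                raise ValueError("group list overruns its extension")
            return list(struct.unpack_from(f"!{count}H", hello, pos + 6))
        pos += 4 + ext_len
    return []

def assess(hello):
    """Classify a client as 'hybrid', 'classical-only' or 'unparseable'."""
    try:
        groups = offered_groups(hello)
    except (ValueError, IndexError, struct.error):       # truncated or malformed capture
        return "unparseable"
    return "hybrid" if any(g in HYBRID for g in groups) else "classical-only"

def sample_hello(groups):
    """Build a minimal constructed ClientHello offering the given groups."""
    n = len(groups)
    ext = struct.pack(f"!HHH{n}H", 10, 2 + 2 * n, 2 * n, *groups)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!HH", 2, 0x1301)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(assess(sample_hello([0x11EC, 0x001D, 0x0017])))   # hybrid-capable client
    print(assess(sample_hello([0x001D, 0x0017])))           # x25519 and secp256r1 only
```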
The Vendors Already Moving — and the Platforms That Are Lagging
The pace of post-quantum adoption varies sharply across the technology stack. Understanding where the progress is real and where it is marketing copy matters for anyone trying to build a credible migration plan.
Cloud providers are ahead of the curve. Amazon Web Services began offering ML-KEM in its KMS and key exchange protocols in 2024. Google Cloud has hybrid post-quantum TLS running in production. Microsoft Azure has published a post-quantum migration roadmap and begun integrating PQC into its identity platform. For organizations already running cloud-native workloads, a significant portion of the migration may happen automatically as hyperscaler defaults shift.
Enterprise software vendors are a mixed picture. The major database vendors have announced PQC roadmaps but most are not yet in production. Networking equipment vendors are further behind: many enterprise firewalls, VPN appliances, and load balancers will require firmware updates or replacement to support post-quantum cipher suites in TLS 1.3. Legacy on-premises software in healthcare, manufacturing, and financial services — systems that may not receive updates — represents the most significant unmitigated exposure.
This article is sponsored content produced in partnership with QuantumShield Pro. The analysis above is based on publicly available research and interviews with independent security professionals. The product mentioned in the section below has a commercial relationship with this publication. Our editorial policy requires us to disclose this clearly and prominently.
The Honest Bottom Line: What You Should Do Now
The post-quantum threat is real, the timeline is compressing, and the NIST standards are now finalized — meaning there is no legitimate reason to wait for the cryptographic landscape to stabilize further. What organizations need is a structured way to execute the migration without disrupting the systems their business runs on.
The migration will take years, not months. The organizations that are best positioned are the ones starting the inventory phase now, identifying their highest-risk data assets, and building post-quantum support into their next infrastructure refresh cycles rather than treating it as a special project. This is engineering work, not a vendor product sale — but the right tooling can compress the timeline significantly.
QuantumShield Pro provides automated cryptographic inventory, hybrid PQC deployment tooling, and a guided migration roadmap for enterprise environments. This is a sponsored offer. A 14-day pilot is available with no credit card required.