Your cryptography might be stuck in 2010, and the worst part is, you may not even know it. That was the warning from Hart Montgomery, Technical Director at The Linux Foundation, in the latest episode of Shielded: The Last Line of Cyber Defense. While many organizations are focused on preparing for a quantum future, most still haven’t addressed their cryptographic past. In fact, legacy vulnerabilities like MD5 and single DES aren’t just part of the history books—they’re still running in production systems today.
Hart has spent years helping organizations modernize their cryptographic systems, and what he sees isn’t encouraging. “You see things like MD5 certificates, just really, really old cryptographic code,” he explains. “And it’s not just niche systems; 90% of closed-source software in this particular survey had software dependencies with potential security issues, which is even more frightening.”
That risk grows when you consider the complexity of modern software development. Much of today’s code is built from reused open-source components, a structure Hart memorably calls the “Open Source Hamburger.” A typical application includes an open-source framework as a base, a thin layer of custom code in the middle, and more open-source libraries stacked on top. “It turns out the custom code that most people write for these modern software projects is like quite small. It’s maybe 20% of the code in an overall project.” That means 80% of your software stack may be code you didn’t write and don’t fully control, and that’s where risk can quietly multiply.
The first step toward quantum readiness, Hart explains, is visibility—knowing what cryptographic components your systems rely on and where the risks are buried. That means building a software bill of materials (SBOM) and a cryptographic bill of materials (CBOM) to map both software dependencies and the cryptographic algorithms they use. These tools reveal outdated components or dormant libraries that may still contain insecure algorithms like MD5, SHA-1, or single DES, even if those components aren’t top-of-mind for your team.
From there, Hart advises targeting low-friction, high-reward areas as migration entry points. “All migrations are hard. Some migrations are easier than others.” For most organizations, that means starting with protocols like TLS handshakes or ephemeral key exchanges. These operations are small in size and infrequent relative to overall data flow, which makes them technically easy to upgrade with post-quantum algorithms and minimal performance impact. Messaging systems and applications like Signal and Apple’s iMessage have already made such transitions. So have cloud providers like AWS. These early wins help teams build momentum, prove value, and reduce the perceived complexity of post-quantum upgrades.
But visibility and quick wins are only the beginning. Hart emphasizes the importance of building crypto agility into your architecture now. In crypto-agile systems, developers don’t pick and implement algorithms themselves. Instead, they call approved cryptographic functions via centralized APIs, often maintained by a core security team. This “black box” model, already in use at companies like Google, IBM, and AWS, allows organizations to rotate algorithms or change parameters without rewriting core application logic. The result is a system that’s resilient and adaptable, even as threat models shift or new standards emerge.
Even so, many organizations still struggle to move the conversation forward internally. That’s where the “Harvest Now, Decrypt Later” threat model becomes a critical tool for executive buy-in. Hart puts it simply: Encrypted data sent today may be recorded by adversaries, ranging from nation-states to competitors, and decrypted later, once quantum computers become powerful enough. “However you’re using data, it’s probably being transmitted across the Internet today,” he says. “If a quantum computer comes out five years from now and you used some kind of elliptic curve-based key exchange to set up your secure connection, I can go back and decrypt all that data.” If you’re handling data that must remain secure for 5, 10, or 20 years, such as healthcare records, legal files, or classified communications, then planning needs to start immediately.
This risk becomes even more urgent when considering hardware timelines. Many organizations rely on smart meters, secure elements, embedded chips, or IoT devices that are designed to run for a decade or more. “That’s a tough one,” Hart admits. “And I am very, very worried about the small cryptographic hardware pieces.” These components often can’t be updated in the field, making them one of the longest lead-time vulnerabilities in your infrastructure. Planning, budgeting, and vendor coordination around hardware upgrades must begin well before quantum computers arrive.
Throughout the episode, Hart returns to the theme of consistency—in policy, enforcement, and architecture. The organizations that will navigate the quantum transition successfully are the ones that stop treating cryptography as a developer-level decision and start treating it as an enterprise capability. “Ideally, you’d like your developers to understand cryptography in sort of a black box way,” he explains. “You can say, okay. Call this function for your signatures. We’ll always make sure we have a high-security, efficient implementation in there.”
Quantum readiness doesn’t require a complete overhaul or a perfect forecast of when quantum threats will materialize. What it does require is a strategic shift. Start by mapping your cryptographic footprint. Build agility into your systems. Prioritize manageable upgrades. Prepare your hardware lifecycle now, not later. Most importantly, design systems that are capable of evolving with the threat landscape.
Because if your cryptography is stuck in 2010, quantum readiness isn’t a future initiative. It’s a pressing challenge, and the clock is already ticking.
You can hear the full conversation with Hart Montgomery on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.
🎤Apple Podcasts
🎤Spotify
🎤YouTube Podcasts
About The Linux Foundation
The Linux Foundation is a nonprofit organization that fosters the growth of open-source software and collaborative development communities to drive innovation at scale. As a central hub for some of the world’s most critical open technologies, including Linux, Kubernetes, and Hyperledger, it provides a trusted platform for industry, academia, and government to build, maintain, and secure the software that powers global infrastructure. Through initiatives like the Post-Quantum Cryptography Alliance, the Open Quantum Safe Project, and ongoing supply chain security efforts, The Linux Foundation plays a pivotal role in advancing cryptographic resilience and shaping the future of secure, open digital ecosystems.