Episode 3: Build Your 12-Month Post-Quantum Strategy

Key Takeaways

  • Featured guest: Dustin Moody, mathematician leading post-quantum cryptography standardization at NIST
  • Quantum threats are already active through “harvest now, decrypt later” attacks
  • 2035 is the finish line for quantum-safe migration, not the starting point
  • A cryptographic inventory is the first critical step
  • Crypto agility must be embedded into future systems
  • Hybrid cryptography can support transition but requires careful evaluation

The 2035 Deadline Is Closer Than You Think

The quantum threat is no longer theoretical. As adversaries engage in “harvest now, decrypt later” attacks, collecting encrypted data today with the intent to decrypt it once quantum computers mature, the need to shift to post-quantum cryptography (PQC) has become urgent and unavoidable.

While some organizations are still waiting for finalized standards or compliance mandates, the stark reality is that by the time those arrive, it may already be too late.

Dustin Moody, the mathematician leading the post-quantum cryptography standardization project at NIST, has been at the forefront of this shift since 2016. In a recent episode of Shielded: The Last Line of Cyber Defense, he delivered a direct message to organizations of all sizes: The time to act is now.

“The standards are here,” he explains. “And now maybe some people think, okay, we’ve got the standards, we’ll just switch over. Be a real easy, quick thing… But I don’t believe it’s going to end up being just a quick, easy, simple transition.”

What Is Post-Quantum Cryptography?

Post-quantum cryptography refers to cryptographic algorithms designed to remain secure against attacks from both classical and quantum computers. Traditional public-key encryption systems such as RSA and elliptic curve cryptography rely on mathematical problems that quantum computers are expected to solve efficiently. Once that happens, encrypted data protected by these systems becomes vulnerable.

Post-quantum cryptography introduces new mathematical approaches that are resistant to quantum attacks. These algorithms are being standardized by NIST to help governments and organizations transition before large-scale quantum computers become operational.

In short, post-quantum security is the shift toward quantum-resistant encryption that protects data not only today but decades into the future.

Why Waiting Is a Strategic Risk

The 2035 deadline is not the beginning of the migration process. It is the finish line.

For large enterprises with complex infrastructure and deeply embedded cryptographic systems, migration to post-quantum cryptography may take ten years or more. Organizations that delay risk rushed implementation, operational disruption, and exposure to harvested encrypted data.

Moody confirms that U.S. government agencies are already observing “harvest now, decrypt later” behaviour.

“It is a real attack. It’s ongoing now,” he notes. “Adversaries are actively scooping up data with the idea that in the future they will be able to unlock it.”

This is especially concerning for data with a long lifespan, including medical records, legal documents, financial contracts, intellectual property, and national security information. If the data will still be sensitive in ten or fifteen years, it is already at risk.

Step One: Build a Dedicated PQC Team

According to Moody, post-quantum readiness begins with structure and leadership. Organizations must assign executive ownership, allocate dedicated resources, and establish a cross-functional team.

Post-quantum migration cannot be buried inside an IT backlog. It requires board-level visibility and a defined roadmap.

Step Two: Conduct a Cryptographic Inventory

Before migrating anything, organizations must understand where cryptography is used across their environment. This includes internal applications, third-party services, APIs, cloud platforms, legacy systems, and embedded hardware.

Most companies do not have complete visibility into their cryptographic footprint. Without this inventory, any transition plan is built on assumptions.
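
A triage pass over such an inventory, added here as an illustration and not taken from Moody or NIST: it flags RSA and elliptic-curve usage and ranks key-exchange and encryption uses that protect long-lived data first, since those are what harvest now, decrypt later exposes today. The asset records, field names and the 10-year horizon are constructed assumptions.

```python
from dataclasses import dataclass

# RSA and elliptic-curve families are the ones the article names as
# quantum-vulnerable; ML-KEM, ML-DSA and SLH-DSA are NIST's PQC standards.
QUANTUM_VULNERABLE = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "ED25519")
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Uses where traffic recorded today can be decrypted later.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}
ORDER = {"urgent": 0, "planned": 1, "review": 2, "done": 3}


@dataclass
class Asset:  # hypothetical inventory record
    system: str
    algorithm: str      # as reported by a scan, e.g. "RSA-2048"
    use: str            # "key-exchange", "encryption" or "signature"
    secrecy_years: int  # how long the protected data must stay confidential


def priority(asset, horizon_years=10):
    name = asset.algorithm.upper()
    if name.startswith(POST_QUANTUM):
        return "done"
    if not name.startswith(QUANTUM_VULNERABLE):
        return "review"  # symmetric, hash or unrecognised: needs a human look
    if asset.use in CONFIDENTIALITY_USES and asset.secrecy_years >= horizon_years:
        return "urgent"  # exposed to harvest now, decrypt later today
    return "planned"     # must migrate, but no long-lived recorded data at stake


def triage(assets, horizon_years=10):
    rows = [(priority(a, horizon_years), a.system, a.algorithm) for a in assets]
    return sorted(rows, key=lambda r: (ORDER[r[0]], r[1]))


# Constructed sample inventory, not real systems.
INVENTORY = [
    Asset("patient-records-api", "ECDH-P256", "key-exchange", 25),
    Asset("build-signing", "RSA-3072", "signature", 0),
    Asset("session-cache", "X25519", "key-exchange", 1),
    Asset("backup-vault", "AES-256-GCM", "encryption", 15),
    Asset("pilot-gateway", "ML-KEM-768", "key-exchange", 25),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep="\t")
```

Signature-only uses land in "planned" rather than "urgent" because a recorded signature cannot be decrypted later; they still need to move before the deadline.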

Step Three: Design for Crypto Agility

Inventory alone is not enough. Systems must be built with crypto agility — the ability to replace and adapt cryptographic algorithms across protocols, software, hardware, and infrastructure without interrupting operations.

This capability is foundational to long-term resilience. The quantum era will require ongoing algorithm updates, not a one-time migration.
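
One way crypto agility can look in code, as an added sketch that is not from the episode or any NIST document: every protected record carries an algorithm identifier, callers go through a central policy instead of naming an algorithm, and rotation is a policy change. The registry, the `Policy` class and the HMAC stand-in algorithms are assumptions for illustration.

```python
import hashlib
import hmac

# Registry of algorithm id -> tagging function. Standard-library HMAC variants
# stand in for whatever primitives a real system would register here.
REGISTRY = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}


class Policy:
    """Central algorithm choice; application code never names an algorithm."""

    def __init__(self, current, accepted=()):
        self.current = current
        self.accepted = set(accepted) | {current}
        unknown = self.accepted - set(REGISTRY)
        if unknown:
            raise ValueError(f"unregistered algorithms: {sorted(unknown)}")


def protect(policy, key, msg):
    """Return an envelope that records which algorithm produced the tag."""
    alg = policy.current
    # Binding the id into the tagged bytes stops relabelling an envelope.
    tag = REGISTRY[alg](key, alg.encode() + b"\x00" + msg)
    return {"alg": alg, "msg": msg, "tag": tag}


def verify(policy, key, env):
    """Check the tag only under an algorithm the policy still accepts."""
    alg = env.get("alg")
    if alg not in policy.accepted:
        return False  # retired or unknown algorithm: reject, never fall back
    expected = REGISTRY[alg](key, alg.encode() + b"\x00" + env["msg"])
    return hmac.compare_digest(expected, env["tag"])


def rotation_demo(key=b"constructed-demo-key"):
    env = protect(Policy("hmac-sha256"), key, b"record-1")
    # Rotation is a policy change: new data gets the new algorithm while
    # existing envelopes stay verifiable until they are re-protected.
    transition = Policy("hmac-sha512", accepted=["hmac-sha256"])
    retired = Policy("hmac-sha512")  # old algorithm switched off
    return (verify(transition, key, env),
            protect(transition, key, b"record-2")["alg"],
            verify(retired, key, env))
```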

Should You Use Hybrid Cryptography?

Hybrid cryptography combines classical algorithms with quantum-safe algorithms during transition. This approach offers conservative protection but introduces complexity. As Moody explains, combining two systems can create new angles of attack.

Organizations must evaluate operational overhead, implementation risk, vendor readiness, and long-term scalability. Hybrid strategies may serve as a bridge, but they are not a permanent solution.

Your 12-Month Post-Quantum Action Plan

Moody does not recommend tearing everything down overnight. The next 12 months should be focused on momentum — building awareness, allocating resources, and embedding post-quantum readiness into your broader security strategy.

Here is a practical roadmap based on his guidance:

  • Build a team and have someone in charge of it
  • Put together a roadmap for your organisation
  • Begin doing risk assessments
  • Start talking to vendors
  • Start talking to your customers
  • Start talking to your suppliers and make sure they are aware

Early movers gain control over their timeline, reduce the risk of rushed migrations, and strengthen long-term resilience.

Post-Quantum Is a Strategic Imperative

What is at stake is not just technical security. It is long-term resilience, trust, and competitive positioning. Organizations that begin now reduce regulatory risk, strengthen customer confidence, avoid emergency transitions, and build durable security foundations.

Moody’s message is direct. Do not wait for another round of standards. Do not wait for competitors to move first. Do not wait until encrypted data is compromised.

Understanding post-quantum security is the first step. Acting on it is the critical next move.

“It’s gonna be hard,” he says, “but we gotta get it done.”

Listen to the Full Conversation

You can hear the full conversation with Dustin Moody on Shielded: The Last Line of Cyber Defense, available now on:

🎤Apple Podcasts
🎤Spotify
🎤YouTube Podcasts