Post-Quantum Cryptography Upgrades the Lock, Not the Architecture
Publish Date: 2026-05-20 05:14:00
Source Domain: www.cybersecurity-insiders.com
Harvest Now, Decrypt Later (HNDL) is a 1940s-era signals intelligence practice that predates modern cyber espionage. It involves collecting encrypted data today, storing it, and waiting until brute-force computing power, implementation flaws, or cryptographic breakthroughs make it readable. This wildly successful methodology has continued unabated ever since and is accelerating as quantum computers scale.
Recent announcements by Google and others suggest we may be only 2 to 3 years from machines that can break the public-key algorithms used to establish virtually all secure digital communications, and the estimated qubit threshold keeps falling. At the same time, AI is accelerating the discovery of new mathematical methods and attack techniques, which, combined with quantum computers, promise surprising novel attacks in the coming years.
We built the internet on 1970s-era architecture, designed for the networks and threat environment of more than 50 years ago. Replacing the algorithms that companies, governments, and individuals rely on with post-quantum cryptography (PQC) is a lock upgrade, not a security transformation. The harder problem is that our entire cryptographic architecture still depends on distributing keys through channels that adversaries can observe, harvest, and exploit later, a flaw inherited from decades ago when there were few, if any, alternatives. HNDL is unsolved and will continue indefinitely, which is the entire basis of the guidance to be crypto-agile: make sure PQC itself is easily replaceable in the future.
It’s always the next CISO’s problem
We use the same technology to secure cat videos on YouTube as we do for all our banking transactions, our government secrets, and everything else. It’s a one-size-fits-all, hope-for-the-best approach. That can’t sit right with anyone who has anything sensitive in digital form.
There are no consequences. When was the last time you saw a CEO walked out of their office in handcuffs because of a cybersecurity breach? In 2015, the US experienced one of the largest exposures of government data in history: security clearance records held by the Office of Personnel Management. Who got punished? Nobody.
CISOs are dealing with plenty of immediate fires. Anything on the horizon becomes the next person’s problem. Since PQC seems like such a “hard” thing, they assume they will get the implementation wrong and be punished for it, and therefore most are unwilling to do it. Unsurprisingly, an IANS Research survey found that 52% of CISOs report that their scope is no longer fully manageable.
The industry suffers from an incentive misalignment. With more than two-thirds of CISOs open to making a career move within the next 12 months, the focus shifts to short-term wins and defensible choices—no one ever got fired for buying Microsoft. They’re mowing the lawn for the next guy. Few want to do risky lifts, like championing a foundational architectural overhaul or planning 5 to 10 years out. Many are content to buy the consensus-safe solution that satisfies immediate requirements. Conversely, CISOs who take PQC seriously will have job security for life.
In the intelligence community, we would never rely on one solution for unclassified, secret, and top-secret data. The intel community spares no expense on infosec when lives are on the line, not just lost data. Multiple different systems on completely separate physical networks compartmentalize any potential damage and limit the blast radius of a compromise. You can’t send an email from a top-secret network to a secret or unclassified network. If somebody accidentally sends me a document I’m unauthorized to access, I can’t open it. It’s encrypted in a way that makes it unusable to me. Meanwhile, anyone with a Gmail account can decrypt an attachment that I accidentally sent them.
If we don’t build some version of that strictly tiered IC architecture for the private sector, we’re only going to keep seeing security snafus.
PQC is not the end-all, be-all
There’s a false sense of security that if we just transition to PQC, this all goes away. That’s simply not true.
PQC will fail in places for many reasons: software bugs, corrupted libraries, poor entropy for keys, and even the possibility of a mathematical weakness. Poor implementations are a given. In 2022, researchers broke SIKE, then a fourth-round NIST candidate, in about an hour on a single classical laptop, with no quantum computer involved. This will go on indefinitely until we change the architecture to eliminate the need to transmit encryption keys over observable channels and make this problem go away completely. Otherwise, we’re just putting a band-aid and bubblegum on the problem until it comes up again.
The AI boom makes this unbelievably worse as we turn over control of all our infrastructure. Using agents just trades supposed productivity and convenience for a ballooning attack surface. When you turn over all your keys, API tokens, and everything you’ve ever done to OpenClaw or a pool of agents, you don’t just lose control of your chat app account. You’re handing over the keys to your entire life. Your data can go upstream all the way to the AI factory where the inference is done, creating the ultimate honeypot. If we don’t secure those big pieces, your and your company’s data can move laterally, downstream, and upstream at a level that we’ve never seen before.
Consider what Salt Typhoon did in 2024. The Chinese state-linked hacking group broke into US telecom companies and internet service providers and sat on the backbone of US internet infrastructure, where it could filter for the data China was most interested in, collect it, sit on it, and build more access points for later. The group also reached the systems that service the FBI’s court-authorized (FISA) surveillance, including its coverage of Chinese hackers on that same network, so our adversaries could even monitor the response! When the first cryptographically relevant quantum computer comes online, they will operationalize all that harvested data and, in China’s case, monetize it.
And unlike in the Cold War era, when you had to tap a piece of fiber or get into a copper wire in the Soviet Union, this is all now done remotely.
The other false sense of security I hear is, “I’m not that interesting to them. Why would they hack into my phone or router?” Well, of course, you’re not the President of the United States or the Secretary of Defense, so they won’t bother. For you, they get everything that you do through the huge data pipes upstream from your home. A file on every American is a Chinese collection requirement and IC mandate.
Nation-states access ISPs and sit on the data they harvest, which costs them almost nothing to store. A sufficient targeting package on anyone requires only snapshots of their life and data, not a perfect record of everything they’ve said and done.
And because we’re an open society, we know when many of these systems are penetrated and corrupted, but that’s just the tip of the iceberg. We only discover a small percentage of what has really been breached.
Prepare for the unknowable
As we transition to this new generation of cryptography and AI, we’re getting dragged into the black water. We don’t have any way of predicting what’s going to happen and the techniques that will be invented, but that’s not a reason to panic.
If what happened to SIKE also happens to ML-KEM, the NIST standard for post-quantum key establishment, the fallback is thin: NIST has named the code-based HQC as a backup KEM, but it was selected only in 2025 and trails far behind ML-KEM in standardization and deployment. Given that anyone can use AI tools today to sift through old papers, make new connections, and achieve mathematical breakthroughs, weaknesses will be discovered sooner rather than later, especially as more security software is vibe-coded. We simply didn’t have automated research at that scale before.
Cryptographic agility, the ability to swap a broken algorithm for a better one, does not help if we don’t update the architecture. If it will all be decryptable one day, agility is no consolation for anyone whose data has already been harvested, whether it was protected with classical RSA or modern PQC. There’s no easy button. More durable protections need to be applied to our most sensitive data and networks, not just the basics we use for social media and entertainment.