Someone may already have a copy of your encrypted files, sitting on a server somewhere, perfectly preserved, waiting for hardware that does not exist yet but will.

Not a thriller premise. Not a speculative scenario for 2040. This is called a harvest-now, decrypt-later attack, and it is happening right now, while you are reading this sentence. The question worth sitting with is not whether quantum computing will eventually matter to your security posture. The question is whether you have already lost data you do not know you have lost.

That is where this debate actually starts.


The Real Story Behind the Headlines

Two camps have formed around quantum computing and cybersecurity, and they are talking past each other in ways that cost real organizations real money.

Side A says the threat is overblown. Quantum computers capable of breaking current encryption, specifically RSA-2048 or AES-128, remain years or decades away from practical deployment. IBM’s 433-qubit Osprey processor, announced in 2022, sounds impressive until you learn that cryptographically relevant attacks would require millions of stable, error-corrected qubits, according to a 2022 estimate published by Google’s quantum AI team. The hardware simply is not there. Panic-driven migrations, Side A argues, waste budget that could address actual, present-day threats.

Side B says waiting is precisely what adversaries want you to do. The harvest-now threat does not require a quantum computer today. It requires only that someone intercepts and stores your encrypted traffic now, then decrypts it later when the hardware catches up. For data with a long sensitivity shelf life, patient records, intellectual property, classified communications, the clock started years ago. Side B points to a 2023 report from the Cybersecurity and Infrastructure Security Agency (CISA) warning that organizations with long data lifecycles should treat post-quantum migration as an active project, not a future roadmap item.

So who is right? Both, partially. But one of them is asking the wrong question.


The Industries Already in the Room

Think of it this way: if quantum computing were a new highway under construction, most companies are still debating whether to buy a car. A handful have already moved in next to the on-ramp.

Finance is the most aggressive early mover. JPMorgan Chase published research in 2022 on quantum key distribution (QKD) networks tested in live environments. HSBC ran its first quantum-secured gold tokenization transaction in 2023. These are not pilot programs tucked into a lab. They are production-adjacent tests inside regulated financial infrastructure.

Pharmaceuticals and biotech are using quantum computing for molecular simulation, with IBM and Pfizer collaborating on protein-folding models that classical computers handle poorly. The security implication is significant. Proprietary drug compound data transmitted today using classical encryption is exactly the kind of high-value, long-shelf-life intellectual property that harvest-now attacks target.

Defense and government have moved furthest on the security side. The U.S. National Security Agency announced in 2022 that it would require post-quantum cryptography for all National Security Systems by 2035, with interim milestones starting in 2025. When the NSA sets a deadline, it tends to know something about the threat environment that it cannot fully disclose publicly. Ask yourself why a 2035 mandate was published in 2022, with work beginning in 2025. That timeline implies current exposure, not hypothetical future risk.


Did You Know: In 2024, the National Institute of Standards and Technology (NIST) finalized its first set of post-quantum cryptographic standards, including CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures. These are not drafts. They are published, implementable standards available right now.


The Human Cost of Waiting

Marcus Chen, CISO at a regional hospital network in the Pacific Northwest, described a moment in early 2024 that clarified the issue for him. During a third-party vendor audit, his team discovered that a cloud storage provider they had used from 2019 to 2022 had experienced a quiet data exfiltration. The stolen files were encrypted. No patient data had been exposed in any readable form. The vendor called it a contained incident. Chen told his board something different. He told them the incident was not contained. It was deferred. The files existed somewhere, intact, waiting. His board approved a post-quantum migration budget within sixty days.

That moment, a CISO staring at an audit report for data that was technically still safe but practically already gone, is what this debate looks like when it lands in a real organization.


The Cybersecurity Implications, Spelled Out

Here is what this actually means for you. Current public key infrastructure, the system securing most web traffic, financial transactions, and enterprise communications, relies on mathematical problems that quantum computers can solve efficiently using an algorithm called Shor’s algorithm. RSA, ECC, and Diffie-Hellman are all vulnerable to a sufficiently powerful quantum machine. When did you last ask your security vendor whether their product supports CRYSTALS-Kyber or any NIST-approved post-quantum alternative?

The answer, for most enterprise buyers, is never. Because most vendors are not advertising this part.

Symmetric encryption like AES-256 is more resilient, requiring only a key-length doubling to maintain security against Grover’s algorithm. But your organization almost certainly uses asymmetric encryption for key exchange, authentication, and certificate infrastructure. That is the exposure surface.

Warning: If your vendor contracts reference RSA or ECC encryption without a post-quantum migration clause or roadmap, your data protected by those contracts today may be vulnerable to retrospective decryption once quantum hardware scales. This is not a theoretical risk for data with a sensitivity window longer than five to ten years.


Pro Tip: NIST’s post-quantum cryptography standards are publicly available and free to access at csrc.nist.gov/projects/post-quantum-cryptography. The finalized standards document, NIST IR 8413, lists which current algorithms are flagged as vulnerable and which approved replacements are ready for implementation. If a breach happened today using data stolen three years ago, would your current vendor even flag it?


My Position: Side B Is Right, but Asking the Wrong Question

The debate framed as “is quantum a real threat now” is a distraction. The correct question is: how long does your data need to stay confidential? If the answer is more than five years, you are already operating in a post-quantum risk environment, whether or not a quantum computer has broken anything yet.

I dug into the actual research so you do not have to, and here is what I found: the organizations treating this as a future problem share one assumption that does not hold. They assume the threat begins when the hardware matures. It does not. It began the moment adversaries started storing encrypted traffic they could not yet read. For some organizations, that moment was years ago.

The sides are not really disagreeing about technology. They are disagreeing about when risk begins. One side says risk begins at decryption. The other says it begins at capture. Only one of those views accounts for how sophisticated, patient threat actors actually operate.


Your Next 3 Steps

Step 1: This week. Pull every active vendor contract that involves data storage, transmission, or authentication. Search the document text for the words RSA, ECC, and Diffie-Hellman. If any appear without an adjacent post-quantum migration clause or roadmap commitment, flag that vendor for an immediate follow-up call. Use this exact question: “What is your current timeline for supporting CRYSTALS-Kyber or NIST FIPS 203-compliant key encapsulation?” If they cannot answer it, that is your answer.

Step 2: This month. Go directly to csrc.nist.gov/projects/post-quantum-cryptography and download NIST IR 8413. It is free, publicly available, and written accessibly enough for a non-specialist to use. Cross-reference your current encryption stack against the flagged algorithms list. This is not a consultant engagement. It is a one-hour internal review that your security lead can do without a budget line.

Step 3: Assign it to a person. Not a team. One named individual on your staff owns a post-quantum readiness assessment with a completion date attached to it. The assessment should answer three questions: what data does your organization hold with a sensitivity window longer than five years, what encryption currently protects it, and does that encryption appear on NIST’s vulnerable list. When that person has a name and a deadline, this moves from awareness to action.
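Steps 1 and 3 above, together with the Shor/Grover distinction from the implications section, reduce to a crypto inventory check: which algorithm protects each asset, and does the data outlive the threshold. The following is an added Python example, not the article's, NIST's or any vendor's code; the regexes, the five-year threshold and the sample inventory are constructed here, and ML-KEM is the FIPS 203 name for Kyber.

```python
import re
# Added example, not the article's or NIST's code: a minimal crypto-inventory
# check for the harvest-now, decrypt-later model the article describes.
# Families the article names as broken by Shor's algorithm:
SHOR_VULNERABLE = re.compile(
    r"\b(RSA(?:-\d+)?|ECC|ECDSA|ECDHE?|DHE?|Diffie-Hellman|P-256|P-384)\b", re.I)
# Symmetric cipher the article says Grover's algorithm weakens (fix: AES-256):
GROVER_WEAKENED = re.compile(r"\bAES-?128\b", re.I)
# Replacements the article points to (ML-KEM is the FIPS 203 name for Kyber):
POST_QUANTUM = re.compile(r"\b(ML-KEM|Kyber|FIPS\s*203|ML-DSA|Dilithium)\b", re.I)
TAGS = {"post-quantum": POST_QUANTUM, "shor-vulnerable": SHOR_VULNERABLE,
        "grover-weakened": GROVER_WEAKENED}
THRESHOLD_YEARS = 5  # the article's "more than five years" line

def classify(algorithm: str) -> frozenset:
    """Tag a free-text algorithm description; a hybrid may carry several tags."""
    return frozenset(tag for tag, rx in TAGS.items() if rx.search(algorithm))

def assess(assets, threshold=THRESHOLD_YEARS) -> dict:
    """Step 3: risk begins at capture, so data is exposed when a Shor-vulnerable
    algorithm protects it and it must stay confidential past the threshold."""
    findings = {}
    for name, algorithm, years in assets:  # (name, algorithm text, window in years)
        tags, reasons = classify(algorithm), []
        if "shor-vulnerable" in tags and "post-quantum" not in tags:
            reasons.append("exposed: captured ciphertext outlives threshold"
                           if years > threshold else
                           "migrate: vulnerable algorithm, short-lived data")
        if "grover-weakened" in tags and years > threshold:
            reasons.append("weakened: move AES-128 to AES-256")
        if reasons:
            findings[name] = reasons
    return findings

def scan_contract(text: str) -> dict:
    """Step 1: find RSA/ECC/Diffie-Hellman in contract text and check whether a
    post-quantum roadmap clause sits alongside them."""
    mentions = sorted({m.group(1).upper() for m in SHOR_VULNERABLE.finditer(text)})
    pq_clause = bool(POST_QUANTUM.search(text) or re.search(r"post-quantum|PQC", text, re.I))
    return {"mentions": mentions, "has_pq_clause": pq_clause,
            "needs_followup": bool(mentions) and not pq_clause}

# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    ("patient-records-archive", "RSA-2048 key exchange, AES-256 at rest", 25),
    ("drug-compound-research", "ECDHE P-256 / AES-128", 15),
    ("session-tokens", "ECDSA P-256 signed JWT", 0),
    ("hr-payroll-export", "AES-256-GCM, pre-shared key", 7),
    ("partner-api-tls", "X25519 + ML-KEM-768 hybrid", 10),
]
```

Running `assess(SAMPLE_ASSETS)` flags the archive and the research data as already exposed and the short-lived tokens as migrate-only; the AES-256 export and the ML-KEM hybrid produce no finding.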

The window for treating this as someone else’s problem is closing. The organizations that moved early on TLS migration, on GDPR compliance, on zero trust architecture, did not do it because the threat had already materialized. They did it because they understood that security timelines and threat timelines are never the same clock.