
Active Quantum Threats Meet Fragmented Defenses

Originally published on: March 24, 2026
Summary

– Enterprises are adopting post-quantum security at different rates, creating a widening gap between those with true crypto-agility and those just using the label.
– pQCee has launched a crypto-agile provider for Microsoft Windows, supporting new NIST standards and allowing integration of various post-quantum algorithms and hardware.
– Financial, healthcare, and government/defense organizations face the greatest risk from harvest-now-decrypt-later attacks, each with distinct consequences from data breaches.
– Dr. Tan advises against starting post-quantum migration with a complete cryptographic inventory and recommends first securing high-risk, internet-facing systems.
– Organizations must pressure-test their supply chain’s post-quantum readiness and cannot rely solely on cloud providers, as their offerings do not cover all necessary security layers.

The transition to post-quantum cryptography is progressing unevenly across the enterprise landscape. A significant divide is emerging between organizations that have genuinely engineered crypto-agility into their core infrastructure and those that have merely adopted the term without implementing the necessary foundational capabilities. According to Dr. Tan Teik Guan, CEO of cybersecurity firm pQCee, true crypto-agility extends far beyond supporting multiple algorithms. It represents a holistic capability to deploy appropriate cryptographic defenses in a timely, cost-effective, and non-disruptive manner. This demands integrated intelligence, governance, and mitigation controls operating across a layered defense architecture to sustain a quantum-safe posture.

In a recent development, pQCee announced a crypto-agile Cryptographic Next Generation (CNG) provider for Microsoft Windows. The company positions this as the first CNG solution to support certificates for both the NIST FIPS 204 ML-DSA and FIPS 205 SLH-DSA algorithms. This provider enables the integration of various cryptographic standards, including post-quantum algorithms, hybrid combinations, and country-specific protocols like Malaysia’s MySEAL and South Korea’s KpqC. It also facilitates hardware integration with smartcards, USB tokens, HSMs, and trusted execution environments. The product is being showcased at RSAC 2026, where pQCee is also announcing partnerships with PQShield and Feitian Technologies to incorporate their cryptographic modules.

The primary catalyst for this market urgency is the harvest-now-decrypt-later (HNDL) threat. This attack method involves adversaries exfiltrating encrypted data today with the plan to decrypt it once quantum computing power becomes sufficiently advanced, exploiting the vulnerability of current public-key systems like RSA and ECC. Dr. Tan highlights that sectors with the most significant exposure include financial institutions, healthcare providers, and government and defense organizations, though the nature of the risk varies. Financial breaches threaten privacy and reputation, healthcare data loss carries severe personal privacy implications, and government compromises can undermine economic stability and public trust.

Public utilities represent a different risk profile. Dr. Tan notes that most operational utility data does not traverse the public internet, making initial harvesting difficult for attackers, and its value is often short-term rather than spanning multiple years. However, he views HNDL as merely the first in a series of quantum threats that will shape cybersecurity for decades. Organizations that begin addressing it now are simultaneously building the essential processes, governance, procurement practices, and training programs required for future quantum challenges.

Conventional post-quantum guidance often starts with building a complete cryptographic inventory across the entire enterprise. Dr. Tan challenges this as an optimal first step. He points out that enterprises outsource approximately 80% of their technology needs, from cloud infrastructure to operating systems. In such a dynamic and interconnected environment, any comprehensive inventory is likely obsolete by the time it is finalized, especially after applying routine patches. Instead, pQCee advocates for initially identifying high-risk systems and internet-facing data. Organizations should then apply layered defenses like end-to-end post-quantum encryption and post-quantum TLS 1.3 to complicate HNDL execution, allowing the detailed inventory work to follow.

Supply chain exposure remains a distinct and persistent vulnerability. An organization can secure its own systems yet remain at risk through vendors that have not advanced their post-quantum readiness. Dr. Tan recommends a three-step approach to pressure-test the supply chain. First, request the vendor’s post-quantum product roadmap. Second, require a cryptographic bill of materials (CBOM) with any solution or service delivery. Third, ask vendors to detail their post-quantum migration strategy. These steps allow an organization to assess if a vendor’s timeline aligns with its own or if vendor replacement planning must begin.
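The second step, reviewing a vendor-supplied CBOM, can be partly automated. The following is an added example, not code from pQCee or the original article: it assumes the CBOM arrives as CycloneDX 1.6 JSON (the article names no format), and the function names and sample data are constructed for illustration.

```python
import json

# Public-key primitives: the class the article says HNDL exploits (RSA, ECC).
PUBLIC_KEY_PRIMITIVES = {"pke", "signature", "key-agree", "kem"}

def _alg(name, primitive, level=None):
    """Build one constructed CycloneDX-style algorithm component."""
    props = {"primitive": primitive}
    if level is not None:
        props["nistQuantumSecurityLevel"] = level
    return {"type": "cryptographic-asset", "name": name,
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": props}}

# Constructed sample CBOM (assumed CycloneDX 1.6 layout); not real vendor data.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        _alg("RSA-2048", "pke", 0),
        _alg("ECDSA-P256", "signature", 0),
        _alg("ML-KEM-768", "kem", 3),
        _alg("AES-256-GCM", "ae", 5),
        _alg("X25519", "key-agree"),          # quantum level not declared
        {"type": "library", "name": "example-tls-lib"},
    ]})

def triage_cbom(cbom_text):
    """Return (name, primitive, finding) for algorithms to raise with the vendor."""
    findings = []
    for comp in json.loads(cbom_text).get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        alg = props.get("algorithmProperties", {})
        primitive = alg.get("primitive")
        level = alg.get("nistQuantumSecurityLevel")
        name = comp.get("name", "<unnamed>")
        if primitive is None or (primitive in PUBLIC_KEY_PRIMITIVES and level is None):
            # A CBOM that omits these fields cannot support a readiness claim.
            findings.append((name, primitive, "undeclared"))
        elif primitive in PUBLIC_KEY_PRIMITIVES and level == 0:
            findings.append((name, primitive, "quantum-vulnerable"))
    return findings

if __name__ == "__main__":
    for finding in triage_cbom(SAMPLE_CBOM):
        print(finding)
```

Findings marked "undeclared" are questions to send back to the vendor rather than confirmed weaknesses.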

Major cloud providers like AWS and Azure have been actively expanding their quantum-safe offerings, leading some organizations to consider these services a complete solution. Dr. Tan references pQCee’s Crypto-Agile Defence-in-Depth framework to illustrate the limitations of this reliance. While cloud providers effectively address protection for data in motion and data at rest, other critical layers of defense fall outside their scope. Organizations depending solely on cloud-level protections will inevitably have gaps in their overall security posture, underscoring the need for a comprehensive, layered strategy.

(Source: Help Net Security)
