Innovation Heroes: Data encryption dates will expire soon. Now what?

Nation-states are harvesting your encrypted traffic right now. They can’t decrypt it yet — but they’re betting quantum computers will let them crack it in a few years. The 50-year-old encryption protecting everything from bank transactions to intellectual property is about to become obsolete. Federal deadlines that started December 1, 2025 are forcing critical infrastructure to prove they have quantum resilience strategies.

“As quantum computers have become more prevalent or more available, if we capture network traffic today, we may find very usable things or valuable things in it,” Brad Bowers says.

And that’s exactly what Bowers, Lead Field Chief Information Security Officer at SHI, discussed on the latest episode of Innovation Heroes. With over 20 years of security leadership experience — including work with the Federal Reserve, FBI, AT&T, and Verizon — Brad breaks down the quantum cryptography threat in terms IT leaders can actually act on.

The “harvest now, decrypt later” threat is already here

“Quantum cryptography” might sound like science fiction, but it’s a data protection reality. Brad explains that nation-states are collecting encrypted traffic at network choke points — the relatively small number of fiber routes that carry the bulk of internet traffic between continents. They’re storing everything, including intellectual property, financial transactions, military communications, and source code. The bet is simple: quantum computers powerful enough to decrypt today’s encryption are only a few years away.

“Think about all the engineering. Something like a million man hours a year of engineering and refinement and development goes into it,” Brad says. “When you take that development, you put it into documents or you put the source code for the products into files and you move those files across the network, you don’t really need a lot of network traffic to be able to get some potentially very sensitive data.”

Choke points make collection feasible. Nation-states have been able to tap these fiber routes for years. Quantum computing maturity has changed — as well as the realization that today’s “secure” data has a countdown clock attached to it.

Timeline reality: Act now, or five years from now?

Brad segments the quantum readiness timeline into three tiers. Critical infrastructure — financial institutions, telecommunications, power grids, healthcare systems, and defense contractors — are on the tip of the spear. Federal mandates require documented transition plans by June 2026, with crypto agility required by 2030. For these organizations, planning must start immediately.

“We expect that probably within the next couple of years on the far side, that the technology will mature enough for threat actors, nation-states, and others to do that decryption,” Brad predicts.

The second tier includes technology companies selling to government or critical infrastructure. They need alignment strategies even if they’re not under direct mandate. The third tier? Everyone else — from retailers to manufacturers — has roughly a five-year runway. But Brad emphasizes the real challenge isn’t urgency, it’s the time required to discover where encryption lives in your environment and plan the transition without breaking business operations.

The path forward: Discovery, planning, and crypto agility

So, what should IT leaders actually do? Brad advises a practical first step: discovery. Most organizations don’t know where they use encryption, which applications depend on it, how they manage keys, or what their cloud providers do.

“The first thing is really doing that discovery or understanding where the data is, how it’s being used, where crypto is, and how that’s being leveraged, and really the strength and susceptibility of that crypto to quantum computers,” Brad says.

From there, it’s about building a roadmap prioritized by business risk. Infrastructure vendors like Cisco, Palo Alto, and Fortinet will provide quantum-resistant updates for routers and firewalls — those will largely handle themselves. The heavy lifting is custom applications where encryption is hardcoded. That’s where “crypto agility,” the ability to swap out cryptographic algorithms without breaking systems, becomes essential.

Brad’s team at SHI helps organizations through this process with discovery assessments, lab testing to understand performance impacts of new algorithms, and transition planning. Our goal is to provide pragmatic readiness based on your organization’s unique risk profile and timeline. For critical infrastructure, that timeline is measured in months. For others, it’s years. But the planning must start now, because as Brad points out, what used to take a thousand years to decrypt could soon be done in minutes.

NEXT STEPS

Listen to the full conversation here to understand exactly where your organization falls on the quantum readiness spectrum — and what you need to do about it.

You can also find episodes of the Innovation Heroes podcast on SHI’s Resource Hub, Spotify, and other major podcast platforms, as well as on YouTube in video format.

Video + audio

Audio only