RSAC in focus: Quantum computing and security

While AI dominated many sessions at RSAC Conference 2025, the long-term implications of quantum computing and security also cast a significant shadow. The core concern, extensively debated in sessions and among experts, centered on the future capability of fault-tolerant quantum computers to break the encryption algorithms that currently protect vast amounts of digital information worldwide. As reported by ITPro, this isn't a distant academic exercise but a looming challenge requiring proactive measures today.

The "harvest now, decrypt later" imperative

A central theme resonating through quantum-focused discussions at RSAC 2025 was the concept of "harvest now, decrypt later" (HNDL). This refers to the practice of adversaries collecting and storing currently encrypted data with the expectation that future quantum computers will be able to decipher it. This makes the potential quantum threat an immediate concern, even if cryptographically relevant quantum computers are still several years from realization. Data with a long shelf-life – sensitive government secrets, intellectual property, personal health information, and financial records – stolen today could be decrypted tomorrow. This understanding shifts the quantum problem from a future hypothetical to a present-day data security risk demanding attention.

The primary cryptographic systems at risk are asymmetric, or public-key, algorithms like RSA and Elliptic Curve Cryptography (ECC), which underpin secure web communications, digital signatures, and much of the internet's trust infrastructure. While symmetric encryption is also susceptible, it’s generally considered more resilient to quantum cracking, often requiring larger key sizes for continued protection.

Navigating to a quantum-resistant future: post-quantum cryptography

The primary pathway to a quantum-resistant future, as emphasized throughout RSAC Conference 2025, is the adoption of Post-Quantum Cryptography (PQC). PQC involves the development and deployment of new cryptographic algorithms that are designed to be secure against intrusions originating from classical or quantum computers. The National Institute of Standards and Technology (NIST) in the US is playing a pivotal role in this transition, currently in the final stages of standardizing a suite of PQC algorithms. Organizations were strongly advised at the conference to closely monitor NIST's progress and prepare to align with these forthcoming standards.

The migration to PQC is anticipated to be a complex and resource-intensive undertaking, significantly more involved than previous cryptographic transitions. It will require careful planning, thorough testing, and a deep understanding of where and how cryptography is currently used within an organization.

Organizational preparedness: the time to act is now

Organizations were urged to approach preparation methodically rather than with panic. The first essential step is creating a comprehensive cryptographic inventory to identify all instances of cryptography deployed across applications, systems, hardware, and data stores. This process helps organizations understand what requires protection and the algorithms currently in use.

Following this, strategic planning becomes vital. Organizations need to develop detailed roadmaps for migrating to Post-Quantum Cryptography, taking into account the lifecycles of their data and prioritizing the safeguarding of the most sensitive and long-lived information. Testing and experimentation with candidate PQC algorithms in controlled, non-production environments is another important step. This enables organizations to evaluate performance characteristics and integration challenges, ensuring smoother transitions when new standards are adopted.

Additionally, fostering crypto-agility is recommended. Designing systems and protocols to be adaptable enables organizations to update cryptographic algorithms efficiently as vulnerabilities emerge or standards evolve.

Although the timeline for the arrival of quantum computers capable of breaking current encryption remains uncertain, the consensus at RSAC 2025 underscored the urgency of addressing the "harvest now, decrypt later" threat. Immediate planning and preparation for the post-quantum era are critical steps toward safeguarding the future integrity of digital systems.