"The question is not ‘when does Q-day arrive?’," Rik Ferguson told the Infosecurity Europe audience on June 3. "It’s ‘will we be ready when that moment comes? Will we at least have started the journey?’"
Rik Ferguson’s warning at Infosecurity Europe
Rik Ferguson, vice-president of security intelligence at Forescout, used his Infosecurity Europe presentation to press a single point: organizations must accelerate plans to transition to post-quantum cryptography (PQC) now. Ferguson highlighted the current pace of adoption and the asymmetric risk posed by encrypted data being collected today for decryption later. He argued that preparatory steps — inventorying, procurement changes and building crypto-agility — should not be deferred.
Current adoption: 8% of SSH servers and mixed business priorities
Ferguson cited a concrete metric to underline the gap between rhetoric and readiness: just 8% of SSH servers worldwide currently support PQC, a figure that increased by only two percentage points in the past year. Complementing that technical snapshot, recent research from EY found a broader perception gap in business leadership: 87% of business leaders expect quantum computing to disrupt their industry by 2030, yet only 35% have made quantum a strategic priority for the next five years and 59% believe quantum is unlikely to be mature enough before 2030.
Harvest-now-decrypt-later: intelligence collection and historical programs
From a security perspective, Ferguson warned, the countdown to cryptographically relevant quantum computers has already begun. He noted that the NSA was warning of harvest-now-decrypt-later (HNDL) attacks as far back as 2021. Citing the Snowden leaks, Ferguson pointed to the Muscular and Tempora programs — described in his remarks as highly classified joint surveillance programs in the UK and US — as evidence that states have been collecting large volumes of encrypted data with a view to decrypting it later. He also said previous incidents of massive redirection of internet traffic through China show Beijing is likely conducting similar collection, and that Salt Typhoon's ongoing efforts may also involve stealing encrypted data to decrypt at a later date. "Some of the things that cause the biggest problems are the things that you don’t hear or can’t see coming," Ferguson said, adding that although HNDL schemes haven't been confirmed in every instance, the "capability is documented and real."
G7 roadmap timing and IBM Starling’s projected schedule
Ferguson referenced a G7 Cyber Expert Group roadmap published in January that echoes the need to prepare, but he stressed a mismatch in timelines. The roadmap lays out phases — strategy, inventory, planning, migration, testing and monitoring — and places the planning phase in 2028–29. Ferguson noted that this timeframe aligns roughly with IBM's promise to have its Starling fault-tolerant quantum computer up and running, implying that deferring planning until the late 2020s could be dangerously close to the arrival of cryptographically relevant machines.
What this means for technologists, procurement leaders, and policymakers
- Technologists and security teams: Ferguson urged immediate, continuous inventory of assets that use encryption — determining what is on the network, what it runs and whether those assets can support PQC. He called for evolving from periodic scans to a continuous, real-time approach to visibility.
- Procurement leaders and enterprises: Ferguson recommended injecting cybersecurity and quantum-readiness checks into procurement processes so every purchase is evaluated for PQC compatibility. He framed this as a passive, scalable lever to shift vendor choices without creating a separate program.
- Policymakers and regulators: The G7 roadmap was cited as an endorsement of early action, but the roadmap’s placement of planning in 2028–29 suggests regulators and policy groups will need to consider whether that schedule aligns with evolving technical and threat realities.
Three operational steps and a practical caveat
Ferguson spelled out three practical actions organizations should prioritize: inventory encryption-using assets continuously; incorporate quantum-readiness into procurement; and build crypto-agility capability. He offered a concrete example of the latter: upgrading to TLS 1.3, which supports PQC mechanisms, not as an immediate cipher change but as a framework to enable future swaps. "It doesn’t mean you need to change the ciphers right now," he said. "It means you need to build the framework to have that ability in future."
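As an added illustration of the inventory step and the SSH adoption figure above (not from Ferguson's talk or the original story), the Python example below parses the cleartext SSH KEXINIT packet a server sends before encryption starts and reports which hosts advertise a hybrid post-quantum key exchange. The captured packets, the 192.0.2.x hosts and the helper names are constructed for the example; the PQC method names are the ones OpenSSH uses.

```python
import struct

SSH_MSG_KEXINIT = 20
# Hybrid post-quantum key-exchange method names used by OpenSSH.
PQC_KEX = {"sntrup761x25519-sha512@openssh.com", "sntrup761x25519-sha512",
           "mlkem768x25519-sha256"}

def parse_kex_algorithms(packet: bytes) -> list[str]:
    """Extract the kex_algorithms name-list from a cleartext KEXINIT packet (RFC 4253)."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    if padding_length + 1 > packet_length or len(packet) < 4 + packet_length:
        raise ValueError("inconsistent packet lengths")
    payload = packet[5:4 + packet_length - padding_length]
    # Payload: message type (1 byte), cookie (16 bytes), then the first name-list.
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    (n,) = struct.unpack(">I", payload[17:21])
    if 21 + n > len(payload):
        raise ValueError("name-list overruns payload")
    names = payload[21:21 + n].decode("ascii")
    return names.split(",") if names else []

def inventory(captures: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each host to the PQC key exchanges it advertises (empty list: classical only)."""
    return {host: [k for k in parse_kex_algorithms(pkt) if k in PQC_KEX]
            for host, pkt in captures.items()}

def pqc_share(report: dict[str, list[str]]) -> float:
    """Fraction of inventoried hosts that offer at least one PQC key exchange."""
    return sum(1 for offered in report.values() if offered) / len(report)

def build_kexinit(kex: list[str]) -> bytes:
    """Constructed sample data: a KEXINIT packet with only kex_algorithms filled in."""
    def name_list(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16) + name_list(kex)
    payload += name_list([]) * 9 + b"\x00" + struct.pack(">I", 0)
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0  # RFC 4253 requires at least 4 bytes of padding
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

# Constructed captures keyed by documentation-range (TEST-NET-1) addresses.
SAMPLES = {
    "192.0.2.10": build_kexinit(["mlkem768x25519-sha256",
                                 "sntrup761x25519-sha512@openssh.com", "curve25519-sha256"]),
    "192.0.2.11": build_kexinit(["curve25519-sha256", "ecdh-sha2-nistp256"]),
    "192.0.2.12": build_kexinit(["diffie-hellman-group14-sha1"]),
    "192.0.2.13": build_kexinit(["curve25519-sha256", "sntrup761x25519-sha512@openssh.com"]),
}
```

On a live network the same packet follows the server's identification line and is sent before any authentication, so it can be read passively from traffic the organization already captures.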
Ferguson’s message is spare and stark: some encrypted records are already being collected for future decryption, adoption of PQC remains low in critical protocols, and multiyear roadmaps may put planning dangerously close to the era when fault-tolerant quantum machines become operational. The concrete choices he prescribes — inventory, procurement checks, crypto-agility — are practical, measurable steps organizations can take now to avoid being overtaken by events.
Original story: https://www.infosecurity-magazine.com/news/raise-security-procurement-quantum/




