Insider Brief
- Panelists at the Vanderbilt Quantum Forum said the primary cybersecurity risk from quantum computing is already underway, driven by the “harvest now, decrypt later” strategy targeting sensitive data today.
- Experts emphasized that organizations must begin migrating to post-quantum cryptography despite challenges posed by legacy systems and the complexity of maintaining operations during the transition.
- The discussion highlighted growing risks tied to expanded quantum access, emerging threat models, and the need for workforce readiness and cross-sector collaboration to secure infrastructure before large-scale quantum capabilities arrive.
- Image: Joe Howell, Vanderbilt University
The most important shift in cybersecurity is not about a future breakthrough. It is about something that may have already happened.
The data is already being harvested.
At the Vanderbilt Quantum Forum, a panel on The Year of Quantum Security (YQS2026) focused less on distant timelines and more on a present reality: information moving through today’s systems may already be in the hands of adversaries, stored and waiting to be unlocked.
Moderated by Doug Adams, Executive Director of the Institute of National Security at Vanderbilt University, the discussion began with a familiar question. If quantum computers capable of breaking modern encryption are not yet widely available, why act now?
Adams answered plainly. Modern infrastructure—energy, finance, healthcare, communications—depends on encrypted data. That encryption still holds, but only for now. Adversaries are not waiting for quantum capability to arrive before acting. “They’re capturing the data and they’re waiting,” he said. “They’re very patient.”
The strategy is known as harvest now, decrypt later. Sensitive data is intercepted today with the expectation that future quantum systems will be able to decode it. For long-lived data—government records, industrial systems, healthcare information—that shifts the risk into the present.
For Jeremy Lawrence, Principal Technical Leader for Cyber Security at the Electric Power Research Institute (EPRI), the implications are immediate. “We know we have to migrate to postquantum cryptography,” he said. The challenge is not deciding to act, but how to do it.
Critical infrastructure is layered with legacy systems, many never designed for modern cybersecurity, let alone quantum resilience. Replacing them is not simple. As Lawrence put it, the real question is what that “in-between phase” looks like—and how organizations accelerate without disrupting operations.
Mohamed Shaban, a Research Assistant Professor at Tennessee Technological University, reinforced that the risk is already underway. “The risk is not a future facing,” he said. “It start to happening now.”
His concern extends beyond encryption alone. While post-quantum cryptography is essential, it remains rooted in classical assumptions. Over time, he suggested, more fundamental approaches may be needed, including quantum-native security. At the same time, quantum systems will introduce new vulnerabilities. He pointed to emerging threats like “malicious entanglement,” noting that many risks will only become clear as systems are deployed.
From the industry side, Corey McClelland, Senior Director of Quantum Networking at IonQ, framed the issue around access. The future of quantum, he suggested, is less about devices and more about availability. As access expands through networks and cloud-like infrastructure, the barrier to advanced computation falls.
That shift matters. As quantum capability becomes more accessible, the ability to act on previously harvested data may spread as well, reshaping the threat landscape.
Still, the panel focused on what can be done now. McClelland pointed to the importance of aligning with post-quantum standards and preparing the workforce to understand what is coming. Awareness, he emphasized, cannot be limited to specialists.
Lawrence underscored a related point: many cyberattacks still begin with people. “The human layer is important,” he said, describing it as one of the most critical lines of defense. Quantum does not replace basic cybersecurity practices. It raises the stakes for getting them right.
The discussion ultimately returned to collaboration. Universities, industry, and government each play a role in the transition. Shaban highlighted shared testbeds to validate quantum-secure systems in real environments. McClelland emphasized workforce development. Lawrence pointed to the need for continuous exchange between research and application.
What emerged was a clearer sense of timing. The Year of Quantum Security is not about a distant turning point. It reflects a shift already in motion.
By the time quantum systems reach full maturity, much of the data they could unlock will already exist—and in some cases, already be in the wrong hands.
That is what gives this moment its urgency. Not the arrival of quantum computing, but the realization that the groundwork for its impact has already been laid.
