Quantum computing is rapidly reshaping the security assumptions that have guided digital infrastructure for decades. The shift to post-quantum cryptography is no longer a distant milestone on global roadmaps; it has become an urgent, multi-year undertaking that many organisations still underestimate.
QuantumGate CTO Janne Hirvimies spoke to Sandhya D’Mello, Technology Editor, CPI Media Group, about the industry’s readiness and emphasised that the threat has already started, driven by “Harvest Now, Decrypt Later” tactics where adversaries quietly intercept encrypted data today with the intention of unlocking it once quantum capabilities mature.
Hirvimies highlights the UAE’s early national stance on quantum resilience, while underscoring the sheer complexity of replacing cryptographic foundations embedded across applications, devices, protocols, and critical infrastructure. For leaders, he argues, the challenge is not only technical but cultural — requiring crypto agility, long-term planning, and collaboration across hardware ecosystems, cloud platforms, regulators, and service operators.
You’ve often spoken about the illusion of time in cybersecurity transformation. Why do you believe the timelines many organisations set for quantum migration are dangerously optimistic?
Many organisations take comfort in dates like 2030 or 2035 that appear in global post-quantum roadmaps. The set timelines often create the impression that there is still room to wait and that the risk is far away. The threat, however, does not begin when quantum computers become fully capable. It begins the moment attackers start harvesting encrypted data with the intention of decrypting it in the future. That is already happening today, which means time is not on our side.
Another misconception is how long migration takes. Moving to post-quantum cryptography is a multi-year transformation that affects applications, devices, protocols, and long-lived data. Even the first step, which is identifying where cryptography is used across an environment, can take six to eight months in a large organisation. During crypto discovery, we often uncover what teams describe as “shadow cryptography” — keys, certificates, and embedded mechanisms organisations did not know existed. This hidden complexity is what turns long timelines into urgent ones.
The UAE recognised this early and through the UAE Cybersecurity Council (CSC) the country set a clear path for quantum readiness and highlighted the importance of sovereign, in-country cryptographic capabilities. Protecting long-lasting national data depends on keeping algorithms, libraries, and key management under national oversight and aligned with the country’s cybersecurity strategy. The real illusion of time is not only the calendar date. It is the assumption that change can happen quickly.
Many organisations still treat post-quantum readiness as a future concern. How would you convince leaders that the “Harvest Now, Decrypt Later” threat is already real and needs immediate attention?
The most effective way to show leaders that this threat is real is to focus on the data itself. Encrypted information that needs long-term protection is already exposed. Government records, healthcare files, financial histories, intellectual property and research data often require confidentiality that lasts for many years. Once any of this information is intercepted and stored by an adversary, it remains vulnerable until quantum computers can break the public key algorithms that protect it, such as RSA and ECC.
Data stays vulnerable for as long as it relies on today’s public key encryption standards. If confidential information is being shared or transmitted, there is a real risk it can be harvested. Once this happens, control over that data is lost, and an adversary can simply wait until quantum computers allow them to decrypt it.
This is the reality behind Harvest Now Decrypt Later. Attackers do not need quantum computers today; they only need access to the data, for instance, while it is moving across networks or through compromised infrastructure. The moment it is collected, the exposure begins.
From your two decades in hardware-based mobile security, how do you see the evolution of cryptographic systems that are now deeply embedded across devices — and why does that make migration so complex?
For nearly fifty years, the cryptography we rely on has remained stable. The same public key foundations became the basis for authentication, secure access, and digital transactions. Updates happened over time, such as increasing key lengths or retiring from individual algorithms, but they were gradual. The overall trust model remained unchanged.
Because of this long period of stability, public key cryptography is built into every layer of modern infrastructure and into the mechanisms that secure how systems operate. It underpins how devices exchange data, how certificates function, and how digital trust is established across mobile, cloud, IoT and industrial environments. This model has served as the bedrock of security for decades.
The challenge now is that the entire foundation of public key cryptography needs to change. Post-quantum algorithms introduce new ways of establishing keys and creating signatures, and this affects every system that relies on the existing PKI model. Since the same approach has been adopted everywhere for forty years, the migration is complex. We are updating the base layer that everything else depends on.
What are the biggest misconceptions enterprises hold about the speed at which they can transition to quantum-safe systems?
One major misconception is the idea that moving to quantum-safe systems is like a routine software update. The change goes much deeper. It affects software libraries, communication protocols, embedded code, and often the hard-coded algorithms inside legacy hardware. Many of these components were never designed for rapid replacement.
Another misconception is the belief that organisations can wait for mandates or off-the-shelf solutions before acting. When everyone begins at the same time, pressure builds across the entire ecosystem. Suppliers become overwhelmed, costs rise, and there is little space for careful testing or phased rollout. Starting early is what prevents that bottleneck.
There is also the assumption that migration fits into a short project window. In practice, this work spans years. Before any upgrade can happen, organisations need a full picture of where cryptography sits across their environment, which can take many months. Only then can they prioritise, test, integrate, and gradually cut over to new quantum safe mechanisms. Fault-tolerant quantum computers are still in development, but progress is accelerating, and the timelines are tightening.
QuantumGate positions itself at the frontier of secure communication and applied cryptography. What role do secure hardware platforms and key-management innovation play in accelerating quantum migration?
Secure hardware and key management are both important in quantum safe migration, but neither is a one-size-fits-all approach. Each addresses different parts of the problem. Hardware anchored keys provide strong assurance for high value assets, yet they also come with cost, operational complexity and long replacement cycles. If a migration depends only on hardware, these factors can slow progress across the wider environment.
This is where key-management innovation becomes essential. Post-quantum migration increases the number and types of keys organisations must handle, and in many cases quantum-safe keys can be deployed directly to devices like mobile phones, providing strong security without the expense of dedicated hardware.
Sovereign capability also matters for leaders responsible for national or critical infrastructure. In the UAE, the Technology Innovation Institute’s (TII) cryptographic libraries provide an in-country, certified foundation that integrates with both secure hardware platforms and large-scale key management systems. This gives organisations a clear path that matches national requirements.
In practice, secure hardware and modern key management work best together. The right combination supports quantum safe adoption in a way that is practical, secure, and aligned with the realities of each environment.
You’ve led security architecture development across global chipset and mobile ecosystems. How can industry-wide collaboration shorten the pilot-to-production cycle for quantum-resistant solutions?
Industry-wide collaboration is not just helpful for quantum migration, but essential. Cryptographic systems only work when they are interoperable, meaning devices, platforms, certificate authorities, and communication protocols must support the new algorithms in a consistent way. If one layer lags, the entire chain slows.
Standards bodies such as NIST and ETSI define the algorithms, but real progress happens when hardware makers, cloud providers, software developers, regulators and service operators test and validate these changes together. Shared pilots reveal performance characteristics, integration issues, and interoperability gaps early, which prevents costly rework later. Collaboration does more than shorten timelines. It makes the transition possible.
Beyond technology, what cultural or organisational inertia prevents decision-makers from acting faster on quantum resilience — and how can this mindset be shifted?
Many decision-makers still assume they have time or believe the threat is too distant to compete with more immediate priorities. This creates a kind of scope blindness. When leaders underestimate how deeply cryptography is woven into their infrastructure, they plan a small fix instead of recognising the scale of the modernisation required.
Another challenge is the perception that cryptography is stable and slow-moving. That was true for decades, but the field is evolving quickly. Algorithms, standards, and best practices are shifting faster than before, which means organisations need crypto agility, the ability to adopt new algorithms and key-management approaches as they emerge. Post-quantum migration should be viewed not only as a security requirement but also as an opportunity to replace deprecated cryptographic assets.
Shifting this mindset is largely an educational effort. This is why we place so much emphasis on awareness and guided planning. Once leaders understand that their cryptographic foundations and key-management systems are long-term assets that must remain adaptable, the conversation changes. It moves from “Do we need to do this now?” to “How do we build the agility to stay ahead as the standards evolve?”
Looking ahead to 2030, do you think we’ll view this decade as the period when industry leaders responded wisely to the quantum threat, or as the time we lost to the comfort of the calendar?
It is still a choice. We already have enough clarity to act. The leading post-quantum algorithms have been selected, migration guidance is maturing, and hybrid paths allow organisations to move safely as the ecosystem evolves. Many countries are beginning to set expectations, and the UAE has been among the first to place post-quantum resilience on the national agenda through the Cyber Security Council. That direction signals where the world is heading, and those who begin early will navigate the transition more smoothly. The organisations that use this decade well will treat PQC as a chance to strengthen their foundations. They will protect long-lived data, replace deprecated cryptography, modernise key-management, and build the crypto agility needed to adopt new algorithms as standards continue to develop. Those who start discovery now, pilot next, and move into hybrid deployments after that will look back on the 2020s as the period they prepared with intention rather than urgency. Those who wait will still do the same work, but under pressure.
Image Credit: QuantumGate
