FUD
We need to replace all cryptography immediately
A measured, risk-based transition to post-quantum cryptography is appropriate. Panic-driven wholesale replacement creates more risk than it prevents.
The Claim
“Organizations need to immediately replace all their cryptography with post-quantum alternatives to avoid catastrophic security failures.”
The Verdict: FUD
While PQC migration is important, panic-driven immediate replacement is neither necessary nor advisable.
Why Immediate Replacement is FUD
- Quantum computers aren’t here yet - Cryptographically-relevant QC is years to decades away
- Rushed migrations introduce bugs - Cryptographic changes require careful testing
- PQC implementations are maturing - Early adoption carries implementation risks
- Not all systems are equally at risk - Risk-based prioritization is appropriate
What’s Actually Recommended
NIST Guidance
NIST recommends a measured approach:
- Inventory your cryptographic usage
- Identify high-priority systems
- Test in non-production environments
- Plan hybrid deployments
- Monitor industry guidance
Risk-Based Prioritization
Focus migration efforts on:
- Systems protecting long-term secrets (10+ year confidentiality)
- Systems vulnerable to HNDL attacks
- Critical infrastructure
- Systems with long deployment cycles
The Real Timeline
| Priority Level | When to Migrate |
|---|---|
| Critical (long-term secrets) | Start now |
| High (sensitive data) | Plan for 2025-2027 |
| Medium (general enterprise) | Plan for 2027-2030 |
| Low (consumer apps) | Follow platform updates |
Risks of Panic Migration
- Implementation bugs - New cryptography needs time to mature
- Performance impacts - PQC algorithms often have larger keys/signatures
- Compatibility issues - Not all systems support new algorithms
- Resource misallocation - Focus should be on highest-risk systems first
Verdict: FUD - Measure twice, cut once. A careful, prioritized approach is more effective than panic.