Erratum: You Really Must Focus On PQC Migrations
Please, please, please don't take your eye off the ball
So, I’ve discovered something interesting happens when you write a blog.
In your head, you develop a clear idea to convey to the reader. You try to capture that in 600-800 words with a catchy title. Then you publish it, and despite your best intentions, sometimes a completely different message is heard by your audience.
Of course, this is a failure on the part of the author, not the audience.
My blog last week failed catastrophically on this front. My goal was to push back on some of the over-simplistic statements I’d heard about hack-now, decrypt-later attacks. There is nuance missing from the public narrative and I was trying to trigger a discussion around it.
However, I did a terrible job of conveying that idea. And, horrifyingly, what landed for many readers was a message of “You don’t need to do a post-quantum migration any more.”
Let me be super clear: all organizations must take the quantum threat seriously and take action now. It is well-established that cryptographic migrations take a long time. Just look around at some of the migrations we’ve barely finished (MD5 anyone?). To get our systems quantum-ready is going to take a decade or more, so it must begin with urgency.
Let me also be clear that hack-now, decrypt-later attacks are a genuine threat to high-value targets. Every organization should consider this type of threat carefully and decide if they are impacted by it. If so, you must move even sooner on your migration.
I’ve deleted my previous post because it seems irresponsible to let that confusion continue. My sincere apologies for being unclear, and my deep thanks to the friend in my network who drew attention to this issue.
Well, kudos for clarifying it, Duncan. Your earlier post technically was not wrong, IF fully read and understood. But for someone who quickly screened it and mostly remembers the headline, it was misleading.
Bottom line: The transition to PQC is important, and working on it should start today as in many cases it will take several years.
Don’t panic, but don’t procrastinate either.