top of page

PQC Discovery Does Not Start With Infrastructure. It Starts With Data.

  • Writer: Brian Couzens
    Brian Couzens
  • Jun 19
  • 12 min read

Last week I challenged a post that framed PQC discovery as a choice between infrastructure and code. The responses confirmed what I already suspected. The industry is still anchoring discovery to observation methods rather than exposure analysis. That is backwards, and it is why most discovery programmes either stall or produce inventory without insight.


Cryptographic discovery is a risk discipline. It is not an asset count. The question is not where your cryptography is. It is what your cryptography is protecting, how long that protection needs to hold, what the consequence of failure looks like, and who is motivated to exploit it. That is a data question. And it demands a data framework.


There are three universally recognised data states that define how information exists within any system at any given moment: data at rest, data in motion and data in use. Each carries fundamentally different PQC risk depending on the sector, the threat model and the regulatory environment. Understanding these three states, and how cryptographic exposure differs across them, is the foundation of any credible PQC prioritisation model.


But before walking through them, there is a concept that underpins the entire framework and is routinely misunderstood.



Long Lived Data: The Concept That Changes Everything

Long lived data is not old data. It is any data whose confidentiality, integrity or regulatory protection requirement outlasts the expected lifespan of the cryptographic algorithm protecting it. This is not about file age. It is about obligation duration versus algorithm durability.


A mortgage file originated today and encrypted with RSA-2048 carries a retention obligation of twenty five to thirty years in most jurisdictions. If a cryptographically relevant quantum computer arrives within that window, the protection fails while the obligation still stands. That is long lived data. The encryption was adequate at the point of creation. It will not be adequate for the duration of the requirement.


This is precisely the mechanism behind harvest now, decrypt later. Adversaries do not need to break encryption today. They need to collect encrypted data today and wait. The data does not expire. The cryptography does. Every year of delay in migration extends the window of exposure for every long lived record in the estate.


Long lived data is not confined to archives. It includes pension records, genomic data, sovereign intelligence, land registries, treaty instruments, and any data set where the protection requirement is measured in decades. If the obligation outlives the algorithm, the data is long lived. That single test drives the entire prioritisation model and it applies across all three data states.



Part One: The Three Data States and Their Cryptographic Exposure


Data at Rest: The Long Fuse

What it is

Data at rest is information stored in persistent systems and not actively being transmitted or processed. Databases, file servers, backup tapes, cloud storage, archives, document management systems. If it is written to disk and sitting there, it is at rest.


Why it matters for PQC

Data at rest is the primary HNDL exposure surface and the place where long lived data concentrates. Every encrypted record sitting in storage today is a potential future decryption target. The threat is not real time interception. It is patient collection followed by future exploitation.


Sector exposure

Financial services: Regulatory retention requirements create long lived data by mandate. Under the EU’s MiFID II, transaction records must be retained for a minimum of five years, with some member states extending this to seven. In the UK, FCA rules impose similar obligations. In Singapore, MAS Notice 637 and associated guidelines require retention of credit risk and capital adequacy records across reporting cycles spanning years. In the Middle East, the DFSA and ADGM frameworks carry comparable requirements for regulated firms. Pension records, mortgage files and long duration instruments span decades regardless of jurisdiction. An adversary harvesting this data today has the full retention window to wait for decryption capability.


Healthcare: Protection requirements are driven by the nature of the data, not just the regulation. Under the EU’s GDPR, health data is a special category with heightened protection obligations and no fixed retention ceiling tied to patient lifetime. In Japan, the APPI applies similar protections to sensitive personal information including medical records. In India, the DPDP Act 2023 classifies health data as sensitive and imposes purpose limitation and storage constraints. Genomic data is permanent by definition regardless of jurisdiction. A breach of genomic data is not remediable. You cannot reissue a genome.


Government and intelligence: Classified material routinely carries protection requirements of twenty five to fifty years across NATO member states, Five Eyes nations and beyond. France’s ANSSI, Germany’s BSI and the UK’s NCSC all publish guidance on long term protection of sovereign information. Agencies that have not already begun migrating long lived archives to post-quantum algorithms are accumulating risk that compounds silently with every year of inaction.


The forensic point: Data at rest is where time works against you. Prioritisation is driven by retention obligation, data sensitivity, adversary interest and the gap between algorithm lifespan and protection requirement. If the algorithm expires before the obligation does, you are already exposed. This applies in London, Singapore, Riyadh and Tokyo with equal force.



Data in Motion: The Live Wire

What it is

Data in motion is information actively being transmitted between systems, devices, users or networks. API calls, TLS sessions, VPN tunnels, messaging protocols, file transfers, payment authorisations. If it is traversing a wire, a radio link or a network boundary, it is in motion.


Why it matters for PQC

The exposure window for data in motion is shorter than data at rest, but the attack surface is broader and the consequences of failure are immediate. Compromise of data in transit is not a future risk. It is a real time event with real time impact.


Sector exposure

Payments: Every transaction authenticated using classical cryptography is exposed at the point of transit. SWIFT messaging operates across more than 200 countries. Card scheme authorisation flows under Visa and Mastercard traverse multiple jurisdictional boundaries in a single transaction. Real time gross settlement systems, from the Bank of England’s RTGS to the ECB’s TARGET2 to India’s RTGS operated by the RBI, all depend on cryptographic protocols that are not yet quantum resistant. A compromise of any major settlement system does not produce a localised incident. It produces systemic disruption across interconnected global financial infrastructure.


Telecommunications: Signalling protocols, session keys and subscriber authentication traverse networks observable by state level adversaries across every continent. 5G authentication frameworks, standardised globally through 3GPP, still rely on classical key agreement. The exposure is architectural and it scales with every subscriber on every network. ETSI’s work on quantum-safe cryptography for telecoms acknowledges this exposure but the deployment gap remains substantial.


Critical national infrastructure: SCADA and ICS environments transmit operational commands over protocols with minimal cryptographic protection. This applies to energy grids in Europe, water treatment in Southeast Asia, oil and gas operations in the Gulf states, and transport infrastructure globally. A quantum capable adversary with access to the communications layer does not need to decrypt stored data. They need to intercept or manipulate a single command in transit. One compromised instruction to a water treatment facility or power grid is not a data breach. It is a safety event. Geography does not change the physics of this exposure.


The forensic point: Data in motion risk is defined by protocol exposure, transit path and consequence of interception. The modernisation priority is driven by the value of what moves, not the volume. Cross-border data flows amplify this risk because a single transaction may traverse multiple regulatory jurisdictions, each with different cryptographic expectations and none yet mandating PQC.



Data in Use: The Decision Point

What it is

Data in use is information actively being processed, computed against or held in memory in a decrypted state. Application runtime, database queries, analytics processing, real time decision engines, confidential computing enclaves. If it is decrypted and being acted upon, it is in use.


Why it matters for PQC

Data in use is the least discussed data state and in some operational contexts the most consequential. When data is in use, it is exposed in its plaintext form. The cryptographic risk here is not about confidentiality alone. It is about integrity. If the data being processed has been manipulated, the decisions derived from it are compromised.


Sector exposure

Defence: This is the command and control layer. Targeting data, mission planning, real time intelligence feeds and fire control systems. NATO member states, Five Eyes partners and allied nations across the Indo-Pacific all face the same fundamental exposure. The cryptographic integrity of data in use determines whether the right decision is made at the right time. Compromise here is not a confidentiality breach. It is an integrity failure with kinetic consequences. This is why defence establishments from the US DoD to the UK MOD to the Australian Signals Directorate prioritise data in use above all other states. When you are making operational decisions, historical records are irrelevant. What matters is the integrity of the data in front of you at the point of action.


Autonomous systems and AI: Model inference depends on data integrity at the point of computation. This applies equally to autonomous vehicle testing in Germany, surgical robotics deployed in South Korea and Japan, and AI-driven financial modelling in London and Hong Kong. If training data or real time sensor inputs are manipulated through cryptographic compromise, the outputs are poisoned. In safety critical applications, this is not a theoretical risk. It is a direct path to physical harm regardless of where the system operates.


Cloud and multi-tenant environments: Data in use exposure is architectural and jurisdictionally complex. Confidential computing enclaves and trusted execution environments depend on cryptographic boundaries that are not yet quantum resistant. Major cloud providers operate across dozens of regions globally. The assumption that data is protected during processing rests on classical guarantees with an expiry date. For organisations subject to data sovereignty requirements under GDPR, India’s DPDP Act, China’s PIPL or the UAE’s PDPL, the question of where data is processed and what protects it during processing is not just a security concern. It is a compliance exposure.


The forensic point: Data in use risk is about integrity and decision trust, not just confidentiality. It is sector specific, consequence driven, and in some operational contexts it is the only data state that matters. Jurisdictional boundaries do not change the exposure. They add regulatory complexity on top of it.



Part Two: From Data States to Operational Domains

The three data states tell you what to protect first. But data does not protect itself. Delivering PQC readiness across those three states requires operational capability across a wider set of domains. This is where the Quantum Governance Compass applies.


The compass maps eight interdependent domains, each representing an operational boundary that must be quantum ready for the migration to hold. The three data states sit within this model. The remaining five domains are the infrastructure, governance and supply chain capabilities that make the migration real.


Article content

The Quantum Governance Compass: Mapping Trust Across the 8 Domains



Identity and Signing: The Trust Root

Hybrid PKI. Firmware chain signing. Device lifecycle.


This is the trust anchor for the entire ecosystem. Every certificate, every signed firmware update, every device identity assertion depends on the integrity of the signing infrastructure. If your certificate authority is issuing certificates signed with classical algorithms, every entity in your PKI hierarchy is carrying an expiry date that has nothing to do with the certificate validity period.


Hybrid PKI, running classical and post-quantum signatures in parallel, is the transitional mechanism endorsed by NIST, ANSSI, BSI and the NCSC. But hybrid is not the destination. It is the bridge. The critical dependency is that signing infrastructure must migrate before the entities that rely on it. If the root is not quantum resistant, nothing downstream can be.


Firmware chain signing carries the same logic globally. Whether you are deploying IoT devices across European smart grids, medical devices in Japanese hospitals or industrial controllers in Gulf state refineries, every device that accepts a firmware update authenticated by a classical signature is one compromised signing key away from running hostile code. Device lifecycle management, from provisioning through decommissioning, must account for the cryptographic validity of every assertion made about that device across its operational life.



Governance and Lifecycle: The Control Plane

Entropy. Algorithm policy. Runtime telemetry.


This is the operational control layer that determines whether your cryptographic estate is governed or merely deployed. Algorithm policy defines what is permitted, where, and under what conditions. Without it, teams make local decisions that create global exposure. This is particularly acute in multinational organisations where different subsidiaries may be subject to different national cryptographic requirements. ANSSI, BSI, the NCSC and NIST do not always align on algorithm preferences or transition timelines. A coherent algorithm policy must account for these variances without creating lowest common denominator security.


Runtime telemetry is the feedback mechanism. It tells you whether what is actually running in production matches what the policy permits. Without telemetry, policy is aspiration. With it, policy is enforceable.


Entropy is rightly positioned here because it is a governance problem, not just a technical one. If your random number generation is weak, deterministic or insufficiently seeded, the algorithm strength is irrelevant. A perfectly implemented ML-KEM instantiation with poor entropy is a perfectly implemented failure. Entropy quality must be assured, monitored and governed as a first class cryptographic dependency. The source and quality of entropy is under active scrutiny from standards bodies globally, including work by NIST, BSI and CCCS in Canada.



Hardware Roots: The Physical Trust Boundary

PQC modules. Validated firmware. Silicon provenance.


This is where cryptography meets physics. HSMs, TPMs and secure elements are the physical enforcement points for key protection, algorithm execution and trust anchoring. If these hardware components do not support PQC algorithms natively, you are building your migration on a foundation with a known expiry date. Major HSM vendors are at varying stages of PQC readiness. Validation programmes under FIPS 140-3 and Common Criteria are in progress but not yet complete across all PQC algorithms.


Validated firmware ensures that the code running inside those hardware modules is what it claims to be. Without validation, a compromised firmware update can subvert the entire cryptographic chain from the inside.


Silicon provenance is the most upstream dependency in the entire model. If you cannot verify the origin and integrity of the silicon itself, no amount of software or firmware validation can compensate. A backdoored chip is pre-cryptographic. No algorithm protects against a compromised substrate. This is not theoretical. Supply chain interdiction at the silicon level is a documented capability of state level adversaries. The concentration of advanced semiconductor fabrication in a small number of geographies makes this a geopolitical dependency as much as a technical one.



Supply-Chain Integrity: The Build Pipeline

Reproducible builds. Signed artefacts. Provenance chain.


If you cannot verify the provenance of every cryptographic dependency in your build pipeline, you do not know what algorithms are actually running in production. This domain maps directly to SBOM requirements under the US Executive Order on Improving the Nation’s Cybersecurity, the EU Cyber Resilience Act, and emerging CBOM frameworks that extend the same logic to cryptographic components specifically.


Reproducible builds are the verification mechanism. If two independent builds from the same source produce identical outputs, you have evidence that the build has not been tampered with. Without reproducibility, you are trusting your toolchain implicitly.


Signed artefacts ensure that every component, from compiled library to deployed container, carries a verifiable assertion of origin. Provenance chain extends that assertion backwards through every stage of the build and delivery process. If any link in that chain is unsigned or unverifiable, the integrity of the deployed system is an assumption, not a fact. For organisations operating across multiple jurisdictions with different supply chain security expectations, this is not optional. It is the baseline for demonstrating due diligence.



Operational Resilience: The Response Layer

Re-encryption. Revocation. Crypto telemetry.


This is the domain that determines whether your organisation can respond when something breaks. And something will break. Algorithms will be deprecated. Implementations will be found vulnerable. Keys will be compromised. The question is whether you can act at scale and at speed.


Re-encryption capability means being able to migrate encrypted data from one algorithm to another across the estate without operational disruption. This is not a one-time migration event. It is a recurring operational requirement. Crypto-agility is not a feature. It is an operational capability that must be designed, tested and exercised.


Revocation is the ability to invalidate compromised keys and certificates across the entire trust hierarchy. If your revocation infrastructure cannot handle mass revocation events, a single compromised root key becomes an estate-wide crisis with no fast remediation path. For global organisations operating PKI hierarchies that span multiple regions and regulatory jurisdictions, revocation capability must be tested against realistic failure scenarios, not just documented in a policy.


Crypto telemetry provides continuous visibility into the cryptographic health of the estate. What algorithms are deployed. What key lengths are in use. What is compliant. What is drifting. Without telemetry, you are governing by assumption. With it, you have an auditable, real time view of your cryptographic posture across every geography you operate in.



The Governance Anchor

At the centre of the compass sits the Governance Anchor: Integrity, Lifecycle, Oversight.


This is not a ninth domain. It is the binding principle that holds the other eight together. Without centralised governance, the eight domains become eight siloed workstreams with no coordination, no shared prioritisation and no mechanism for resolving conflicts between them.


Integrity means that every cryptographic assertion in the ecosystem is verifiable. Lifecycle means that every cryptographic component is tracked from deployment through deprecation. Oversight means that someone is accountable for the whole, not just the parts.


For multinational organisations, this governance layer must reconcile divergent national requirements. NIST timelines, ANSSI algorithm preferences, BSI certification expectations, NCSC hybrid deployment guidance and emerging mandates from regulators in Asia-Pacific and the Middle East do not always align. The governance anchor is where those conflicts are resolved, not in individual domain workstreams.



Conclusion: The Full Picture

The three data states tell you what to protect first. The eight domains tell you what must move to deliver that protection. The governance anchor ensures the migration is coordinated, measurable and accountable.


PQC discovery that starts with infrastructure or code has already skipped the question that matters. Start with the data. Understand the exposure. Map the domains. Govern the transition.


The question was never where to start. The question is what matters.

 
 
 

Recent Posts

See All

Comments


bottom of page