
The Post-Quantum Cryptography Crisis: Why 2026 Will Be a Reckoning

  • Writer: ctsmithiii
  • Aug 14

91.4% of top websites lack post-quantum cryptography support, while quantum computers threaten current encryption. The tech debt reckoning is coming.


A cryptographic crisis is quietly building that could make the Y2K transition look like a minor inconvenience. While organizations remain fixated on AI implementation, post-quantum cryptography (PQC) represents a looming threat that will force a massive tech debt reckoning by 2026.


The Sobering Statistics

Chuck Herrin, Field CTO at F5, has spent the past year witnessing enterprise unpreparedness firsthand. His company's research reveals that 91.4% of the top one million websites don't support PQC, with adoption remaining devastatingly low across critical sectors: banking (2.9%), healthcare (8.5%), and government (7.1%).

"If you've got data that you need to keep safe and confidential for 50, 60, 70 years, you need to be on this now," Herrin warned. "The day that a cryptographically relevant quantum computer hits the scene, you must consider data that was previously encrypted as compromised."


The "Harvest Now, Decrypt Later" Reality

The quantum threat isn't theoretical; it's already happening. Nation-state actors are collecting encrypted data today, banking on future quantum computers to decrypt it. This means any data requiring long-term confidentiality—intellectual property, healthcare records, financial information—is already at risk.


"Salt Typhoon demonstrates this perfectly," Herrin noted, referring to recent reports of telecommunications data being systematically collected by foreign adversaries. "All telcos, all data getting siphoned off."


The Competing Priority Problem

Despite the urgency, financial institutions and other critical sectors are moving slowly on PQC implementation. The largest banks are actively working on it, but with tens of millions of interfaces to upgrade, it's a multi-year project that lacks immediate business justification.


"AI is sucking all the air out of the room," Herrin explained. "Nobody is coming to them saying, 'Save me a million dollars next year' with PQC. There's no big business use case driving adoption."


This creates a dangerous prioritization problem, where organizations pour resources into AI initiatives while ignoring the cryptographic foundation that protects all their data.


The Banking Paradox

Financial institutions exemplify the "early bird gets the worm, but the second mouse gets the cheese" mentality. Despite being heavily regulated and handling sensitive financial data, banking shows only 2.9% PQC adoption. Top-tier banks are working on implementation, but smaller institutions aren't yet considering it.


The Tech Debt Time Bomb

The convergence of AI expansion and quantum threats will force a massive tech debt reckoning. Legacy IoT devices, SCADA systems, and HSMs that can't support PQC key lengths will all require urgent attention.


"Tech debt is going to come due with interest," Herrin predicted. "You're going to have to upgrade your old IoT devices, your legacy systems. It's going to drive a whole raft of unplanned projects."


Organizations face the challenge of simultaneously:

  • Implementing AI systems across the enterprise

  • Upgrading cryptographic infrastructure

  • Maintaining operational security during transitions

  • Managing budget constraints across competing priorities


The AI-Quantum Intersection

The timing couldn't be worse. As Herrin noted, organizations "can't afford to not be doing AI stuff right now," yet they also can't ignore the quantum threat. This creates unprecedented pressure on technology budgets and strategic planning.


"You fundamentally can't skip the fundamentals," Herrin emphasized. "You can have complete cybersecurity mastery on the 10% of interfaces you're aware of, and you're going to get burned because of the 90% you don't know about."


Current Implementation Challenges

Organizations implementing PQC face several critical challenges:


  • Discovery and Inventory: Many organizations can't accurately count their exposed endpoints, making comprehensive crypto upgrades nearly impossible.

  • Key Management: PQC algorithms require significantly larger key sizes, stressing existing key management infrastructure.

  • Performance Impact: Quantum-resistant algorithms can impact system performance, requiring careful testing and optimization.

  • Hybrid Approaches: F5's solution combines classical and NIST-standardized quantum-resistant algorithms, enabling phased upgrades without service interruptions.
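
One way to turn the discovery and hybrid items above into a measurable inventory, as an added example that is not F5's code or part of the original article: parse captured TLS 1.3 ServerHello records and classify the negotiated key_share group as classical or hybrid PQC. The hostnames and captures are constructed; the group code points are the IANA-registered values.

```python
import struct

# IANA TLS Supported Groups code points carried in the key_share extension
HYBRID_PQC = {0x11EB, 0x11EC, 0x11ED}  # SecP256r1MLKEM768, X25519MLKEM768, SecP384r1MLKEM1024
CLASSICAL = {0x0017, 0x0018, 0x001D}   # secp256r1, secp384r1, x25519
KEY_SHARE = 51                         # extension type

def selected_group(record):
    """Return the key_share group chosen in a TLS 1.3 ServerHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        return None  # not a handshake record that starts with a ServerHello
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35:
        return None  # truncated before the session_id length byte
    pos = 35 + body[34] + 3  # skip version, random, session_id, cipher suite, compression
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == KEY_SHARE and ext_len >= 2 and pos + 6 <= end:
            return int.from_bytes(body[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return None

def classify(group):
    return "hybrid-pqc" if group in HYBRID_PQC else "classical" if group in CLASSICAL else "unknown"

def inventory(captures):
    """Classify every endpoint and return (per-host result, percent lacking hybrid PQC)."""
    result = {host: classify(selected_group(rec)) for host, rec in captures.items()}
    lacking = sum(1 for v in result.values() if v != "hybrid-pqc")
    return result, round(100 * lacking / len(result), 1)

def build_server_hello(group, share_len):
    """Constructed sample: minimal ServerHello with supported_versions and key_share."""
    exts = struct.pack("!HHH", 43, 2, 0x0304)
    exts += struct.pack("!HHHH", KEY_SHARE, 4 + share_len, group, share_len) + bytes(share_len)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

SAMPLE = {  # constructed captures; hostnames are placeholders
    "a.example": build_server_hello(0x11EC, 1120),  # X25519MLKEM768 server share
    "b.example": build_server_hello(0x001D, 32),    # x25519 only
    "c.example": build_server_hello(0x0017, 65),    # secp256r1 only
    "d.example": b"\x15\x03\x03\x00\x02\x02\x28",   # fatal alert, no ServerHello
}
```

A server only selects a hybrid group when the probing client offers one, so the captures should come from a client that advertises the hybrid groups being inventoried.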


Strategic Recommendations

Based on Herrin's insights and industry best practices:


  1. Start with Discovery: "You fundamentally can't skip the fundamentals. Start with continuous discovery, improvement, testing, and validation."

  2. Risk-Based Approach: "Understand your business risk appetite. Risk profile may vary by division."

  3. Leverage AI for Acceleration: Use AI tools to understand legacy configurations and gain visibility into inherited technical debt.

  4. Plan for Hybrid Periods: Implement solutions that support both classical and quantum-resistant algorithms during transition periods.

  5. Budget for Unplanned Work: Prepare for the "raft of unplanned projects" that quantum readiness will require.


The Business Case

Organizations need to frame both AI security and PQC investments in terms of risk appetite. The key questions for boards and executives:


  • What are our data sensitivity and longevity requirements?

  • What is our risk tolerance for potential future quantum attacks?

  • How do we balance immediate AI opportunities with long-term cryptographic security?


Real-World Implementation

F5 customers are already using AI to tackle cryptographic complexity. Use cases include:


  • Analyzing legacy configurations to understand existing crypto implementations

  • Explaining complex rule sets that have been running for decades

  • Building new crypto policies that incorporate quantum-resistant algorithms

  • Gaining an understanding of inherited technical debt


The 2026 Deadline

The convergence of several factors makes 2026 a critical year:


  • Continued advancement in quantum computing capabilities

  • Growing awareness of "harvest now, decrypt later" attacks

  • Maturation of NIST-standardized PQC algorithms

  • Increasing regulatory pressure for quantum readiness


Industry Perspectives

The cybersecurity community is divided on timing and urgency. Some experts argue for immediate implementation, while others advocate for waiting until standards and implementations mature. However, the economic reality of attack surface expansion through AI adoption means organizations can't delay fundamental security improvements.


Looking Forward

Organizations that will thrive are those using AI to strengthen their security posture, rather than just racing toward advanced use cases. The winners in 2026 will be those who invested in foundational security, including cryptographic infrastructure, before both quantum computers and AI-powered attacks made the choice for them.


As Herrin concluded: "It's never going to get better. Use AI to fix it." The message is clear: 2026 will separate organizations that invested in foundational security from those that chased shiny objects, and the time for eating vegetables before dessert is now.

 
 
 



© 2025 by Tom Smith
