There is a category of risk to police data that is already relevant, leaves no immediate trace, and may only become visible when mitigation is no longer possible. It does not require a breach or a system compromise. It requires time, storage capacity, and intent. Adversaries operating at national scale have all three.
Understanding this risk, and acting on it in a structured way, is becoming an operational and governance issue for police leadership. The window for a controlled response is narrowing.
What is actually at risk
Modern policing depends on encryption across almost every critical function: communications, intelligence systems, evidence platforms, identity management, and forensic data. The important point is not that “everything is encrypted”. It is that much of this protection relies on a specific type of encryption that is expected to become vulnerable once quantum computing reaches a certain level of capability. Not all encryption is affected. The risk sits mainly in the mechanisms used to establish trust between systems and to protect data in transit. Those mechanisms underpin far more of your infrastructure than most organisations realise.
No system is failing today. The issue is that the assumption those systems rely on is no longer stable over the timeframe that police data needs to remain confidential.
The problem that starts today
The risk does not begin when a new type of computer arrives. It begins now. Encrypted data can be collected and stored long before it can be read. Once the capability exists, that stored data can be decrypted retrospectively. National cybersecurity agencies treat this as a current risk, not a theoretical one.
For policing, the implication is direct. Any data that must remain confidential for a decade or more is exposed to delayed compromise. That includes covert source identities, long-running intelligence files, and certain forensic and biometric records.
The moment of exposure will not be when the data is taken. It will be years later, when it is too late to reduce the damage.
This is no longer a technical unknown
The replacement for vulnerable encryption is already defined and has been tested at scale. It does not require new infrastructure. It runs on existing systems. It can be introduced through controlled updates rather than wholesale replacement.
The challenge is not whether a solution exists. It is whether organisations know where to apply it and can execute the transition in time.
Where this sits in the policy landscape
Governments are already acting on this.
Globally, organisations are expected to:
- understand where vulnerable cryptography is used
- assess exposure based on data sensitivity and longevity
- begin structured transition within this decade
- complete migration of critical systems on defined timelines
The details differ, but the expectation is consistent. This is now a matter of organisational preparedness, not technical speculation.
For policing organisations, that expectation is moving into the space of accountability.
What this means for police leadership
This is not about understanding cryptography. It is about asking the right operational questions.
1. Which data must remain confidential for more than ten years?
Focus on what actually matters. Not all data carries long-term risk. Some categories clearly do.
2. Do we know where our encryption actually sits?
Most organisations do not have a complete picture. Systems are assumed to be secure without knowing how that security is implemented or where dependencies lie.
3. Are our vendors preparing for this transition?
A large part of your exposure sits in systems you do not build yourself. Vendor readiness is now a risk factor, not a technical detail.
4. Are we holding data we no longer need?
Reducing unnecessary retention directly reduces future exposure. This is one of the few controls that works regardless of the technology timeline.
The real constraint: time
The urgency is not driven by an immediate technological breakthrough. It is driven by how long it takes to respond. Large organisations do not change their cryptographic foundations quickly. The impact reaches across systems, suppliers, and infrastructure that have developed over many years. Some components can be updated. Others cannot. Some will require replacement. Identifying which is which, and planning accordingly, takes time.
Organisations that delay will not run out of options. They will run out of time to implement those options in a controlled way.
Where to start
This begins as a governance decision.
Assign responsibility. Make exposure visible. Require an inventory of where and how cryptography is used.
From there:
- prioritise systems based on long-term data sensitivity
- begin phased updates where possible
- ensure all new procurement can adapt to future changes without replacement
None of this is technically extraordinary. What matters is starting early enough to stay in control.
Final observation
The timeline often creates a false sense of distance. The real question is not when the risk becomes active. It is whether the organisation has already acted by the time it does.
For policing, where some data must remain protected for decades, that question is already relevant today.