
NIST is already well into a post-quantum crypto competition. Any serious user of cryptography will have switched to the new protocols by the time quantum computers become powerful enough to crack production RSA. Cloudflare has already prototyped protocols in TLS [0]. Scott Aaronson has gone on record saying he would be "astonished" if this happened within a decade.

This isn't like the cold war days. The quantum computing research community is close-knit and people would notice researchers being hoovered up by the NSA; this hasn't happened.

Shor's algorithm is undeniably a groundbreaking result but is not the killer app of quantum computers. It's more of an unfortunate side-effect.

[0] https://blog.cloudflare.com/the-tls-post-quantum-experiment/



> Any serious user of cryptography will have switched to the new protocols by the time quantum computers become powerful enough to crack production RSA

Yes, but the NSA could still decrypt messages from the past if they recorded and stored them.


Well, anyone could, yes. That's why, if you want messages you're sending today to remain secret for longer than a decade, you use a cipher, like AES, that isn't fully broken by quantum computers. It's really just the key distribution methods that will be broken by quantum computers; they only get a sqrt(n) speedup against symmetric-key cryptography: double the key size and you're golden.
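The sqrt(n) speedup mentioned in the reply above is Grover's algorithm. The following is an added illustration, not code from any commenter or from the Cloudflare experiment: a pure-Python, idealized statevector simulation of Grover search over a toy 4-bit key space, alongside the query-count arithmetic for real key sizes. The simulation assumes a perfect, noise-free quantum circuit with a single correct key; the functions `grover_iterations`, `classical_expected_queries`, `simulate_grover` and `post_quantum_symmetric_bits` are names chosen here for the example.

```python
import math


def grover_iterations(key_bits: int) -> int:
    """Oracle calls Grover needs for a key space of 2**key_bits: about
    (pi/4) * sqrt(N).  This is the sqrt(n) speedup; it does not make the
    search free, it halves the exponent."""
    n = 2 ** key_bits
    return int(math.floor(math.pi / 4 * math.sqrt(n)))


def classical_expected_queries(key_bits: int) -> float:
    """Expected trial decryptions for classical exhaustive search when the
    key is uniformly random: (N + 1) / 2."""
    n = 2 ** key_bits
    return (n + 1) / 2


def simulate_grover(key_bits: int, secret_key: int, iterations=None) -> float:
    """Idealized statevector simulation of Grover search (assumption: a
    noise-free circuit and exactly one matching key).  Returns the
    probability of measuring `secret_key` after `iterations` rounds."""
    n = 2 ** key_bits
    if not 0 <= secret_key < n:
        raise ValueError("secret_key must lie inside the key space")
    if iterations is None:
        iterations = grover_iterations(key_bits)
    # Uniform superposition over every candidate key.
    amp = [1.0 / math.sqrt(n)] * n
    for _ in range(iterations):
        # Oracle: flip the sign of the amplitude of the correct key
        # (this is the one 'trial decryption' per iteration).
        amp[secret_key] = -amp[secret_key]
        # Diffusion: reflect every amplitude about the mean, which pushes
        # probability mass toward the marked key.
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]
    return amp[secret_key] ** 2


def post_quantum_symmetric_bits(key_bits: int) -> int:
    """Effective security of a symmetric key against a Grover attacker:
    the exponent is halved, hence the 'double the key size' rule."""
    return key_bits // 2


if __name__ == "__main__":
    # Toy demonstration: a constructed 4-bit key space, secret key 0b0101.
    bits, secret = 4, 0b0101
    print(f"4-bit key space: classical expected queries = "
          f"{classical_expected_queries(bits)}, Grover iterations = "
          f"{grover_iterations(bits)}")
    for k in range(1, 5):
        print(f"  after {k} Grover iteration(s): "
              f"P(correct key) = {simulate_grover(bits, secret, k):.3f}")
    # Realistic key sizes: exponents only, the numbers are astronomical.
    for key_bits in (128, 256):
        print(f"AES-{key_bits}: classical ~2^{key_bits - 1} trials, "
              f"Grover ~2^{key_bits // 2} oracle calls, "
              f"effective {post_quantum_symmetric_bits(key_bits)}-bit security")
```

Running it shows the marked key's probability climbing to about 0.96 after three iterations over 16 candidates (the classical search expects 8.5 guesses), and that over-rotating past the optimal count lowers the probability again. The last two lines make the reply's point concrete: AES-128 drops to roughly 64-bit security under Grover, while AES-256 retains 128-bit security.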



