April 22, 2026 | Threat Beat

Why the government must accelerate quantum preparedness now

Somewhere in the United States right now, a water treatment facility is running control systems that a quantum computer will eventually be able to compromise, and there is no federal deadline requiring anyone to fix it. The risk is here and now, and America is moving too slowly to protect itself. 

On March 25, Google announced it will complete its transition to stronger encryption by 2029, citing faster-than-expected advances in quantum technology. Federal agencies are not expected to complete that same transition until 2035 at the earliest.

That needs to change. The White House should set a binding 2030 deadline for federal systems to transition to quantum-resistant cryptography. In addition, federal procurement rules should require that new equipment sold to the government after 2027 be designed so that encryption can be upgraded without replacing the entire system.

Quantum computers cannot yet break today’s encryption, but experts expect they will in the not-too-distant future. When they do, systems securing government communications, financial networks and critical infrastructure could be exposed. European regulators are already acting: The EU Cyber Resilience Act requires that products with digital elements like industrial equipment, medical devices and network hardware be designed with upgradable encryption if they are expected to remain in use past 2030, with the law taking full effect in December 2027. Acting now matters because adversaries do not need to wait for a quantum computer to begin the attack. They are already collecting and stockpiling encrypted data today, waiting for the moment quantum capabilities allow them to unlock it.

The federal government has begun preparing for the day adversaries acquire quantum capabilities, but these preparations are uneven. The National Security Agency has directed defense and intelligence systems to start adopting quantum-resistant cryptography now. The National Institute of Standards and Technology will phase out vulnerable encryption standards by 2030, meaning systems still using them after that date will be operating outside federal security guidance. Yet most federal agencies are not expected to finish transitioning to quantum-resistant cryptography until 2035. That means large parts of the government will, if Google’s timeline is correct, still be mid-transition when quantum computers unlock the protections securing sensitive systems.

Google runs one of the world’s most advanced quantum computing research programs, giving its security leadership visibility into the pace of quantum progress that most governments and organizations do not have. Ignoring new information and relying on old timelines will leave organizations exposed as both the threat accelerates and migration to quantum-resistant cryptography becomes more difficult and costly. 

The risks are especially serious for critical infrastructure. Systems that run power grids, water facilities and industrial operations depend on encryption to ensure that only authorized commands and updates are accepted. If that encryption is broken, those protections collapse: adversaries could impersonate trusted operators, send unauthorized commands or disrupt physical operations instantaneously. The challenge is that many of these systems were built and purchased with the idea that they would last for decades. And many rely on encryption that was embedded when the devices were manufactured and cannot be easily updated. In some cases, fixing the problem will require replacing equipment, a process that can take years and cost millions of dollars. 

To begin addressing the problem, the government first needs to get its own house in order. Unless the White House sets a deadline for federal systems to transition to quantum-resistant cryptography, the process could take a decade or more. And federal procurement rules should require that new equipment be amenable to cryptographic upgrades, since without this flexibility transitions will be slower, more expensive and, in some cases, impossible.

Most of the encryption at risk sits inside privately owned critical infrastructure, where the government must act through regulatory authority rather than direct mandate. Federal regulators should require owners and operators of critical infrastructure to inventory the encryption embedded in their systems: identifying what encryption methods are in use, whether those systems can receive software updates and whether fixing the problem will require replacing physical equipment. For sectors where federal authority is fragmented or absent, Congress should establish baseline requirements to ensure consistent adoption. 

The United States is not starting from zero. But its current pace is not aligned with the urgency seen thus far in the responses of its own adversaries and its own private sector. If the government waits until 2035, it risks securing its systems only after the threat has already materialized.

Georgianna Shea is chief technologist for the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, where Aarushi Garg is an intern.