The business impact of cryptographic drift: The urgent case for post-quantum cryptography - Federal News Network

The warnings are here. The danger is real. The timeline is shorter than you think. There are mitigations out there now that can be implemented. While researching the Titanic recently, I was struck by something profound: The ship received numerous warning signs that could have prevented the catastrophic disaster of 1912. More than a century later, organizations continue making the same mistake, ignoring blatant warnings about pending disasters. Today’s iceberg? The quantum computing revolution that threatens to render our current cryptography obsolete. Any entity using digital networks to store sensitive data needs to transition away from classical cryptography toward post-quantum cryptography (PQC) standards. Organizations that fail to course-correct risk drifting dangerously off course by maintaining the same classical cryptography instead of implementing new quantum-resistant algorithms that are already available. This lack of proactive course correction, or what I call “cryptographic drift,” creates what is now referred to as cryptographic debt — a burden that builds up until it may be too late to avoid disaster. One of the other perspectives to understand is that adversaries are constantly harvesting your data during the cryptographic drift, and the slow implementation of PQC-resistant algorithms will ease the adversarial burden to decrypt the data once a CRQC becomes operationally available. The Titanic didn’t sink simply from drifting off course, but because it maintained high speed into a known ice field despite numerous warnings that never reached the captain. Everyone was too busy to act. Join us May 11 for Federal News Network's Risk & Compliance Exchange as government and industry experts discuss how to navigate evolving cybersecurity mandates and accelerate secure adoption of emerging technologies. Quantum computers harness quantum mechanical phenomena, including superposition and entanglement, to process information in fundamentally different ways from classical systems. While classical computers encode data as binary bits (0s and 1s), quantum computers use quantum bits (qubits) that can occupy multiple states at once, potentially delivering exponential speedups for specific problem classes. Quantum computers using gate-based operations (analogous to classical and/or gates) have been built with dozens of qubits, though their quality remains inconsistent. Scaling to fully error-corrected systems with logical qubits that can perform substantially more operations likely won’t arrive until around 2030. Organizational management needs to understand what lies ahead in the cryptographic space of quantum computing. Advanced planning is essential to implement quantum-resistant algorithms before a cryptographically-relevant quantum computer (CRQC) arrives on the scene. The primary organizational risk from quantum computing is that a CRQC could break widely used classical encryption schemes. This threat has prompted formal government action, including Office of Management and Budget Memorandum M-23-02, “Migrating to Post-Quantum Cryptography,” and National Security Memorandum 10 NSM-10, “Promoting United States Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems,” which direct federal agencies to take proactive steps toward post-quantum cryptography (PQC) migration.

The Defense Department has issued additional guidance outlining implementation requirements and constraints for PQC adoption across government systems. Private sector organizations, particularly those working with or seeking to work with government entities, should closely monitor these directives, as compliance will likely become essential for maintaining those relationships. Proactive planning safeguards your organization against the threat of a CRQC rendering current public-key encryption such as RSA (Rivest, Shamir and Adleman) and Elliptic Curve Cryptography (ECC) obsolete. It may also mitigate “harvest now, decrypt later” (HNDL) attacks — an ongoing threat where adversaries intercept and store encrypted data today, intending to decrypt it once error-correcting quantum computers become capable of breaking today’s cryptographic protections. Sign up for our daily newsletter so you never miss a beat on all things federal Recent academic and industry publications have accelerated the timeline for operational CRQCs to on or before 2030, exponentially increasing risk in three critical areas: Most forward-thinking organizations are already transitioning their encryption ahead of 2030, anticipating moderate impacts to these areas. Organizations experiencing cryptographic drift will continue operating normally, creating a dangerous illusion of security while adversaries store sensitive data now and decrypt it later (also known as HNDL attacks) — capturing encrypted data today for future exploitation. A crypto-agile approach maintains operational continuity while transitioning to quantum-resistant algorithms that protect data in transit. As shown in the figure, cryptographic debt accumulates over time and can become overwhelming or irreversible as organizations scale. Eventually, it leads to loss of operational functionality and relevance due to government mandates and guidance. Wholesale replacement of IT infrastructure is neither practical nor cost-effective for achieving quantum resistance. Instead, implementing crypto-agility enables seamless migration from obsolete encryption to quantum-resistant standards, positioning organizations for future competitiveness through reduced costs, accelerated transition timelines, minimized data compromise risk and uninterrupted operations. The quantum resistant/PQC algorithms have been released by the National Institute of Standards and Technology: These standards form the foundation of the post-quantum cryptography migration mandated by government directives like OMB M-23-02 and NSM-10. Start by inventorying your assets to understand what encryption is currently being used within the organizational enterprise. Focus on migrating the highly operationally used assets (high value or high impact) to using the standard quantum resistant algorithms, as they most likely transmit most of your sensitive data. For now, the HNDL threat is at the data in transit level, not particularly at the data in use and data at rest levels. Additionally, migrating from TLS 1.2 to TLS 1.3 can also counter a CRQC due to PQC algorithms integrating more naturally into the TLS 1.3 architecture. This is available now. Migrating only after it’s too late and your cryptography has been rendered void by an error correcting/fault-tolerant quantum computer will dramatically increase the risk of your organization ending up like the Titanic. It took 73 years to find the wreckage, and to date, the Titanic has never fully recovered from the ocean floor. Let’s try not to have that happen to your organization. The warnings are here. The danger is real. The timeline is shorter than you think. There are mitigations out there now that can be implemented within your organization. Don’t be too busy to change course; pay attention to the warnings. Garfield Jones is senior vice president, research and technology strategy at QuSecure. Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.