The Quantum Clock Is Ticking on U.S. Cybersecurity

By Tanya Reddy Sattineni

The United States is not prepared for the quantum era. Unless the federal government accelerates post-quantum cryptographic migration, today’s encrypted financial records, health data, and classified communications could become exposed within the next decade.

When I attended the Aspen Cyber Summit last year in Washington, D.C., I asked a representative from the Cybersecurity and Infrastructure Security Agency (CISA) about their agency's biggest concern regarding cybersecurity. They simply replied that AI is “old news” and that quantum is now their main focus. 

When CEOs such as Sam Altman and Dario Amodei share stages with world leaders at global AI summits, it signals where political urgency lies. That focus, however, obscures a looming cybersecurity inflection point: the transition to a post-quantum world. Quantum preparedness must become a strategic priority. But to comprehensively address this threat, the federal government must first understand the transformative power of quantum computing and why it differs so dramatically from existing technologies. 

Quantum computing is a revolutionary way of processing information that uses the rules of quantum physics instead of traditional electronics. While classical computers use bits that are either 0 or 1, quantum computers use qubits, which can exist as 0 and 1 at the same time. This allows quantum computers to explore several solutions to a problem simultaneously rather than one at a time. As a result, they can break certain forms of encryption much faster than conventional computers. 

Quantum computers have the potential to revolutionize medicine by simulating molecules for new drugs and materials, optimize complex systems like power grids and supply chains, and help scientists explore the fundamental laws of nature in ways that were previously impossible. 

At the same time, quantum computing poses a serious risk to data security. Contemporary encryption protects sensitive data by using encryption algorithms like RSA and elliptic curve cryptography. To break this encryption, traditional computers would need an astronomically long time. However, a powerful quantum computer could undercut the mathematical foundation that secures many of today’s encryption systems. This would make currently secure data vulnerable. In response, governments and companies are now preparing quantum-resistant algorithms to protect data in the future. 

Although fully capable quantum computers do not yet exist, adversaries—including nation-state cyber actors like the People's Republic of China and Russia—are already collecting sensitive data in what’s called a "Harvest Now, Decrypt Later" attack. Data like Social Security numbers and medical records never expire, so they can be stolen and saved now in their encrypted form. When these adversaries eventually gain access to a quantum computer, they could decrypt all of it at once. This underscores the dire need to fortify sensitive data with quantum-resistant algorithms.  

Recognizing this growing threat, government agencies and cybersecurity organizations have begun developing formal frameworks to safeguard sensitive information against future quantum attacks. In 2024, the National Institute of Standards and Technology (NIST) finalized its first set of post-quantum cryptography standards under the Federal Information Processing Standards (FIPS). These standards establish quantum-resistant methods for secure key exchange and digital signatures, providing federal agencies and private-sector organizations with an official blueprint for protecting sensitive data.

The release of FIPS 203, 204, and 205 marks a critical milestone. For the first time, the United States has standardized cryptographic tools designed specifically to withstand quantum decryption capabilities. This gives organizations such as federal agencies, financial institutions, and healthcare systems technical clarity by specifying which post-quantum algorithms are approved for implementation, reducing uncertainty in procurement decisions. 

While critics contend that accelerating post-quantum migration would be too costly amid existing budget pressures, the cost of inaction could be far greater. A single quantum-enabled breach of financial or classified systems would carry profound economic and geopolitical consequences. Many institutions rely on deeply embedded encryption infrastructure that cannot be replaced overnight. Additionally, while these algorithms are designed to resist known quantum attack models, cryptography remains an evolving field where future breakthroughs could expose unforeseen vulnerabilities. FIPS provides a foundation, but not a final quantum-secure solution. 

These limitations make clear that technical standards must be paired with decisive federal action. Because migration could take ten to fifteen years, the White House, through its Office of Management and Budget and NIST, must require that all federal procurement contracts comply with FIPS 203 and FIPS 204 by 2026. Such a mandate would effectively force the global supply chain to modernize its cryptographic agility. In the face of “Harvest Now, Decrypt Later” attacks, the government must not only issue mandates but also enforce and implement them rigorously. 

While AI dominates today’s headlines, quantum technologies are quietly emerging as the next great challenge. Failure to act now will force societies to face the inevitable quantum disruption unarmed.