The business impact of cryptographic drift: The urgent case for post-quantum cryptography - Federal News Network

Federal News Network Archived Apr 23, 2026 ✓ Full text saved

COMMENTARY

The warnings are here. The danger is real. The timeline is shorter than you think. There are mitigations out there now that can be implemented.

Garfield Jones
March 20, 2026 3:39 pm

While researching the Titanic recently, I was struck by something profound: The ship received numerous warning signs that could have prevented the catastrophic disaster of 1912. More than a century later, organizations continue making the same mistake, ignoring blatant warnings about pending disasters. Today’s iceberg? The quantum computing revolution that threatens to render our current cryptography obsolete.

The warning signs are already here

Any entity using digital networks to store sensitive data needs to transition away from classical cryptography toward post-quantum cryptography (PQC) standards. Organizations that fail to course-correct risk drifting dangerously off course by maintaining the same classical cryptography instead of implementing new quantum-resistant algorithms that are already available. This lack of proactive course correction, or what I call “cryptographic drift,” creates what is now referred to as cryptographic debt — a burden that builds up until it may be too late to avoid disaster.

Another perspective to understand is that adversaries are constantly harvesting your data during the cryptographic drift, and the slow implementation of quantum-resistant algorithms will ease the adversarial burden of decrypting that data once a cryptographically relevant quantum computer (CRQC) becomes operationally available.

The Titanic didn’t sink simply from drifting off course, but because it maintained high speed into a known ice field despite numerous warnings that never reached the captain. Everyone was too busy to act.
Sound familiar?

Understanding the quantum threat

Quantum computers harness quantum mechanical phenomena, including superposition and entanglement, to process information in fundamentally different ways from classical systems. While classical computers encode data as binary bits (0s and 1s), quantum computers use quantum bits (qubits) that can occupy multiple states at once, potentially delivering exponential speedups for specific problem classes.

Quantum computers using gate-based operations (analogous to classical AND/OR gates) have been built with dozens of qubits, though their quality remains inconsistent. Scaling to fully error-corrected systems with logical qubits that can perform substantially more operations likely won’t arrive until around 2030.

Organizational management needs to understand what lies ahead in the cryptographic space of quantum computing. Advanced planning is essential to implement quantum-resistant algorithms before a cryptographically-relevant quantum computer (CRQC) arrives on the scene.

The primary organizational risk from quantum computing is that a CRQC could break widely used classical encryption schemes. This threat has prompted formal government action, including Office of Management and Budget Memorandum M-23-02, “Migrating to Post-Quantum Cryptography,” and National Security Memorandum 10 (NSM-10), “Promoting United States Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems,” which direct federal agencies to take proactive steps toward post-quantum cryptography (PQC) migration. The Defense Department has issued additional guidance outlining implementation requirements and constraints for PQC adoption across government systems.
Private sector organizations, particularly those working with or seeking to work with government entities, should closely monitor these directives, as compliance will likely become essential for maintaining those relationships.

Proactive planning safeguards your organization against the threat of a CRQC rendering current public-key encryption such as RSA (Rivest, Shamir and Adleman) and Elliptic Curve Cryptography (ECC) obsolete. It may also mitigate “harvest now, decrypt later” (HNDL) attacks — an ongoing threat where adversaries intercept and store encrypted data today, intending to decrypt it once error-correcting quantum computers become capable of breaking today’s cryptographic protections.

Recent academic and industry publications have accelerated the timeline for operational CRQCs to on or before 2030, exponentially increasing risk in three critical areas:

- Business operations disruption
- Data exposure and breaches
- Cost of emergency transition

Most forward-thinking organizations are already transitioning their encryption ahead of 2030, anticipating moderate impacts to these areas.

Organizations experiencing cryptographic drift will continue operating normally, creating a dangerous illusion of security while adversaries store sensitive data now and decrypt it later (also known as HNDL attacks) — capturing encrypted data today for future exploitation. A crypto-agile approach maintains operational continuity while transitioning to quantum-resistant algorithms that protect data in transit.

As shown in the figure, cryptographic debt accumulates over time and can become overwhelming or irreversible as organizations scale. Eventually, it leads to loss of operational functionality and relevance due to government mandates and guidance.

Wholesale replacement of IT infrastructure is neither practical nor cost-effective for achieving quantum resistance.
Instead, implementing crypto-agility enables seamless migration from obsolete encryption to quantum-resistant standards, positioning organizations for future competitiveness through reduced costs, accelerated transition timelines, minimized data compromise risk and uninterrupted operations.

The time to act is now

My advice is simple: start changing course now. The quantum-resistant/PQC algorithms have been released by the National Institute of Standards and Technology:

- FIPS 203 (ML-KEM) – key encapsulation
- FIPS 204 (ML-DSA) – digital signatures
- FIPS 205 (SLH-DSA) – stateless hash-based signatures

These standards form the foundation of the post-quantum cryptography migration mandated by government directives like OMB M-23-02 and NSM-10.

Start by inventorying your assets to understand what encryption is currently being used within the organizational enterprise. Focus on migrating the highly operationally used assets (high value or high impact) to the standard quantum-resistant algorithms, as they most likely transmit most of your sensitive data. For now, the HNDL threat is at the data in transit level, not particularly at the data in use and data at rest levels. Additionally, migrating from TLS 1.2 to TLS 1.3 can also counter a CRQC due to PQC algorithms integrating more naturally into the TLS 1.3 architecture. This is available now.

Reactive planning

Migrating only after it’s too late and your cryptography has been rendered void by an error-correcting/fault-tolerant quantum computer will dramatically increase the risk of your organization ending up like the Titanic. It took 73 years to find the wreckage, and to date, the Titanic has never been fully recovered from the ocean floor. Let’s try not to have that happen to your organization.

The warnings are here. The danger is real. The timeline is shorter than you think. There are mitigations out there now that can be implemented within your organization.
Don’t be too busy to change course; pay attention to the warnings.

Garfield Jones is senior vice president, research and technology strategy at QuSecure.

Copyright © 2026 Federal News Network. All rights reserved.