Post-Quantum Era Poses Unique Threats to Space Systems - National Defense Magazine

SPACE Post-Quantum Era Poses Unique Threats to Space Systems 3/24/2026 By Leandra Bernstein Share Post Email Share Share Share National security satellites must be quantum-resistant by 2035. Northrop Grumman image WASHINGTON, D.C. — The emergence of a powerful quantum computer that will break conventional encryption — known as “Q-Day” — will have security implications extending to space systems, experts say. The perception of space as a sanctuary has been shattered in recent years. The 2022 cyberattack against Viasat, a recent data breach at the European Space Agency, the contest to hack a live satellite and a group of computer scientists intercepting satellite data with $800 worth of equipment are all reminders that distance is not a defense. “For decades, people thought space was out of reach, so why bother?” said Eric Adolphe, CEO and founder of Forward Edge-AI, a company developing post-quantum solutions for space systems. Few manufacturers worked on advanced space cryptography, so the price of security often dwarfed the cost of a satellite, and the power required to run advanced cryptography could be twice the power budget of a CubeSat, Adolphe said in an interview. There was a quiet acceptance of the risk. “Humans are really bad at predicting what future disasters will be. And we’re almost always proven wrong when we predict where technology is going to go,” he said. Today, a handful of nations are racing to build the first cryptographically relevant quantum computer, with U.S. companies like Google and IBM making strides in sustaining logical, error-corrected qubits. China is also making advances that U.S. officials warn could jeopardize U.S. national security, though it is less clear what milestones China is hitting. The U.S.-China Economic and Security Review Commission recently warned of the risks of China achieving a “first-mover advantage” in quantum, noting that the nation is “likely concealing the location and status of its most advanced efforts,” raising uncertainty about the arrival of Q-Day. In response to the risks posed by quantum computing, the U.S. federal government has mandated the timely transition away from asymmetric public key cryptography toward quantum-resistant algorithms, with deadlines taking effect in December. These deadlines were part of the 2022 National Security Memorandum 10, which identified specific post-quantum national security risks to civilian and military communications, control systems for critical infrastructure and security protocols for most internet-based financial transactions. In response to the memo, the National Security Agency released a roadmap for the post-quantum transition under the Commercial National Security Algorithm suite, or CNSA 2.0, requiring all national security systems be quantum-resistant by 2035 — a general consensus date when officials estimate a quantum computer could be developed to jeopardize classically encrypted systems. According to the roadmap, by the end of 2025 web browsers, cloud and traditional servers, as well as any new software and firmware, had to incorporate quantum-secure algorithms. By 2027, all new national security system acquisitions will need to be quantum-secure. Government agencies acknowledged that the transition from the traditional algorithms that formed the backbone of CNSA 1.0, like Elliptic Curve Cryptography and Rivest-Shamir-Adleman, will not happen overnight, and they have urged organizations to move as quickly as possible. “CISA recognizes that transition to post-quantum cryptography is a complex, multi-year process,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, told National Defense in an email. “As quantum computing capabilities evolve, CISA encourages critical infrastructure owners and operators to update systems using a risk-based approach to incorporate current and future standards.” One of the consistent messages to industry from CISA and other agencies has been to take inventory of information technology assets and prioritize the transition of the most sensitive systems, said Tim Hollebeek, vice president of industry standards at global digital trust company DigiCert. “If you haven’t done that by now, it’s actually too late. At this point, the goal is operational excellence and making sure that you’ve transitioned as much as possible by 2030,” he said. While some organizations may see quantum as a distant threat, experts noted the risks exist on a shorter timeline. Dustin Moody, leader of the post-quantum cryptography standardization project at the National Institute of Standards and Technology, noted that “even though a cryptographically relevant quantum computer has not yet been built — which will threaten current levels of security — there are still important reasons to start your migration promptly.” One reason is the time and complexity of cryptographic changes, especially across distributed environments. “You can’t wait until a quantum computer is imminent and then start,” said Moody. Another reason is the “harvest now, decrypt later” threat, where data leaked or stolen today can be unlocked later. “Your data may already be at risk,” Moody said. This threat can be assessed using Mosca’s Inequality Theorem, which was first described by Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo. It states that if data must be secure for 10 years, and if it takes five years to migrate to post-quantum cryptography, that’s a 15-year exposure window. If a quantum computer arrives in the next 10 years, that data could be compromised. With a compressed timeline for action, CNSA 2.0 has provided a set of post-quantum algorithms that were finalized and approved by NIST in 2024, with instructions for incorporating them into products and encryption systems. The three approved standards include the Module-Lattice-Based Key-Encapsulation Mechanism and two digital signature algorithms, the Module-Lattice-Based Digital Signature Algorithm and the Stateless Hash-Based Digital Signature Algorithm. NIST is working to finalize another digital signature algorithm, FALCON, and a post-quantum cryptography algorithm called Hamming Quasi-Cyclic that will be used as a backup defense in case quantum computers are able to crack the Module-Lattice-Based Key-Encapsulation Mechanism. Asked whether the incomplete rollout of standards was creating a moving target for organizations, experts said the existing algorithms are sufficient to begin to transition old systems and develop new ones. “The primary algorithms that are probably going to be used in 90 percent of use cases, those were standardized two years ago,” said Hollebeek, referring to the three NIST standards. “There’s still some work on actual signing algorithms.” FALCON is expected to be released “imminently,” and is essentially a “backup algorithm for resource-constrained use cases.” NIST expects Hamming Quasi-Cyclic will be finalized in 2027, he added. Satellite networks face specific risks that go beyond the classic network threats such as harvest now, decrypt later. The Space Information Sharing and Analysis Center has identified several of these on its website’s frequently asked questions section. They include: GPS interference, satellite spoofing and jamming, denial of service, remote code execution, man-in-the-middle attacks and command-and-control intrusions. One of the worst-case scenarios could involve a series of compromises that enable a bad actor to effectively hijack a satellite. “Right now, we know for a fact that adversaries are recording transmissions and storing them so they can decrypt in the future,” said Adolphe. “Moreover, using side channel attacks, adversaries already have the ability to exfiltrate long-lived keys, decrypt messages and send valid-looking commands that look like they’re coming from a ground station. You can deorbit a satellite, you can change the orbit, you can capture it — all kinds of crazy things.” NIST and CISA have noted the unique challenge for space systems implementing zero trust and quantum security given the limitations in size, weight, power, cost and compute on space systems. Post-quantum cryptography keys are “bigger than we’re used to, so there will be challenges for some applications and use cases to migrate to them,” Moody said. That larger footprint may come with advantages. “In terms of performance — how fast the algorithms encrypt, sign, verify, etc. — the post-quantum cryptography algorithms are pretty fast. We don’t anticipate that their performance will be a problem in comparison to what is in current use.” Organizations will need to strike a careful balance between performance and size, weight and power against security requirements, a CISA official told National Defense on background. “In constrained environments, industry should evaluate which algorithms help balance security with computational overhead.” CISA has detailed specific recommendations for balancing size, weight and power and security in a 2024 publication, “Space System Security and Resilience Landscape: Zero Trust in the Space Environment.” Another specific challenge with securing space systems is their long lifespans. The average operational life of a low-Earth orbit satellite is roughly five to 10 years, and geostationary orbit satellites can last 10 to 20 years, making hardware refreshes unfeasible. “You can’t easily patch legacy platforms,” said Adolphe. Spacecraft should “be designed with crypto agility in mind,” according to the CISA official, so algorithms can be modified through software or firmware updates without major hardware changes. For legacy systems that can’t be upgraded, the agency recommends enhanced security through non-cryptographic layers, such as network segmentation to isolate critical systems and strict access controls. Within the space supply chain, manufacturers — including Berlin Space Technologies, SEALSQ, Thales Alenia Space, WISeSat and Xiphera — are integrating post-quantum cryptography keys and algorithms directly into hardware and onboard compute modules. Forward Edge-AI has a working post-quantum cryptography prototype on orbit and plans to launch a high-throughput quantum-secure space router in late 2026 in support of the Space Development Agency’s Proliferated Warfighter Space Architecture. The broader IT industry is also moving ahead with quantum-resistant hardware and software, as evidenced by CISA’s recent release of a list of product categories that use approved post-quantum cryptography standards that can be incorporated into supply chains. “For security and efficiency reasons, people are often moving in the hardware direction,” said Hollebeek. But there are tradeoffs. “Unlike the past 20 years, the next 20 years are going to see a lot more changes,” he said. There will be adjustments and lessons learned as algorithms are implemented in different environments. “People are going to have to patch their systems, and that’s just the reality,” he added. “No one knows precisely how close we are to Q-Day, but we know we’re close enough that delaying a transition would be irresponsible,” said Adolphe. “That is why I think you’re seeing this acceleration to implement PQC. It’s not a panic — it’s prudence. We’ve got to get going. We cannot afford another failure of imagination.”   Topics: Emerging Technologies, Global Defense Market Related Articles JUST IN: South Korean Collaborative Combat Aircraft Make Debut JUST IN: Company Debuts Marinized EW Training System for Naval Warfare JUST IN: As U.S., Iran Trade Strikes, Pentagon Official Calls Out Need for CBRN Defense Funds (UPDATED) VIEW ALL ARTICLES Comments (0) Name * Email * Comment * Please enter the text displayed in the image. Characters * Legal Notice * NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820. I have read the legal notice.