Organizations will face major challenges — and even greater costs — on the road to becoming quantum-ready over the next five years.

US President Donald Trump signed two executive orders related to quantum technology on June 22. 

One, “Ushering in the Next Frontier of Quantum Innovation,” aims to bolster US leadership in quantum information science and technology through updating the national quantum strategy and building out a domestic ecosystem that will lead to the development of a quantum computer beyond current capabilities. It also includes workforce investment and partnering with various stakeholders, such as international allies, manufacturers, and private sector investors.

The second, “Securing the Nation Against Advanced Cryptographic Attacks,” aims to prepare US infrastructure for the attackers that would use quantum technology to target organizations. The aim here is to accelerate the government’s transition to post-quantum cryptography (PQC) and fortify sensitive government data.


The executive order requires federal agencies to appoint PQC migration leads within 30 days, adopt PQC for key establishment and encryption by the end of 2030, and adopt PQC for digital signatures by the end of 2031 for high-value assets and high-impact systems.

The order also directs the National Institute of Standards and Technology (NIST) to begin a PQC pilot program to create standards for the transition and directs relevant agencies to create guidance for a cryptographic bill of materials. Relevant agencies must also assist critical infrastructure in becoming quantum ready.

While many of these requirements primarily exist for the federal government, federal contractors will also be required to adhere to NIST’s PQC standards by Dec. 31, 2030. 

These orders dramatically accelerate the timeline many organizations had in mind for quantum readiness. Much of the security industry’s previous framing was that cryptographically relevant quantum computers were unlikely before 2035, so PQC migration was treated as something to prepare for rather than a compliance exercise.  

How government and industry think about quantum computing has changed in recent years. Security experts say threat actors are stealing credentials they can’t decrypt today to prepare themselves for a world where quantum computers can (harvest now, decrypt later). Google in March set a deadline of 2029 to integrate PQC into its systems, products, and services, and Apple has been ringing the quantum bell for years now.


Going Quantum: Big Challenges, Bigger Costs

But even if the security industry is putting its best foot forward, it doesn’t change the reality that for contractors and critical infrastructure organizations needing to comply with these standards, the process will be costly and complex.

Jonathan Nguyen-Duy, chief technology officer (CTO) at quantum security vendor Arqit, tells Dark Reading that many organizations underestimate the scale of this challenge, viewing post-quantum migration as a technology upgrade.

“Cryptography sits everywhere from applications, networks, cloud environments, and software libraries to connected devices and third-party systems,” he says. “That’s why post-quantum migration is much more than swapping one algorithm for another. Every update needs to be tested and implemented without disrupting the business. It requires long-term funding, cross-functional ownership and a level of persistence that many organizations will find challenging.”

Garfield Jones, SVP of research and strategy at post-quantum cryptography vendor QuSecure, says that many agencies are in the inventorying stage, and some have designated PQC leads. “But substantial work remains on implementation and testing of NIST standardized algorithms within agency environments,” he explains. “Smaller agencies may be able to meet these accelerated deadlines, but larger and federated agencies face a more difficult path as previously unaccounted IT and OT assets continue to surface through manual counting processes.”


In 2024, the Office of the National Cyber Director (ONCD) projected that “the total government-wide cost required to perform a migration of prioritized information systems to PQC between 2025 and 2035 will be approximately $7.1 billion in 2024 dollars.”

It is impossible to assess an across-the-board PQC transition cost for organizations because of their different sizes, needs, security readiness levels, assets that need inventorying, and more. 

Quantum encryption vendor QNSQY published a blog covering PQC readiness budgets, explaining that a number of factors drive this cost, including the need for cryptographic inventory tooling, staff time (such as a PQC architect, crypto engineers, and integrators), firmware upgrades, certificate authority costs, quality assurance, vendor migrations, and training. 

Estimates vary, but assessments (including QNSQY’s) range from $100,000 to $500,000 for small organizations (fewer than 100 employees), $1 million to $20 million for mid-sized enterprises (1,000 to 10,000 employees), and from $10 million to $100 million for large enterprises (more than 10,000 employees). It must be noted that because the timeline for many organizations has collapsed, many of these estimates may no longer be accurate.

Jones explains that for many organizations, the most pressing challenge will be to achieve accurate visibility into IT and OT environments as cryptography is embedded across a wide and complex technology stack, compounded by multivendor environments, misaligned update life cycles, and interoperability gaps.

“The $7.1 billion OMB transition budget was scoped for a 2035 deadline; the accelerated timeline will likely drive costs significantly higher as demand for PQC transition services, crypto-agile tooling, hybrid architectures, and backward-compatible solutions intensifies across the federal enterprise,” he says.

To Become Quantum Ready, Start Immediately

One thing generally agreed upon is that becoming quantum-ready is a lengthy, labor-intensive modernization process. 

Celia Merzbacher, executive director of the Quantum Economic Development Consortium (QED-C), tells Dark Reading that organizations that want to get started preparing for PQC migration should visit NIST’s page on the subject, which has a wide range of resources for organizations. She also stresses that “If organizations have not already begun the process of assessing and planning for PQC migration, they should do so immediately.”

Jones recommends starting with a sensitive data life cycle inventory across IT and OT assets, and he echoes the sequence laid out by the executive order: identifying critical systems, locating vulnerable cryptography, and prioritizing remediation by asset criticality, data sensitivity, and operational dependency.

Mike Fleck, senior director at TLS/SSL certificate authority DigiCert, recommends that organizations “start to move all current external TLS connections to TLS 1.3 and ML-KEM, the NIST-standardized post-quantum key exchange mechanism.” Fleck says security leaders who have to communicate quantum risk to their boards should position it as a strategic issue that requires planning and action well in advance.
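As an added illustration of the inventory-then-prioritize sequence Jones describes and of Fleck’s TLS 1.3 plus ML-KEM recommendation (example code written for this article, not from Jones, Fleck, QuSecure or DigiCert), the following Python scorer ranks constructed cryptographic-inventory records by migration urgency, weighting key establishment above signatures because of harvest-now-decrypt-later exposure and using the 2030 and 2031 deadlines quoted above. The record fields, the scoring weights and the ML-DSA suggestion for signatures are this example’s own assumptions, not a cryptographic bill of materials schema.

```python
from dataclasses import dataclass
# Constructed inventory records, roughly what a PQC migration lead collects; field names are assumptions.
@dataclass(frozen=True)
class CryptoUse:
    asset: str
    purpose: str           # "key_establishment" or "signature"
    algorithm: str         # e.g. "RSA-2048", "X25519", "X25519MLKEM768"
    tls_version: str       # negotiated version for TLS endpoints, else ""
    external: bool         # reachable from outside the organization
    criticality: int       # 1 (low) .. 5 (high-value asset / high-impact system)
    shelf_life_years: int  # how long the protected data must stay confidential

DEADLINES = {"key_establishment": 2030, "signature": 2031}  # from the executive order
PQC_FAMILIES = ("MLKEM", "MLDSA", "SLHDSA")

def is_pqc(algorithm: str) -> bool:
    # Covers hybrids such as X25519MLKEM768 as well as plain ML-KEM/ML-DSA names.
    return any(f in algorithm.upper().replace("-", "") for f in PQC_FAMILIES)

def risk_score(u: CryptoUse) -> int:
    # Higher means migrate sooner; 0 means the use is already post-quantum.
    if is_pqc(u.algorithm):
        return 0
    score = u.criticality
    if u.purpose == "key_establishment":
        # Harvest-now-decrypt-later: captured traffic stays exposed for as long as the data matters.
        score += min(u.shelf_life_years, 10) + (3 if u.external else 0)
        if u.tls_version and u.tls_version != "TLS 1.3":
            score += 2  # TLS 1.3 is the prerequisite for ML-KEM key exchange
    return score  # signatures: forgery needs a live quantum computer, so no HNDL surcharge

def remediation(u: CryptoUse) -> str:
    if is_pqc(u.algorithm):
        return "none: already post-quantum"
    if u.purpose == "key_establishment":
        return f"move to TLS 1.3 with ML-KEM key exchange by {DEADLINES['key_establishment']}"
    return f"migrate signatures to ML-DSA by {DEADLINES['signature']}"  # ML-DSA choice is an assumption

def prioritize(inventory: list[CryptoUse]) -> list[tuple[str, int, str]]:
    # (asset, score, action), highest score first; already-migrated uses are dropped.
    ranked = sorted(inventory, key=lambda u: (-risk_score(u), u.asset))
    return [(u.asset, risk_score(u), remediation(u)) for u in ranked if risk_score(u)]

SAMPLE = [  # constructed records
    CryptoUse("vpn-gateway", "key_establishment", "RSA-2048", "TLS 1.2", True, 5, 10),
    CryptoUse("public-web", "key_establishment", "X25519MLKEM768", "TLS 1.3", True, 3, 1),
    CryptoUse("firmware-signing", "signature", "ECDSA-P256", "", False, 5, 15),
    CryptoUse("intranet-wiki", "key_establishment", "X25519", "TLS 1.3", False, 2, 2),
]
```

Running `prioritize(SAMPLE)` puts the externally reachable, long-shelf-life VPN gateway first and drops the already-hybrid public web endpoint.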

“The biggest mistake boards can make is waiting for a cryptographically relevant quantum computer to emerge before acting,” he elaborates. “By the time such a system becomes public knowledge, it is likely to have already existed for some time, and it will be too late to react.”
