
Trump executive orders speed up post-quantum migration, boost industry

By: djohnson
22 June 2026 at 15:56

President Donald Trump signed two executive orders Monday to accelerate the federal government’s transition to post-quantum encryption and reprioritize government financing to support the domestic quantum computing industry. 

The orders, which CyberScoop first reported on last year, direct the government to throw its weight behind the quantum computing industry. They are part of a broader effort by the Trump administration to put its stamp on the development of another key emerging technology.

In May, the Department of Commerce announced letters of intent for more than $2 billion in federal financing incentives for nine quantum companies under the CHIPS and Science Act. Last year, the administration did something similar with its AI-focused executive orders and action plan that created special federal export programs for AI technology and equipment, directed federal agencies to mobilize federal financing tools to support the industry, and cut or curtail regulations that the administration said may impede domestic growth. 

Ahead of the signing, sources previewed details of those orders to CyberScoop. Per one of those sources, who spoke on condition of anonymity to discuss pending administration actions, a “whole of government approach is used to empower research and development into quantum computing, as well as quantum sensing [and other resources].”

They described the Trump administration’s attitude for propping up industry as “don’t let us miss out on prioritizing the feeders for the research or the development of quantum.” 

The second order requires federal civilian networks to adopt quantum-resistant encryption faster than the current 2035 deadline. The new encryption algorithms, vetted by the National Institute of Standards and Technology, will protect against future quantum computer attacks. 

Agencies that miss the new deadline must report to the Office of Management and Budget explaining why. 

On hand for the signing were Department of Energy Undersecretary for Science Darío Gil, Department of Commerce Secretary Howard Lutnick, National Cyber Director Sean Cairncross, Defense Secretary Pete Hegseth, Federal Chief Information Officer Greg Barbaccia, and Office of Science and Technology Policy Director Michael Kratisos.

Multiple executives from technology companies were also on hand for the signing and praised the government’s efforts to boost the industry.

“IBM applauds the Administration for taking this important, timely step forward,” said IBM CEO Arvind Krishna in a statement. “Sound policy, sustained investment and public-private partnership are vital to sustaining U.S. quantum leadership and technological resilience. We’re proud to keep building on this foundation — strengthening U.S. competitiveness and bolstering national security as we shape the quantum future together.”

“At Google, we are proud of our sustained breakthroughs in quantum computing and post-quantum cryptography,” said Google President and Chief Investment Officer Ruth Porat. “Quantum computing is a transformational technology that can advance national security, drug discovery, energy solutions and more.”

Update, 6/22/26, 5:20 p.m.: This story was updated after the signing with details about the orders, the signing ceremony attendees, and comments from IBM’s Arvind Krishna and Google’s Ruth Porat.

The post Trump executive orders speed up post-quantum migration, boost industry appeared first on CyberScoop.

Apple open-sources quantum-resistant encryption code

By: Greg Otto
26 May 2026 at 15:40

Apple has released quantum-resistant cryptographic code and the mathematical verification tools it developed to prove the code’s correctness, making them publicly available for independent review and broader use across the industry.

The release includes implementations of two quantum-secure algorithms, ML-KEM and ML-DSA, along with the formal verification libraries and tools Apple created to validate their accuracy. The company also published detailed documentation of its verification methodology, which it describes as achieving the strongest known correctness results for any widely deployed production implementation of these algorithms.

The quantum-secure algorithms are integrated into corecrypto, Apple’s cryptographic library used across its operating systems. The library handles encryption, decryption, hashing, and digital signatures on over 2.5 billion active devices. Apple began deploying quantum-resistant encryption in iMessage in 2024 and has expanded the technology to VPN services and TLS networking protocols.

One of the tools released is the company’s Cryptol-to-Isabelle translator, which converts cryptographic models between formal languages, along with supporting libraries needed to reproduce the results. Formal verification uses mathematical proofs to show that code works correctly for all possible inputs. Apple translated its code into Cryptol, a formal language developed by Galois, then into Isabelle, a proof assistant from the University of Cambridge and The Technical University of Munich, to prove both matched the official standards. Apple has used Isabelle previously to verify hardware cryptographic components.

The verification process uncovered errors that conventional testing would have missed. Researchers found a missing computational step in the ML-DSA code that would have silently broken digital signatures. If this bug had reached production, messages in iMessage may have appeared authenticated when they actually weren’t, leaving users unaware their communications lacked proper security.

Even with these tools, Apple acknowledged that conventional cryptographic testing and evaluation are still needed for assurance. Formal verification, however, can catch errors that traditional testing cannot. Testing works by trying many scenarios, but complex cryptographic code has far too many possible inputs to test exhaustively, so subtle bugs can hide in the gaps between test cases and never trigger a failure. Formal verification instead uses mathematical proof to establish correctness across all possible inputs at once.

However, Apple’s team writes that it could not formally verify every aspect of its code with the tools available, so it combined approaches: formal verification for core mathematical correctness, conventional testing for aspects formal methods could not cover, and careful evaluation of how all the pieces work together. Apple argues this hybrid approach provides the most robust security for critical cryptographic software.

“Based on our work to date, we believe that the strongest assurance possible comes from combining formal verification with conventional methods and critically evaluating the end-to-end results,” the blog post reads.

Furthermore, the blog states that Apple selected ML-KEM and ML-DSA from among several standardized quantum-resistant algorithms because they best matched the company’s requirements for security, performance, and compact parameters. The algorithms address the threat posed by future quantum computers, which could potentially break the encryption methods currently protecting digital communications.

More information can be found on Apple’s corecrypto GitHub page.


The Canvas breach proved that prevention is no longer enough

By: Greg Otto
18 May 2026 at 06:00

Earlier this month, ShinyHunters breached Instructure’s Canvas platform twice within a single week — stealing 3.65 terabytes of data from approximately 275 million users across more than 8,000 institutions. The group defaced login pages at hundreds of schools during final exam periods, forced Canvas offline, and extracted a ransom payment before Congress opened a formal investigation. The attack did not require exotic malware or zero-day exploits. Attackers entered through compromised “Free-For-Teacher” accounts, escalated rapidly, and exfiltrated sensitive data at scale before Instructure could contain them.

That sequence — entry through weak identity controls, rapid lateral movement, mass exfiltration, extortion, disruption — is now the standard playbook. It will happen again, unless the priority for security and technology leaders becomes reducing the blast radius of every intrusion before it happens.

The problem with how enterprises think about SaaS risk

Modern organizations have consolidated critical operations inside shared SaaS platforms, creating enormous concentrations of risk in single points of failure. When Canvas went down, thousands of students could not access coursework, faculty lost contact with their classes, and administrators scrambled to postpone exams. The scale of disruption came from how deeply institutions depended on Canvas, not from the vulnerability alone.

That asymmetry is the defining feature of SaaS risk in 2026. A single compromised account at a shared platform can trigger sector-wide operational failure. Yet most enterprise security frameworks still treat SaaS platforms primarily as availability problems — measured by uptime, recovery time objectives, and business continuity plans. Canvas exposed the gap in that thinking. Availability means nothing when the platform is operational but the data inside it has already been stolen.

Resilience in SaaS environments requires a harder and more honest premise: treat compromise as continuous and expected. Attackers will reach critical systems. The real test is how much they can take, how far they can move, and how long they can persist before detection and containment.

Identity is the perimeter now

The Canvas attack followed a pattern that has repeated across sectors for years. By compromising legitimate accounts with excessive standing privileges, the attackers moved laterally through Canvas infrastructure, maintained persistence, and exfiltrated data at a scale that took days to quantify.

Too many organizations still operate with fragmented identity controls, inconsistent privilege management, and limited visibility into how accounts interact across SaaS integrations. When attackers compromise a legitimate account, they inherit whatever access that account holds — and in most environments, that access far exceeds what the user actually needs. The result is that identity has become the most reliable attack surface in the modern enterprise, and most organizations are still treating it as a secondary concern.

Strong passwords and multifactor authentication are necessary but no longer sufficient. Enterprises need continuous identity verification, tightly scoped privileges, aggressive governance over third-party integrations, and real-time visibility into anomalous access patterns across SaaS systems. Identity governance cannot be a compliance checkbox. In cloud-native environments, it should be the primary control that determines how far an attacker can travel after getting inside.
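The kind of "anomalous access pattern" the paragraph above describes, a low-tier account that is suddenly granted elevated rights and then pulls records at a volume no ordinary user would, is detectable from a SaaS platform's own audit trail. The following is an added example, not Instructure's, Canvas's or Entrust's code; the audit-log lines, field layout, account names and thresholds are all constructed for illustration and are not real Canvas logs. It keeps a per-account sliding window of records accessed and raises one alert when the volume crosses a threshold, plus a second, higher-severity alert when that burst follows a recent privilege grant.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit events (whitespace-separated for brevity):
# timestamp account action records_touched source_ip.  Not real logs.
SAMPLE_EVENTS = """\
2026-05-02T09:00:05Z teacher_01 login 0 203.0.113.10
2026-05-02T09:01:10Z teacher_01 view_course 1 203.0.113.10
2026-05-02T09:02:00Z teacher_01 export_grades 40 203.0.113.10
2026-05-02T09:05:00Z free_tier_77 login 0 198.51.100.5
2026-05-02T09:05:30Z free_tier_77 role_granted:admin 0 198.51.100.5
2026-05-02T09:06:00Z free_tier_77 api_export_users 50000 198.51.100.5
2026-05-02T09:07:00Z free_tier_77 api_export_users 50000 198.51.100.5
2026-05-02T09:08:00Z free_tier_77 api_export_messages 120000 198.51.100.5
2026-05-02T09:30:00Z teacher_02 login 0 203.0.113.20
2026-05-02T09:31:00Z teacher_02 export_grades 35 203.0.113.20
"""


@dataclass
class Event:
    ts: datetime
    account: str
    action: str
    records: int
    ip: str


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, account, action, records, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            account, action, int(records), ip))
    return events


def detect_anomalies(events, window=timedelta(minutes=10),
                     bulk_threshold=10_000,
                     escalation_grace=timedelta(minutes=30)):
    """Return (account, rule, timestamp) alerts.

    bulk_access: records touched by one account inside `window` exceed
    `bulk_threshold` (fires once per account).
    escalation_then_bulk_access: the same burst happened within
    `escalation_grace` of a role grant to that account.
    Thresholds are illustrative assumptions; tune them per tenant baseline.
    """
    alerts = []
    recent = defaultdict(deque)   # account -> deque of (ts, records) in window
    totals = defaultdict(int)     # account -> records inside the window
    last_grant = {}               # account -> time of most recent role grant
    already_flagged = set()

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action.startswith("role_granted:"):
            last_grant[ev.account] = ev.ts

        q = recent[ev.account]
        q.append((ev.ts, ev.records))
        totals[ev.account] += ev.records
        while q and ev.ts - q[0][0] > window:        # slide the window
            _, old = q.popleft()
            totals[ev.account] -= old

        if totals[ev.account] > bulk_threshold and ev.account not in already_flagged:
            already_flagged.add(ev.account)
            alerts.append((ev.account, "bulk_access", ev.ts))
            grant = last_grant.get(ev.account)
            if grant is not None and ev.ts - grant <= escalation_grace:
                alerts.append((ev.account, "escalation_then_bulk_access", ev.ts))
    return alerts


if __name__ == "__main__":
    for account, rule, ts in detect_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {account}: {rule}")
```

On the constructed sample the two teacher accounts never approach the threshold, while `free_tier_77` trips `bulk_access` on its first 50,000-record export and, because the admin grant happened thirty seconds earlier, also trips the escalation rule. In a real deployment the same logic would sit behind the platform's audit-log export or SIEM feed; the point is that the signal exists before exfiltration completes, but only if someone is looking at it in near real time.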

Data protection cannot stop at the application layer

Even organizations with strong identity controls face a second, underappreciated problem: the data stored inside SaaS platforms is often far less protected than the credentials used to access it.

Enterprises accumulate vast repositories of sensitive information inside SaaS environments — private messages, accommodation requests, financial records, personal disclosures — while relying almost entirely on application-level access controls to protect it. When those controls fail, as they did at Canvas, the data is immediately readable, searchable, and monetizable. 

Attackers do not need to crack anything. They simply take it.

Cryptographic protections — including encryption strategies that preserve organizational control over sensitive data even after it leaves the platform — directly reduce the value of a successful exfiltration. Stolen data that cannot be read or used is far less valuable as an extortion instrument. That distinction matters significantly in today’s threat environment, where the leverage attackers extract from stolen data often outlasts the breach itself.

The threat does not expire when the incident ends 

The “agreement” between Canvas’s parent company and attackers illustrates a risk that most organizations have not yet fully priced in. While Instructure received digital confirmation that the stolen data was destroyed, Congress opened an investigation anyway. The Instructure CEO has been called to testify before the House Homeland Security Committee. Affected institutions — many of which had no visibility into Instructure’s security posture or incident response capabilities — remain accountable for protecting student data they can no longer control.

That accountability gap will not close after Congress concludes its inquiry. Sensitive data stolen during incidents like Canvas retains value long after the breach itself. Adversaries increasingly collect encrypted data today with the expectation that it can be decrypted later as cryptographic standards age or quantum computing capabilities mature. This “harvest now, decrypt later” approach means that encryption protecting data only in the present still leaves organizations exposed downstream.

Strong cryptographic protection must therefore be paired with crypto-agility and post-quantum readiness. Security leaders should assume that any sensitive data exfiltrated during a SaaS breach may remain a target for years, not days. If stolen data remains immediately usable, attackers retain leverage indefinitely. If it does not, the economics of extortion shift.
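The two ideas in the last few paragraphs, data that stays unreadable after it leaves the platform and the ability to swap algorithms later, come down to one design decision: the customer, not the SaaS provider, holds the keys, and every stored ciphertext names the algorithm and key it was produced with. The following is an added example, not Entrust's or any vendor's product code. The algorithm registry, header layout and key IDs are assumptions for illustration, and the encrypt-then-MAC construction built from HMAC (an HMAC counter-mode keystream plus an HMAC tag) is a stand-in chosen so the example runs on the Python standard library; in production you would use a vetted AEAD such as AES-GCM from a reviewed library, with keys in a KMS or HSM.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical algorithm registry (IDs and hash choices are assumptions).
# Version 2 exists only to show a stored ciphertext being re-wrapped under a
# newer algorithm: that is the crypto-agility the article calls for.
ALGORITHMS = {1: hashlib.sha256, 2: hashlib.sha3_256}
NONCE_LEN = 16
TAG_LEN = 32  # both registered hashes produce 32-byte digests


def _subkeys(alg, master_key):
    """Derive independent encryption and MAC keys from one master key."""
    h = ALGORITHMS[alg]
    return (hmac.new(master_key, b"enc", h).digest(),
            hmac.new(master_key, b"mac", h).digest())


def _keystream(alg, enc_key, nonce, length):
    """HMAC in counter mode as a keystream (stand-in for a real cipher)."""
    h = ALGORITHMS[alg]
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), h).digest()
        counter += 1
    return bytes(out[:length])


def seal(alg, key_id, keyring, plaintext):
    """Encrypt-then-MAC. The clear header carries alg ID, key ID and nonce."""
    enc_key, mac_key = _subkeys(alg, keyring[key_id])
    nonce = os.urandom(NONCE_LEN)
    header = struct.pack(">BB", alg, key_id) + nonce
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(alg, enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + body, ALGORITHMS[alg]).digest()
    return header + body + tag


def open_envelope(blob, keyring):
    alg, key_id = struct.unpack(">BB", blob[:2])
    if alg not in ALGORITHMS:
        raise ValueError("unknown algorithm id")
    if key_id not in keyring:
        raise KeyError("key not held by this party")
    header, body, tag = blob[:2 + NONCE_LEN], blob[2 + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(alg, keyring[key_id])
    expected = hmac.new(mac_key, header + body, ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        raise ValueError("authentication failed")
    nonce = header[2:]
    return bytes(c ^ k for c, k in zip(body, _keystream(alg, enc_key, nonce, len(body))))


def rotate(blob, keyring, new_alg, new_key_id):
    """Crypto-agility: decrypt under the old alg/key, re-seal under the new."""
    return seal(new_alg, new_key_id, keyring, open_envelope(blob, keyring))


def decrypts_to(blob, keyring, expected):
    try:
        return open_envelope(blob, keyring) == expected
    except (KeyError, ValueError):
        return False


def demo():
    org_keyring = {1: os.urandom(32), 2: os.urandom(32)}  # held by the customer, not the SaaS
    record = b"accommodation request: student 4471, extended time for exams"  # constructed
    stored = seal(1, 1, org_keyring, record)               # what the platform stores
    tampered = stored[:-1] + bytes([stored[-1] ^ 1])       # one flipped tag bit
    rotated = rotate(stored, org_keyring, 2, 2)            # move to alg 2 / key 2
    return {
        "owner_reads": decrypts_to(stored, org_keyring, record),
        "thief_reads": decrypts_to(stored, {}, record),        # exfiltrated copy, no keys
        "tamper_detected": not decrypts_to(tampered, org_keyring, record),
        "rotated_alg": rotated[0],
        "rotated_reads": decrypts_to(rotated, org_keyring, record),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the article's argument depends on. First, a symmetric envelope like this is not what a quantum computer breaks; the exposure is in the RSA or elliptic-curve key exchange and key wrapping that move such keys around, so the same versioned-header discipline has to extend to those layers, where the replacement is ML-KEM or a hybrid. Second, the header makes rotation possible, but only a re-encryption job like `rotate` actually removes the old algorithm from the data at rest; an inventory that shows which algorithm ID each stored object carries is how you know the job is finished.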

What the Canvas breach actually demands

The lesson from Canvas is not that SaaS platforms are inherently insecure. They remain foundational to how modern organizations operate and scale. The lesson is that the assumptions underlying most enterprise security strategies — that prevention is the primary objective, that access controls are sufficient data protection, that recovery means restoring uptime — no longer match the realities of today’s threat environment.

Attackers have already internalized this. They target SaaS platforms precisely because the concentration of data and operational dependency makes them extraordinarily high-value targets. They exploit identity weaknesses because those weaknesses are pervasive and reliable. They apply extortion pressure because stolen data retains leverage long after technical remediation.

The organizations that close this gap — by treating identity governance as mission-critical infrastructure, implementing cryptographic protections that survive exfiltration, building recovery discipline alongside prevention, and planning for post-quantum exposure — will be significantly better positioned when the next breach arrives. And it will arrive. The only variable is how much it costs.

Rishi Kaushal is the CIO of Entrust, a company that helps organizations fight fraud and cyber threats with identity-centric security.


Why is the timeline to quantum-proof everything constantly shrinking?

By: djohnson
9 April 2026 at 17:05

When Google announced last month it was moving up its own internal timeline for migrating to quantum-resistant forms of encryption, it started a broader conversation in the cybersecurity and cryptography communities: Just what was pushing one of the largest tech companies in the world to significantly accelerate its adoption of post-quantum protections for its systems, devices and data?

In the weeks since, new research has lent weight to those concerns. A joint research paper from the California Institute of Technology, its tech startup Oratomic and the University of California concluded that advances in neutral atom arrays indicate a quantum computer capable of breaking classical encryption may require as few as 10,000 quantum bits (qubits), not millions as previously thought.

Qian Xu, a Caltech researcher and coauthor of the paper, said the findings are significant and indicate that such a computer could be operational by the end of the decade.

“For decades, qubit count has been viewed as the main obstacle to fault-tolerant quantum computing,” Xu said in a statement. “I hope our work helps shift that perspective.”

Google’s Quantum AI division released its own research paper around the same time, outlining a twenty-fold decrease in the number of physical qubits believed to be needed to break the 256-bit elliptic curve cryptography that currently secures most cryptocurrencies.

“We note that while viable solutions like [post-quantum cryptography] exist, they will take time to implement, bringing increasing urgency to act,” wrote Ryan Babbush, director of research, and Hartmut Neven, vice president of engineering at Google.

Google’s decision to accelerate its shift to post-quantum encryption reflects a growing consensus. Over the past year, CyberScoop has heard similar concerns from tech and government officials, typically centered on two quantum-related threats facing governments and businesses today.

One is the capability of foreign nations and cybercriminals to collect sensitive, encrypted data today in the hopes of breaking it later with a quantum computer. This “harvest now, decrypt later” technique is one of the main reasons proponents push for faster adoption of post-quantum encryption.

The second stems from a string of notable quantum computing breakthroughs over the past two years, many led by researchers in China.

Andrew McLaughlin, chief operating officer for SandboxAQ, a Software-as-a-Service company focused on AI and quantum computing technologies, said the concerns can be summed up as “hardware, math and China.”

Advancements in areas like neutral atom arrays have given scientists more powerful hardware, while breakthroughs in mathematics like that in the Google research paper have found ways to use that hardware more efficiently. 

But he also pointed to what he described as exciting (and worrying) advancements in the field from some of America’s greatest international rivals.

Beijing has invested heavily in quantum computing, empowering top scientists like Pan Jianwei, a professor at the University of Science and Technology of China, with the resources and support to push the boundaries of technological development and position China as a world leader in quantum science.

Late last year, Chinese state media reported that Huanyuan 1, a 100-qubit quantum computer developed by researchers at Wuhan University under a Chinese government grant program, had been approved for commercial use. The reports claim that orders worth more than 40 million yuan (about $5.6 million) have already been placed, including by subsidiaries of the domestic telecom China Mobile and by the government of Pakistan.

Experts say quantum computers pose a potentially exceptional threat to blockchain-based cryptocurrencies.

Nathaniel Szerezla, chief growth officer at Naoris Protocol, a company that develops quantum-resistant encryption for blockchain infrastructure, said the paper from Oratomic and Caltech has “shifted the timeline” for planning around quantum encryption, particularly for cryptocurrency and blockchain platforms.

The underlying assumption had been that a “fault tolerant” quantum computer (i.e. one capable of threatening classical encryption) would require millions of qubits, but the paper suggests it may need as few as 10,000.

“Ultimately, we have gone from planning for a threat two decades out to one that overlaps with systems actively being deployed and funded,” Szerezla said.

For digital assets like cryptocurrency, the implications are “immediate” because the public-key signature schemes underpinning billions of dollars on blockchains were never designed to withstand attacks from a quantum computer.

“Migrating a live blockchain to post-quantum standards is a different problem entirely from upgrading a centralized system,” Szerezla continued. “You are dealing with immutable ledgers, billions in locked liquidity, and decentralized governance that cannot mandate a coordinated upgrade.”

Not everyone believes that we are on the cusp of a quantum hacking apocalypse.

On Bluesky, Matthew Green, a computer science professor and cryptography expert at Johns Hopkins University, called the Google and Oratomic papers a good “precautionary” analysis of the long-term challenge of quantum encryption.

However, he expressed skepticism that quantum computing had enough “lucrative immediate applications” to push the field beyond its foundational research stage to more practical applications. He also questioned whether some of the newer quantum-resistant algorithms vetted by NIST would truly stand up to a real quantum computer. They were designed to protect against a threat that is still largely theoretical, and several of the post-quantum algorithms initially evaluated by NIST have turned out to contain vulnerabilities that could be exploited by classical computers.

That’s if one does indeed arrive in the next decade. Green said this week that he’s not convinced quantum-enabled hacks will be something to worry about in his lifetime, though he acknowledged that prediction might “haunt him” someday.

Nevertheless, “I’d bet huge amounts of money against a relevant quantum computer by 2029 or even 2035,” he wrote.


Akira ransomware group can go from initial access to data encryption in less than an hour

By: djohnson
2 April 2026 at 12:26

The Akira ransomware group has compromised hundreds of victims over the past year with a well-honed attack lifecycle that has whittled down the time from initial access to data encryption to less than four hours, according to cybersecurity firm Halcyon.

Akira has been active since 2023, racking up at least $245 million in ransom payments from victims through September 2025. The cybercriminal outfit likely includes former members and affiliates of the now-defunct Conti ransomware group, and is known for its polished approach to digital extortion.

A primary example is the efficiency of Akira’s infection cycle, which leaves defenders a window of hours, not days, to respond. According to Halcyon, Akira is known for using zero-day vulnerabilities, buying access from initial access brokers and exploiting VPNs lacking multifactor authentication to get into victim networks. Akira also uses “intermittent encryption,” encrypting only portions of each large file rather than the whole file, which makes the encryption step much faster while still rendering the file unusable.
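Intermittent encryption has a detection side effect worth knowing: a partially encrypted file is a mix of near-random blocks and untouched plaintext, which no legitimate file format produces. The following is an added example, not Halcyon's or Akira's code. It scores a file in fixed-size chunks by Shannon entropy and classifies it as plaintext, fully encrypted or partially encrypted. The sample document is constructed, and the "every other chunk" pattern with a SHAKE-derived keystream is a toy stand-in used only so the example is deterministic; it is an assumption, not a description of Akira's actual scheme.

```python
import hashlib
import math

CHUNK = 4096  # assumed scan granularity


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


# Formats that are legitimately high-entropy everywhere; flagging them as
# "fully_encrypted" would be a false positive (list is illustrative, not complete).
COMPRESSED_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\xff\xd8\xff": "jpeg"}


def classify(data: bytes, high: float = 7.5, low: float = 6.5) -> str:
    """Thresholds are assumptions: random bytes score ~7.95/chunk, text ~4-5."""
    for magic, _name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return "compressed_format"
    ents = chunk_entropies(data)
    hi = sum(e > high for e in ents)
    lo = sum(e < low for e in ents)
    if ents and hi == len(ents):
        return "fully_encrypted"
    if hi == 0:
        return "plaintext"
    if lo:
        return "partially_encrypted"   # the intermittent-encryption signature
    return "indeterminate"


def sample_document(size: int = CHUNK * 8) -> bytes:
    """Constructed stand-in for a document; not a real file."""
    line = b"Quarterly revenue report, region EMEA, figures in thousands USD.\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_intermittent_encryption(data: bytes, every: int = 2,
                                     chunk: int = CHUNK, seed: bytes = b"toy-key") -> bytes:
    """Toy model: XOR every `every`-th chunk with a SHAKE keystream (assumption)."""
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), chunk)):
        if idx % every == 0:
            block = data[start:start + chunk]
            ks = hashlib.shake_256(seed + idx.to_bytes(4, "big")).digest(len(block))
            out[start:start + chunk] = bytes(b ^ k for b, k in zip(block, ks))
    return bytes(out)


if __name__ == "__main__":
    doc = sample_document()
    for label, blob in [("original", doc),
                        ("intermittent", simulate_intermittent_encryption(doc)),
                        ("full", simulate_intermittent_encryption(doc, every=1))]:
        print(label, classify(blob), [round(e, 2) for e in chunk_entropies(blob)])
```

A scanner that only compares whole-file entropy against a threshold sees a half-encrypted file as ambiguous; per-chunk scoring turns the same file into an unambiguous alternating pattern. The magic-byte check matters in practice because archives, images and already-encrypted containers are high-entropy by design and would otherwise dominate the alert queue.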

“Akira is more stealthy and less aggressive allowing the ransomware to move swiftly through the entire ransomware attack kill chain from initial access to exfiltration, and encryption in as little as 1 hour without detection,” Halcyon wrote in a blog published Thursday. “In most cases, the time from initial access to encryption was less than four hours.” 

Additionally, while most ransomware operators tend to spend “about 90-95%” of their time developing their encryption malware and 5-10% on crafting decryptors, Halcyon said Akira has made “extensive efforts to ensure the recovery of large files, like server images,” going so far as to temporarily auto-save files with custom .akira extensions to ensure they can be recovered if the encryption process is interrupted.

Halcyon’s blog notes that these efforts are likely driven less by ethical principles than by the group’s belief that offering functional decryptors increases the chance that a business will pay the ransom. Akira’s combination of rapid infection with a more reliable way for firms to recover their data is something that “sets it apart from many ransomware operators.”

“The group’s ability to move from initial access to full encryption in under an hour, while maintaining recovery guarantees that incentivize victim payment, reflects a mature, business-driven criminal enterprise,” Halcyon said.

The group has been observed exploiting vulnerabilities in Veeam backup and replication servers, Cisco VPNs and SonicWall appliances. Like other ransomware groups, Akira uses a double-extortion model against victims, stealing their data before encrypting it, then threatening to publish the stolen data online if businesses don’t pay.

Last year, the FBI and the Cybersecurity and Infrastructure Security Agency flagged Akira as one of the top ransomware criminal groups in the world, primarily targeting small- and medium-sized businesses in the manufacturing, education, IT, health care, financial and agricultural sectors.


Google moves post-quantum encryption timeline up to 2029

By: djohnson
25 March 2026 at 17:44

Google is accelerating its timeline for migrating its products to quantum-resistant encryption to 2029, the latest sign that tech leaders are worried they haven’t been aggressive enough in planning for a post-quantum future.

In a blog posted Wednesday, vice president of security engineering Heather Adkins and senior staff cryptology engineer Sophie Schmieg said that Google and other tech companies have observed faster than expected advances in several quantum fields.

“This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” Adkins and Schmieg wrote.

Google is replacing outdated encryption across its devices, systems and data with new algorithms vetted by the National Institute of Standards and Technology. Those algorithms, selected through a NIST competition that ran for nearly a decade with submissions from independent cryptographers, are designed to protect against future attacks from quantum computers.

While Google has said it is on track to migrate its own systems ahead of the 2035 timeline provided in NIST guidelines, last month leaders at the company teased an updated timeline for migration and called on private businesses and other entities to act more urgently to prepare.

Unlike federal agencies, private businesses face no mandate to migrate to quantum-resistant encryption by a set date, or even to do so at all. Adkins and Schmieg said the hope is that other businesses will view Google’s aggressive timeframe as a signal to follow suit.

“As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline,” they wrote. “By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry.”

Moving up Google’s internal timeline to 2029 – more ambitious than the U.S. federal government’s – is an attempt to get ahead of the problem. It also aligns with a growing belief among executives in the U.S. quantum sector, who say Chinese scientists and labs have achieved breakthroughs across several different fields of quantum computing over the past two years.

That, too, is making U.S. tech policymakers anxious to implement newer encryption more quickly. Currently, the federal government is mandating that agencies switch over to quantum-resistant encryption by 2035, but CyberScoop reported last year that the White House has discussed the possibility of releasing its own executive order that would push agency timelines up to 2030 or sooner.


It’s time to get serious about post-quantum security. Here’s where to start.

By: Greg Otto
17 March 2026 at 06:00

After decades of development, quantum computing is now becoming increasingly available for advanced scientific and commercial use. The potential marvels range from accelerating drug discovery and materials science, to optimizing complex logistics and financial modeling.

But there’s a paradox to this trend: Quantum computing also poses a growing threat to data security.

The risk is that the algorithms and protocols currently used to secure devices, applications and computer systems could eventually be broken by malicious actors using quantum computing, compromising even the strongest security measures. By some estimates, widely used encryption standards such as RSA and ECC could be cracked by quantum computers as soon as 2029—a doomsday known as “Q-Day,” when current security standards would be rendered ineffective by quantum computing’s number-calculating prowess.

The possibility that quantum computing could break today’s data protection protocols is prompting chief security officers and chief technology officers to ramp up countermeasures. They’re doing it with post-quantum cryptography (PQC), a niche area of cybersecurity that is rising in priority across the business world. Lack of preparedness could be costly, with one report putting the potential U.S. economic cost of a quantum attack at more than $3 trillion. Even before that potential calamity, the current average cost of a data breach is upwards of $10 million, and that number will only increase commensurate with the scale of a quantum-induced breach.

That is why the quantum threat should not be treated as a concern only for forward-thinking executives. It must become a board-level issue for every enterprise. Organizations should launch a comprehensive PQC initiative that builds enterprise-wide awareness and updates digital systems and data assets to be resilient against quantum attacks.

Waiting until Q-Day would be a mistake because people will not know when it occurs. It probably will not arrive with press releases or product announcements. Instead, it may unfold quietly as attackers try to maximize what they can steal before anyone notices. The reality is that sensitive data is already at risk of being stolen and stored away so it can be decrypted once Q-Day is a reality, an attack referred to as “harvest now, decrypt later.” Security pros need to give this immediate attention, even if the ultimate threat appears to be a few years away.

Quantum-proofing data at scale

Security teams are usually focused on immediate threats, but they still have a window of opportunity to prepare for Q-Day, as long as they start now. 

One interim measure underway is the transition to shorter-lived versions of the digital certificates and keys that are already pervasive in business and everyday life. Such certificates, which act as identity credentials, are used to authenticate billions of users, devices, documents and other forms of communications and endpoints. The certificates contain cryptographic keys. Security teams are phasing in “47-day certificates,” which expire and must be replaced within 47 days, far more frequently than the current generation, which also forces the key inside to be rotated on that cadence. It’s a step in the right direction, but not enough.

Establishing a hardened PQC defense requires much more than a standard software patch or an upgrade to the public key infrastructure (PKI) used nearly everywhere to manage digital certificates and encrypt data. An enterprise-wide PQC strategy must be adopted and implemented at scale.

Consider the rapid rise of agentic AI, where organizations may need to assign digital identities to thousands or even millions of AI agents. That will require a level of authentication that goes well beyond existing infrastructure.

These projects will be led by the CISO but planning and execution should include other business leaders because post-quantum security must reach every part of the organization’s digital environment. Boards also need to be involved, given the governance stakes and the significant capital investment required. 

Developing a multi-year, multi-pronged strategy

Organizations in regulated industries—banking, healthcare and government, for example—are generally a step ahead in bracing for the post-quantum threat. Regardless of industry, though, few are fully prepared because readiness requires a detailed picture of an organization’s end-to-end data and security landscape.

In my experience, that holistic view is a rarity. For CISOs and their line-of-business colleagues, a good starting point is creating a comprehensive inventory of systems and data across the enterprise, then prioritizing what needs to be safeguarded.

Another important step is to begin testing and adopting the quantum-resistant algorithms that NIST standardized in August 2024: ML-KEM for key establishment (FIPS 203) and ML-DSA and SLH-DSA for digital signatures (FIPS 204 and 205), along with the protocols that carry them. A growing range of PKI products and platforms support those specifications. Tooling support matters because the only way enterprises will be able to orchestrate, monitor and manage a deployment of this scope is through automation.

Such updates are vital, but this isn’t a matter of simply replacing pre-quantum specs with newer ones. Because PQC will be a multi-year undertaking, organizations must bridge the gap between old and new. The best strategy for some will be a hybrid approach that combines classical cryptography and next-gen algorithms, though standardization remains a work in progress. Other organizations are driving toward a “pure” or unblended post-quantum model.

As for those harvest attacks, the best defense is straightforward: Encrypt your most sensitive long-lived data with quantum-resistant algorithms ASAP. In practice the weak link is the asymmetric layer. Data at rest under AES-256 is already considered quantum-resistant; what has to be replaced is the RSA or elliptic-curve key exchange and key wrapping that protect the symmetric keys.
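The inventory-and-prioritize step above, and the focus on long-lived data, can be made concrete with a triage rule. The following is an added example, not code from the author or from Keyfactor. It applies Mosca’s inequality (a system is already exposed to harvest-now-decrypt-later when data shelf life plus migration time exceeds the years until a cryptographically relevant quantum computer) to a constructed inventory. The ten-year time-to-quantum figure and every asset record are assumptions chosen for the worked run, not facts from the article.

```python
"""Added example: triage a cryptographic inventory for PQC migration.

Mosca's inequality: an asset is exposed when

    shelf_life + migration_time > years_until_CRQC

where CRQC is a cryptographically relevant quantum computer. For signing
systems, "shelf life" is how long the signature must remain trustworthy
(e.g. the service life of firmware), since a CRQC enables forgery.
"""
from dataclasses import dataclass

# ASSUMPTION for the worked run: the organisation budgets for a CRQC in 10 years.
YEARS_TO_CRQC = 10

# Public-key schemes broken outright by Shor's algorithm.
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "EdDSA", "X25519"}
# Symmetric/hash primitives only weakened by Grover (fix: larger parameters).
GROVER_WEAKENED = {"AES-128", "3DES", "SHA-1"}
# NIST-standardised PQC (FIPS 203/204/205) and symmetric primitives at 256-bit strength.
QUANTUM_SAFE = {"AES-256", "SHA-256", "SHA-384", "ML-KEM-768", "ML-KEM-1024",
                "ML-DSA-65", "ML-DSA-87", "SLH-DSA"}


@dataclass
class Asset:
    name: str
    algorithm: str
    data_shelf_life_years: float   # how long confidentiality/integrity must hold
    migration_years: float         # realistic time to move this system to PQC


def classify(algorithm):
    """Bucket an algorithm name; anything unrecognised must be investigated."""
    if algorithm in SHOR_BROKEN:
        return "quantum-vulnerable"
    if algorithm in GROVER_WEAKENED:
        return "quantum-weakened"
    if algorithm in QUANTUM_SAFE:
        return "quantum-safe"
    return "unknown"


def exposure(asset, years_to_crqc=YEARS_TO_CRQC):
    """Return (category, exposed, margin_years); negative margin = already too late."""
    category = classify(asset.algorithm)
    margin = years_to_crqc - (asset.data_shelf_life_years + asset.migration_years)
    # Only Shor-broken schemes are counted as exposed; Grover-weakened ones are
    # flagged for parameter upgrades but do not fail Mosca's test on their own.
    exposed = category == "quantum-vulnerable" and margin < 0
    return category, exposed, margin


def prioritise(assets, years_to_crqc=YEARS_TO_CRQC):
    """Exposed vulnerable assets first (smallest margin first), then unknowns,
    then Grover-weakened, then already-safe assets."""
    rank = {"quantum-vulnerable": 0, "unknown": 1, "quantum-weakened": 2, "quantum-safe": 3}
    rows = []
    for a in assets:
        cat, exposed, margin = exposure(a, years_to_crqc)
        rows.append({"name": a.name, "algorithm": a.algorithm, "category": cat,
                     "exposed": exposed, "margin_years": margin})
    rows.sort(key=lambda r: (not r["exposed"], rank[r["category"]], r["margin_years"]))
    return rows


# Constructed sample inventory (assumed, not from the article).
SAMPLE_INVENTORY = [
    Asset("customer-records-archive", "RSA", data_shelf_life_years=25, migration_years=3),
    Asset("payments-api-tls", "ECDH", data_shelf_life_years=1, migration_years=2),
    Asset("device-firmware-signing", "ECDSA", data_shelf_life_years=15, migration_years=5),
    Asset("backup-encryption", "AES-128", data_shelf_life_years=20, migration_years=1),
    Asset("legacy-mainframe-link", "proprietary", data_shelf_life_years=5, migration_years=4),
    Asset("internal-docs-pqc-pilot", "ML-KEM-768", data_shelf_life_years=30, migration_years=0),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_INVENTORY):
        flag = "EXPOSED " if r["exposed"] else "        "
        print(f"{flag}{r['name']:28} {r['algorithm']:12} {r['category']:20} margin={r['margin_years']:+.0f}y")
```

The ordering is the point: the archive with a 25-year shelf life ranks above the public TLS endpoint even though both use quantum-vulnerable algorithms, because TLS session data with a one-year shelf life still has headroom. Unrecognised algorithm names sort near the top deliberately, since an inventory entry nobody can classify is itself a finding.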

PQC is a shared responsibility

Unfortunately, there is no finish line in the race to quantum-era security. And even if an organization locks down its systems against emerging threats, there’s no guarantee that customers and business partners will do the same.

Many vulnerabilities will still remain, which is why the business case for PQC includes protecting customer data and safeguarding reputation and brand trust as digital threats evolve quickly. Even today, a major breach can cost millions and inflict lasting damage to a corporate brand.

Quantum computing promises to bring many new capabilities to business and society—from transforming supply chain optimization and risk analysis, to enabling breakthrough discoveries in medicine and climate science. But the potential risks are just as substantial. After years of watching and waiting for quantum, business leaders have little choice but to take action.

Chris Hickman is the chief security officer of Keyfactor, a leading provider of quantum-safe security solutions. 

The post It’s time to get serious about post-quantum security. Here’s where to start. appeared first on CyberScoop.

No, it’s not ‘unnecessarily burdensome’ to control your own data

By: Greg Otto
10 March 2026 at 06:00

According to a recent report, the State Department sent a cable urging U.S. diplomats to oppose international data sovereignty regulations like GDPR, characterizing these guardrails as “unnecessarily burdensome.” 

In the cable, the State Department claims that data sovereignty regulations “disrupt global data flows, increase costs and cybersecurity risks, limit Artificial Intelligence (AI) and cloud services, and expand government control in ways that can undermine civil liberties and enable censorship.”

Underpinning this argument is both a legitimate concern and a critical misconception.

The truth is that actual data sovereignty is technical, not territorial. 

Data localization is a blunt instrument trying to solve a sophisticated problem. Mandating that data stay within geographic boundaries doesn’t actually ensure that data owners retain control over how their information is accessed, used, or shared. People move; endpoints move; data must move.

European regulators have already defined what digital sovereignty actually requires. Specifically, in the aftermath of Schrems II, the European Data Protection Board made clear that sovereignty is preserved when data is strongly encrypted and the encryption keys remain solely under the control of the data owner in Europe. That clarity is often lost in broader geopolitical debates. 

True data sovereignty requires governments, enterprises, and citizens to retain cryptographic authority over who can access their information, regardless of where it is processed. Forcing data to sit inside national borders accomplishes little if foreign vendors still hold the keys. Sovereignty is fundamentally a technical challenge: it depends on controlling access through encryption and authentication, not simply controlling physical location.

There is a widespread belief that data sovereignty is disruptive to innovation, commerce, and national security. This is a misconception.

The memo presents a false choice: that we must either accept unfettered cross-border data flows with minimal protections in place for the data owner, or implement burdensome localization requirements that stifle innovation and collaboration.

This is simply not true, and the rise of data-centric security proves it: From the U.S., to Five Eyes nations, to the Indo-Pacific, security leaders are embracing this model. Rather than focusing efforts solely on building a strong perimeter boundary, controls and policies must instead follow the data itself, wherever it moves, providing more resilient and contextual protection. This is the central pillar of the DoW’s own Zero Trust strategy, and the model for agencies across the U.S. federal government and beyond. 

Even the Department of State’s own ITAR (the U.S. International Traffic in Arms Regulations) treat sensitive munitions data with location-specific requirements. There are good reasons for some types of sensitive information to be shielded from external eyes.

Context matters. We should not dismantle well-established data sovereignty standards without clear technical alternatives in place. Instead, we need to evaluate how to more effectively protect and govern sensitive data, without impeding the free flow of information. 

Data-centric security fortifies data sovereignty and liberates secure data flows. 

By shifting the focus from walls — border-specific protections, localization, and perimeters — to the data itself, you can fundamentally transform global data flows. When data is actually governed, tagged, and understood, it can move safely, through trusted channels, to achieve mission success.

In a data-centric security environment, a government agency can leverage cloud services from any provider while maintaining sovereign control over sensitive information by managing and hosting their own encryption keys, additionally providing resilience from third-party breaches with cloud service providers or other partners. 

This isn’t theoretical. Modern data-centric security architectures are in production today, with open standards like the Trusted Data Format enabling platform-agnostic, global data sharing among partners. It’s the antithesis of a data silo, allowing data to travel under very specific conditions and with governance attached to each data object itself. The U.K.’s Operation Highmast is a prime example of the success that comes from dynamic, intelligent data sharing among trusted partners. 
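The architecture described in the last three paragraphs (the owner hosts the keys, the provider stores only ciphertext, and governance travels with each object) can be sketched in code. The following is an added illustration, not Virtru’s code and not an implementation of the Trusted Data Format specification; it uses the same design ideas in simplified form. It assumes the third-party Python `cryptography` package, and the policy schema, the `release_to` field and the sample plaintext are constructed for the example.

```python
"""Added example: a self-governing data object with owner-held keys.

Roles:
  - data owner: holds the key-encryption key (KEK); wraps per-object data keys
    and runs the key-release check.
  - storage/cloud provider: stores the object; sees ciphertext, a wrapped DEK
    and a policy, but never the KEK.
  - requester: receives the DEK only if the owner's policy check passes.
The policy is bound to the DEK with an HMAC and also fed to AES-GCM as
associated data, so it cannot be swapped for a more permissive one.
Requires: pip install cryptography
"""
import base64
import hashlib
import hmac
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap


def _b64(b):
    return base64.b64encode(b).decode()


def _policy_bytes(policy):
    # Canonical serialisation so owner and requester hash the same bytes.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def protect(plaintext, policy, kek):
    """Owner side: encrypt under a fresh DEK, wrap the DEK with the KEK,
    bind the policy. The returned dict is everything the provider stores."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    pb = _policy_bytes(policy)
    return {
        "policy": policy,
        "policy_binding": hmac.new(dek, pb, hashlib.sha256).hexdigest(),
        "wrapped_dek": _b64(aes_key_wrap(kek, dek)),
        "nonce": _b64(nonce),
        "ciphertext": _b64(AESGCM(dek).encrypt(nonce, plaintext, pb)),
    }


def release_key(obj, requester, kek):
    """Owner's key service: enforce policy, unwrap the DEK, verify the policy
    binding before handing the DEK to the requester."""
    if requester.get("nation") not in obj["policy"].get("release_to", []):
        raise PermissionError("policy denies requester")
    dek = aes_key_unwrap(kek, base64.b64decode(obj["wrapped_dek"]))
    expected = hmac.new(dek, _policy_bytes(obj["policy"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["policy_binding"]):
        raise ValueError("policy has been altered since the object was protected")
    return dek


def decrypt(obj, dek):
    """Requester side: AES-GCM decrypt; associated data re-checks the policy."""
    return AESGCM(dek).decrypt(base64.b64decode(obj["nonce"]),
                               base64.b64decode(obj["ciphertext"]),
                               _policy_bytes(obj["policy"]))


def provider_can_decrypt(obj):
    """What a provider (or an intruder in its environment) can do without the KEK:
    try unwrapping with a key it does hold. Returns False on failure."""
    try:
        aes_key_unwrap(os.urandom(32), base64.b64decode(obj["wrapped_dek"]))
        return True
    except InvalidUnwrap:
        return False


def demo():
    """Run the four scenarios and return their outcomes for inspection."""
    kek = os.urandom(32)  # constructed; in practice held in the owner's sovereign HSM/KMS
    policy = {"classification": "OFFICIAL", "release_to": ["GBR", "USA"]}
    obj = protect(b"constructed sample: logistics plan", policy, kek)

    ok = decrypt(obj, release_key(obj, {"nation": "GBR"}, kek))

    try:
        release_key(obj, {"nation": "FRA"}, kek)
        denied = False
    except PermissionError:
        denied = True

    # Provider (or attacker) relabels the object with a wider release list.
    tampered = dict(obj)
    tampered["policy"] = {"classification": "OFFICIAL", "release_to": ["GBR", "USA", "FRA"]}
    try:
        release_key(tampered, {"nation": "FRA"}, kek)
        tamper_caught = False
    except ValueError:
        tamper_caught = True

    return {"plaintext": ok, "foreign_denied": denied,
            "tamper_caught": tamper_caught, "provider_can_decrypt": provider_can_decrypt(obj)}


if __name__ == "__main__":
    print(demo())
```

The separation of `release_key` from `decrypt` is the sovereignty point: the owner’s key service can be hosted anywhere the owner chooses, the ciphertext can sit in any provider’s cloud, and the provider holds nothing that lets it read or relabel the data.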

In an era defined by AI acceleration and geopolitical competition, sovereignty and interoperability must be engineered to reinforce one another — not framed as tradeoffs.

Angel Smith is the president of global public sector for Virtru.

The post No, it’s not ‘unnecessarily burdensome’ to control your own data appeared first on CyberScoop.
