Google is accelerating its timeline for migrating its products to quantum resistant encryption to 2029, the latest sign that tech leaders are worried that they haven’t been aggressive enough in planning for a post-quantum future.

In a blog posted Wednesday, vice president of security engineering Heather Adkins and senior staff cryptology engineer Sophie Schmieg said that Google and other tech companies have observed faster than expected advances in several quantum fields.

“This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” Adkins and Schmieg wrote.

Google is replacing outdated encryption across their devices, systems and data with new algorithms vetted by the National Institute for Standards and Technology. Those algorithms, developed over a decade by NIST and independent cryptologists, are designed to protect against future attacks from quantum computers.

While Google has said it is on track to migrate its own systems ahead of the 2035 timeline provided in NIST guidelines, last month leaders at the company teased an updated timeline for migration and called on private businesses and other entities to act more urgently to prepare.

Unlike the federal government, there is no mandate for private businesses to migrate to quantum-resistant encryption, or even that they do so at all. Adkins and Schmieg said the hope is that other businesses will view Google’s aggressive timeframe as a signal to follow suit.

“As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline,” they wrote. “By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry.”

Moving up Google’s internal timeline to 2029 – more ambitious than the U.S. federal government’s – is an attempt to get ahead of the problem. It also aligns with a growing belief among executives in the U.S. quantum sector, who say Chinese scientists and labs have achieved breakthroughs across several different fields of quantum computing over the past two years.

That too, is making U.S. tech policymakers anxious to more quickly implement newer encryption. Currently, the federal government is mandating that agencies switch over to quantum-resistant encryption by 2035, but CyberScoop reported last year that the White House has discussed the possibility of releasing its own executive order that would push agency timelines up to 2030 or sooner.

The post Google moves post-quantum encryption timeline up to 2029 appeared first on CyberScoop.

After decades of development, quantum computing is now becoming increasingly available for advanced scientific and commercial use. The potential marvels range from accelerating drug discovery and materials science, to optimizing complex logistics and financial modeling.

But there’s a paradox to this trend: Quantum computing also poses a growing threat to data security.

The risk is that the algorithms and protocols currently used to secure devices, applications and computer systems could eventually be broken by malicious actors using quantum computing, compromising even the strongest security measures. By some estimates, widely used encryption standards such as RSA and ECC could be cracked by quantum computers as soon as 2029—a doomsday known as “Q-Day,” when current security standards would be rendered ineffective by quantum computing’s number-calculating prowess.

The possibility that quantum computing could break today’s data protection protocols is prompting chief security officers and chief technology officers to ramp up countermeasures. They’re doing it with post-quantum cryptography (PQC), a niche area of cybersecurity that is rising in priority across the business world. Lack of preparedness could be costly, with one report putting the potential U.S. economic cost of a quantum attack at more than $3 trillion. Even before that potential calamity, the current average cost of a data breach is upwards of $10 million, and that number will only increase commensurate to the scale of a quantum-induced breach.

That is why the quantum threat should not be treated as a concern only for forward-thinking executives. It must become a board-level issue for every enterprise. Organizations should launch a comprehensive PQC initiative that builds enterprise-wide awareness and updates digital systems and data assets to be resilient against quantum attacks.

Waiting until Q-Day would be mistake because people will not know when it occurs. It probably will not arrive with press releases or product announcements. Instead, in may unfold quietly as attackers try to maximize what they can steal before anyone notices. The reality is that sensitive data is already at risk of being stolen and stored away so it can be decoded – an attack referred to as “harvest now, decrypt later”- when Q-Day is a reality. Security pros need to give this immediate attention, even if the ultimate threat appears to be a few years away.

Quantum-proofing data at scale

Security teams are usually focused on immediate threats, but they still have a window of opportunity to prepare for Q-Day, as long as they start now. 

One interim measure underway is the transition to more robust versions of the digital certificates and keys that are already pervasive in business and everyday life. Such certificates, which act as identity credentials, are used to authenticate billions of users, devices, documents and other forms of communications and endpoints. The certificates contain cryptographic keys. Security teams are phasing in “47-day keys,” which are designed to expire and be replaced within 47 days—much more frequently than the current generation. It’s a step in the right direction, but not enough.

Establishing a hardened PQC defense requires much more than a standard software patch or upgrade to the public key infrastructure (PKI) used most everywhere to manage digital certificates and encrypt data. An enterprise-wide PQC strategy must be adopted and implemented at scale.

Consider the rapid rise of agentic AI, where organizations may need to assign digital identities to thousands or even millions of AI agents. That will require a level of authentication that goes well beyond existing infrastructure.

These projects will be led by the CISO but planning and execution should include other business leaders because post-quantum security must reach every part of the organization’s digital environment. Boards also need to be involved, given the governance stakes and the significant capital investment required. 

Developing a multi-year, multi-pronged strategy

Organizations in regulated industries—banking, healthcare and government, for example—are generally a step ahead in bracing for the post-quantum threat. Regardless of industry, though, few are fully prepared because readiness requires a detailed picture of an organization’s end-to-end data and security landscape.

In my experience, that holistic view is a rarity. For CISOs and their line-of-business colleagues, a good starting point is creating a comprehensive inventory of systems and data across the enterprise, then prioritizing what needs to be safeguarded.

Another important step is to begin testing and adopting the latest quantum-resistant algorithms and protocols that have been standardized by NIST. A growing range of PKI products and platforms support those specifications. That’s essential because the only way enterprises will be able to orchestrate, monitor and manage the scope of deployment is through automation.

Such updates are vital, but this isn’t a matter of simply replacing pre-quantum specs with newer ones. Because PQC will be a multi-year undertaking, organizations must bridge the gap between old and new. The best strategy for some will be a hybrid approach that combines classical cryptography and next-gen algorithms, though standardization remains a work in progress. Other organizations are driving toward a “pure” or unblended post-quantum model.

As for those harvest attacks, the best defense is straightforward: Encrypt your most sensitive long-lived data with quantum-resistant algorithms ASAP.

PQC is a shared responsibility

Unfortunately, there is no finish line in the race to quantum-era security. And even if an organization locks down its systems against emerging threats, there’s no guarantee that customers and business partners will do the same.

 Many vulnerabilities will still remain, which is why the business case for PQC includes protecting customer data and safeguarding reputation and brand trust as digital threats evolve quickly. Even today, a major breach can cost millions and inflict lasting damage to a corporate brand.

Quantum computing promises to bring many new capabilities to business and society—from transforming supply chain optimization and risk analysis, to enabling breakthrough discoveries in medicine and climate science. But the potential risks are just as substantial. After years of watching and waiting for quantum, business leaders have little choice but to take action.

Chris Hickman is the chief security officer of Keyfactor, a leading provider of quantum-safe security solutions. 

The post It’s time to get serious about post-quantum security. Here’s where to start. appeared first on CyberScoop.

President Donald Trump released his administration’s cyber strategy Friday, promoting offense operations in cyberspace, securing federal networks and critical infrastructure, streamlining regulations, leveraging emerging technologies and strengthening the cybersecurity workforce.

Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.

A little more than half of the five pages of strategy text of the long-anticipated document is preamble, and two of its seven pages are title and ending pages. Administration officials have said the strategy is deliberately high-level, and the White House promised more detailed guidance in the future.

The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.

Each of the six “pillars” of the strategy offer some prescriptions.

“Shaping adversary behavior” calls for using U.S. government offensive and defensive capabilities in cyberspace, as well as incentivizing the private sector to disrupt adversary networks.

It also says Trump will “counter the spread of the surveillance state and authoritarian technologies that monitor and repress citizens,” even as administration critics argue that his administration has fostered surveillance and repression against U.S. citizens.

The shortest pillar, “promote common sense regulation,” decries rules that are only “costly checklists.” The Biden administration expanded cyber regulations, spurring some industry resistance. But the Trump pillar does talk about addressing liability, a point of emphasis for the prior administration as well.

“Modernize and secure federal networks” talks about using concepts and technologies like post-quantum cryptography, artificial intelligence, zero-trust and lowering barriers for vendors to sell tech to the government to meet those goals.

To “secure critical infrastructure,” the strategy calls for fortifying not just owners and operators but also the supply chain, in part by focusing on U.S.-made rather than adversary-made products.

“We will deny our adversaries initial access, and in the event of an incident, we must be able to recover quickly,” the strategy reads. “We will galvanize the role of state, local, Tribal, and territorial authorities as a complement to— not a substitute for — our national cybersecurity efforts.” Some critics of the administration’s cybersecurity actions have contended that it has shifted the burden to state and local governments too much.

AI usage makes up the bulk of the pillar entitled “sustain superiority in critical and emerging technologies,” in addition to reflecting earlier parts of the strategy on the topics of quantum cryptography and privacy protection. That includes the protection of data centers, the subject of localized fights across the country over their location and resource costs.

The final pillar says the United States must “build talent and capability,” after a year of the administration cutting a significant number of cyber positions in the federal government. “We will eliminate roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce,” it states.

Some positive reviews rolled in about the strategy despite the late-Friday afternoon release, traditionally the time of week when an administration looks to publish news it hopes will garner little attention.

“As new and more sophisticated threats emerge, America needed a new national cyber strategy that captures the urgency of this moment,” USTelecom President and CEO Jonathan Spalter said in a news release. “The President’s strategy rightly recognizes that harnessing America’s unique mix of private-sector innovation with public-sector capacity is the best deterrence.”

Frank Cilluffo, Director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, was struck by the focus on deterrence: “This unified strategy determining a direction on offensive and defensive cyber operations and collaboration couldn’t be more timely.”

The Business Software Alliance cheered the call for streamlining cyber regulations, in particular.

A number of cyber vendors took note of the passages on AI. “Redirecting resources from paperwork to AI-powered security capabilities is the only way to keep pace with modern threats and adversaries who operate at great speed,” said Bill Wright, global head of government affairs at Elastic. “This strategy appears to recognize that fundamental truth.”

Not all the reviews were flattering, however, including from the top Democrat on the House Homeland Security Committee, Bennie Thompson, who said the strategy’s “underachieving” was the only thing impressive about it.

“What little ‘substance’ does exist in this pamphlet is a mishmash of vague platitudes, a long catalogue of ‘we will’ statements that may or may not match the Administration’s current behavior, and, mercifully, an apparent extension of some Biden-era policies,” he said. “Completely lacking is even the most basic blueprint for how the Administration will go about achieving any of its cybersecurity goals — an objective possibly hamstrung by the hemorrhage in cyber talent across all Federal agencies since Trump took office.”

The executive order Trump signed Friday coincides with the release of the strategy but there’s little overlap between the subject matter; the strategy makes one mention of cybercrime.

The order directs the attorney general to prioritize prosecution of cybercrime and fraud, orders agencies to review tools that they could use to counter international criminal organizations and  gives the Department of Homeland Security marching orders to improve training, in addition to other steps, according to a fact sheet.

“President Trump is unleashing every available tool to stop foreign-backed criminal networks that exploit vulnerable Americans through cyber-enabled fraud and extortion,” the fact sheet states.

The post The long-awaited Trump cyber strategy has arrived appeared first on CyberScoop.

A cybersecurity official at the State Department called for the public and private sector to more tightly coordinate plans to transition their systems, devices and data to quantum-resistant encryption algorithms.

Gharun Lacy, Deputy Assistant Secretary for the Cyber and Technology Security Directorate at the Department of State, issued a challenge for cybersecurity defenders to view their own individual “post-quantum” encryption plans as a small part in a greater collective project to make the entire digital ecosystem more resilient against longer-term threats like quantum-enabled cyberattacks.

With adversaries like China able to target “entire ecosystems” for digital compromise, Lacy argued for the industries and sectors being plundered to come together in shared interest and create strong and consistent protections across society. In that context, modernization is about more than upgrading your technology or encryption.

“We have to defend holistically as an ecosystem,” said Lacy while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday. “The organization that goes by themselves in modernization will not succeed.”

The State Department is exploring the potential for predictive attack chain analysis, using historical telemetry and planning to predict “where we’re going to be in the future.” Other countries are doing the same, he said, underscoring how challenges like data harvesting must be addressed for national security purposes.

Modernization plans must do more than update technology to perform the same security functions more effectively. They should also reshape the threat surface while “breaking some of the tendencies that are predictable from our historical data.”

“It’s not just about modernizing hardware, it’s not just about implementing AI faster,” said Lacy. “It’s about injecting that little segment of randomness that means the adversary that’s reading, 10, 20 years of our history cannot use that to deduce” our plans.

U.S. federal agencies and the private sector are working broadly towards the goal of having most or all high-risk systems, data and devices transitioned to newer post-quantum algorithms by 2035. This reflects the long-term nature of the threat, as no one can say for certain when a quantum computer capable of breaking some classical forms of encryption will arrive.

But the Trump administration and private sector cybersecurity officials have been mulling whether the risks around data harvesting and recent advances in quantum computing may merit faster timelines.

Lacy said the risk organizations face around data harvesting – or foreign nations collecting encrypted data today to break later with a quantum computer — will be “like an accordion,” presenting a threat that stretches across time. Individual organizations will need to do more than work with each other to execute their post quantum cryptographic plans. They will have to do it across generations, meaning “we cannot shift priority just because our leadership changes.”

“When you look at long horizon priorities of a nation state actor like China, that means that your data and the risk it poses to you will now outlive leadership cycles,” said Lacy.

The post State Dept. official says post-quantum transition plans will outlive current leadership appeared first on CyberScoop.

The Cybersecurity and Infrastructure Security Agency is hoping to guide federal agencies through the murky process of updating their technology stack with quantum-resistant encryption.

On Jan. 23, the agency released a list of different IT software and hardware products that are commonly purchased by the federal government and use cryptographic algorithms for encryption or authentication.

The guidance covers cloud services like Platform-as-a-Service and Infrastructure-as-a-Service, collaboration software, web software like browsers and servers, and endpoint security tools that provide full disk and at-rest data encryption.

CISA pointed to these products as examples where hardware and software post-quantum cryptography standards are “widely available” and designed “to protect sensitive information…including after the advent of a cryptographically relevant quantum computer (CRQC).”

Federal agencies and the private sector are preparing for the long-term threat posed by quantum computers, which many cryptographers believe will one day be able to break through some forms of classical encryption.

The federal government is currently operating under an executive order mandating that agencies shift most of their high value systems and devices to post-quantum encryption by 2035. Last year, the Trump administration held discussions with allies and quantum industry executives about a potential executive order that would further move up that timeline.

National security officials have cited concerns that foreign nations could be harvesting encrypted data now in the hopes of accessing them once a quantum codebreaking computer is developed. Industry executives have also pointed to lingering concerns around China’s burgeoning quantum industry as another factor making U.S. businesses and policymakers in Washington nervous.

However, the transition to quantum-resistant encryption protocols is expected to be a massive societal task, one that will require parallel collaboration and buy-in from not only from hardware and software vendors but also the constellation of standards bodies, protocols and backend processes that help transport data across the internet.

That reality can lead to an uneven procurement field for buyers, who are being pressed to purchase and implement post quantum encryption solutions today.

Alongside the more mature industries, CISA also listed a variety of other technologies – including networking hardware and software, Software-as-a-Service, security tools like password managers and intrusion detection systems –  as product categories where implementation and testing of PQC capabilities is “encouraged” by manufacturers.

Even the list of seemingly “PQC safe” technologies offered by CISA comes with a caveat: most have post-quantum standards in place for key encapsulation and key agreement, but not for digital signatures or authentication. 

Adopting newer post-quantum cryptography will also require redesigning much of the core backend infrastructure that encrypts our data across the internet. Major internet cryptographic protocols like Secure Shell Protocol (SSH) and Transport Layer Security have done some foundational work in this area.

But Surabhi Dahal of Encryption Consulting noted in September that “most protocols are still in the early stages, with proposals being drafted, prototypes being and testing underway to determine how quantum-safe methods can be integrated into existing systems.”

A 2024 study from the Department of Energy’s Pacific Northwest National Laboratory  looked at technical challenges associated with post-quantum migration in just one industrial sector: electric vehicle charging infrastructure. The study found companies faced numerous internal and external obstacles, including “interoperability concerns, the computational and memory demands of PQC algorithms, and the organizational readiness for such a transition.”

Roberta Faux, head of cryptography and field chief technology officer at Arqit, a firm that provides post-quantum encryption services, told CyberScoop that CISA’s guide “omits much” detail needed to credibly guide organizations as they navigate their post-quantum security options.

For instance, she said the document provides little to no insight on how to set up cryptographic inventories or timelines, what performance data should be used to measure tradeoffs, how CISA measures or defines what it means by “PQC-capable” or guidance on how to set up hybrid models.

The document “ends up feeling optimized for procurement compliance rather than security outcomes,” she said.

Peter Bentley, chief operating officer for Patero, another post-quantum encryption company, expressed similar sentiments, noting that “the hardest part isn’t selecting a post-quantum algorithm—it’s knowing where cryptography actually lives” because most organizations don’t have detailed inventories. 

“Without that visibility, and arguably developing a Cryptographic Discovery and Inventory best practice, ‘PQC-enabled’ becomes a marketing label instead of a verifiable capability, especially in hybrid or mixed-vendor environments,” Bentley said. 

Faux said CISA’s guidance also “concedes a weakness in today’s post-quantum transition,” namely that most vendor offerings labeled as “PQC-capable” really only address parts of the cryptographic process, leaving some functions like digital signatures and key establishment, with the same classical forms of encryption policymakers are trying to replace.

Cryptographic transitions, she said, are measured in decades, largely due to the time it takes to work out interoperability, performance and operational tradeoffs, with the result being “an extended period of half-measures.”

One footnote in the agency guidance acknowledges that two of the post-quantum algorithms approved by the National Institute for Standards and Technology, ML-DSA or SLH-DSA, currently lack production-ready support for implementation. Faux noted that “this is not a minor caveat.”

 “Key agreement without quantum-safe authentication provides limited protection,” she said. “An attacker can still forge certificates, impersonate endpoints, or conduct man-in-the-middle attacks, even if the session keys are quantum-resistant. In this context, ‘partial resistance’ is functionally equivalent to no resistance.”

The post CISA publishes a post-quantum shopping list for agencies. Security professionals aren’t sold appeared first on CyberScoop.

The National Institute for Standards and Technology is starting 2026 with a smaller staff, a shrinking budget and some big responsibilities around supporting national security and cybersecurity.

At a meeting Wednesday of the Information Security Privacy Advisory Board, NIST officials provided updates on how they’re grappling with several Trump administration priorities, including mandates on AI, cybersecurity and post-quantum encryption.

Kevin Stine, Director of the Information Technology Laboratory (ITL) at NIST, said the agency has shed more than 700 positions since Trump assumed office last year  through personnel initiatives like resignations, and voluntary deferments. His office, which focuses on IT measurements, testing, and standards, has a headcount of 289 and lost about 89 employees over the last year.

More constraints are on the way, as the latest “minibus” spending package from Congress would cut $13 million from NIST’s labs program, something Stine called “relatively good numbers” compared to other budget proposals he’d seen.

While Stine did not stump for more money or staff, he said the constraints have caused the office to reshuffle remaining resources on a narrower set of priorities.

“It’s forcing a very focused discussion on prioritization of our activities,” said Stine. “Certainly critical emerging technologies and anything aligned with the new NIST strategy, as well as administration priorities, are going to be top of the list and we will adequately resource those.”

NIST’s technical work testing and validating encryption for the federal government is also dealing with impacts from the staffing reductions.

Part of ITL’s mission involves jointly working with the Canadian Centre for Cybersecurity to validate the cryptography of commercial IT hardware and software purchased by their governments.

David Hawes, program manager for the program at NIST’s computer security division,  called this process “associatingly complex” because of how many different implementations and technologies testers must account for when validating encryption, but said in essence it was about establishing a baseline level of trust between vendors and the federal agencies buying their products.

“The way that we think of what our office does is: we’ve got a standard, we’ve got testing, we validate it,” said Hawes. “Can…federal government purchasers and users of these products, can they trust the cryptography? That’s what this is all about. Does it meet the standard? Can it be trusted with the information that’s there?”

Until recently, “a lot of the trust” in NIST’s validation process came from back-end human-led reviews after labs tested products. This approach “heavily required manpower” to sift through hundreds of pages of technical documents, certifications, non machine-searchable PDF files and other unstructured data. Hawes said in years past, this work was typically assigned to junior NIST staffers.

A review of the past 30 cryptographic validations performed by NIST found that it took an average of 348 days to complete each project. However, Hawes said the agency has reduced its backlog from nearly two years in 2020 to about six months today.

The ultimate goal is to reduce the validation process to “days.” Some of that work can be picked up through automation and other streamlined workflows, but Hawes suggested that could be difficult under current staffing numbers.

“I would say [our progress to date] was in spite of the loss,” he said. “We’d be a lot better off in terms of the queue lane now had we not lost the people recently that we did.”

The federal government is shifting its IT from older, classical encryption to newer “quantum-resistant” algorithms meant to protect federal systems and devices from cyberattacks enabled by a quantum computer in the future. As agencies work to identify and replace encryption protecting their most sensitive assets, they also face a deadline: older encryption applications, like RSA, are set to be formally deprecated by 2030.

Hawes said NIST is preparing to support that effort and tested its first post-quantum cryptographic module in recent weeks. However, solving the backlog, he suggested, was the fastest way to provide that help.

“I would say collectively our approach is…getting post-quantum modules validated sooner,” said Hawes. “So get the queue down, get them in, get them through.”

The post NIST officials detail impact of staff cuts on encryption and other priorities appeared first on CyberScoop.

The Trump administration is aiming to release its six-part national cybersecurity strategy in January, according to multiple sources familiar with the document. The document, which is a mere five pages long, will possibly be followed by an executive order to implement the new strategy.

The administration has been soliciting feedback in recent days, which one source considered more of a “messaging” document than anything, with more important work to follow.

According to sources familiar with the strategy, the six “pillars” focus on cyber offense and deterrence; aligning regulations to make them more uniform; bolstering the cyber workforce; federal procurement; critical infrastructure protection; and emerging technologies.

An opening section of the draft offers a Trumpian call for a more muscular approach to cyberspace. Despite its short length — the Biden administration’s cybersecurity strategy was 35 pages long — it touches on a significant number of topics.

Those subjects include cybercrime, China, artificial intelligence, post-quantum cryptography and more.

National Cyber Director Sean Cairncross recently offered a preview of some of those themes and plans.

“As a top line matter, it’s going to be focused on shaping adversary behavior, introducing costs and consequences into this mix,” Cairncross said last month at the 2025 Aspen Cyber Summit. “It is becoming more aggressive every passing day, and as new technology is developed … and AI is folded into this next, it will become more aggressive.”

A source told CyberScoop the administration appeared genuinely interested in soliciting feedback on the strategy to incorporate or change.

The release date of the strategy is fluid. While the administration is targeting January, its publication might follow the broader national security strategy. Politico recently reported that the national security strategy had been delayed, but was still likely to be released this month.
Cairncross also recently talked about the broader approach of the strategy and what comes next.

“It will be setting the posture of the United States in this domain and things that we are driving toward, and we will have follow-on action items that will be in support of that strategy,” he said at the 2025 Meridian Summit.

The post Five-page draft Trump administration cyber strategy targeted for January release appeared first on CyberScoop.

Lawrence Hoffman // So Microsoft is open sourcing PowerShell and putting it on Linux. Realistically Linux already has a full suite of administrative tools and some very powerful scripting languages […]

The post Lawrence’s List 081916 appeared first on Black Hills Information Security, Inc..