When Google announced last month it was moving up its own internal timeline for migrating to quantum-resistant forms of encryption, it started a broader conversation in the cybersecurity and cryptography communities: Just what was pushing one of the largest tech companies in the world to significantly accelerate its adoption of post-quantum protections for its systems, devices and data?

In the weeks since, new research has lended weight to those claims. A joint research paper from the California Institute of Technology, its tech startup Oratomic and the University of California concluded that technological advancements in neutral atom arrays indicate a quantum computer capable of breaking classical encryption may require as few as 10,000 quantum bits (or qubits), not millions as previously thought.

Qian Xu, a CalTech researcher and coauthor of the paper, said the findings are significant and indicates that such a computer could potentially be operational by the end of the decade.

“For decades, qubit count has been viewed as the main obstacle to fault-tolerant quantum computing,” Xu said in a statement. “I hope our work helps shift that perspective.”

Google’s Quantum AI division released its own research paper around the same time, outlining a twenty-fold decrease in the number of physical qubits believed to be needed to break some of the most popular forms of 256-bit elliptic curve encryption algorithms used to currently protect cryptocurrencies.

“We note that while viable solutions like [post-quantum cryptography] exist, they will take time to implement, bringing increasing urgency to act,” wrote Ryan Babbush, director of research and Hartmut Neven, vice president of engineering at Google.

Google’s decision to accelerate its shift to post-quantum encryption reflects a growing consensus.  Over the past year, CyberScoop has heard similar concerns from tech and government officials, typically centered on two quantum-related threats facing governments and businesses today.

One is the capability of foreign nations and cybercriminals to collect sensitive, encrypted data today in the hopes of breaking it later with a quantum computer. This “harvest now, decrypt later” technique is one of the main reasons proponents push for faster adoption of post-quantum encryption.

The second stems from a string of notable quantum computing breakthroughs over the past two years, many led by researchers in China.

Andrew McLaughlin, chief operating officer for SandboxAQ, a Software-as-a-Service company that focuses AI and quantum computing technologies, said concerns can be summed up as “hardware, math and China.

Advancements in areas like neutral atom arrays have given scientists more powerful hardware, while breakthroughs in mathematics like that in the Google research paper have found ways to use that hardware more efficiently. 

But he also pointed to what he described as exciting (and worrying) advancements in the field from some of America’s greatest international rivals.

Beijing has invested heavily in quantum computing, empowering top scientists like Pan Jianwei, a professor at China’s University of Science and Technology, with the resources and support to push the boundaries of technological development and position China as a world leader in quantum science.

Late last year, Chinese state media reported that Huanyuan 1, a 100-qubit quantum computer developed by researchers at Wuhan University on a Chinese government grant program, had been approved for commercial use. The reports claim that orders worth more than 40 million yuan (or $5.6 million dollars) have already been processed in sales, including to subsidiaries at domestic telecom China Mobile and the government of Pakistan.

Experts say quantum computers pose a potentially exceptional threat to blockchain-based cryptocurrencies.

Nathaniel Szerezla, chief growth officer at Naoris Protocol, a company that develops quantum-resistant encryption for blockchain infrastructure, said the paper from Oratomic and Caltech has “shifted the timeline” for planning around quantum encryption, particularly for cryptocurrency and blockchain platforms.

The underlying assumption was a “fault tolerant” quantum computer (i.e. one capable of threatening classical encryption) would require millions of qubits, but the paper suggests that it may actually only need as few as 10,000 qubits.

“Ultimately, we have gone from planning for a threat two decades out to one that overlaps with systems actively being deployed and funded,” Szerezla said.

For digital assets like cryptocurrency, the implications are “immediate” because the private key encryption underpinning billions of dollars on the blockchain were never designed to withstand attacks from a quantum computer.

“Migrating a live blockchain to post-quantum standards is a different problem entirely from upgrading a centralized system,” Szerezla continued. “You are dealing with immutable ledgers, billions in locked liquidity, and decentralized governance that cannot mandate a coordinated upgrade.”

Not everyone believes that we are on the cusp of a quantum hacking apocalypse.

On BlueSky Matthew Green, a computer science professor and cryptography expert at Johns Hopkins University, called the Google and Oratomic papers a good “precautionary” analysis of the long-term challenge of quantum encryption.

However, he expressed skepticism that quantum computing had enough “lucrative immediate applications” to push the field beyond its foundational research stage to more practical applications. He also questioned whether some of the newer quantum-resistant algorithms vetted by NIST would truly stand up to a real quantum computer. They were designed to protect against a threat that is still largely theoretical, and several of the post-quantum algorithms initially evaluated by NIST have turned out to contain vulnerabilities that could be exploited by classical computers.

That’s if one does indeed arrive in the next decade. Green said this week that he’s not convinced quantum-enabled hacks will be something to worry about in his lifetime, though he acknowledged that prediction might “haunt him” someday.

Nevertheless, “I’d bet huge amounts of money against a relevant quantum computer by 2029 or even 2035,” he wrote.

The post Why is the timeline to quantum-proof everything constantly shrinking? appeared first on CyberScoop.

After decades of development, quantum computing is now becoming increasingly available for advanced scientific and commercial use. The potential marvels range from accelerating drug discovery and materials science, to optimizing complex logistics and financial modeling.

But there’s a paradox to this trend: Quantum computing also poses a growing threat to data security.

The risk is that the algorithms and protocols currently used to secure devices, applications and computer systems could eventually be broken by malicious actors using quantum computing, compromising even the strongest security measures. By some estimates, widely used encryption standards such as RSA and ECC could be cracked by quantum computers as soon as 2029—a doomsday known as “Q-Day,” when current security standards would be rendered ineffective by quantum computing’s number-calculating prowess.

The possibility that quantum computing could break today’s data protection protocols is prompting chief security officers and chief technology officers to ramp up countermeasures. They’re doing it with post-quantum cryptography (PQC), a niche area of cybersecurity that is rising in priority across the business world. Lack of preparedness could be costly, with one report putting the potential U.S. economic cost of a quantum attack at more than $3 trillion. Even before that potential calamity, the current average cost of a data breach is upwards of $10 million, and that number will only increase commensurate to the scale of a quantum-induced breach.

That is why the quantum threat should not be treated as a concern only for forward-thinking executives. It must become a board-level issue for every enterprise. Organizations should launch a comprehensive PQC initiative that builds enterprise-wide awareness and updates digital systems and data assets to be resilient against quantum attacks.

Waiting until Q-Day would be mistake because people will not know when it occurs. It probably will not arrive with press releases or product announcements. Instead, in may unfold quietly as attackers try to maximize what they can steal before anyone notices. The reality is that sensitive data is already at risk of being stolen and stored away so it can be decoded – an attack referred to as “harvest now, decrypt later”- when Q-Day is a reality. Security pros need to give this immediate attention, even if the ultimate threat appears to be a few years away.

Quantum-proofing data at scale

Security teams are usually focused on immediate threats, but they still have a window of opportunity to prepare for Q-Day, as long as they start now. 

One interim measure underway is the transition to more robust versions of the digital certificates and keys that are already pervasive in business and everyday life. Such certificates, which act as identity credentials, are used to authenticate billions of users, devices, documents and other forms of communications and endpoints. The certificates contain cryptographic keys. Security teams are phasing in “47-day keys,” which are designed to expire and be replaced within 47 days—much more frequently than the current generation. It’s a step in the right direction, but not enough.

Establishing a hardened PQC defense requires much more than a standard software patch or upgrade to the public key infrastructure (PKI) used most everywhere to manage digital certificates and encrypt data. An enterprise-wide PQC strategy must be adopted and implemented at scale.

Consider the rapid rise of agentic AI, where organizations may need to assign digital identities to thousands or even millions of AI agents. That will require a level of authentication that goes well beyond existing infrastructure.

These projects will be led by the CISO but planning and execution should include other business leaders because post-quantum security must reach every part of the organization’s digital environment. Boards also need to be involved, given the governance stakes and the significant capital investment required. 

Developing a multi-year, multi-pronged strategy

Organizations in regulated industries—banking, healthcare and government, for example—are generally a step ahead in bracing for the post-quantum threat. Regardless of industry, though, few are fully prepared because readiness requires a detailed picture of an organization’s end-to-end data and security landscape.

In my experience, that holistic view is a rarity. For CISOs and their line-of-business colleagues, a good starting point is creating a comprehensive inventory of systems and data across the enterprise, then prioritizing what needs to be safeguarded.

Another important step is to begin testing and adopting the latest quantum-resistant algorithms and protocols that have been standardized by NIST. A growing range of PKI products and platforms support those specifications. That’s essential because the only way enterprises will be able to orchestrate, monitor and manage the scope of deployment is through automation.

Such updates are vital, but this isn’t a matter of simply replacing pre-quantum specs with newer ones. Because PQC will be a multi-year undertaking, organizations must bridge the gap between old and new. The best strategy for some will be a hybrid approach that combines classical cryptography and next-gen algorithms, though standardization remains a work in progress. Other organizations are driving toward a “pure” or unblended post-quantum model.

As for those harvest attacks, the best defense is straightforward: Encrypt your most sensitive long-lived data with quantum-resistant algorithms ASAP.

PQC is a shared responsibility

Unfortunately, there is no finish line in the race to quantum-era security. And even if an organization locks down its systems against emerging threats, there’s no guarantee that customers and business partners will do the same.

 Many vulnerabilities will still remain, which is why the business case for PQC includes protecting customer data and safeguarding reputation and brand trust as digital threats evolve quickly. Even today, a major breach can cost millions and inflict lasting damage to a corporate brand.

Quantum computing promises to bring many new capabilities to business and society—from transforming supply chain optimization and risk analysis, to enabling breakthrough discoveries in medicine and climate science. But the potential risks are just as substantial. After years of watching and waiting for quantum, business leaders have little choice but to take action.

Chris Hickman is the chief security officer of Keyfactor, a leading provider of quantum-safe security solutions. 

The post It’s time to get serious about post-quantum security. Here’s where to start. appeared first on CyberScoop.

A cybersecurity official at the State Department called for the public and private sector to more tightly coordinate plans to transition their systems, devices and data to quantum-resistant encryption algorithms.

Gharun Lacy, Deputy Assistant Secretary for the Cyber and Technology Security Directorate at the Department of State, issued a challenge for cybersecurity defenders to view their own individual “post-quantum” encryption plans as a small part in a greater collective project to make the entire digital ecosystem more resilient against longer-term threats like quantum-enabled cyberattacks.

With adversaries like China able to target “entire ecosystems” for digital compromise, Lacy argued for the industries and sectors being plundered to come together in shared interest and create strong and consistent protections across society. In that context, modernization is about more than upgrading your technology or encryption.

“We have to defend holistically as an ecosystem,” said Lacy while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday. “The organization that goes by themselves in modernization will not succeed.”

The State Department is exploring the potential for predictive attack chain analysis, using historical telemetry and planning to predict “where we’re going to be in the future.” Other countries are doing the same, he said, underscoring how challenges like data harvesting must be addressed for national security purposes.

Modernization plans must do more than update technology to perform the same security functions more effectively. They should also reshape the threat surface while “breaking some of the tendencies that are predictable from our historical data.”

“It’s not just about modernizing hardware, it’s not just about implementing AI faster,” said Lacy. “It’s about injecting that little segment of randomness that means the adversary that’s reading, 10, 20 years of our history cannot use that to deduce” our plans.

U.S. federal agencies and the private sector are working broadly towards the goal of having most or all high-risk systems, data and devices transitioned to newer post-quantum algorithms by 2035. This reflects the long-term nature of the threat, as no one can say for certain when a quantum computer capable of breaking some classical forms of encryption will arrive.

But the Trump administration and private sector cybersecurity officials have been mulling whether the risks around data harvesting and recent advances in quantum computing may merit faster timelines.

Lacy said the risk organizations face around data harvesting – or foreign nations collecting encrypted data today to break later with a quantum computer — will be “like an accordion,” presenting a threat that stretches across time. Individual organizations will need to do more than work with each other to execute their post quantum cryptographic plans. They will have to do it across generations, meaning “we cannot shift priority just because our leadership changes.”

“When you look at long horizon priorities of a nation state actor like China, that means that your data and the risk it poses to you will now outlive leadership cycles,” said Lacy.

The post State Dept. official says post-quantum transition plans will outlive current leadership appeared first on CyberScoop.