The White House has signed an executive order requiring federal agencies to replace encryption systems that could be broken by quantum computers, and the deadline is far sooner than what most organizations had been planning for, according to Ars Technica.
The order, titled Securing the Nation against Advanced Cryptographic Attacks, sets a deadline of December 31, 2030 for high-value and high-impact systems to adopt post-quantum cryptographic key establishment schemes. Digital signature systems must follow by December 31, 2031.
For many organizations, that represents a shift of roughly four to five years. Under a timeline the National Security Agency published in 2022, defense and intelligence systems were expected to be quantum-ready between 2030 and 2033. Most other organizations had until 2035. The new order moves a large portion of those systems to the 2030 to 2031 window.
The change comes after recent research suggested that the cost and resources needed to build a cryptographically relevant quantum computer are lower than previously estimated. Google and Cloudflare both tightened their own transition timelines to 2029 after that research was published.
The executive order stated: "The advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems." It also warned of a strategy known as harvest now, decrypt later, in which adversaries collect encrypted data today and hold it until quantum computers are powerful enough to break it. "Ongoing cyber activity against our Nation also presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational," the order stated.
Brian LaMacchia, a cryptography engineer who oversaw Microsoft's post-quantum transition from 2015 to 2022 and now works at Farcaster Consulting Group, told Ars Technica that the impact is concrete. "So, for any system that falls into this new bucket of high-value assets and high-impact systems, their transition timelines just got shortened by 4-5 years (from 2035 to 2030/2031)," he said. "That is a significant shortening of the transition timeline for these systems, and it follows similar timeline revisions from Google and Cloudflare that we saw announced back in late March/early April."
The encrypted systems at stake protect data belonging to militaries, banks, governments, and most individuals. The concern is not only about future attacks but about data that has already been collected and stored by adversaries waiting for quantum capabilities to catch up.
The 2030 deadline gives affected organizations roughly four and a half years to complete transitions that cybersecurity experts have long described as complex and time-consuming. Whether agencies and contractors can meet that timeline remains an open question.
