• Don’t panic! Google tells governments and businesses to keep calm and prepare carefully for the realities of a post-quantum world
• New ‘policy briefing’ governments and industry alike must accept that quantum-resistant encryption will be a critical infrastructure
• It is time to deploy it now, especially in AI and cloud networks, ‘before it is too late’ 
• New standards and cross-industry co-operation vital to mitigating hacking attacks

It has been known for years now that hackers have been breaking into corporate and governmental systems as well as the networks of critical infrastructure operators, stealing encrypted data and, in a process known as ‘harvest now, decrypt later’, archiving it to be decrypted as soon as robust and reliable quantum computers are available to crack even the most sophisticated of today’s encryption techniques.

In this regard, post-quantum cryptography (PQC) refers to new, software-based cryptographic algorithms designed to ensure the security of sensitive data against the quantum computers of the near future. PQC uses very complex mathematical structures, such as lattice-based cryptography, to protect data. Current public-key cryptography solutions are just about good enough for today’s computers and networks but will be too weak to resist quantum-based incursions. 

However, help is at hand. The US National Institute of Standards and Technology (NIST) finalised its first standards in 2024 with the aim of enabling their widespread uptake to combat the proliferating threats of such attacks. 

Meanwhile, it seems, Google has, for years, been working on the problem. Thus, it has been revealed that the company has been building its defences against bad actor attacks since way back in 2016 and now, a decade on, is close to completing its migration to PQC in accordance with NIST guidelines. Google is now making a generalised call for organisations to overhaul their quantum security and accelerate the transition to post-quantum cryptography as the global tide of threats continues to rise and swirl.

In a ‘policy briefing’ blog, Kent Walker, the president of global affairs at Google and Alphabet (Google’s parent company), and Hartmut Neven, the founder and lead of Google Quantum AI, warn that governments and commercial organisations alike must now accept that quantum-resistant encryption will be an absolutely critical infrastructure that must be deployed now – especially in AI and cloud networks – before it is too late.

Google’s timeline illustrates that the company was prescient enough to recognise the quantum threat very early in the technology’s development and has been taking it very seriously for a full 10 years whilst other organisations have, until very recently, tended to regard the threat as either insignificant, too far into the future, or both. 

Google is also evangelising the notion that although NIST and other standards are undeniably important, companies and governments must be “crypto agile” and equip themselves with the ability to update or replace cryptographic algorithms without disrupting their services. Google says such a capability “will prove essential as quantum threats evolve.”

The briefing blog also reinforces Google’s continuing commitment to the post-quantum world by continuing research and the updating of post-quantum timelines and sharing the company’s findings “where security considerations allow”. The company regards these and other considerations as “investments in the long-term integrity of the digital economy” but also recognises that to be successful, post-quantum computing is far too strategically important to be left entirely to private initiatives and stresses that security in the age of quantum will require “co-ordinated public- and private-sector engagement.”

The five pillars of post-quantum wisdom

Adding flesh to the bare bones of their ideas, the authors of the policy briefing blog list five vital recommendations that should be acknowledged and implemented.

The first is to “drive society-wide momentum, particularly across critical infrastructure” and that preparation for the post-quantum future preparation go far beyond government networks to include sectors such as energy, telecom and healthcare. These are industry sectors where legacy systems and an inexperienced workforce under-qualified to meet the problems of the quantum age could result in the slow and partial adoption of new technology to keep data safe. That would be very dangerous. The policy also stresses that the strengthening of “trust infrastructure”, including digital certificates, must also be a priority.

Secondly, governments are urged to ensure that AI systems are, from the very outset, designed and deployed with post-quantum cryptography as the driving force behind them. 

Thirdly, Walker and Neven warn against global fragmentation, stressing that NIST standards provide a widely researched and agreed benchmark and their widespread adoption would reduce the real risk of partial or incompatible solutions weakening security overall. 

The fourth recommendation is that “cloud-first modernisation” is the best and most practical way forward. Changing cryptographic systems is a massive and complex task fraught with potential dangers and PQC makes the move away from hard-coded, legacy systems all the more important. Meanwhile, cloud platforms permit governments to exploit, and benefit from, ongoing security upgrades without necessarily having to pay the full cost of “retrofitting aging infrastructure.”

The fifth and final Google recommendation calls on policymakers continuously “to engage with technical experts” to avoid any “strategic surprises”, adding that it is foolish to think that it will be another five to ten years before quantum computers will be capable of decrypting public key cryptography. Indeed, when things change they may well do so unexpectedly and quickly and governments and other organisations would do well to be in ongoing dialogue with research groups and quantum specialists well before that happens. 

As the policy briefing makes clear, the transition to post-quantum cryptography will be one of the biggest and most complex coordinated infrastructure upgrades in the history of computing and will involve “everything from certificate authorities to IoT devices” and to be successful, action will need to be synchronised across governments, infrastructure operators, and the greater technology ecosystem.  As Google puts it, ”The question isn't whether quantum computers will break today's encryption – it's whether we'll finish rebuilding our security foundation before they arrive.” 

The policy briefing points out that the promise, potential and considerable risks are inseparably intertwined. The authors conclude the document with this: “Here’s the bottom line: We believe quantum computing can help shape a brighter tomorrow – but we need an all-hands-on-deck approach to make sure the quantum era is defined by breakthroughs, not breakdowns. Working together we can prepare today and promote greater security tomorrow.”

They also stress that despite the likely imminence of quantum computing, reaction to it by governments and industry should be based on proper preparation for changing times rather than “the sky is falling “ panic.