Secure the quantum era: International and Domestic Approaches to Post-Quantum Cryptography

By Noah Hebdon

Executive Summary

Quantum computing poses a real threat to contemporary encryption systems, potentially enabling bad actors to decrypt secure data and communications. In order to adequately address this threat, policymakers should carry out the following:

  • Require the full adoption of post-quantum cryptography (PQC) across critical infrastructure and government institutions

  • Fold quantum resilience into cybersecurity regulations

  • Establish an international framework to coordinate PQC standards

Implementing these measures will prevent the formation of fragmented security systems and preserve interoperability. If quantum computing is underestimated in its potential effect and these policies not adopted, current encryption systems are bound to be compromised, putting national security, financial stability, and digital privacy at considerable risk.

The Issue

Given recent advances in quantum computation technology, it is likely that the mathematical frameworks that form the basis of today’s encryption systems, such as Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC), will be breakable at some point within the next decade: the so-called “Q-Day.” Currently, standard encryption protocols are deeply embedded in the following sectors:

  • Global finance

  • Healthcare

  • Digital governance

  • Defense

A sudden breakdown in the security of encryption protocols would threaten national security, financial stability, and privacy rights. Alarmingly, adversarial states commonly execute “harvest now, decrypt later” strategies, exacerbating the problem and putting even today’s data at risk.

In response to these risks, organizations such as the National Institute of Standards and Technology (NIST) and the International Telecommunication Union (ITU) are well into developing PQC algorithms. Despite their efforts, however, cross-sector and international adoption has been met with uneven commitment. Coordinated efforts for implementation are necessary to ensure that data remains secure domestically and abroad.

Key Stakeholders

1.       Government:

As the world leader in quantum-initiative investment, China has spent an estimated $15 billion in its national quantum strategy. By way of comparison, the U.S. has only invested about $3 billion. In the U.S., National Security Memorandum 10 (NSM-10) also sets a loose goal of 2035 for adoption of quantum-ready security measures across government systems. In the interim, federal systems will rely on decades-old encryption, such as RSA-2048 or ECC-256.

2.       International Institutions:

NIST finalized its first set of PQC standards for public-key encryption in 2024. However, the standardization of these algorithms is quite slow. Interoperability and testing challenges have delayed adoption. While nations want protection, they fear dependence on standards set by others. Although the harder problem of PQC development has largely been solved, the data security threat posed by quantum technologies remains firm due to the slow and reactive nature of bureaucratic structures.

3.       Private Firms:

Google, IBM, and Microsoft lead in quantum hardware and “crypto-agile” infrastructure (e.g., Google’s Willow chip, Microsoft’s SymCrypt). While governments prize secure, standardized encryption, tech firms favor flexibility and speed to market. Critical infrastructure firms depend on reliable encryption but are deterred by expensive migration to PQC systems.

While governments and private firms cooperate on quantum readiness, they compete for control over the implementation of security standards. As quantum capabilities expand faster than the policies that govern them, international coordination remains ever critical.

Analysis

Whoever controls PQC standards will possess the power to determine whose data is trustworthy, whose systems are interoperable, and which states depend on others for security. Currently, two nations representing opposing governance models vie for supremacy and control: the United States and China.

  • China has adopted a state-centered approach, integrating civilian, academic, and military research. Policies related to the “Made in China 2025” initiative have allowed China to lead in quantum infrastructure, with more than 4,600 km of quantum secure fiber-networks.

  • The United States relies heavily on a private innovation model, allowing firms to drive more than 60% of global quantum patents.

The competition intensifies in the face of economic and security incentives. Starting around 2022, the U.S. placed export controls on advanced chips and quantum components, which restricted China’s access to high-end lithography and chipmaking equipment. In retaliation, China limited exports of gallium and germanium, which are both needed for quantum and semiconductor technologies. Truly, control over supply chains functions as a form of structural power, whereby states manipulate access to exert geopolitical leverage.

International organizations such as NIST and the ITU hurry to match the cadence of development. While NIST’s post-quantum algorithms advance standardization in the U.S., China continues developing its own domestic alternatives to minimize its dependence on western standards. The result is a fragmented system with two incompatible ecosystems of encryption.

Unlike previous technologies, quantum cryptography has the potential to reshape the competitive digital landscape. Without cooperation, the world would split between incompatible encryption standards, undermining global commerce, communication, and cybersecurity. Of course, direct cooperation between the U.S. and China is unlikely. However, coordination through neutral standard-setting bodies remains essential to prevent a permanently divided quantum space nonetheless.

Policy Recommendations

1.       Require  Adoption of Quantum-Resilient Encryption Across Government and Other Critical Infrastructure

To decrease data vulnerability, the U.S. Department of Homeland Security and its equivalents abroad should require all critical infrastructure operators, such as financial institutions, defense contractors, health systems, and telecommunication providers, to commit to the following:

  • Transition to PQC standards within five to ten years

  • Integrate PQC algorithms approved by NIST or equivalent bodies into data storage protocols and public key systems

Some firms may lack necessary resources to migrate legacy systems. This could lead to uneven adoption that favors a small number of cryptographic providers. This would, in turn, reduce flexibility and innovation. However, these issues may be remedied through government subsidies and continued research into adaptable “crypto-agile” systems.

2.     Integrate Quantum Resilience into National Cybersecurity Regulations

The U.S. Federal Trade Commission, European Union Agency for Cybersecurity, and other similar agencies should be tasked with the following:

  • Include quantum resilience in national cybersecurity compliance requirements

  • Require government-regulated organizations to routinely assess and report on their readiness for threats related to quantum-cryptography through encryption audits and certification programs

By including quantum resilience in contemporary cybersecurity regulations, governments can maintain institutional continuity and accountability while preserving security. Although these measures will burden organizations with compliance costs, the inclusion of quantum resilience standards allows governments to ensure that quantum readiness is monitored and enforced.

3.       Coordinate Post-Quantum Standards and Protection Interoperability with International Framework

In collaboration with NIST, the European Telecommunications Standards Institute (ETSI), and other organizations, ITU should convene a working group of public, private, and academic experts to guide integration of quantum infrastructure. To prevent fragmented quantum encryption standards, these organizations should

  • Coordinate PQC standards on behalf of their respective governments

  • Align certification protocols

  • Promote mutual recognition of quantum-secure systems

Of course, powerful states will be reluctant to cooperate due to their perceived loss of control over cryptographic standards. To combat this, coordination should focus on technical interoperability and mutual assurance mechanisms rather than full disclosure of sensitive technologies.

Next Steps

Over the next five years, implementation should proceed in the following stages:

Phase 1: Transfer federal systems and critical infrastructure to PQC encryption

Phase 2: Extend mandates to regulated private firms with compliance monitoring

Phase 3: Coordinate with other nations and implement broad adoption of PQC protocols

Progress may be monitored through the percentage of firms and governments that have adopted PQC standards, as well as the extent to which critical infrastructure and government networks have completed migration.

Conclusion

In sum, quantum computing presents new threats to our digital infrastructure and demands coordinated action. Policy makers can protect digital privacy, financial systems, and national security by mandating PQC and embedding quantum resilience into cybersecurity regulations. The success of these measures, however, depends heavily on international coordination. Without it, fragmented systems will prevent interoperability across borders and slow integration. These essential measures ensure that quantum technology is seen as the revolutionary innovation that it is, and not the global vulnerability that it could become. Without them, critical information and infrastructure are exposed to unprecedented risk.

Works Cited

1.     Omaar, Hodan, and Martin Makaryan. “How Innovative Is China in Quantum?” Information Technology and Innovation Foundation. September 9, 2024. https://itif.org/publications/2024/09/09/how-innovative-is-china-in-quantum/

2.     Biden, Joseph R. Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (National Security Memorandum 10), May 4, 2022. The American Presidency Project, University of California, Santa Barbara. https://www.presidency.ucsb.edu/node/355722

3.     National Institute of Standards and Technology (NIST). SP 800-78-5: Cryptographic Algorithms and Key Sizes for Personal Identity Verification. Gaithersburg, MD: NIST, July 2024. https://doi.org/10.6028/NIST.SP.800-78-5

4.     National Institute of Standards and Technology. NIST Releases First 3 Finalized Post-Quantum Encryption Standards, August 13, 2024. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

5.     Neven, Hartmut. “Meet Willow, Our State-of-the-Art Quantum Chip.” Google AI Blog, December 9, 2024. https://blog.google/innovation-and-ai/technology/research/google-willow-quantum-chip/

6.     Microsoft. “Microsoft’s Quantum-Resistant Cryptography Is Here.” Microsoft Security Blog, September 9, 2024. https://techcommunity.microsoft.com/blog/microsofts-quantum-resistant-cryptography-is-here/4238780

7.     Chen, Yu-Ao, Qiang Zhang, Teng-Yun Chen, Wen-Qi Cai, et al. “An Integrated Space-to-Ground Quantum Communication Network Over 4,600 Kilometres.” Nature 589, no. 7841 (January 2021). https://doi.org/10.1038/s41586-020-03093-8

8.     Massachusetts Institute of Technology. Quantum Index Report 2025: Patents. MIT Quantum Index. Accessed September 2, 2025. https://qir.mit.edu/patents/

9. Associated Press. “China Bans Exports to U.S. of Gallium, Germanium, Antimony and Other High-Tech Materials.” AP News, December 3, 2024. https://www.apnews.com/article/china-us-tech-semiconductor-chip-gallium-6b4216551e200fb719caa6a6cc67e2a4

1 Comment