Quantum computing, still in its infancy, could grow up to be a muni data security threat


Quantum computers able to defeat the encryption that has long safeguarded confidential electronic data – including that of U.S. state and local governments – might be viewed as a potential threat that's still many tomorrows away, but it's a risk the municipal sector can't afford to ignore.


"So, right now, as we speak, nation states are collecting data that they don't have the capability to decrypt," said Omid Rahmani, an associate director at Fitch Ratings who leads the U.S. public finance cyber risk team there. "It's a strategy called 'collect now, decrypt later.'" 

Those nation states are "collecting that data with the expectation" that they can decrypt it later with quantum computing, said Rahmani, who isn't alone in noting that strategy. In an 'explainer' on its website, the U.S. Department of Commerce's National Institute of Standards and Technology also referred to the practice, though by a slightly different name.

"Even if an adversary can't crack the encryption that protects our secrets at the moment, it could still be beneficial to capture encrypted data and hold onto it, in the hopes that a quantum computer will break the encryption down the road," according to NIST's explainer. "This idea is sometimes expressed as 'harvest now, decrypt later' — and it's one of the reasons computers need to start encrypting data with post-quantum techniques as soon as possible."

While NIST's explainer didn't name any foreign states, a Feb. 5 blog post on the website of SHI International Corp., a technology solutions provider that serves a variety of organizations including corporate and public sector customers, did mention them in connection with the "harvest now, decrypt later" threat.

"Nation-states are harvesting your encrypted traffic right now," the blog post by SHI staff said. "They can't decrypt it yet — but they're betting quantum computers will let them crack it in a few years."

NIST through its Post-Quantum Cryptography (PQC) program is leading a global effort to create electronic defenses to guard against potential attacks by quantum computers that might in the future be able to break through the encryption methods that for decades have been used to protect confidential electronic information. In 2024, NIST released three PQC standards. In an Aug. 13, 2024 press release, NIST encouraged computer system administrators "to begin transitioning to the new standards as soon as possible."

When will a quantum computer arrive that's powerful enough to threaten current encryption methods?  "No one knows," according to NIST.

"Researchers need to surmount many technical challenges before this can happen," NIST's explainer said. "Experts' estimates range from a few years to a few decades." 

A quantum computer differs from a conventional computer, and is far more powerful.

"It takes advantage of the quantum world's counterintuitive properties — which enable a bit of data to act as both a 0 and 1 at the same time — to make calculations that would be difficult or impossible on a conventional computer," NIST's explainer said. "If they can be built, sufficiently powerful quantum processors would be able to sift through many potential solutions to a problem simultaneously, zeroing in on the correct answer very quickly."

Fitch's Rahmani began by emphasizing that much about quantum computing at this stage "is theoretical and hypothetical."  While quantum computing is "an executable theoretical concept," having been proven in a laboratory setting, timelines for its viability "range wildly" from three to 20 years, he said. 

"Right now it is limited by raw computing power because to be able to even do … quantum experimentation in a laboratory setting you need really, really significant computing power that is just not viable to have on [an] enterprise level at the moment," he said, adding that breakthroughs in computing power and technology would have to occur before any enterprise level implementation of quantum computing could happen. 

Still, "every major power in the world is building data centers right now like it's going out of style," Rahmani said. 

"Countries are rapidly trying to increase their computing power, their information processing power – they're trying to speed that up," he said. "There is sort of a technological arms race going on right now." 

Rahmani also pointed to "significant technological breakthroughs" in the artificial intelligence – or AI – realm in recent years. 

"And it's the same thing when it comes to any kind of emerging tech," he said. "There can be breakthroughs, there can be economies of scales that [get] deployed and it shortens that timeline. The same thing is possible with quantum." 

Given that as of now quantum computing is "very energy and data intensive and requires very special machinery," nation states are expected to be the first widespread adopters, Rahmani said. 

For state and local governments, the potential risk posed by hostile nation states' adoption of quantum computing technology is relevant "because our adversaries don't recognize local, state and federal government the same way we do," he said. 

"For them, American government is American government," Rahmani said. 

When it comes to preparing for the potential risks associated with quantum computers, "one of the areas of opportunity for the municipal sector is having better data policies and data management practices," he said, adding that something he's seen "over and over again" is organizations storing data without having any idea why they're doing it. 

"Most of the time they don't know they're storing specific data that poses regulatory or legal risks to them," Rahmani said. 

Among SHI International's state and local government clients, awareness regarding the potential threat posed by quantum computing "is on the rise," especially at the state and larger metro area levels, said Denise Collison, senior vice president, public sector, at SHI International. Many smaller governments, however, "are still focused on [zero day] threats like ransomware," she said. 

So what can state and local governments do now to protect themselves given that the "harvest now, decrypt later" threat is here already? 

"The best defense is data minimization and advanced hygiene," Collison said. "If you don't need to store sensitive data, don't." 

For data that must be kept, "move toward quantum resiliency-ready solutions now," she said. 

"Zero trust architecture is a must," Collison said. "Even if a nation-state harvests data, strict identity management and micro-segmentation make it harder for them to get the 'keys to the kingdom' in the first place." 

"We are helping our clients perform cryptographic inventories," Collison said.  "You can't protect what you don't know you have." 

SHI identifies "where sensitive data is encrypted with older algorithms that are vulnerable to quantum attacks," she said.  

"We are guiding them toward NIST-approved post-quantum algorithms," Collison said. "We help them build crypto-agility – the ability to update their encryption methods without ripping out their entire IT infrastructure." 

Linn Freedman, a partner at Robinson & Cole LLP who is chair of the firm's data privacy and cybersecurity practice and of the artificial intelligence team, is also keeping an eye on the issue. 

"As a cybersecurity lawyer who helps clients navigate data protection strategies, I am very concerned about this risk, as it poses a significant risk to the compromise of sensitive data in the future," Freedman said. "Although distant, it is a very real risk that will likely materialize in the next five to ten years."

Generally speaking, "governmental and tax-exempt entities are behind in recognizing and preparing for cybersecurity risks," she said. 

"This is not their fault," Freedman said. "It is because they have limited funds to be able to invest in preventative and sophisticated responses to cybersecurity threats."

Still, "I would not limit the lack of awareness to just governmental and tax-exempt entities," she said. 

"Most organizations, including for-profit organizations, are focused on current risks, and even those are hard to manage as they are constantly evolving," Freedman said. "All organizations are responding to increased risks posed by AI tools, sophisticated ransomware and social engineering attacks, and it is hard to manage the day to day risks, while at the same time prepare for risks that will likely come in 5 to 10 years." 

So what kind of legal liability might state and local governments be facing in relation to the quantum encryption-busting threat?

"Presently, it is generally accepted that it is reasonable for organizations to protect data through encryption technology," Freedman said. "I can't predict what the reasonable standard will be in the future, and how standards will evolve to address the risk of decryption through quantum computing." 

Still, "I can say that it would be unfair to impose new standards on organizations that stored data using commercially reasonable standards that were in place at the time," the attorney added. 

While quantum computing will bring risks, it will also bring opportunities, Fitch's Rahmani said, adding that "it does have significant promising deployments as well in things like research." 

"It is a new industrial revolution that we're experiencing both with artificial intelligence and in the future with quantum," he said, adding that he doesn't parse out AI and quantum "as standalone things, because they're not." 

"They're in a holistic technology ecosystem that is advancing rapidly that we're in right now," Rahmani said. 
