Despite Government Regulations, Few Enterprises Have Moved Past Migration Planning

The post-quantum cryptography transition has moved beyond a theoretical exercise. Governments in the United Kingdom, United States and Europe have begun publishing migration road maps and setting increasingly explicit expectations around cryptographic inventories and governance. Yet many organizations are still in the early planning phase.
IBM forecasts that by 2029, it will deliver the first large-scale, fault-tolerant quantum computer. Q-Day, the hypothetical future date when a quantum computer becomes powerful enough to break widely used public-key cryptography, is on the horizon, and policymakers are now evaluating whether more government guidance is needed – and whether more stringent regulatory measures are needed to ensure readiness.
Part of the challenge is competition for IT executives’ attention, with artificial intelligence initiatives dominating boardroom discussions, budgets and technology road maps.
“AI has sucked the oxygen out of the room,” said Francis Gorman, head of the security center of excellence at Bank of Ireland. “Everyone is so distracted with what can the magic box in the corner do, that they have actually not looked into the sea and saw the shark coming up with the jaws open from beneath.”
But competition from AI initiatives is only part of the problem. The bigger challenge is getting enterprises to treat post-quantum cryptography as part of an enterprise-wide transformation program rather than a standalone security project. The biggest misconception is that security teams own the problem, Gorman said. Without executive ownership and accountability, organizations will continue to treat post-quantum migration as a distant, long-term problem.
This governance gap also helps explain why government road maps and preparedness guidance haven’t translated into action by most enterprises. Even though organizations may acknowledge the long-term risk, many struggle to justify investments without clear ownership, regulatory expectations or business drivers.
Louise Davey, president of LDIQ, a Canadian advisory and consulting firm that helps boards to understand emerging quantum risks, warned that quantum risk is often treated as a technical issue when it’s also a legal, operational, privacy and resilience challenge.
Because post-quantum cryptography migration competes with initiatives that deliver more immediate business value, organizations frequently defer action until regulatory or commercial pressure forces the issue, she said. As a result, many enterprises acknowledge the risk but struggle to prioritize it.
“It is time-shifted, highly technical and often has no clear business owner. That makes it too abstract for many organizations to seize,” Davey said.
This challenge has some observers questioning whether it’s time for governments to impose mandatory regulations, not just voluntary guidelines. Regulators have increasingly asked organizations to take stock of their cryptographic assets and develop migration strategies, but few jurisdictions have imposed specific private-sector requirements. While forcing organizations into aggressive migration timelines could create compliance fatigue and encourage rushed implementations, government mandates could remove ambiguity and help organizations justify the investment, Davey said.
New regulations should start with governance and inventory, she said.
“Most organizations could not migrate next year even if they were ordered to. They do not yet have the inventory, the decision rights, the vendor visibility, the funding, the skills, or the execution capacity,” Davey said. “Building these capabilities can take years, even before the first keys and certificates are migrated.”
At the very least, regulators need to send a signal that gets organizations ready to act: know where cryptography sits, what is exposed and who owns the decisions, while building the team and standing up reporting and governance oversight.
Mature enterprises understand the risk and have begun their post-quantum migrations, but those organizations are few and far between. Most will wait until regulators, auditors, insurers and partners force the issue, which is what happened with privacy and other cybersecurity regulations: organizations only ramped up investments when compliance expectations became clearer.
Not everyone agrees that regulation is the missing ingredient. Some experts argue that organizations already have sufficient information to begin preparing and that waiting for mandates may create a false sense of security.
Darren Bender, co-founder and chief legal officer at ProteQC, said organizations should not assume the absence of regulation eliminates responsibility. Boards and C-level executives already have fiduciary duties to make informed decisions about foreseeable risks. Government mandates may accelerate action, but they should not be the only driver, Bender said.
“Walking into the PQC conversation midway is like catching The Wizard of Oz halfway through,” Bender said. “You cannot appreciate the color of the circumstances unless you start at the beginning, in black and white. Lower that barrier, and leaders can finally see the full picture.”
Plus, organizations can’t afford to wait for perfect clarity before acting, he said. As governments publish increasingly detailed road maps and expectations, the debate is shifting from whether quantum readiness is necessary to how quickly organizations should be required to prepare.
“If governments believe quantum risk is material, and they believe it is in the national interest that their critical infrastructure and industry prepare, then they need to move beyond guidance and create clear expectations,” Bender said. “The countries that do may well find themselves on the side of the winners.”
