Skip to main content

When quantum computers become reality: the facts for public administration

The threat posed by future quantum computers to encryption currently used in public administration is increasing. Since attackers are already collecting encrypted data today and could decrypt it later, long-term sensitive data such as citizen and classified information is particularly at risk. The administration must act now: conduct an inventory of its systems and critical data, in the short term close the largest vulnerabilities with quantum-safe encryption and physical protection, and in the medium term ensure through "crypto-agility" that future technologies can be flexibly integrated. What is crucial: the solution must be implemented today, before the risk materialises in a few years.

Today's widely used encryption methods rely on mathematical functions that are simple to compute forward but nearly impossible to reverse – however, quantum computers are expected to crack these functions within 5 to 10 years. Particularly dangerous is the "harvest now, decrypt later" strategy: hackers are already collecting encrypted data today to decrypt it later once the technology becomes available.

Public administration has particularly high stakes: classified intelligence information, highly sensitive citizen data such as tax, health and social security information, and trust in digital government services such as e-ID and e-voting. Whilst data can already be encrypted with quantum-safe methods today, the secure key exchange during communication and networking remains unsolved – corresponding solutions are not yet established and are extremely costly.

Action is required on three time horizons: immediately conduct an inventory of systems in use and critical data, in the short term close the largest vulnerabilities, for example through quantum-safe encryption of "data at rest" and physical protection of connections (aligned with NIST standards), and in the medium term build "crypto-agility" so that systems can flexibly integrate future encryption technologies.

The urgency stems from the protection period of data: citizen data must often remain confidential for at least 20 years, whilst the decryption risk will occur within 5 to 10 years – data that is not quantum-safe encrypted today is therefore at risk within its statutory protection period. Quantum security is not merely an IT problem but a governance issue that requires collaboration between administration, providers and experts, as well as risk-based decisions by leadership, since a perfect solution does not currently exist.

Did you find this useful?

Thanks for your feedback