The threat posed by future quantum computers to encryption currently used in public administration is increasing. Since attackers are already collecting encrypted data today and could decrypt it later, long-term sensitive data such as citizen and classified information is particularly at risk. The administration must act now: conduct an inventory of its systems and critical data, in the short term close the largest vulnerabilities with quantum-safe encryption and physical protection, and in the medium term ensure through "crypto-agility" that future technologies can be flexibly integrated. What is crucial: the solution must be implemented today, before the risk materialises in a few years.
Today's widely used encryption methods rely on mathematical functions that are simple to compute forward but nearly impossible to reverse – however, quantum computers are expected to crack these functions within 5 to 10 years. Particularly dangerous is the "harvest now, decrypt later" strategy: hackers are already collecting encrypted data today to decrypt it later once the technology becomes available.
Public administration has particularly high stakes: classified intelligence information, highly sensitive citizen data such as tax, health and social security information, and trust in digital government services such as e-ID and e-voting. Whilst data can already be encrypted with quantum-safe methods today, the secure key exchange during communication and networking remains unsolved – corresponding solutions are not yet established and are extremely costly.
Action is required on three time horizons: immediately conduct an inventory of systems in use and critical data, in the short term close the largest vulnerabilities, for example through quantum-safe encryption of "data at rest" and physical protection of connections (aligned with NIST standards), and in the medium term build "crypto-agility" so that systems can flexibly integrate future encryption technologies.
The urgency stems from the protection period of data: citizen data must often remain confidential for at least 20 years, whilst the decryption risk will occur within 5 to 10 years – data that is not quantum-safe encrypted today is therefore at risk within its statutory protection period. Quantum security is not merely an IT problem but a governance issue that requires collaboration between administration, providers and experts, as well as risk-based decisions by leadership, since a perfect solution does not currently exist.