GUEST ESSAY: Google’s 2029 deadline exposes readiness gap as move to quantum-safe crypto lags

For years, quantum risk was easy for most institutions to treat as premature: real in theory, urgent someday, but not yet an operational problem. That is no longer tenable.

Related: AI spawns semantic attacks

Two developments this month brought the shift into focus. Google Quantum AI published research suggesting the computing resources needed to break widely used encryption may be significantly lower than earlier estimates assumed. Around the same time, researchers from Oratomic, Caltech and UC Berkeley described a plausible path for running Shor’s algorithm at a scale relevant to real-world security.

Most executives do not need to understand the technical details. They need to understand the takeaway: the threshold for quantum systems to threaten today’s cryptography is moving closer, faster and more credibly than many institutions planned for.

In response, Google pushed its reported migration target from 2035 to 2029 for moving its own infrastructure to quantum-safe cryptography.

That is why 2029 matters. Not because it predicts some cinematic “Q-Day,” but because it is a forcing function. A date like that changes behavior. It tells boards, regulators, investors and customers that this is no longer a fringe concern. It is a planning issue now, entering the boardroom as a budget issue. Soon it will become a scramble.

The public debate still revolves around the wrong question: when will a quantum computer be powerful enough to break current encryption? The more important question is how long it will take an organization to migrate before that day comes.

For most enterprises, the honest answer is uncomfortable: longer than leadership expects. In company after company, leaders assume their use of cryptography is bounded and manageable. Then they start tracing it. Encryption turns out to be embedded across far more applications, workflows, vendors, devices and legacy systems than anyone realized. What looked like a contained security upgrade becomes a multi-year operational transformation.

The organizations that will fare best are not the ones producing the longest slide decks. They are the ones that start testing, piloting and migrating early enough to learn what the work really entails. In many environments, there are practical, non-disruptive ways to begin upgrading cryptography without replacing everything underneath. The problem is that adoption remains shockingly low relative to the stakes.

And those stakes are not hypothetical. The risk does not begin on the day a quantum machine breaks encryption at scale. Sensitive data with long-term value is being collected now with the expectation it can be decrypted later—an attack widely known as “harvest now, decrypt later.” Financial records, intellectual property, health information and government communications may already be inside the exposure window.

There is a second dimension to this threat that deserves equal attention. If quantum-capable adversaries can eventually forge digital signatures and certificates, they will not just read protected data—they will impersonate trusted systems, alter records and undermine the authenticity of communications at scale.

This is “trust now, forge later”: the risk that threat actors are already mapping the cryptographic dependencies they intend to exploit once the capability arrives. Harvest now, decrypt later compromises confidentiality. Trust now, forge later compromises integrity. Together, they define a threat surface that is already active.

What changed with these papers and this deadline is that the issue has become legible to the people who actually allocate resources. If Google believes it needs to be quantum-safe by 2029, the rest of the market should be asking a much more uncomfortable question: what will it take for us to get there in time?

For many organizations, the honest answer is that they do not know yet. That uncertainty should not be reassuring. It should be clarifying. The window for calm, methodical action is still open. But it will not stay open for long.

About the essayist: Rebecca Krauthamer is co-founder and CEO of QuSecure, a leader in post-quantum cryptography helping enterprises and government prepare for the coming break of public key encryption. She previously co-founded Quantum Thought, serves on the World Economic Forum’s Global Futures Council on Quantum Computing, and has been recognized by Forbes 30 Under 30 and Inc. Female Founder 500.

The post GUEST ESSAY: Google’s 2029 deadline exposes readiness gap as move to quantum-safe crypto lags first appeared on The Last Watchdog.