A new study warns that the United States has a rapidly closing window to protect critical infrastructure from quantum computers capable of breaking current encryption methods, with adversaries already collecting encrypted data today to decrypt once quantum technology matures. The R Street Institute released the policy study on June 25, 2026, examining how the nation can approach post-quantum cryptography (PQC) migration across critical infrastructure through a risk-based lens. The report concludes that waiting for certainty before beginning the transition is no longer viable, and that policymakers and industry leaders must act now to avoid severe long-term consequences.
The study arrives as quantum computing advances faster than many anticipated, with recent breakthroughs compressing earlier timelines for "Q-Day"—the point at which a quantum computer could break widely used public-key encryption. The Trump administration's recent executive order directs federal agencies to migrate high-value systems to post-quantum cryptography by 2030 and mandates that federal contractors do the same. The report identifies the "harvest now, decrypt later" threat as already active, meaning adversaries can collect encrypted data today with the expectation of decrypting it once quantum capabilities mature. Critical infrastructure sectors like energy, financial services, healthcare, and defense face the most urgent risk because they store sensitive, long-lived data.
The study advances three core findings: PQC migration must be treated as a present-day risk management imperative, data sensitivity and system criticality should drive prioritization, and federal leadership must move beyond high-level direction toward harmonized implementation. Mark Dalton, the senior director of R Street's technology and innovation team who authored the study with former resident fellow Haiman Wong, writes that "foundational steps of conducting a cryptographic inventory, prioritizing the most sensitive long-lived data, and beginning migration where feasible are available now." The report draws on insights from R Street's PQC Policy Working Group, which includes stakeholders across industry, academia, and government.
The report explains that the urgency stems from quantum computers' potential to break the encryption protecting everything from power grids to banking systems to medical records. Unlike traditional computers that process information in binary bits, quantum computers use quantum bits that can exist in multiple states simultaneously, giving them exponentially greater processing power for certain tasks—including cracking the mathematical problems that underpin current encryption. The threat isn't hypothetical or distant: hostile actors are already harvesting encrypted data today, betting they'll be able to unlock it within years once quantum technology catches up. For sectors managing infrastructure with decades-long lifespans or data that remains sensitive for years, the window for proactive defense is narrowing faster than the technology itself is arriving.
The authors offer four policy recommendations to accelerate the transition: align federal leadership with clear budgeting and accountability mechanisms, use targeted "Requests for Information" to identify implementation gaps and demonstrate solution pathways, launch pilot programs in high-impact environments at the Departments of Energy, Defense, and Treasury, and leverage market signals and private-sector leadership to accelerate adoption. The report frames the migration not as a future challenge to monitor, but as a present-day risk management imperative requiring immediate action across government and industry.