The U.S. GAO Publishes a Quantum Threat Report – Right on Strategy but Wrong on Timing
The U.S. Government Accountability Office (GAO) has issued a June 2025 report titled “Quantum Computing: Leadership Needed to Coordinate Cyber Threat Mitigation Strategy” (GAO-25-108590). GAO makes many spot-on recommendations – calling for strong federal leadership, workforce development, investment in post-quantum readiness, and securing the quantum tech supply chain – and I wholeheartedly agree with these points. However, I strongly disagree with GAO’s suggested timeline that a cryptography-breaking quantum computer is still 10–20 years away. In my view, the quantum threat is racing toward us faster than official estimates imply, and we must respond with the urgency of a present crisis.
GAO’s Call to Action: Leadership, Workforce, Investment, and Supply Chain
GAO’s report underscores four critical areas for U.S. preparedness in a post-quantum world. In an earlier study, GAO had identified policy options for policymakers across government and industry to accelerate quantum development and mitigate risks. These focus areas bear repeating, and I agree with all of them.
- Federal Leadership & Strategy: No one was in charge of a unified quantum cybersecurity strategy until recently, and GAO argues that strong central leadership is needed going forward. The Office of the National Cyber Director (ONCD) is highlighted as the logical lead to coordinate a national response. (More on this below.)
- Workforce Development: There is a pressing need to expand the quantum-capable workforce – through education programs, job training, and talent recruitment. Without enough skilled professionals in quantum science and cybersecurity, even the best strategies will falter.
- Investment in Post-Quantum Readiness: Continuous and targeted investment is required to advance quantum technologies and to transition our encryption infrastructure to quantum-resistant standards. This includes funding R&D, supporting pilot projects, and ensuring organizations have the resources to migrate to post-quantum cryptography.
- Secure Quantum Supply Chain: We must strengthen the supply chain for quantum technologies, ensuring it’s robust and secure. From quantum hardware components to post-quantum cryptographic software, any weak link or foreign dependency could undermine national security in the quantum era.
The Quantum Threat Timeline: 10–20 Years? Try Closer to Now
Now for the part of GAO’s report that didn’t sit well with me: the estimated timeline of the threat. GAO cites experts who predict that a cryptographically relevant quantum computer (CRQC) – essentially, a quantum computer capable of breaking current encryption – “may be developed in the next 10 to 20 years”. In other words, the worst-case scenario (from a cryptography perspective) is placed somewhere around 2035 to 2045.
We simply cannot assume we have that much time. GAO’s 10–20 year estimate matches what used to be the expert consensus up until about a year ago, but the consensus is now bringing the deadline forward. Personally, I am bullish about the field and I recently revised my prediction to 2030 (from 2032). See “Q-Day Revisited – RSA-2048 Broken by 2030: Detailed Analysis.”
More importantly, even if the first CRQC doesn’t arrive until, say, 2035, the threat is effectively already here. GAO’s report itself acknowledges this with a critical caveat: “adversaries could copy data protected by cryptography today and store it with the intention of accessing it later once a CRQC is developed.” This tactic is often phrased as “harvest now, decrypt later.” In practice, it means that any sensitive data being intercepted or stolen right now could be stockpiled and decrypted in the future when quantum code-breaking becomes feasible. So even if the quantum decryption machine comes in 15 years, the data you are encrypting today might only have 15 years of security at best. For some information (nuclear plans, identities of assets, etc.), 15 years is a blink of an eye. For other data (say, your genomic or medical data), you might expect confidentiality for a lifetime, but a quantum computer could expose it much sooner.
Given this reality, I argue that we must manage the quantum threat with the urgency of a present crisis. Treat that 10–20 year prediction as the ceiling, not the floor. The prudent approach for cybersecurity professionals is to assume the worst-case timeline – and act accordingly.