The clock is ticking on today's encryption. Google just issued a stark warning that malicious actors are already hoarding encrypted data in "store now, decrypt later" attacks, banking on future quantum computers to crack today's security. In a policy brief published today, Kent Walker, President of Global Affairs at Google and Alphabet, announced the company is on track to complete its post-quantum cryptography migration while calling on governments to treat quantum-resistant encryption as critical infrastructure - before it's too late.
Google isn't mincing words: the encryption protecting your bank transfers, private messages, and classified data could be worthless within years. The company's latest policy push, published by Kent Walker, signals a shift from theoretical concern to urgent action on quantum computing security.
The threat is already materializing. While large-scale quantum computers capable of breaking current encryption don't exist yet, sophisticated attackers aren't waiting. They're executing what security experts call "store now, decrypt later" attacks - vacuuming up encrypted data today with plans to unlock it once quantum computers become powerful enough. It's a patient but devastating strategy that puts everything from trade secrets to government communications at risk.
Google's timeline shows the company has been preparing for this moment since 2016, conducting early experiments with post-quantum cryptography long before most enterprises considered it urgent. The company rolled out quantum-resistant algorithms in Chrome and across its product ecosystem, treating what others saw as a distant threat as an immediate engineering challenge. Now, with quantum computing hardware advancing faster than many predicted, that early investment looks prescient.
The technical challenge centers on cryptographically relevant quantum computers - machines powerful enough to break the public-key cryptosystems that secure modern digital infrastructure. Rather than simply running classical computations faster, quantum computers use superposition and interference to solve certain mathematical problems far more efficiently than any known classical method, and those include the problems that form the basis of current public-key encryption. According to internal research shared by Google, the window to transition is narrowing.
The good news? Solutions exist. The National Institute of Standards and Technology released the first set of post-quantum cryptography standards in 2024 after a rigorous multi-year international vetting process. These algorithms are specifically designed to resist attacks from both classical and quantum computers, providing a mathematically sound foundation for the next era of digital security.
But Google is making clear that having standards isn't enough - the real work is migration at scale. The company outlined two core commitments: continuing research to refine PQC migration timelines based on quantum computing progress, and completing its own infrastructure transition. Google's approach focuses on what it calls "crypto agility" - the ability to update or replace cryptographic algorithms without disrupting services, a capability that will prove essential as quantum threats evolve.
The policy recommendations Google issued today target five critical areas. First, drive society-wide momentum for critical infrastructure sectors like energy, telecommunications, and healthcare that face workforce and technical barriers to migration. Second, ensure AI systems are built with post-quantum cryptography from the ground up, not bolted on later. As AI becomes more central to the economy, securing its cryptographic foundation becomes non-negotiable.
Third, reduce global fragmentation by rallying around NIST standards rather than pursuing incompatible regional approaches. Fourth, promote cloud-first modernization - Google Cloud and other providers are already implementing PQC across their networks, making migration to cloud infrastructure a faster path than updating legacy on-premise systems.
Fifth, and perhaps most important, lean on experts to avoid strategic surprise. Walker's brief emphasizes that a cryptographically relevant quantum computer is not "forever a decade away" - the timeline is uncertain but potentially shorter than conventional wisdom suggests. Regular dialogue between policymakers and research teams like Google's Quantum AI group will be essential to stay ahead of threats.
The economic stakes are enormous. Every digital transaction, every encrypted communication, every secure connection depends on cryptographic systems designed in an era when quantum computers were theoretical. The transition to post-quantum cryptography represents one of the largest coordinated infrastructure upgrades in computing history, touching everything from certificate authorities to IoT devices.
Google's track record since 2016 gives the company credibility on this issue. While competitors have announced various quantum initiatives, Google's systematic rollout of PQC across Chrome, internal infrastructure, and cloud products demonstrates the complexity of real-world migration. The company has published threat models and technical papers sharing lessons learned, treating the transition as a collective challenge rather than a competitive advantage.
The healthcare and financial sectors face particularly acute risks. Medical records and financial data stolen today but decrypted in five years could still cause catastrophic damage to individuals and institutions. This creates a perverse incentive structure in which slow-moving, long-term threats receive insufficient attention compared to immediate quarterly priorities.
Walker's emphasis on cloud migration as an accelerator deserves attention. Rather than spending billions updating hard-coded cryptography in legacy government systems, his argument goes, shift those workloads to cloud providers already implementing PQC at scale. It's a pragmatic pitch that acknowledges the resource constraints facing public sector IT while advancing Google's commercial interests - a rare alignment of policy advocacy and business strategy.
The call for AI systems to incorporate PQC from inception reflects growing recognition that artificial intelligence and quantum computing are parallel revolutions that will intersect in complex ways. As AI systems handle more sensitive decisions and data, securing the cryptographic protocols that authenticate AI models and protect training data becomes critical infrastructure in its own right.
What's notable about Google's approach is the blend of technical specificity and policy advocacy. This isn't a vague call for "cyber resilience" - it's a detailed roadmap with concrete standards, specific vulnerabilities, and actionable recommendations. The company is effectively offering its migration playbook to accelerate broader adoption, recognizing that quantum security, like classical security, only works if the ecosystem moves together.
Google's push for quantum security preparedness reflects a sobering reality: the transition to post-quantum cryptography is no longer a research project but an operational imperative. With NIST standards published and threat actors already positioning for the quantum era, the window for orderly migration is closing. The company's decade-long preparation and detailed policy recommendations offer a roadmap, but success depends on coordinated action across governments, critical infrastructure operators, and the broader tech ecosystem. The question isn't whether quantum computers will break today's encryption - it's whether we'll finish rebuilding our security foundation before they arrive.