- ■
Google signals quantum encryption threat is imminent, not theoretical, with adversaries already collecting encrypted data via 'store now, decrypt later' attacks
- ■
NIST finalized post-quantum cryptography standards in 2024; Google rolling out ML-KEM across infrastructure starting now—not in 5+ years
- ■
For enterprises: encryption strategy window closes in 18 months. Cloud migration becomes security mandate, not optional modernization
- ■
Watch next threshold: government mandates for critical infrastructure (energy, healthcare, finance) by Q3 2026
Google just crossed a critical threshold. What was a decade-out research concern—quantum computers breaking today's encryption—is now a government policy priority. Kent Walker, President of Global Affairs, issued a direct call to policymakers: post-quantum cryptography migration must accelerate from "someday" to "now." This marks the moment quantum threats transition from academic alert to infrastructure imperative, meaning enterprises, governments, and security architects have roughly 12-24 months to shift from pilot programs to mandatory deployment.
The inflection point is clear in Walker's framing: malicious actors aren't waiting for quantum computers to arrive. They're harvesting encrypted data today—financial records, trade secrets, classified communications—betting that future quantum machines will decrypt it. This "store now, decrypt later" threat isn't speculative. It's happening. Google documented this risk in August 2024, but Walker's statement escalates from technical warning to policy imperative.
Here's what makes this moment different. For years, post-quantum cryptography lived in the research lane. Google started experimenting in 2016—a full decade before practical urgency. Academics debated. Standards bodies deliberated. The National Institute of Standards and Technology (NIST) took five years to finalize the first quantum-resistant encryption algorithms in August 2024. That felt like progress. But Walker's statement reframes the timeline: progress is too slow.
Google is rolling out ML-KEM—NIST's primary post-quantum standard—across internal infrastructure and products now. Not in phases. Not in pilot programs. The company's bet is explicit: the gap between quantum capability and quantum threat is narrowing faster than previous timelines suggested. The phrase "Cryptographically Relevant Quantum Computer (CRQC)" appears throughout the statement. That's the inflection point metric—not if, but when quantum computers become powerful enough to break 2048-bit RSA encryption. Walker refuses to guess when that arrives. He instead demands readiness by assuming it could happen sooner than historically predicted.
The five policy recommendations Walker outlines aren't advisory—they're a roadmap for accelerated infrastructure transition. "Drive society-wide momentum, especially for critical infrastructure." That means energy grids, telecommunications networks, healthcare systems. "Promote Cloud-first modernization." That's Google Cloud positioning, but it's also structural logic: legacy systems with hard-coded encryption can't migrate quickly. Cloud platforms can push cryptographic updates globally without system redesigns. "Ensure AI is built with PQC in mind." That's the meta-pivot: as enterprises rush to deploy AI systems, they're building on insecure cryptographic foundations. The window to rebuild is closing.
What matters is the timing signal. NIST completed standards in 2024. Google's announcing production deployment in 2026. That 18-month window? It's now the enterprise migration deadline. Gartner's 2024 guidance suggested 2026-2027 for mainstream PQC adoption. Google just moved that to 2026. Major cloud providers will follow. The signaling effect is immediate: security teams that haven't started PQC migration are now visibly late.
For investors in infrastructure security, this is the moment encrypted-data storage and cryptography-as-a-service startups become acquisition targets. The companies that help enterprises identify encrypted systems, audit cryptographic dependencies, and manage migration without downtime will see valuations spike. Fortanix, Zymbit, and similar players just moved from "nice to have" to "must have" status.
For security architects, the inflection is uncomfortable. Post-quantum cryptography is mathematically different from current systems. ML-KEM (formerly Kyber) uses lattice-based cryptography—completely different from the RSA/elliptic-curve systems protecting most infrastructure. Implementation requires re-architecting certificate chains, key management systems, and authentication protocols. This isn't a software patch. It's infrastructure reconstruction. And it needs to happen within 18 months for critical systems.
For enterprises over 10,000 employees, the decision calculus changed today. Before Walker's statement, post-quantum cryptography was a "monitor and plan" initiative. After it, it's a budget-approval conversation. IT leaders will demand accelerated timelines. Chief Security Officers will escalate to boards. The conversation moves from "should we" to "when must we." And "when" just became significantly sooner.
The precedent here matters. When major tech companies signal infrastructure requirements through policy statements rather than technical papers, it usually means mandatory timelines are coming. Walker's five recommendations will likely become industry compliance standards within 18 months. Banks will face pressure from regulators. Government contractors will face compliance deadlines. Healthcare systems will face audit requirements. The transition accelerates once regulatory frameworks follow corporate signals.
Google's position is clever. By positioning post-quantum encryption as both urgent and achievable through existing NIST standards and cloud migration, the company frames its own cloud services as the path to compliance. That's not cynicism—it's market structure. But it also means enterprises choosing non-cloud infrastructure will face significantly higher migration costs and complexity. The inflection point forces a larger architectural decision than just "use new encryption." It forces "move to cloud infrastructure or build internal quantum-safe capabilities."
One more timing signal: Walker emphasizes that "a CRQC is not forever a decade away." That's a direct rebuke to the assumption that's governed security planning for 15 years. Quantum threats have always felt distant enough to defer. Walker is saying: they're not. The window exists. Act now.
Kent Walker's statement marks the transition from quantum cryptography as a research problem to quantum cryptography as an infrastructure mandate. Enterprises now operate on a concrete timeline: 12-24 months to audit encrypted systems, evaluate post-quantum standards, and begin migration. Investors should watch infrastructure security and cloud migration vendors—compliance will drive spending. Security professionals need post-quantum cryptography skills immediately. Decision-makers must connect quantum readiness to cloud strategy, IT budgets, and regulatory risk. The next inflection arrives when government mandates for critical infrastructure arrive—watch for CISA guidance in Q2 2026.
