Why privacy professionals should care about post-quantum cryptography

Privacy professionals should pay closer attention to post-quantum cryptography as quantum-enabled attacks could eventually expose today's encrypted sensitive personal data.

Contributors:
Lara Ballard
Former Special Advisor for Privacy and Technology
U.S. Department of State; Cyber risk analyst, Department of Homeland Security
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
The White House's Executive Order 14412, following on the heels of the June 2025 Executive Order 14306 amending former President Joe Biden's Executive Order 14144, aims to prepare the United States for the future threat quantum computers pose to sensitive encrypted data. Cybersecurity professionals are paying close attention. But are privacy professionals?
I'm seized with the issue because, after more than 15 years of working as a privacy professional, I transitioned last fall to a position as a cyber risk analyst. I had worked alongside cyber professionals for years, and certainly respected their work, but now I actually had to understand it.
It was in the process of learning about the different types of encryption — a major topic on the Certified Information Systems Security Professional exam — that I realized I should have learned this years ago. It would have made me a better privacy professional.
It also would have helped me understand that the long-term threat posed by quantum computers has our most sensitive personally identifiable information squarely in its sights. To understand why, we only need to know a tiny bit about encryption, physics and — gasp — math.
Encryption — and some math
Encryption includes both symmetric and asymmetric varieties. Symmetric encryption has been around since Julius Caesar was using what is known today as the Caesar cipher. "Symmetric" means we use the same key to encrypt as to decrypt.
Several strong symmetric encryption algorithms are in use today, and quantum computers won't be that much better than today's classical computers at breaking them.
But symmetric encryption has one serious practical limitation: the parties must have some secure means of communicating the key between themselves before they can use it. So how can we engage in secure transactions with unfamiliar websites, as long as they have an HTTPS address? How do we authenticate ourselves with digital signatures when we're sending them to people we've never even met?
The answer is asymmetric encryption, an innovation that came about only in the 1970s and now faces an existential threat from quantum computers. Asymmetric encryption rests on one of three major types of mathematical calculations that are easy to carry out in one direction but practically impossible to reverse.
For example, no existing computer can determine which two prime numbers were multiplied to produce a very large number of 600-plus digits.
This type of calculation underlies the Rivest-Shamir-Adleman or RSA algorithm, which was developed in 1976, just two years after Whitfield Diffie and Martin Helman envisioned a way to use these one-way algorithms to create public key infrastructure, or PKI.
PKI then became thoroughly embedded in the internet economy. To appreciate how important and central PKI and the RSA algorithm are to everyday online transactions, go to any website with an HTTPS website address and click on the padlock symbol next to the address.
In most browsers, right-clicking or following the security links near the address bar eventually reveals a certificate icon. Opening that certificate will often show a reference to "RSA" somewhere in the details. PKI is used for the initial "handshake" between the browser and the website's server. This secure channel is then used to transmit the code needed to switch to symmetric encryption for the rest of the data exchange.
Physics
Classical computers rely on classical physics. They communicate in zeros and ones — a unit of information known as binary digits or "bits" — because they repeatedly track the outcome of a binary event. Since the first punch-card tabulating machine was invented for the 1890 U.S. Census, computers have all leveraged the transistor: either a particular electric circuit is closed, or not.
The phenomenon of the hanging chad following the Florida presidential election vote count in 2000 exemplifies the limitations of classical computing: If a hole in a punch card was only partially punched, there was no way to calculate a range of probabilities for that voter's intention.
Quantum computers, by contrast, leverage quantum physics — specifically, the "spooky" behavior, as Einstein described it, of quantum particles that Erwin Schrödinger tried to explain in 1935 with the "Schrödinger's cat" thought experiment. A quantum particle can literally be zero and one at the same time; the unit of information is referred to as a qubit.
More math
Because of these strange properties, mathematicians can use different algorithms entirely on qubits than on bits. To that end, in 1994 mathematician Peter Shor announced an algorithm that could break the RSA algorithm — if only he had a quantum computer with several hundred qubits.
Since 1994, hundreds of other quantum algorithms have been developed. For those interested in trying their hand at it, IBM now offers an online course.
More physics
Why aren't quantum computers already breaking the RSA algorithm? It's a physics and engineering problem. Like Schrödinger's cat, qubits don't maintain their spooky properties; once observed, they settle into the usual, binary, zero-or-one paradigm.
IBM's current model has just over 100 qubits. Around the world, labs are experimenting with different substances whose sub-atomic particles are most likely to maintain quantum properties in the most scalable and cost-effective manner. It may not happen until 2035.
The point
So why does this matter today? Because right now, malicious actors are engaging in a strategy of "Harvest now, decrypt later." Because storage is cheap, they are hoovering up encrypted data by the petabyte and waiting for the day — "Q-Day" — that a quantum computer will enable them to decrypt it.
The good news is, there is already a fix for this problem. The U.S. National Institute of Standards and Technology approved several algorithms that will withstand a quantum cryptanalytic attack. Pursuant to Executive Order 14306, the Cybersecurity and Infrastructure Security Agency has already published a list of acceptable and commercially available products. They just need to be adopted, through a gradual transition prioritizing those information assets that are just as likely to be sensitive on Q-Day as they are today.
And this gets to why privacy professionals should care. To be sure, not all data that is sensitive today will still be sensitive in 2035. But what will definitely be sensitive? Individuals' Social Security numbers. Envisioning all the contexts in which SSNs are required — such as for security, payroll or benefits — offers a head start on identifying the information collections that cybersecurity colleagues should be transitioning to post-quantum cryptography on a high-priority basis.
One of the points all those CISSP exam prep materials makes clear is that cyber professionals can secure data, but they don't know, unless we tell them, what data we think is the most valuable.
Of all the types of data that need to be protected today from "Q-Day," there should be no doubt that sensitive PII is among them. It's time for privacy professionals to get involved and speak up.
The views expressed in this article represent the personal views of the author and do not necessarily represent the views of the United States Government or its agencies.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Submit for CPEsContributors:
Lara Ballard
Former Special Advisor for Privacy and Technology
U.S. Department of State; Cyber risk analyst, Department of Homeland Security



