Quantum Computing and National Security: GAO Calls for Coordinated Strategy to Address Looming Cryptographic Threats

Quantum computing promises groundbreaking advances in science, medicine, and engineering, but it also carries a looming threat to cybersecurity. In testimony before the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation, Marisol Cruz Cain, Director of Information Technology and Cybersecurity at the Government Accountability Office (GAO), presented findings from recent reports emphasizing the urgent need for national leadership in mitigating the quantum threat. This June 2025 testimony (GAO-25-108590) underscores that while progress has been made in understanding and preparing for quantum risks, significant gaps remain in formulating and coordinating a comprehensive strategy to protect U.S. cryptographic systems from future quantum-enabled attacks.

Quantum computers, unlike classical systems that rely on binary bits, operate on qubits that can represent multiple values simultaneously, enabling massive leaps in processing power for specific classes of problems. While this could eventually revolutionize sectors such as chemical simulation, drug development, and logistics optimization, it poses a severe threat to modern cryptographic systems. Many cryptographic standards—especially public-key encryption widely used to secure federal systems and critical infrastructure—are theoretically vulnerable to a cryptographically relevant quantum computer (CRQC). Such a device, which experts estimate could emerge within the next 10 to 20 years, would render much of today’s encryption ineffective in a matter of hours or days, compared to the centuries it would take classical computers to achieve the same.

The GAO’s 2024 report (GAO-25-107703) identified three central pillars of a national quantum cybersecurity strategy: standardizing post-quantum cryptography (PQC), migrating federal systems to PQC, and encouraging private sector and critical infrastructure stakeholders to do the same. However, as Cain noted in her testimony, these efforts remain fragmented. No single federal entity has been tasked with unifying the many disparate agency strategies, leaving critical gaps in planning, implementation, and accountability.

Although the Office of Management and Budget (OMB) has produced cost estimates for migrating federal systems—approximately $7.1 billion through 2035—its estimates are based on preliminary data and may lack accuracy. Furthermore, while federal initiatives have set milestones for developing and standardizing PQC, they lack clearly defined objectives, performance metrics, or a coordinated risk assessment framework for government and private-sector systems alike. For instance, while one document assessed risk across 55 national critical functions, there was no corresponding assessment of how federal agency systems might fare under similar scrutiny.

To address these issues, the GAO recommended that the Office of the National Cyber Director (ONCD) take the lead in orchestrating a unified national strategy. Established by Congress in 2021 to provide leadership in cybersecurity policy, the ONCD is well-positioned to integrate the efforts of OMB, the National Security Council, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST). While ONCD has not formally agreed to this leadership role, its engagement is critical to ensuring that migration to PQC is prioritized across sectors and that resource investments align with areas of highest risk.

In its broader assessment, the GAO also outlined four policy areas that will affect the development of quantum technologies: collaboration, workforce development, investment, and supply chain security. It noted that international cooperation may accelerate breakthroughs, but could also raise intellectual property and national security concerns. Building a quantum-ready workforce will require expanded education and training programs, and developing a secure supply chain for rare materials and sensitive components remains an urgent priority.

As quantum computing edges closer to maturity, the GAO’s message is clear: without a fully coordinated, performance-driven national cybersecurity strategy, the United States remains exposed. The emerging threat of quantum-enabled cyberattacks demands not just technological readiness, but strategic leadership capable of uniting the public and private sectors under a common mission to secure America’s digital infrastructure.

Disclaimer: This summary is based on publicly available information from the U.S. Government Accountability Office’s June 2025 testimony (GAO-25-108590). It is provided for informational purposes only and does not constitute legal, technical, or investment advice. Readers should consult the original report and other authoritative sources for full details and guidance.