Skip Sanzeri is the founder, COO and board chair of QuSecure, a global leader in post-quantum cybersecurity.

As various technologies and capabilities advance, the global cybersecurity landscape will definitively change. Quantum computing, cryptographic agility and artificial intelligence (AI) will lead a pack of advancing technologies slated for use by bad actors to steal, gain control or unfairly influence societal and political outcomes. Here are some predictions around post-quantum cybersecurity and cryptographic agility for 2025 worthy of our attention:

1. AI and quantum continue to merge, creating a future threat.

Cybercriminals are increasingly leveraging AI to enhance the sophistication and scale of their attacks. For instance, AI can be used to craft highly personalized phishing emails, making them more convincing and harder to detect. AI also enables the automation of complex tasks, allowing for more targeted and efficient cyber threats.

In my previous Forbes articles, “AI Agents Are The Future, And A Lot Is At Stake” and “The Impact Of AI On Post-Quantum Cybersecurity,” I explain how AI and quantum computing can be combined to both speed the development of powerful quantum computers and create new attack vectors that will be very dangerous. 2025 will see both AI and quantum computing advancing and combining for explosive threats.

2. Quantum computing advances, causing more organizations to start preparing.

As we know by now, quantum computers have the potential to break the encryption protocols currently used to secure global internet traffic and over 20 billion connected devices. This unprecedented vulnerability could trigger the largest cybersecurity upgrade cycle in history.

Quantum computers are advancing rapidly with countries like China spending over $15 billion on their quantum program. In 2025, we will see organizations begin to implement quantum-resistant algorithms as a proactive approach to safeguard against quantum decryption of previously harvested data.

3. Crypto agility becomes commonplace.

Organizations will need to develop crypto-agile systems capable of swiftly integrating new cryptographic algorithms, ensuring resilience against evolving threats. Automation in cryptographic management is essential for maintaining secure operations amid changing standards.

In the U.S., we expect NIST to approve two to three new cryptographic algorithms over the next year and a half. Organizations will need to use crypto agility for swift adaptation to new cryptographic standards as threats evolve.

4. Cryptographic management becomes automated.

The adoption of automated tools for managing cryptographic protocols is expected to rise, facilitating seamless transitions between algorithms and reducing the risk of vulnerabilities during migrations. Using automated cryptographic management will be increasingly important to effectively orchestrate cryptography throughout the enterprise.

5. The U.S. federal government and foreign nations continue to push PQC adoption.

The United States is actively advancing policies to integrate post-quantum cryptography (PQC) into national security frameworks, with significant developments anticipated in 2025:

• The National Institute of Standards and Technology (NIST) is encouraging federal agencies to migrate to PQC with Internal Report (IR) 8547 outlining strategies for migrating from quantum-vulnerable algorithms to quantum-resistant standards. The public comment period for this draft concluded on January 10, 2025, with the final version expected later in 2025.

• The National Security Agency (NSA) has introduced the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), incorporating quantum-resistant algorithms. This suite is slated for implementation across National Security Systems, with federal agencies required to comply by 2025.

• HR 7535, which was signed into law in December 2022, requires federal agencies to transition to PQC standards. The Office of Management and Budget (OMB) is expected to issue directives in 2025, setting deadlines for agencies to identify quantum-vulnerable systems and establish migration plans.

6. Organizations prioritize addressing ‘harvest now, decrypt later’ threats.

Recognizing the potential for adversaries to harvest encrypted data now for future decryption using quantum computers, U.S. policies will likely focus on implementing PQC to safeguard long-term data confidentiality. Nation-states are both monitoring and storing global data traffic with the intent of decrypting it at a later date. Data that requires a long shelf life, such as personal information, government secrets, financial information and healthcare data, needs decades of secrecy.

In 2025, we expect both enterprises and federal agencies to address the problem of exfiltrated data more strongly by implementing the PQC standards.

7. The Cryptography Bill of Materials gains significant traction in the 2025 cybersecurity landscape.

A Cryptography Bill of Materials (CBOM) serves as a comprehensive inventory detailing the cryptographic assets and their dependencies within an organization’s systems. This transparency is crucial for assessing vulnerabilities and ensuring robust digital trust.

Organizations are expected to widely adopt CBOMs to catalog their cryptographic assets, enabling more effective risk assessments and management. By providing a detailed overview of cryptographic implementations, CBOMs can empower organizations to identify and mitigate potential vulnerabilities more efficiently, thereby strengthening their security posture. The adoption of CBOMs is anticipated to become a vital practice in 2025.
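
To make the CBOM idea concrete, here is an added example (not from the original article or any vendor's product) that walks a small inventory and ranks assets for migration, putting "harvest now, decrypt later" exposure first. The inventory, its field names (`asset`, `algorithm`, `use`, `retention_years`) and the status labels are constructed for illustration and are not a standard CBOM schema.

```python
# Constructed sample inventory; simplified, hypothetical field names.
SAMPLE_CBOM = [
    {"asset": "vpn-gateway", "algorithm": "ECDH-P256", "use": "key-exchange", "retention_years": 25},
    {"asset": "patient-db-backup", "algorithm": "RSA-2048", "use": "key-exchange", "retention_years": 30},
    {"asset": "code-signing", "algorithm": "ECDSA-P256", "use": "signature", "retention_years": 0},
    {"asset": "internal-api", "algorithm": "ML-KEM-768", "use": "key-exchange", "retention_years": 10},
    {"asset": "disk-encryption", "algorithm": "AES-256-GCM", "use": "symmetric", "retention_years": 15},
    {"asset": "legacy-app", "algorithm": "FOO-1", "use": "key-exchange", "retention_years": 5},
]

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = ("RSA", "ECDH", "ECDSA", "DH", "DSA")
# NIST post-quantum standards (FIPS 203, 204, 205).
QUANTUM_RESISTANT = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Lower number = handle first.
ORDER = {"hndl-exposed": 0, "unknown-review": 1, "migrate-signature": 2}

def family(algorithm):
    """Return the known algorithm family for a name like 'RSA-2048', else None."""
    name = algorithm.upper()
    for fam in QUANTUM_VULNERABLE + QUANTUM_RESISTANT:
        if name == fam or name.startswith(fam + "-"):
            return fam
    return None

def classify(entry):
    """Map one inventory entry to a migration status."""
    fam = family(entry["algorithm"])
    if entry["use"] == "symmetric" or fam in QUANTUM_RESISTANT:
        return "no-shor-exposure"
    if fam is None:
        return "unknown-review"      # unrecognized algorithm: needs manual review
    if entry["use"] == "key-exchange":
        return "hndl-exposed"        # traffic recorded today is decryptable later
    return "migrate-signature"       # forgery risk starts only once the key is breakable

def prioritize(cbom):
    """Actionable assets: HNDL-exposed first, longest data retention first."""
    actionable = [(classify(e), e) for e in cbom]
    actionable = [(s, e) for s, e in actionable if s in ORDER]
    actionable.sort(key=lambda f: (ORDER[f[0]], -f[1]["retention_years"]))
    return [(e["asset"], e["algorithm"], s) for s, e in actionable]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_CBOM):
        print(row)
```

Entries with an unrecognized algorithm are surfaced rather than dropped, since an incomplete inventory is the usual failure mode of this kind of assessment.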

Steps To Ensure Your Organization Remains PQC Vigilant

Transition from a PQC strategy to practical deployments.

Organizations should move from planning to actively deploying PQC solutions. DigiCert anticipates that 2025 will mark a significant shift, with PQC becoming operational across various industries.

Get ahead of regulatory/compliance pressures and standardization efforts.

In 2025, NIST may announce new PQC standards, providing a more diverse framework for widespread adoption. These standards are crucial for ensuring interoperability and security across different platforms. Governments are mandating the integration of quantum-resistant algorithms, compelling organizations to update their cryptographic infrastructures to comply with new regulations.

Increase your awareness and preparedness.

The designation of 2025 as the International Year of Quantum Science and Technology by the United Nations highlights the global focus on quantum advancements and the importance of PQC in securing future technologies. Making sure everyone in your organization is on the same page will be critical.

Closing Thoughts

2025 is expected to be a pivotal year for PQC, with significant strides in standardization, implementation and global awareness to ensure that cryptographic systems are prepared for the challenges posed by quantum computing. We can expect quantum computing to challenge existing encryption standards, prompting the adoption of quantum-resistant cryptographic solutions and the development of regulatory frameworks to ensure data security in the quantum era.
