With a June 6 executive order, President Trump took a Sharpie to parts of President Biden’s final cybersecurity directive, including guidance related to post-quantum cryptography (PQC)—a defense against the super-fast machines that could someday break many of today’s message scramblers.
While the directive acknowledges the security risks of quantum computers, the EO also erased Biden-era language encouraging the implementation of PQC keys “as soon as practicable upon support being provided by network security products and services.”
Cybersecurity pros who spoke with IT Brew reflected on a defense that remained in the Trump order: a requirement for agencies to support the internet privacy protocol known as Transport Layer Security version 1.3, or a successor version.
TLS 1.3 alone won’t save us from the encryption-breaking quantum computers, according to Nick Reese, adjunct professor at NYU Center for Global Affairs (and former DHS director for emerging technology policy).
“TLS 1.3 is not a quantum-resistant solution. It is a good security solution. It will make for a good foundation upon which we can build quantum solutions, but we still have to change the asymmetric algorithm, and that’s hard,” Reese told IT Brew.
TLS, TL;DR. Think of TLS like a message carrier, negotiating protections between two parties: a “handshake” key swap between a sender and receiver, and the resulting agreed-upon encryption between the two parties.
The key, in TLS 1.3, is exchanged through a process known as Elliptic-curve Diffie–Hellman (ECDH), which uses algebraic functions to create and encode a key on the client and server, simultaneously.
While Reese appreciates 1.3’s built-in rejection of outdated encryption methods like SHA-1, he is concerned that the protocol’s reliance on ECDH could lead to a quantum computer breaking the algebra, enabling an attacker to access past and current information exchanges.
“We know that data and information are both highly valuable and highly weaponizable,” Reese said. “If we agree on that, then a quantum computer that is able to break our asymmetric encryption is going to be the centerpiece of the most important cybersecurity challenge that we face in our lifetimes, and it’s not something that any one organization can do itself, whether that’s a nation or an individual company.”
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
The TLS 1.3 standard was released in 2018 by the Internet Engineering Task Force (IETF). The National Institute for Standards and Technologies also released post-quantum encryption standards in 2024.
“Yes, let’s do TLS 1.3, but not only TLS 1.3; we need to do TLS 1.3 and the NIST algorithms,” Reese told us, adding in a follow-up email that IT system managers should be actively asking vendors for their plans to integrate the NIST post-quantum standards into their products. “Together with the TLS 1.3 transition, this creates a true hybrid approach,” he wrote.
What’s next? In January 2025, the IETF released guidance for “hybrid” TLS, which uses two (or more) key exchange algorithms based on different cryptographic setups: one traditional algorithm and one next-gen algorithm.
“Many (though not all) post-quantum algorithms currently under consideration are relatively new; they have not been subject to the same depth of study as RSA…or Elliptic-curve Diffie–Hellman, and thus the security community does not necessarily have as much confidence in their fundamental security,” the IETF wrote.
The June 6 cybersecurity order acknowledges that a quantum computer could break “much of the public-key cryptography used on digital systems across the United States and around the world,” and the directive still requires the Department of Homeland Security to release a list of products supporting post-quantum cryptography.
Michael Smith, field CTO at DigiCert, sees only small changes between the dueling EOs and their take on quantum preparations.
“The overall direction is still there. The overall direction is moving forward,” he said.
An April ISACA study found that 40% of respondents are not aware of their company’s quantum-preparation plans.