Google Just Told You Your Encryption Is on Borrowed Time. Most Organizations Won’t Listen

By Patrick Spencer, Ph.D., Vice President at Kiteworks

Google issued what may be the most consequential cybersecurity warning of the year. On February 6, Kent Walker, President of Global Affairs at Alphabet and Google, published a call to action making one thing plain: current encryption systems are vulnerable to quantum computing, adversaries are already exploiting that vulnerability, and the window for organizations to act is closing faster than most assume.

The core message? Stop treating quantum threats as a future problem. They’re a present one.

“Store Now, Decrypt Later” Is Already Happening

The scariest part of Google’s announcement deserves attention upfront. Malicious actors are actively harvesting encrypted data right now — financial records, trade secrets, classified government communications — all of it being vacuumed up and stored, with the expectation that quantum computers capable of breaking today’s encryption will eventually arrive.

This attack vector is known in the cybersecurity community as “store now, decrypt later” (SNDL). Google confirmed that these campaigns are already underway. Every piece of sensitive data your organization transmits today, encrypted with current standards, could be sitting in an adversary’s storage somewhere, waiting. The encryption hasn’t been broken yet, but the bet is that it will be — and possibly sooner than most people assume.

Walker put it bluntly: a cryptographically relevant quantum computer is not forever a decade away. That phrasing is deliberate. For years, the quantum threat timeline has been a moving target, always pushed out just far enough to justify inaction. Google is saying that framing is no longer acceptable.

What Google Has Actually Done

Google isn’t just sounding alarms — they’ve walked the walk. The company has already migrated key exchanges for internal traffic to ML-KEM, the primary post-quantum standard that the National Institute of Standards and Technology (NIST) finalized in August 2024. All Google services and select Google Cloud-native services now use quantum-resistant key exchange by default.

That’s a massive infrastructure change from a company that processes a staggering percentage of global internet traffic. When Google says “we’ve done this, and you need to as well,” it carries a different kind of credibility than a vendor pushing a product.

ML-KEM — Module-Lattice-Based Key-Encapsulation Mechanism — is one of the algorithms NIST selected as part of its years-long post-quantum cryptography standardization effort. It’s designed to resist attacks from both classical and quantum computers, making it a replacement for current key exchange mechanisms. In practice, though, migrating enterprise infrastructure to new cryptographic standards is rarely straightforward, which is precisely why Google’s timeline recommendations are so aggressive.

The Policy Gap Nobody’s Talking About

The White House is currently drafting an executive order on quantum technology titled “Ushering In The Next Frontier Of Quantum Innovation.” On paper, it sounds comprehensive — tasking multiple federal agencies with updating the National Quantum Strategy and developing new quantum computing capabilities for scientific applications.

But there’s a notable omission: the draft reportedly lacks provisions specifically addressing post-quantum cryptography. You’d think an executive order focused on quantum innovation would address the single most urgent security implication of that technology, but it doesn’t — at least not yet.

Google’s policy push appears designed to fill that gap. Walker outlined five recommendations for policymakers: driving PQC adoption for critical infrastructure, promoting cloud-first modernization, building AI systems with post-quantum cryptography from the start, and preventing global fragmentation in standards adoption. If different countries adopt incompatible post-quantum standards, it would repeat the expensive compliance patchwork we’ve already seen with GDPR, CCPA, and China’s PIPL — except worse, because encryption is foundational to how digital systems operate.

The Kiteworks 2026 Data Security and Compliance Risk Forecast found that 33% of organizations lack evidence-quality audit trails for AI systems. Another 61% have fragmented logs scattered across different platforms.

Only 9 Percent Have a Plan

Perhaps the most alarming statistic in Google’s announcement: according to research from Bain & Co. cited by Google Cloud, only 9 percent of organizations currently have a post-quantum roadmap in place.

That number should alarm anyone responsible for enterprise security or regulatory compliance. Analysts are describing the migration window as roughly 12 to 24 months for organizations to begin their transition — not complete it, begin it. Yet the overwhelming majority of organizations haven’t even started planning.

Digital signatures underpin everything from software updates to financial transactions to identity verification. If those signatures can be forged by a quantum-capable adversary, the entire chain of digital trust unravels.

From a compliance standpoint, the implications are immediate. CISA has already issued federal guidance identifying technology product categories where post-quantum cryptography is widely available, and government contracts are expected to mandate PQC compliance starting in 2026. Organizations subject to frameworks like FedRAMP, CMMC, or ITAR should expect explicit PQC requirements in the near term.

Why This Matters Beyond Government Contracts

The compliance implications extend well beyond federal contracting. Frameworks like HIPAA, PCI DSS, and SOX already require “reasonable” or “appropriate” security measures. Once NIST has published finalized PQC standards (which it has) and major providers have implemented them (which Google now has), relying exclusively on classical encryption becomes increasingly hard to defend as reasonable. Regulators won’t need new rules — they’ll reinterpret existing ones, just as PCI DSS compliance evolved when TLS 1.0 and 1.1 were deprecated.

For organizations handling data governed by long retention periods — healthcare records, financial data, intellectual property — the SNDL threat adds another dimension. Data encrypted today might need to remain confidential for decades. If a quantum computer arrives within that window, you have a retroactive data breach. The data was already stolen; you just didn’t know it was exposed.

What Should Organizations Do Right Now?

The practical advice isn’t complicated, even if the execution is. Start by taking a cryptographic inventory — identify what encryption algorithms your systems use, where they’re deployed, and how deeply embedded they are. Then evaluate post-quantum solutions from existing vendors. Many major cloud providers and security vendors are already rolling out PQC support or have it on near-term roadmaps.

Prioritize your most sensitive and longest-lived data. Patient records, defense-related information, and trade secrets should be at the front of the migration queue because of the SNDL threat. And engage your compliance and legal teams now — don’t wait for an explicit regulatory mandate. Organizations that start proactively will be in a far stronger position than those scrambling after a deadline drops.
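The inventory and prioritization steps above can be sketched as a small triage script. This is an added example, not code from Google, NIST, or Kiteworks; the system names, the CSV layout, and the token-matching heuristic are all assumptions made for illustration.

```python
"""Triage a cryptographic inventory: flag quantum-vulnerable public-key
algorithms and order them by "store now, decrypt later" (SNDL) exposure."""
import csv
import io

# Constructed sample inventory (hypothetical systems, not real data).
SAMPLE_INVENTORY = """\
system,algorithm,purpose,retention_years
patient-records-api,ECDHE-P256,key_exchange,25
internal-wiki,X25519MLKEM768,key_exchange,3
firmware-signing,RSA-3072,signature,10
partner-sftp,DH-2048,key_exchange,7
design-vault,ML-KEM-768,key_exchange,30
backup-archive,AES-256-GCM,bulk_encryption,15
"""

# NIST post-quantum standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205).
PQ_TOKENS = ("MLKEM", "MLDSA", "SLHDSA")
# Public-key families breakable by Shor's algorithm ("DH" also matches ECDH/ECDHE,
# "DSA" also matches ECDSA). Substring matching is a heuristic, not a parser.
CLASSICAL_TOKENS = ("RSA", "DH", "DSA", "X25519", "ED25519")


def classify(algorithm):
    """Return 'post_quantum', 'quantum_vulnerable', or 'unclassified'."""
    name = algorithm.upper().replace("-", "").replace("_", "")
    # Check PQ names first: "MLDSA" contains "DSA", and hybrids such as
    # X25519MLKEM768 contain a classical name but are quantum-resistant.
    if any(token in name for token in PQ_TOKENS):
        return "post_quantum"
    if any(token in name for token in CLASSICAL_TOKENS):
        return "quantum_vulnerable"
    return "unclassified"  # e.g. symmetric ciphers; review separately


def migration_queue(inventory_csv):
    """Quantum-vulnerable systems, most urgent first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    vulnerable = [r for r in rows if classify(r["algorithm"]) == "quantum_vulnerable"]
    # Key exchange protects confidentiality, so traffic captured today is exposed
    # later (SNDL); within each group, longest-lived data goes first.
    vulnerable.sort(key=lambda r: (r["purpose"] != "key_exchange",
                                   -int(r["retention_years"])))
    return [(r["system"], r["algorithm"], int(r["retention_years"])) for r in vulnerable]


if __name__ == "__main__":
    for system, algorithm, years in migration_queue(SAMPLE_INVENTORY):
        print(f"{system:22} {algorithm:12} retain {years}y")
```

Signature systems sort after key-exchange systems because a forged signature requires a quantum computer to exist, whereas harvested ciphertext is at risk from the moment it is captured.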

The Bigger Picture

Google’s warning is part of a broader shift. NIST finalized its first post-quantum standards in August 2024. The NSA has published transition timelines for national security systems. CISA is issuing guidance. And now one of the largest technology companies in the world is publicly stating the threat is imminent, not theoretical.

The gap between awareness and action remains enormous. With only 9 percent of organizations holding a roadmap, the competitive and regulatory advantage of moving early is substantial. The quantum clock is ticking.

___

Patrick Spencer, Ph.D., vice president of corporate marketing and research at Kiteworks, has more than two decades of experience in marketing leadership roles in Fortune 500 and fast-growth companies.
