Quantum computing executive orders: What's the impact on federal agencies and the private sector?

Video interview
July 2026

IN BRIEF

  • "The concept of "harvest now, decrypt later' has been around a long time. Companies have known that our adversaries are trying to steal data, banking on the idea that at some future point they can break the encryption."
  • "Q-day is coming possibly as soon as 2029, from what I'm seeing. And what are we going to do? You know, those first attacks, they're going to be possibly silent [...] Whoever does it isn't going to exactly announce it to the world."
  • "The defense industrial base and the federal government absolutely have the resources and capability to do this in the time frame that's required, if it's prioritized appropriately."

In this VISION by Protiviti interview, we sit down with Protiviti’s Konstantinos Karagiannis, Senior Director, Quantum Computing Services, and Dave Brand, Managing Director and Global Aerospace, Defense & Federal Lead, to discuss the two executive orders regarding quantum computing, which were signed by President Trump in late June. The executive orders are aimed at U.S. readiness and securing the United States against potential attacks. 

In this interview:

1:10 – What are the two executive orders?

2:49 – Implications for federal agencies and their contractors

4:15 – Wider implications

10:48 – Does the US have the resources required to comply?

13:07 – What should business leaders do next?


Read transcript

Unpacking Trump’s quantum computing executive orders: What’s the impact of federal agencies and the private sector?

Joe Kornik: Welcome to the Vision by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, where we explore topics being discussed inside C-suites and executive boardrooms worldwide. In late June, President Trump signed two executive orders regarding quantum computing aimed at US readiness and securing the US against potential attacks. To break it all down, I'm joined today by my Protiviti colleagues, Konstantinos Karagiannis, Senior Director, Quantum Computing Services, and Dave Brand, Managing Director and Global Aerospace, Defense & Federal lead. Dave and Konstantinos, thank you so much for joining me today. 

Dave Brand: Thank you, Joe. Happy to be here. Looking forward to the discussion today.

Konstantinos Karagiannis: Yeah, thanks, Joe. Trump threw us a little bit of a gift in the quantum industry this week, so happy to talk about it. 

Kornik: Well, great, Konstantinos, why don't we start there? Why don't we start there? As you mentioned, the president signed two executive orders this week that seemed to accelerate some of the quantum timelines, so can you unpack that a little bit for us? What do those executive orders say, and what did they do specifically?

Karagiannis: Sure, one of them kind of builds on stuff from the past that says, 14413, and it basically states that the US has to be first, that we have to build a quantum computer that's large scale, able to do, you know, real world problem solving. It's about deploying sensors and networks, and it's about making sure that there's a workforce to support all this. So, it's this idea that we're going to actually do amazing things with quantum computers. So, that's great. No one can deny that. The other one, 14412, focuses on accelerating the migration to post-quantum cryptography, and that one is going to have some more immediate impact industry-wide, because even though it's for high-value assets and the government, it's really going to be copy-and-pasted by regulatory bodies and the private sector, and everyone's going to want to be able to do business with the government. So I'm happy that it's going to accelerate this move to post-quantum cryptography.

Brand: And I might add, Joe, specific to the defense industrial base. The concept, especially on the on the encryption side, of “harvest now, decrypt later” has been around a long time, so companies have known, right, that our adversaries have tried to steal data, banking on the idea that at some future point they could break the encryption. What this executive order does is just add some urgency to it. It takes it from a kind of theoretical discussion around when it might happen and points it very specifically at “this is now a national security threat that we need to address.”

Kornik: Yeah, let me dig a little deeper on that. If we could, I mean, I know this impacts federal agencies as well as this defense industrial base, so maybe you can give us a little more clarity around the implications for both federal agencies and then the contractors who work with them.

Brand: Yeah, thanks, Joe. And I'll focus more specifically on the executive order around the timeline, because that's probably the most impactful for the defense industrial base. The new timeline, 2030, to establish the keys, frankly, depending on where you look and who you listen to, even that might be a little bit long, but that takes it from a long-term R&D issue to a contractual readiness requirement, because just like the government has done in other areas, PQC is effectively becoming the next compliance wave, and that will start to flow down, so you'll see it added to the DFARS requirements, FAR requirements. As Konstantinos just mentioned, it's going to affect whether or not you can contract with the government, they'll put it into the next iteration of CMMC, we’ll likely have some aspect of quantum readiness built in. And then you'll see the prime contractors start to flow that down to all of their subs, and so it becomes a cascading impact in the defense industrial base — if you want to be in the game, if you want to have access to these contracts, you are going to have to have some way to evidence and show that you can comply with all of the new PQC requirements.

Kornik: Thanks, Dave. This obviously impacts federal agencies, public and private sectors. So, Konstantinos, beyond the specific guidelines offered in the orders, what do you think are the wider and potentially more far-reaching implications of this announcement,

Karagiannis: So it has some really good potential impact, and it's also not quite what I wanted it to be at the same time, so I'll cover both. First of all, for the big impact, as I said earlier, everyone wants to do business with the government, and it's this idea that if we see a sense of urgency coming from the White House and coming from federal agencies, then the other industries are going to start to do the same thing. So, you're going to finally start seeing CISOs taking this seriously. For too long, when I've spoken to CISOs — I guess I don't know if it's because their average lifespan at a job is two years — you know that that's a real number, if you feel like looking it up — but they always have this sense of, oh, it's not my problem, it's a future thing, you know, and now we're finally getting to the point where it's very clearly not a future thing. I'm hoping that the impact will be a trickle-down effect where private sector actually starts doing a technical inventory of cryptography and starts examining what it takes to migrate, because migrating cryptography is not an overnight thing, it does take some time. But the attack vectors are not always very clearly understood, so “harvest now, decrypt later” is a huge problem, it's very real, but if you look at algorithmic attacks, they take time. Okay, a good example would be Gidney's 2025 paper, where he showed that a quantum computer would have to run for about five days to reverse a key. So, let's say some nation-state gets a quantum computer of sufficient power and starts cracking keys, that's 73 attacks a year. Do you really think a nation-state is going to sit there and just read 73 messages a year and call it a day? That's not realistic, it's not really, I mean, maybe a handful of messages that they know are super, super high priority. But I'm more worried about the possibility of “harvest now, forge later,” this idea of attacking things like code signing keys, that would be particularly the most devastating. So when I said that I don't feel the executive order did quite what I wanted it to do, in it it calls for the end of 2030 for key establishment, so that would protect you mostly from harvest now, decrypt later. But for digital signatures, it called for the end of 2031, so essentially 2032. At that point, you're talking the attack that's most likely to happen first is the one that's going to be protected last. So, if a machine comes online around 2029 — and it's very likely around that year we're going to have a machine that can start reversing signatures — then what are we going to do? We're going to be in a situation where an attacker can do something like, oh, I don't know, become the software driver for every single laptop at a federal agency. Now that's way more powerful than reading one message, or even 73 in a year, right? Because you can live on that network with a valid signed key that says you're Lenovo, or whatever company, and good luck finding that with any virus, good luck finding it with anything. You know you're going to live very, very long time on a network. Forget about APTs of the past, it's going to be, you know, hundreds of weeks, not hundreds of days, that these attacks are going to stay live, possibly. So I'm a little worried about that, and I would like to see a little more acceleration on doing both key encapsulation and digital signatures.

Brand: Joe, from a defense industrial base, sort of two things I want to hit on real quick. One is, you know, I talked a little bit about the supply chain, so immediately when you think broader implications, you should expect to see PQC clauses in flow-down contracts, supplier attestations, vendor risk scoring based on their crypto posture. But then the second piece — and this gets to what Constantinos was hinting at — when you look across the kind of defense industrial base, the systems deployed by the US government, some of those systems are decades old, and some of those systems have hard-coded encryption components, right? It's not as simple as just, you know, put the disc in and hit upgrade, and now I'm crypto compliant. Some of those systems, it will require whole tech refresh cycles. Some of them are in locations that aren't easy to get to, and so the timeline to do this has become incredibly compressed, and it is much more complex than some people may be thinking about.

Kornik: Yeah. Thanks, thanks for that, Dave and Constantinos. It sounds to me like you're both sort of saying that we, these timelines might not be aggressive enough. Is that fair?

Karagiannis: Yeah, that's definitely fair. And I'm not basing this on a gut, I'm basing this on actual algorithmic development and hardware development. So what you have right now is, every year we keep seeing that the number of required qubits to crack encryption is plummeting, and I mean plummeting. We went from 2019, 20 million qubits to 2025, 897,000 qubits to last February, 100,000 qubits, and numerous teams involved in similar research have admitted that they could probably get it as low as 10,000 physical qubits. And meanwhile vendors just keep adding them onto systems. I mean, these two lines are going to cross, and Q-day is coming possibly as soon as 2029 — 2028 maybe, but more likely 2029 from what I'm seeing. And what are we going to do? You know, those first attacks, they're going to be possibly silent, possibly like what was going on when we cracked Enigma in World War II. You know, whoever does it isn't going to exactly announce it to the world. They're probably going to very start quietly rolling out these attacks. So, I think we have got ourselves into a little bit of a corner here.

Brand: I think the flip side, not flip side, the other side of that would be that not only is it coming faster than we thought, I think the effort in large complex organizations with lots of high-end, high-risk encryption deployed in their products are finding that just the beginning point, the inventory of what's all the encryption we own. Where's it deployed? How do we use it? The lift to figure all that out, and then roadmap how do we get from where we are today to complying algorithms is much longer than people originally think.

Kornik: Yeah, it's very interesting, you know, all these security implications, and obviously you know, Dave, you mentioned supply chains, infrastructure, among the most obvious threats, potentially the most vulnerable. So, Dave, I'll ask you, does the US have the resources required to sort of meet these new deadlines? I mean, when you think about how the US will react to this new executive order, are you confident that we'll be able to meet the deadlines?

Brand: Konstantinos mentioned earlier about his conversation with CISOs, and maybe this will drive some of that urgency. The defense industrial base and the federal government absolutely have the resources and capability to do this in the time frame that's required, if it's prioritized appropriately, and that's why I'm excited about the executive order. I do think it adds a little bit of a sense of urgency, maybe not as much as either Constantinos or I would like, but with a sense of urgency we can do it. Just companies have to get started.

Karagiannis: Yeah, to add on to that, they're gonna, let's say, the government, they're going to need not only the resources in terms of people and effort, but they're going to need the resources, like they're going to need to throw out a lot of quantum technical debt, you know, some things cannot be upgraded, they just can't. Certain types of attacks can go all the way down to the firmware level, and if you don't have two TPM, two chips running v185 and up, those machines are never going to be PQC. It's going to be possible to go all the way root and then, like, work your way up at that root of trust. So, there is going to be a lot of money that's going to have to be spent to do this properly and do it right. And in the private sector, that's going to vary, you know. I almost envy the new companies that are going to come out in like three years from now. It's going to be turnkey PQC everything. You know, one day we're just going to call it C, but for now it's still, it's still a difficult migration, and that quantum technical debt factor is going to kick in big time. Luckily, private sector companies, especially, they don't have to do alone, you know, they could call my team, and we do this kind of thing all the time, actually. But it is a lot, it is a long journey, requires effort, and also software too, there's new breed of tools that help the migration process along.

Kornik: Great. Well, thank you both so much for your time today, digging into this incredibly complex and important issue around the executive orders for quantum computing. Let me just ask both of you before I let you go, and Konstantinos, let me start with you. What comes next? What should business leaders do now as they start to think about quantum and the potential burning platform that's in front of them, and ultimately its implications for running their business?

Karagiannis: Yeah, some of the stuff we hinted at throughout this. It's immediately beginning a PQC assessment, right? It's your technical inventory has to be taken, you don't even know what you have, most likely, you know, chances are you don't. You gotta do that. You have to consider third parties, third parties sometimes control major cryptographic elements in your organization. Cloud is a great example of that. There's probably never been a better time to migrate to the cloud, because those workloads will probably be secured before on-prem is. And then you have to figure out how you handle coding, things like that, or do you have a code base that is not very agile that will just like have to be completely ripped apart to make it PQC ready? And then once you assess all these factors and figure out your crown jewels, what's most important to start the migration with, you then have to go through the process. And it is a lengthy one and it involves, like, rolling this out in phases, making sure that libraries are updated, and that you disallow weak ciphers. It's actually going to also create a new headache people didn't realize, like there are still very old browsers connecting to retail sites, for example, right now — a lot of that's going to have to be disallowed. You're not going to be able to connect with some ancient browser, you know, to buy a handbag or something. It's going to have to be clamped down, like, nope, you must be using TLS 13 with this, or else we're just going to be right back where we start.

Kornik: Thanks, Konstantinos. And thank you both for joining me today, to, like I said, discuss this in very important topic. Thanks, guys.

Karagiannis: Thanks, Joe. Always appreciate a chance to talk about this.

Close transcript

Konstantinos Karagiannis is Senior Director of Quantum Computing Services at Protiviti, where he helps companies get ready for quantum opportunities and threats. He has been involved in the quantum computing industry since 2012, and in InfoSec since the 1990s. Konstantinos is a frequent speaker at conferences worldwide, and was named one of the Top 25 Most Influential People in Quantum Security by Techstrong. He hosts The Post-Quantum World, the longest continuously running quantum computing podcast.

Konstantinos Karagiannis
Sr. Director, Quantum Computing, Protiviti
View bio

David  Brand leads Protiviti’s Aerospace, Defense & Federal Industry practice. He has extensive experience in the areas of information technology auditing, regulatory compliance, risk management, business leadership, strategy execution, financial controls and board reporting. Dave has led teams for some of our largest clients and has both published and spoken on various business topics.

David Brand
Aerospace & Defense Lead, Protiviti
View bio
Add a Comment
CAPTCHA
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
* Required
Comments
No comments added yet.