Strengthening Government Cybersecurity Through Unified Cryptography Management

Public Sector
March 11, 2025

Since World War II, cryptography has been a cornerstone of U.S. national security, helping protect our citizens, businesses, critical infrastructure, military, and government operations. In today’s digital era, the need for strong cryptography has become even more critical, with increasing instances of AI-fueled cyber warfare and future threats from quantum computers. Despite recent legislation, National Security Memoranda, and Executive Orders from the past and current administrations, many government agencies are still lagging in terms of modernizing critical cryptographic systems. 

One of the biggest barriers facing government CISOs is a lack of insight into what cryptographic elements they use, where they reside, or whether they meet current security standards. This lack of comprehensive cryptographic visibility leaves agencies vulnerable to increasingly sophisticated cyber threats with escalating national security implications. Without knowing what cryptographic keys, certificates, algorithms and protocols are deployed, agencies cannot efficiently replace outdated cryptography, mitigate vulnerabilities, or comply with evolving federal cybersecurity mandates. As a result, adversaries can exploit these blind spots to exfiltrate sensitive data, disrupt operations, and compromise critical infrastructure and our ability to govern securely and effectively.

Past Government Cyber Breaches and Known Threat Vectors 

The consequences of poor cryptography management are evident in recent high-profile U.S. Government (USG) breaches. Chinese hackers have successfully breached USG systems numerous times over the past decade, including the 2024 Salt Typhoon breach, the 2023 Microsoft Cloud Email Compromise, the 2021 Microsoft Exchange Hack, and the 2015 Office of Personnel Management data breach – all of which exposed sensitive data and communications of millions of U.S. citizens, government agencies, and high-ranking officials. Not to be outdone, Russian hackers were involved in the 2023 infiltration of MOVEit, a file-sharing tool used by various USG organizations, the 2021 Republican National Committee breach, and the devastating 2020 SolarWinds breach. A still-unknown hacker perpetrated the 2022 InfraGard breach, compromising a database of over 80,000 people whose information was sold on cybercrime forums.

Today, cybercriminals and nation-state actors are leveraging artificial intelligence (AI) to enhance their attack capabilities. AI-powered phishing campaigns, deepfake-driven social engineering, and automated malware creation are outpacing traditional cybersecurity defenses. Even more alarming is the looming quantum threat. Adversaries are already engaging in "Store Now, Decrypt Later" (SNDL) attacks, where encrypted government communications and data are stolen today with the intent of decrypting them once cryptographically relevant quantum computers become available. At that time, the public-key encryption protocols that have protected our sensitive personal, financial, commercial and government data and communications for decades will be completely vulnerable to attack. Transitioning to quantum-resistant cryptography is no longer a distant priority; it is an immediate necessity.

In the meantime, the federal government has adopted a Zero Trust Architecture (ZTA) to strengthen security, but Zero Trust is only as strong as the encryption that supports it. Without strong, secure cryptographic foundations, ZTA frameworks can be undermined by weak key management practices, expired certificates, and vulnerable algorithms. 

Unified Cryptography Management Is a Key Component to National Security

Given the increasing frequency and sophistication of cyber attacks, a comprehensive, unified approach to encryption management is essential to securing government systems. Unified cryptography management will give USG agencies full visibility into their entire cryptographic environment, continuously identifying and inventorying outdated or non-compliant cryptographic assets wherever they reside – across the entire IT footprint. Automated remediation ensures that weak or expired cryptographic elements are replaced before they become vulnerabilities, and enables seamless compliance with NIST, FIPS 140-3, PCI DSS, and other regulatory frameworks. Quantum-readiness is also enhanced through the rapid deployment of post-quantum cryptographic (PQC) algorithms, ensuring that agencies stay ahead of evolving threats.

Some USG agencies are proactively modernizing their cryptographic infrastructure. For example, the Department of Health & Human Services (HHS) is strengthening encryption policies to comply with federal health data regulations. However, modernization efforts mandated by President Trump – and facilitated by the Department of Government Efficiency (DOGE) – must be accelerated across all government agencies to mitigate AI-based cyber attacks and avoid playing catch-up when quantum threats materialize. Unified cryptography management aligns with these modernization goals by increasing cybersecurity strength and resilience while increasing operational efficiencies through AI and automation.

The cyber threats facing the USG are real, and the timeline for action is narrowing. Modernizing the foundation that underpins modern cybersecurity across numerous complex government IT systems will take a decade or more. In the meantime, rogue nations and adversaries are investing heavily in quantum computing and AI-driven cyber warfare, and waiting to act will only cede our technological advantage to them. Failing to modernize cryptographic systems will have dire consequences: compromised national security, financial losses, disruption of critical services, and loss of citizen trust in government digital systems. To prevent this, the U.S. government must prioritize and take the lead in deploying unified cryptography management across USG agencies to protect our citizens, our national interests and the global digital economy.
