Meta Pushes Industry to Act Now on Quantum Threat
Menlo Park, CA – In a stark warning issued today, Meta is urging organizations to accelerate their transition to post-quantum cryptography (PQC) to counter the growing “store now, decrypt later” (SNDL) threat, where adversaries collect encrypted data today for future quantum decryption. The company released a detailed blueprint drawn from its own multi‑year migration, emphasizing that waiting even a few years could expose years of sensitive communications.
“We are not just preparing for a future threat; SNDL attacks are happening right now,” said a Meta security spokesperson. “Any organization handling long‑lived secrets must assume that encrypted data being captured today will eventually be cracked. Our migration framework shows that this transition is feasible if started early.”
Meta’s call comes as cybersecurity experts estimate that large‑scale quantum computers capable of breaking current public‑key encryption (like RSA and ECC) may arrive within 10 to 15 years. The UK’s National Cyber Security Centre (NCSC) and the U.S. National Institute of Standards and Technology (NIST) have both set 2030 as a key target for protecting critical systems.
Meta has already deployed PQC across parts of its internal infrastructure after a rigorous multi‑year process. The company’s blueprint includes a novel “PQC Migration Levels” system to help teams assess complexity and prioritize use cases.
Background: Why the Urgency?
Quantum computers will eventually break today’s public‑key cryptography, putting at risk everything from encrypted messages to digital signatures. NIST published the first industry‑standard PQC algorithms—ML‑KEM (Kyber) and ML‑DSA (Dilithium)—in 2024, with HQC scheduled next. Meta cryptographers are co‑authors of HQC, underscoring the company’s commitment to advancing global security.
“SNDL is the most immediate reason to migrate,” the spokesperson explained. “Attackers can store encrypted traffic today and decrypt it once quantum computers become available. The only defense is to deploy PQC now, so that even captured data remains safe.”
Both NIST and NCSC guidance emphasize that complexity and missing technical capabilities are major barriers. Meta’s framework aims to break down that complexity into actionable steps.
What This Means
For most organizations, the window to prepare is shrinking. Meta’s experience shows that inventorying every use of public‑key cryptography—from TLS certificates to digital signatures—and then updating libraries, hardware, and protocols is a multi‑year project. The company recommends that any entity handling sensitive data begin risk assessment and inventory immediately.
“The cost of delay is measured in lost confidentiality,” the spokesperson said. “We are sharing our lessons not as a courtesy, but as a call to action. Every organization must have a PQC roadmap by 2026 or risk being caught off guard.”
Meta’s Blueprint includes:
- Risk Assessment & Inventory: Identify all cryptographic assets and prioritize those most vulnerable to SNDL.
- Migration Levels: A tiered system to manage complexity across different use cases.
- Deployment & Guardrails: Techniques to ensure backward compatibility while phasing in quantum‑resistant algorithms.
“The industry cannot afford a fragmented, fire‑drill approach,” the spokesperson concluded. “Meta’s experience demonstrates that a structured, early start makes the transition efficient and economical.”
As the quantum threat matures, Meta’s blueprint may become essential reading for CTOs and CISOs worldwide. The full framework is available on Meta’s engineering blog.