From Y2K to PQC: Preparing for the Next Great IT Challenge
Presented by GDIT | IBM
Many of us remember, or at least remember hearing about, Y2K. For much of the 1990s, there was widespread concern about how software and systems were programmed to represent years using only the last two digits – “99” instead of “1999.” As the year rolled over to 2000, computers risked interpreting “00” as “1900” rather than “2000,” leading to potential errors in systems relying on date calculations. This sparked fears of widespread failures in critical systems like banking, air traffic control, and power grids, creating panic that an unprecedented global IT crisis was imminent.
The fear was that stored dates used in calculations based on daily or yearly activities – think banking systems, air traffic control systems or power grids – would cause these programs to malfunction. Approaching the year 2000 meant approaching a near-certain global IT meltdown of epic proportions.
But that meltdown never happened. With attention, action and remediations, a crisis was averted, and Y2K became, essentially, a non-event.
Today, there’s a similarly massive although very, very different IT challenge confronting the world.
For all the transformative potential they bring, quantum computers also have the potential to break the current cryptographic encryption standards we use to secure everything from bank data to personal identification information to classified intelligence, and more.
Such breaks could expose sensitive information to our adversaries who, today, are already harvesting massive amounts of encrypted data so that they can decrypt it in the future.
With Y2K we had widespread attention on the problem, a shared global imperative to address it, a clear and simple fix, and a fixed deadline to meet.
This time around, the challenge is different. While significant government action is underway, the broader public and global attention that accompanied Y2K is largely absent. Unlike Y2K, where there was a shared imperative to address the issue, our adversaries are actively exploiting the situation. And the solution – transitioning to quantum-safe cryptography – is far more complex. Compounding these challenges is the uncertainty surrounding the timeline for when cryptographically relevant quantum computers may mature to the point of breaking today’s encryption.
But we do have learnings from the Y2K crisis to lean on. And there are parallels between how we addressed that problem and how we can, today, prepare for a post-quantum cryptography (PQC) world.
Certainly, NIST is beginning its preparations, having recently released encryption tools and algorithms designed to withstand quantum computers. These standards are intended to safeguard everything from email traffic to online commerce, and the agency is encouraging a transition to these new standards as quickly as possible.
“Post-quantum cryptography is not just a technical upgrade,” said GDIT Cyber Vice President Matt McFadden. “It’s a critical step in protecting national security against imminent risks and it brings new attention to the importance of encryption as new quantum-resistant algorithms are developed.”
Some are calling the PQC challenge “Y2Q” – and for good reason. By preparing now and building flexible, scalable strategies, agencies can ensure their missions not only remain resilient today but are also prepared for future quantum risks.
“Like Y2K, we’re solving for a future risk, now,” said Ray Harishankar, IBM Fellow, Quantum Safe, IBM Research. “From contributions to NIST’s PQC algorithm standardization efforts, to government and industry consortia planning, the effort to assess for – and ultimately migrate to – quantum-safe solutions is made all the more urgent, as we don’t have an obvious deadline like we did 25 years ago.”
Discover and Assess
The first step involves understanding and assessing where and how an organization is using encryption. Having a full situational awareness of your cryptography use is critical to planning for the migration.
McFadden, of GDIT, said the company works with clients to conduct a thorough discovery process that gauges an organization’s current quantum-resilient cybersecurity posture and informs the development of a PQC readiness roadmap prioritizing the PQC migration for the most critical risks.
This helps agencies develop an actionable strategy for implementing quantum-safe solutions, including encryption algorithms and security measures, that will protect against quantum threats today and into the future.
Identify At-Risk Data and Prioritize Mitigations
From there, agencies should identify their most at-risk data sets and prioritize mitigations. These mitigations include implementing quantum-safe solutions, such as encryption algorithms and security measures, to protect against quantum threats.
GDIT and IBM recently conducted a joint study about how Federal agencies are preparing for a PQC future. It found that just 8% of respondents had fully assessed and integrated current cryptographic standards and risks. Half of the respondents surveyed said they are developing strategies for PQC readiness, yet many still lack clear roadmaps or dedicated resources.
These numbers speak to the magnitude of the PQC challenge and the important role new standards (like those from NIST), updated algorithms and tools, and collaborative mission partners will play in addressing it.
Prepare Both the Workforce and the Enterprise for the Challenges Ahead
As PQC standards continue to evolve, agencies will need to develop strategies to continuously discover, assess, and manage cryptography risks. They will need to regularly assess and audit their systems in order to manage cryptography at scale and ensure continuous quantum resilience and readiness.
“Unlike Y2K, this is not just an upgrade and you're done; it’s a retrospective problem,” Harishankar, of IBM, continued. “Y2K generated a huge investment in software upgrades that were simply not optional – as is the move to PQC solutions. It’s critically important to prepare the workforce and the enterprise for what’s needed of them and what’s to come.”
The PQC transformation depends on agencies taking critical steps to prepare now. Doing so will make them quantum-safe and, as the world moves to quantum-safe cryptography, will also drive crypto agility within their organizations.
“The transition to post-quantum cryptography is not just a technical challenge—it’s a mission-critical imperative,” McFadden continued. “The security of our most sensitive systems and data depends on our ability to act decisively today. Agencies must embrace this transformation now to stay ahead of quantum risks and ensure the resilience of their operations for years to come.”
This content is made possible by our sponsors; it is not written by and does not necessarily reflect the views of GovExec's editorial staff.