Trump’s Quantum Executive Orders: A Bold Vision Built on Sand

The President signed two executive orders today with sweeping ambitions for American quantum supremacy. The orders — “Ushering in the Next Frontier of Quantum Innovation” and “Securing the Nation Against Advanced Cryptographic Attacks” — are, on paper, exactly what the United States needs. On paper. Let’s talk about what they actually do. And then let’s talk about what they won’t.

What the Orders Say

The first order sets a target of deploying a scientifically relevant quantum computer at a Department of Energy national laboratory by 2028. It calls for quantum sensors and networking technology within five years, establishes a new federal program called QC-ADDS (Quantum Computer for Application Development and Discovery Science), and creates National Quantum Workforce Development Institutes to train the next generation of quantum engineers.

The second order is arguably more urgent. It accelerates the federal deadline for adopting post-quantum cryptography — encryption capable of withstanding attacks from quantum computers — from 2035 to December 2031, a four-year jump. It directs NIST to complete a pilot migration of federal systems by the end of 2027 and tasks the Cybersecurity and Infrastructure Security Agency (CISA) with helping critical infrastructure operators make the same transition.

2031 is nice but consider this. Google says this is going to be a problem in 2029, so starting to solve it in 2031 means you lost the battle and the war to China.

Trump called it “a big step forward,” and declared the U.S. would be “the leader by a lot more.” Energy Secretary Chris Wright said, “With this Executive Order and this coordinated effort, we will have scientifically-relevant Quantum Computing during this administration.”

Stirring words. Now let’s return to Earth.

What the Orders Will Probably Accomplish

An interdepartmental memo. A very well-worded one.

There is no new funding attached to either order. No quantum czar with real budget authority. No emergency appropriation moving through Congress. What exists is a set of instructions telling federal agencies to coordinate, plan, and report back — the Washington equivalent of putting something on your to-do list and then going to lunch.

History is not encouraging here. The federal government has repeatedly missed cybersecurity migration deadlines that were far simpler than this one. The transition away from SHA-1 encryption dragged on for years past its mandated deadline. Federal adoption of basic email security standards like DMARC remained embarrassingly incomplete a decade after it was directed. IPv6 migration was mandated in 2010 and still isn’t finished.

Post-quantum cryptography migration is incomparably more complex. It requires every federal agency to inventory every cryptographic system it operates, update or replace hardware security modules, retrain technical personnel, and coordinate with thousands of contractors and vendors — many of whom run systems that predate the smartphone. Significant portions of U.S. government infrastructure still run on COBOL. The idea that this apparatus will complete a migration of this scale by 2031 is not optimism. It is magical thinking.

Meanwhile, China has been executing a nationalized, state-funded, military-integrated quantum program for years. The U.S. response remains, at its core, a coordination framework that hopes private sector momentum will do the heavy lifting. Against that backdrop, the most realistic outcome of today’s orders is that the highest-priority federal systems may reach partial compliance by the early 2030s, while vast stretches of the federal IT ecosystem remain vulnerable well past that — and nobody in charge will want to say so out loud.

A Note of Grudging Optimism — And a Much Larger Problem

To be fair: it is genuinely better that these orders exist than that they don’t. Moving the post-quantum deadline from 2035 to 2031 creates real pressure, even if the deadline is aspirational. NIST finalized its first post-quantum cryptography standards in 2024, so the technical foundation exists. And the QC-ADDS program, if it ever receives actual funding, could accelerate scientific progress in meaningful ways. The workforce development piece, if real, addresses a genuine bottleneck. So yes — possibly, maybe, under ideal conditions, with congressional appropriations and sustained political will across administrations — the government might not fall catastrophically further behind where it already is. That’s the optimistic case.

But here is the problem that neither executive order touches at all: the federal government is not where most of the risk lives.

Critical infrastructure in the United States — power grids, water systems, financial networks, telecommunications, hospitals, pipelines, transportation — is overwhelmingly owned and operated by private companies. And today’s executive orders do nothing for them. CISA is “tasked with helping” private critical infrastructure operators make the post-quantum shift, but tasking CISA with helping and actually requiring, funding, or enforcing a transition are entirely different things. Private companies operate on their own timelines, their own budgets, and their own risk calculations — and “the government recommends you upgrade your encryption” has never been a sentence that moves corporate IT spending committees.

And even if it did, Washington’s definition of “critical infrastructure” is itself dangerously narrow. Take financial services. When policymakers talk about protecting the financial sector from quantum threats, they mean the obvious targets: Wells Fargo, Citibank, JPMorgan, the major clearinghouses, the Fed’s payment rails. Those institutions have compliance departments, federal regulators breathing down their necks, and the resources to at least begin migration planning. Protecting them matters enormously. But the financial ecosystem extends vastly beyond them.

Consider what doesn’t make the list. Smart contract platforms. Decentralized finance protocols. Cryptocurrency exchanges, wallets, and the blockchain networks themselves. The entire DeFi ecosystem — which now moves trillions of dollars annually — runs on public-key cryptography that a sufficiently capable quantum computer could crack. IN A FRACTION OF A SECOND. Bitcoin’s elliptic curve signatures, Ethereum’s transaction authentication, the cryptographic foundations of virtually every digital asset in existence are all built on mathematics that Q-Day renders obsolete. Coinbase’s own advisory council has warned that roughly 7 million Bitcoin could eventually be exposed to quantum attack — tens of billions of dollars sitting in wallets whose private keys could theoretically be reverse-engineered.

None of this is in scope for today’s executive orders. There is no federal regulator with jurisdiction over a DeFi protocol running on a distributed network. There is no CISA guidance that reaches a smart contract deployed on a public blockchain. There is no compliance framework that touches the thousands of smaller fintech companies, regional crypto exchanges, and Web3 infrastructure providers that millions of Americans now use to manage real money. Washington’s mental model of “financial infrastructure” was built for a world that no longer fully exists, and its quantum preparedness framework reflects that outdated map.

Stretch this further and the picture gets worse. Healthcare records. Legal document platforms. Insurance networks. Real estate transaction systems. Supply chain management software. The list of industries that rely on encryption now vulnerable to quantum attack is essentially a list of the entire modern economy — and virtually none of it falls under any definition of critical infrastructure that today’s orders address.

Q-Day — the moment a sufficiently powerful quantum computer can crack the public-key encryption underpinning virtually all digital security — doesn’t distinguish between a Department of Energy server and a power grid, between a major bank and a DeFi protocol, between a classified military network and a hospital’s patient records system. A foreign adversary capable of breaking encryption on federal systems is equally capable of breaking encryption on everything else. The executive orders signed today address a thin slice of one side of that equation and ignore the vast majority of it entirely.

It is also important to understand that when China builds a sufficiently powerful quantum computer that will render all modern encryption obsolete and will allow China to empty your bank account … they are NOT going to tell you about it. They are just going to empty your bank account or disable the power grid or both.

The quantum threat is real. The urgency is real. Today’s orders are a start — a timid, underfunded, aspirational start aimed at a target much smaller than the actual problem. But mistaking a memo for a mobilization, and a partial mobilization for a complete one, would be the most dangerous thing we could do.

by