The Quantum Threat and Industry Response

As quantum computing advances, the cryptographic foundations of today’s digital infrastructure face a fundamental challenge. Research indicates that sufficiently powerful quantum computers will eventually break widely used public-key encryption methods, such as RSA and ECC, exposing sensitive data that was encrypted with those schemes. While experts estimate this tipping point is still 10–15 years away, the threat is immediate because of the “store now, decrypt later” (SNDL) strategy. Adversaries can harvest encrypted data today, store it, and decrypt it once quantum computers become available. This makes it critical for organizations to begin post-quantum cryptography (PQC) migration now, before it is too late.

Recognizing this urgency, standards bodies and national cybersecurity agencies have issued migration guidance. The U.S. National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) have published roadmaps that recommend prioritizing PQC protections in critical systems by 2030 or earlier. NIST has already finalized its first set of PQC standards, including ML-KEM (Kyber) for key encapsulation and ML-DSA (Dilithium) for digital signatures, with additional algorithms like HQC under review. Notably, Meta cryptographers are co-authors of HQC, reflecting the company’s deep involvement in advancing global cryptographic security.

Yet migration is complex. Organizations must contend with legacy systems, protocol dependencies, and performance trade-offs. Incomplete technical capabilities and the sheer scale of inventory make the transition daunting. Meta’s experience offers a practical blueprint for tackling these challenges.

Meta’s Proactive PQC Migration Strategy

With billions of users relying on its platforms daily, Meta has taken a proactive stance against the quantum threat. Over a multi-year process, the company has already begun deploying post-quantum encryption across its internal infrastructure. The goal is to maintain strong security and data protection commitments both now and in the quantum future.

Meta’s approach is built on a comprehensive framework that covers risk assessment, inventory, deployment, and guardrails. Rather than a one-size-fits-all solution, the company recognizes that different use cases—from internal communications to customer-facing services—require tailored migration strategies. This led to the development of PQC Migration Levels, a structured way to manage complexity.

Introducing PQC Migration Levels

PQC Migration Levels are a proposed model to help teams within an organization assess where they stand and what steps are needed. Inspired by capability maturity models, each level defines a set of criteria for cryptographic readiness:

• Level 1 – Inventory and Awareness: Identify all cryptographic assets, algorithms, and dependencies. Create a central registry.
• Level 2 – Risk Assessment: Evaluate which assets are most exposed to SNDL attacks or quantum decryption. Prioritize based on data sensitivity and system criticality.
• Level 3 – Protocol and Algorithm Selection: Choose suitable PQC algorithms (e.g., ML-KEM, ML-DSA) and update protocols accordingly.
• Level 4 – Deployment and Testing: Roll out changes in a controlled manner, with side-by-side operation where possible. Perform extensive testing to ensure performance and interoperability.
• Level 5 – Monitoring and Remediation: Continuously monitor for vulnerabilities, algorithm deprecations, and emerging standards. Apply updates as needed.

This framework enables organizations to break down the monumental task of PQC migration into manageable phases, each with clear deliverables and success criteria.

Lessons Learned and Practical Takeaways

Meta’s migration experience has yielded several insights that can benefit the broader community:

1. Start with a Comprehensive Inventory

You cannot protect what you do not know. Many organizations underestimate the number of cryptographic endpoints they have. Meta invested heavily in automated discovery tools to build a complete picture of all keys, certificates, and algorithms in use. This step is the foundation for any migration plan.

2. Prioritize Based on Threat Exposure

Not all systems face the same risk. Data with long confidentiality requirements (e.g., health records, intellectual property) should be addressed first. Systems that rely on long-lived certificates or that are publicly accessible are also higher priority.

3. Embrace Hybrid Approaches

During the transition, using both classical and post-quantum algorithms together (hybrid mode) provides backward compatibility and reduces risk if a PQC algorithm is later weakened. Meta has employed hybrid key exchange in its internal protocols, ensuring a smooth upgrade path.

4. Test Performance Impact Early

PQC algorithms typically have larger keys and ciphertexts, and may be slower than current algorithms. Meta conducted benchmarking in realistic environments to avoid performance degradation. For latency-sensitive applications, careful optimization and hardware acceleration may be necessary.

5. Build Organizational Buy-In

Cryptographic migration is not just a technical task; it requires coordination across security, engineering, product, and compliance teams. Meta established a cross-functional working group with clear ownership and regular updates. Communicating the “why” (SNDL threat) helps secure executive support.

6. Plan for Post-Deployment Maintenance

PQC standards will continue to evolve. New algorithms will be standardized, and old ones may be deprecated. Meta has set up automated monitoring to track algorithm usage and alert on outdated or vulnerable configurations. Regular rotation and key management processes must be updated to support PQC.

Conclusion

The transition to post-quantum cryptography is one of the most significant infrastructure changes the tech industry will face. Meta’s experience demonstrates that a structured, phased approach—from inventory through deployment and guardrails—can make the journey manageable. By sharing its PQC Migration Levels framework and the lessons learned, Meta aims to help other organizations navigate this transition effectively, efficiently, and economically. The time to act is now: start building quantum resilience today, or risk exposing tomorrow’s data to today’s adversaries.