Meta Sounds Alarm on Post-Quantum Cryptography: Urgent Migration Lessons and Framework Released


Meta today is urging organizations to prioritize post-quantum cryptography (PQC) migration, sharing a detailed framework and lessons from its own multi-year rollout. The company warns that quantum computers could break current encryption within 10–15 years, but the threat is already active through “store now, decrypt later” (SNDL) attacks.

“We cannot wait until quantum computers are a reality,” said Alex Smith, Meta’s Director of Cryptographic Engineering. “Adversaries are harvesting encrypted data today, betting on future decryption. Every organization must begin migrating now to protect sensitive information.”

Background

Research confirms that sufficiently powerful quantum computers will eventually break today’s public-key cryptography, jeopardizing the security of digital communications, financial systems, and personal data. The US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) have issued migration guidelines, with a target of 2030 for critical systems.

Source: engineering.fb.com

NIST has already published the first PQC standards—ML-KEM (Kyber) and ML-DSA (Dilithium)—with more coming, such as HQC. Notably, Meta cryptographers are co-authors of HQC, underscoring the company’s commitment to advancing global cryptographic security.

Meta’s PQC Migration Framework

Meta’s approach covers risk assessment, inventory of affected systems, deployment strategies, and guardrails. The company proposes new “PQC Migration Levels” to help teams across an organization manage complexity for different use cases.

“Our goal is to provide a clear, repeatable model so others can navigate this transition effectively, efficiently, and economically,” Smith added. The framework is designed to accelerate the industry’s move toward a post-quantum future.

Lessons Learned

One key takeaway is that migration is not a one-time event but an ongoing process requiring continuous inventory updates, testing, and collaboration between cryptography, engineering, and security teams. Meta also highlights the importance of benchmarking performance impacts and having fallback mechanisms.

Another lesson is that missing or incomplete technical capabilities—such as interoperability between old and new cryptographic systems—are major barriers. Meta stresses that early standardization efforts, like those from NIST, are critical but need industry-wide adoption to succeed.

What This Means

For organizations worldwide, Meta’s release signals that PQC migration is no longer optional. The window to act is narrowing, especially for industries handling sensitive data—finance, healthcare, government, and technology.

“We hope that by sharing our journey, we can help others avoid common pitfalls and accelerate their own migrations,” Smith said. The message is clear: start now, implement PQC migration levels, and treat this as a strategic priority, not just a technical upgrade.

Meta is also calling for greater collaboration across the security community to refine migration frameworks and ensure that the transition to post-quantum cryptography is as smooth and inclusive as possible.
