Quantum Computing Threatens to Become a National Security Crisis in Orbit
Featured image: Conceptual illustration of quantum-secure satellite communication links. [Credit: ESA / IQM]
The race to field the first cryptographically relevant quantum computer is converging with the rapid expansion of satellite constellations in low Earth orbit, creating what security experts describe as a looming national security crisis that could fundamentally undermine trust in space-based infrastructure.
In a stark assessment published June 29 in SpaceNews, Eddy Zervigon, CEO of quantum security firm Quantum XChange, laid out a five-phase scenario in which the combination of advancing quantum capabilities and the existing satellite encryption architecture creates risks that span everything from civilian communications to missile warning systems.
“This is not a distant threat,” Zervigon wrote. “The harvest-now-decrypt-later window has already opened, and real-time decryption capability could arrive within just a few years.”
Already happening: harvest now, decrypt later
The most immediate threat, and the one already underway, is straightforward. Adversaries are capturing encrypted satellite data today, telemetry streams, command and control signals, mission payload data, and storing it for future decryption when a sufficiently powerful quantum computer becomes available.
The problem is structural. A LEO satellite may operate for only five to seven years, but the systems and architectures those satellites depend on, ground networks, software update channels, corporate IT infrastructure, persist across multiple replenishment generations. Data collected today about satellite architectures, sensor designs, and command patterns retains strategic value for years or decades.
“Once traffic is captured, no future patch can un-expose it,” Zervigon noted.
This is not hypothetical; intelligence agencies globally have long practiced bulk collection of encrypted traffic. What has changed is the end of the assumption that those encrypted archives will remain secure indefinitely.
After Q-Day: real-time decryption
The moment a cryptographically relevant quantum computer comes online (what the industry calls Q-Day, estimated by Google, Cloudflare, and IBM as early as 2029), the threat escalates dramatically.
Current public-key encryption standards, including those used to protect satellite command links, authentication, and telemetry, would become breakable in near-real time. An adversary with quantum capability could:
- Monitor constellation health and track which satellites are being tasked against which targets
- Map command patterns and ground station relationships, identifying vulnerabilities in operational procedures
- Intercept mission payload data, from agricultural imagery to military surveillance
The consequences for military space operations are particularly severe. Defense customers relying on commercial satellite data for applications like missile warning, a key mission for programs such as the U.S. Space Force’s Golden Dome initiative, could receive compromised information without any visible signs of tampering.
Integrity attacks: the overlooked danger
While the threat to data confidentiality has received the most attention, the article warns that integrity attacks may present an even greater danger. The same cryptography that ensures confidentiality also verifies identities, authenticates commands, and confirms data integrity. When those protections fail:
- Operators can no longer trust telemetry and tracking data
- Forged ephemeris data shared with space situational awareness providers could corrupt collision-avoidance decisions across the orbital environment, affecting more than 18,000 active satellites and millions of debris fragments
- Forged sensor readings could cause operators to hold maneuvers that should have executed, or execute maneuvers that shouldn’t
The worst case: an adversary impersonates a legitimate operator and issues commands that the spacecraft accepts as authentic. The satellite becomes a weapon in someone else’s hands.
“The perfect gray-zone weapon,” Zervigon wrote. “Quantum attacks pass authentication as legitimate. Standard monitoring tools won’t detect them. Attribution is extremely difficult.”
What operators can do now
The prescription, according to Zervigon, is urgent but achievable. The first priority is crypto-agility, the ability to swap cryptographic algorithms without replacing hardware or taking down the network. Once a system is agile, migrating dependencies becomes a software update rather than a redesign.
The NIST post-quantum cryptographic standards, finalized in 2024, provide the algorithmic foundation. The NSA’s CNSA 2.0 timeline sets the migration deadlines for national security systems. But the article warns that the commercial satellite industry, which operates much of the critical infrastructure in space, has been slow to act.
“Press vendors for concrete roadmaps now,” Zervigon urged. “Don’t wait for a full inventory before starting.”
The key to prioritization is identifying assets with long confidentiality lifespans, data that must remain secret for years or decades. Those face the greatest exposure to harvest-now-decrypt-later attacks and should be migrated first.
Broader implications
The quantum threat arrives at a moment of unprecedented expansion in space-based infrastructure. Starlink alone has more than 15,000 satellites in orbit. Amazon’s Kuiper, China’s Guowang and SpaceSail constellations, and Europe’s IRIS2 program are adding thousands more. Each one relies on encryption that will eventually be vulnerable.
Massive quantum investments by the United States, China, the United Kingdom, France, and Japan are accelerating the Q-Day timeline. The article notes that the window for action is shorter than many in the industry assume, and that every month of delay adds to the volume of data that will eventually become readable.