The U.S.’s most sensitive computer networks are under daily attack today by adversarial hackers, and these networks’ data encryption needs to hold off the supercomputers of the future.
Adversaries, including nation-state actors, have demonstrated they can break into defense and intelligence networks, lie low and live off the land, and gather intelligence for future strategic planning and commercial advantage. They’re playing the long game, waiting patiently for the advent of quantum computing so powerful it can crack today’s standard encryption algorithms.
The U.S. military and intelligence community and the contractors and vendors who serve them — along with militaries around the world — must immediately begin migrating sensitive networks and data stores to encryption systems running algorithms that quantum computers won’t be able to crack.
The U.S. government knows this. This is not fantasy or fiction. The NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) mandates the transition to post-quantum cryptography for national security systems, with compliance timelines beginning now and running through 2033. CISA and NIST have finalized the first quantum-resistant standards.
At RSAC 2026, that mandate showed up as execution pressure: vendors shifted from theory to deployment, rolling out crypto discovery, hybrid PQC, and hardware-level implementations built explicitly for CNSA 2.0 timelines. Before that, the Department of War in November launched the migration, including ordering the department to catalog “all cryptography used in any type of system” and to identify internal leads to run the migration.
“Now is the time to plan, prepare, and budget for an effective transition to quantum-resistant algorithms, to assure continued protection of National Security Systems and related assets,” the NSA said in a May 2025 announcement.
Build From the Ground Up for Post-Quantum
DoD, as well as defense ministries and armed forces around the world, operate tens of thousands of networks and millions of endpoints, with more OT and IoT devices and weapons systems coming online every year. That “opens more attack opportunities for adversaries,” the Government Accountability Office warned as far back as 2018.
Undertaking the gargantuan transition from legacy public-key encryption to post-quantum encryption algorithms will demand end-to-end quantum-secure networking that integrates directly into existing cloud infrastructure, cold data storage, resilient communications infrastructure, weapons platforms, and edge devices. This problem not only spans government and defense networks, but also critical, regulated enterprise networks, like banking and health care.
ZeroTier Quantum is ready. It’s the only software-defined, end-to-end quantum-secure networking platform on the market. It’s built from the ground up for the post-quantum era, it’s CNSA 2.0 compliant, and it’s deployable across the full spectrum of defense environments: cloud, on-prem, air-gapped, sovereign-gapped, and at the tactical edge.
The Threat Is Not Hypothetical
Nation-state adversaries with the most advanced cyber programs have already shown sophisticated capability to penetrate the defense networks of the U.S. and its allies to gather intelligence. Chinese-linked groups have been observed breaking into U.S. government and defense networks since at least 2021. U.S. intelligence officials anticipate hacking groups affiliated with the People’s Republic of China and other countries will continue to attack U.S. defense and intelligence networks to gather intelligence. Russia too possesses advanced cyber capabilities and has found “repeated success compromising sensitive targets for intelligence collection,” U.S. intelligence officials have warned.
In live-off-the-land attacks, hackers blend into normal system and network activities and evade defenses, lying in wait. They gather sensitive ciphertext from data storage and network traffic, such as classified communications, controlled technical information, logistics data, ISR feeds, weapons system telemetry and much more, to store for the future.
In principle, quantum computing exploits quantum mechanics to perform calculations at a speed and scale that legacy computers fundamentally cannot match. That will enable quantum computers to perform in hours computations that would take a legacy computer billions of years — computations like breaking into massive sets of data protected by public-key cryptography, such as RSA and elliptic curve.
Post-quantum cryptography is the set of encryption algorithms that don’t have the vulnerabilities that make legacy encryption crackable by quantum computers. It begins with node identity, where a zero-trust architecture ensures all identities are verified at the start of every session. Routine packet authentication uses AES-256-GCM for performance, while HMAC-SHA384 is applied during session negotiation for added integrity. ZeroTier Quantum combines post-quantum and classical cryptography using algorithms approved for use at the highest levels of the U.S. and EU governments, including ML-KEM-1024, ML-DSA-87, 384-bit P-384 elliptic curve cryptography in a hybrid layer, AES-256, and SHA-2 at the 384- and 512-bit levels. This hybrid approach requires both classical and post-quantum encryption to be broken for a compromise, while quantum agility enables seamless adaptation as standards evolve, maintaining resilience against future mathematical or side-channel vulnerabilities.
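One way to obtain the “both must be broken” property described above, shown as an added example that is not ZeroTier’s code or protocol: the session key is derived with HKDF-SHA384 from the P-384 and ML-KEM-1024 shared secrets together, so knowing only one of them yields nothing. The concatenate-then-HKDF construction, the label string, the function names, and the sample secrets are assumptions made for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha384        # SHA-384, one of the hashes the article names
HASH_LEN = 48
P384_SECRET_LEN = 48         # ECDH over P-384 yields a 48-byte shared secret
MLKEM1024_SECRET_LEN = 32    # ML-KEM-1024 yields a 32-byte shared secret


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: condense the input keying material into one PRK."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ecdh_ss: bytes, kem_ss: bytes, transcript: bytes) -> bytes:
    """Derive a 256-bit AES key that depends on BOTH shared secrets."""
    if len(ecdh_ss) != P384_SECRET_LEN:
        raise ValueError("unexpected P-384 shared secret length")
    if len(kem_ss) != MLKEM1024_SECRET_LEN:
        raise ValueError("unexpected ML-KEM-1024 shared secret length")
    # Fixed lengths keep the concatenation unambiguous; the salt binds the transcript.
    prk = hkdf_extract(HASH(transcript).digest(), ecdh_ss + kem_ss)
    return hkdf_expand(prk, b"example-hybrid-v1 aes-256-gcm", 32)


# Constructed stand-ins for the two key-agreement outputs; no handshake is run.
ECDH_SS = hashlib.sha384(b"constructed P-384 ECDH output").digest()
KEM_SS = hashlib.sha256(b"constructed ML-KEM-1024 output").digest()
TRANSCRIPT = b"constructed handshake transcript"
SESSION_KEY = hybrid_session_key(ECDH_SS, KEM_SS, TRANSCRIPT)


def recovers_key(ecdh_guess: bytes, kem_guess: bytes) -> bool:
    """True only if both guessed secrets reproduce the session key."""
    derived = hybrid_session_key(ecdh_guess, kem_guess, TRANSCRIPT)
    return hmac.compare_digest(derived, SESSION_KEY)
```

In a real handshake the two inputs come from an ECDH P-384 exchange and an ML-KEM-1024 encapsulation performed by a vetted cryptographic library.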
ZeroTier Can Network It
ZeroTier connects legacy systems, modern infrastructure, and state-of-the-art edge devices under the same policy model — a crucial capability for DoW commands that are constantly integrating new technology into older platforms. It can handle tactical edge nodes with constrained compute, IoT and OT devices, air-gapped networks with no internet access, legacy platforms, and allied networks built on different standards. It enables seamless interoperability with other networked systems across the Joint Force and with coalition partners.
Rather than centralizing the network configuration, ZeroTier distributes signed network state across independent channels. Configuration authority is separated from operational coordination. Nodes validate all configuration updates locally, so even if root infrastructure goes offline or is actively attacked, network nodes continue operating. The design builds in inherent resistance to denial-of-service attacks without requiring redundant hardware or complex failover engineering.
ZeroTier is API-first and infrastructure-agnostic. It runs across cloud providers, on-premise infrastructure, edge environments, and constrained devices. Organizations can operate fully distributed or hybrid topologies, split or join network segments dynamically, and deploy sovereign networking environments entirely under their own administrative control — no SaaS dependency, no call-home requirement, no third-party footprint inside a classified enclave.
The Clock Is Already Running: A PQC Transition Scenario
A major defense prime is already integrating a new autonomous platform into an existing command and control system. The new program reaches into unclassified, secret, and top secret networks, demands interoperability with Five Eyes partners, and includes legacy encrypted comms equipment and drone platforms from multiple vendors. The program office receives a CNSA 2.0 compliance requirement with a hard deadline.
The program’s existing networking stack uses RSA-based key exchange for inter-node authentication and AES-128 for bulk encryption. That’s no longer sufficient, but the prime and the subcontracting vendors can’t take it offline for the transition without disrupting the operational software that runs on top of it. Nor can they replace their hardware.
ZeroTier Quantum deploys as a software overlay to existing endpoints like UAS platforms, ground control stations, forward-deployed edge sensors, and enterprise back-end systems without touching the underlying hardware. Meanwhile, its distributed control plane can provision new cryptographic identities across thousands of nodes simultaneously. Administrators authenticate endpoints and push policy from a central dashboard without needing physical access to any device. New trust domains are established: coalition partner nodes get segmented network access with policy enforcement at the endpoint, not at a shared gateway.
A few months in, the program detects anomalous traffic patterns: a nation-state adversary is probing the network’s authentication layer, trying to fingerprint the cryptographic configuration ahead of an attack. But with ZeroTier Quantum’s zero-trust enforcement, every connection is already authenticated, every identity is already cryptographically bound, and no inference about the network’s structure can be drawn from traffic metadata alone. The program meets its CNSA 2.0 deadline. The probe found nothing, and the network keeps running.