Minnesota tech council urges state to prepare for quantum security threats

In a report published Thursday, the Minnesota Technology Advisory Council recommended that the state begin preparing for the emergence of quantum computing, which could pose new security risks to the state’s sensitive data.

The annual report notes that quantum computing “introduces a new class of risk to traditional encryption methods that protect the state’s most sensitive financial and health data,” and that as the technology gets more powerful, Minnesota IT Services should work with other state agencies to ensure their sensitive data is protected and encrypted against quantum. The advisement serves as one of the first moves by a state technology agency to push for enterprise-wide quantum-resistant encryption, though actual implementation will take some time, owing to budgeting and system upgrades.

The report outlines the group’s work last year, covering four areas of technology: cybersecurity; artificial intelligence; data sharing and governance; and customer experience and product management. The council, which was established by the state’s legislature in 2021 to work with Minnesota IT Services to guide the state’s technology strategy, said that over the last year it evaluated the evolving cybersecurity threat landscape, including quantum computing.

Most state IT systems rely on public-key cryptography, to secure data like tax records, health and benefits systems, driver’s license databases, court and criminal justice information, election infrastructure and state employee records. But, quantum computers could someday crack those encryptions.

While the Cybersecurity and Infrastructure Security Agency has issued federal guidance that urges all levels of government to prepare for quantum threats through post-quantum cryptography planning, the report makes Minnesota one of the first states to formalize its approach to preparing for the technology. Other states, such as Maryland, New Mexico and Texas, have funded infrastructure to support quantum computing commercially, but have not offered strategic guidance to state agencies on quantum preparedness.

“To address this challenge, the TAC recommends establishing a strategic roadmap to identify cryptographic vulnerabilities and begin transitioning to quantum-resistant algorithms,” the report reads. “Taking proactive steps now will help safeguard critical infrastructure, reduce future decryption risks, and ensure continued regulatory compliance.”

Amid the ever-increasing risk to existing data encryption methods, and other landscape changes, such as dwindling federal support for state and local cybersecurity efforts, the council said it last year prioritized a “whole-of-state” cybersecurity model. This approach, the report said, emphasized shared intelligence through coordinated response. Other risk reduction measures included workforce development to protect critical services across state, local and tribal partners, and critical infrastructure.

The council recommended the state develop and initiate a statewide plan to assess and migrate to post-quantum encryption and offered a roadmap to help identify cryptographic vulnerabilities and transition to quantum-resistant algorithms. The report recommended the state conduct a “comprehensive inventory of cryptographic methods” in use across state systems, applications, databases and third-party services. The council said the state should also “assess the quantum vulnerability of existing encryption methods and identify high-risk systems that protect sensitive data,” such as financial systems, health records and critical infrastructure controls.

The plan urges the state to develop a phased migration plan to quantum-resistant encryption algorithms that follows the National Institute of Standards and Technology’s guidance on post-quantum cryptography, beginning with the highest-risk systems. Lastly, the report says the state should incorporate post-quantum encryption requirements into all security policy updates, procurement standards and vendor contracting to ensure consistent adoption across state government.

Tarek Tomes, the state’s chief information officer since 2019 (now set to take a job with the University of Minnesota), worked with the council to devise its recommendations. The state’s technology agency, Tomes said, has also worked to implement the group’s previous recommendations on strengthening the state’s technology posture — “In 2025, MNIT and our agency partners made meaningful progress strengthening the enterprise foundations required for effective, accountable government,” Tomes wrote in a letter to Gov. Tim Walz and other state executives that was included in the report.

“At the same time, the TAC’s work on data sharing, and product and experience reinforced how strong governance, effective delivery, and public trust work together,” Tomes continued. “By advancing enterprise data leadership, secure and lawful data sharing, modern procurement, sustainable funding, and human centered design, the TAC helped move Minnesota toward services that are more connected, accessible, and responsive to the people who rely on them. These efforts reflect Minnesota’s continued shift from managing technology to building enterprise capability — capability that enables agencies to adapt, scale what works, and deliver measurable value in a time of constant change.”