QCEP: Quantum Combat Extension Packs for defense - Quantum-Secure Communications for Defence Contractors: Why Immediate Action Is Required

Executive summary
A “cryptographically relevant quantum computer” or CRQC would be capable of undermining widely deployed public‑key cryptography used for key exchange and digital signatures, creating a systemic risk for confidentiality, integrity, and authenticity in national security environments.
In today’s strategic environment, defence contractors face a rapidly evolving threat landscape where the assumptions that sustained secure communications for decades are no longer reliable. The rise of advanced adversarial capabilities - including parallel classical/AI-assisted attacks and preparations for post-quantum decryption - means that legacy cryptography and conventional secure networks cannot be relied on alone.
Defence data often has a long operational lifespan: mission plans, intelligence, platform designs, and command and control information may need to remain confidential for decades. If an adversary collects encrypted traffic today, advances in computing - hybrid quantum-classical systems in particular - make that data vulnerable to decryption in the not-so-distant future. This “harvest now, decrypt later” problem is not theoretical; it is already driving forward-looking threat models in national security circles.
The work being done on hybrid quantum-classical systems underscores this shift. Hybrid systems - architectures where quantum computing elements are integrated with classical computing - are essential for solving problems neither domain can address alone. They partition workloads dynamically, letting quantum processors handle specific intensive sub-tasks while classical parts manage data preprocessing, error correction, and workflow management. This makes them not only a bridge to full quantum computing but a pragmatic way real-world systems are already advancing computation and cryptanalysis capabilities.
In the defence and aerospace context, hybrid systems are already being adopted for complex optimisation, simulation, mission planning, and secure communication tasks. By combining quantum sub-routines with classical control, hybrid systems are effectively enabling computational advantages that traditional architectures cannot match, which includes potential pathways for examining and attacking classical cryptographic schemes at scale.
For defence contractors, the urgency is not limited to enterprise IT. The joint Cybersecurity and Infrastructure Security Agency / National Security Agency / National Institute of Standards and Technology guidance explicitly urges contract and supply‑chain engagement so that new products are delivered with post‑quantum cryptography (PQC) built in, and older products are upgraded to meet transition timelines.
The executive risk equation is driven by three timing realities:
Harvest‑now‑decrypt‑later (HNDL) is already a rational adversary strategy for data with long secrecy lifetimes, and the public sector is explicitly planning on that basis.
Defence systems and information routinely require protection for decades, while full crypto transitions can take 10–20 years from standardization to deep integration - and 20+ years for full deployment across national security systems.
Coalition operations impose interoperability constraints, meaning migration must be orchestrated across mission networks rather than executed unilaterally.
The policy signals are now unambiguous: NATO states that post‑quantum cryptography is an important approach today to secure communications against quantum‑enabled attacks and calls for transition work across domains including air, space, cyber, land, and maritime.
Strategic drivers for immediate action
Harvest-now-decrypt-later turns time into a vulnerability
HNDL is a simple operational logic: capture encrypted data today, store it, and decrypt it later once breakthrough capabilities exist. The U.S. government’s quantum-readiness guidance warns explicitly that threat actors could be targeting data today that has a long secrecy lifetime, citing “harvest now, decrypt later,” and urges early planning, inventories, and vendor engagement.
NIST’s transition guidance underscores that this risk exists even though migration may begin before a cryptographically relevant quantum computer is built: encrypted data remains at risk because of the “harvest now, decrypt later” threat. The Office of Management and Budget similarly directs agencies to prepare now, explicitly noting that encrypted data can be recorded now and later decrypted by operators of a future CRQC.
In defence environments, HNDL is amplified by the intelligence value of historical communications, identities, system telemetry, program data, and coalition operating patterns that may remain sensitive long after the mission ends.
Long data lifecycles create a “must-start-now” deadline
National security guidance is explicit about lifecycles: NSA states that new cryptography can take 20 years or more to be fully deployed across national security systems, that equipment is often used for decades after deployment, and that national security information can require protection for many decades.
Independent standards guidance converges on the same conclusion. NIST states that historically the journey from algorithm standardization to full integration into information systems can take 10–20 years, reflecting the complexity of building algorithms into products and then integrating them into infrastructures. The UK National Cyber Security Centre characterizes PQC migration as a mass technology change taking years and sets national milestones that culminate in completing migration by 2035.
This is why “wait and see” is not a neutral posture in defence. If the data must remain secret for 10–30+ years, and migration takes a decade or more at scale, delay increases the probability that security obligations will outlive the cryptography used to enforce them.
The underlying cryptographic break is well established
The quantum threat to RSA and elliptic-curve systems is not speculative: Peter W. Shor’s factoring and discrete-logarithm result shows that a sufficiently powerful quantum computer could solve problems that underpin many widely deployed public-key systems in polynomial time.
Resource estimates for breaking RSA‑2048 have also evolved. Peer‑reviewed work by Craig Gidney and Martin Ekerå provides a concrete, widely cited estimate for factoring RSA‑2048 under assumptions about large-scale error‑corrected quantum computing. More recent preprint work argues for substantial reductions in qubit requirements (still under demanding assumptions), demonstrating that the cost curve is not static even before large‑scale machines exist.
Additional arguments on cryptographic break timelines
Beyond long-term quantum roadmaps, there are credible, near-term arguments explaining why cryptographic break risk is accelerating faster than most defence planning cycles assume.
Hybrid timelines matter more than “full quantum” milestones
Much public discourse still frames cryptographic risk around the arrival of a large-scale, fault-tolerant quantum computer. This framing is increasingly misleading.
Work by Whitfield Diffie has already highlighted that cryptographic timelines should be evaluated against adversarial capability growth, not against idealised academic end-states. In other words, security fails when enough capability exists, not when a perfect machine is achieved.
The practical implication is clear: incremental, hybrid advances compress timelines dramatically, even if no universal quantum computer exists.
The “quantum cryptopocalypse” window is not speculative
Within the security and intelligence community, the term “quantum cryptopocalypse” has increasingly been used, not because quantum computers suddenly become perfect, but because:
- hybrid quantum-classical systems mature
- AI accelerates workload partitioning and optimisation
- specialised hardware and parallelisation erode classical security margins
- orchestration attacks bypass theoretical crypto strength entirely
From a defence perspective, this is the worst possible scenario: encryption that appears strong on paper, but fails in practice due to system-level exploitation.
Waiting for a clean, single “Q-Day” is therefore a strategic error.
The Steve H. theorem: why full CRQC is not required
The Steve H. theorem reframes the discussion entirely.
It states, in practical terms, that:
A cryptographic system does not require a full-scale, fault-tolerant quantum computer to be broken. It only requires a hybrid system capable of dynamically assigning computational workloads across classical, AI, and quantum components in a way that exceeds the defender’s cryptographic assumptions.
This reflects what we already observe today:
- classical AI reduces effective key search spaces
- quantum subroutines accelerate specific mathematical bottlenecks
- orchestration and downgrade attacks neutralise “strong crypto” without breaking it mathematically
In this model, hybrid systems - not pure quantum machines - become the dominant threat vector.
This aligns directly with the hybrid architectures already discussed earlier in this article and explains why cryptographic failure is a systems problem, not a physics milestone.
Why this matters for defence contractors
For defence contractors, these arguments converge on a single conclusion:
- cryptographic break risk is non-linear
- timelines are shorter than procurement cycles
- responsibility increasingly extends beyond internal networks to delivered systems
If your platforms, products, or communications solutions are not quantum-secure today, you are implicitly assuming that adversaries will wait for perfect machines before acting.
History suggests they will not.
This is precisely why quantum-secure communications must be embedded now, both internally and in the solutions delivered to defence customers.
This reality has direct implications for defence contractors:
1. Defence Networks Are Only Part of the Problem
Protecting your own network is necessary but not sufficient. Your products - from C2 systems to ISR platforms, from autonomous systems to satellite communications - become part of a larger operational ecosystem once deployed. If your solutions are not quantum-secure, they become potential vectors for compromise across the supply chain.
2. The Threat Is Already Evolving Toward Hybrid Capabilities
Adversaries are not waiting for universal fault-tolerant quantum computers. They are investing in hybrid technologies now because these architectures already extend classical capabilities and can be used to probe weaknesses in conventional cryptography. If you do not assume this reality in your threat models, you risk underestimating future decryption capabilities and strategic exploitation windows.
3. Your Customers Expect Future-Proof Solutions
Defence agencies increasingly embed security requirements into procurement criteria, not just for immediate cybersecurity resilience but for long-term cryptographic sustainability. Being able to demonstrate quantum-secure communications and cryptography in your solutions can be a decisive factor in competitive bids.
4. Upgrading Later Is Costly and Risky
Retrofitting quantum-secure capabilities post-deployment is expensive, disruptive, and adds risk during transitional periods. Designing quantum security into your products now ensures continuity of operations and reduces the lifecycle cost of maintaining secure platforms.
Prime contractor exposure: supply-chain, products, and accountability
Product-level compromise is the strategic failure mode
Defence contractors deliver systems that must remain secure across decades of operation, sustainment, and coalition integration.
The risk therefore sits in product security properties (secure communications, update authenticity, embedded identity, key management), not just perimeter defenses in corporate networks. The U.S. Government Accountability Office has repeatedly emphasized that adding cybersecurity late in weapons-system development is typically harder, more costly, and less effective than integrating it from early stages; it further notes that contract omissions (missing cybersecurity requirements, acceptance criteria, and verification processes) lead to systems that do not meet security needs, and that modifications after award can require renegotiation and additional time and compensation. This aligns directly with PQC transition risk: if quantum resilience is not specified early, it becomes an expensive retrofit with operational disruption and contractual friction.
Supply-chain and procurement are now explicitly part of quantum readiness
The CISA/NSA/NIST quantum-readiness factsheet is unusually direct about the procurement and supplier component:
Cryptographic inventory should be led by IT/OT procurement experts and include engagements with supply-chain vendors.
Organizations should ask vendors for lists of embedded cryptography that discovery tools may miss.
Most importantly, organizations are urged to proactively plan changes to existing and future contracts so that new products will be delivered with PQC built in and older products upgraded to meet transition timelines.
This is the clearest evidence-based argument for defence primes: customer organizations are being instructed, by national-level security agencies, to make PQC a procurement and contract deliverable.
Legal and contractual exposure is already structured for flow-down accountability
Defence contracting frameworks already impose obligations that flow through primes to suppliers:
DFARS 252.204‑7012 includes explicit subcontract flow‑down requirements and requires subcontractors to notify the prime regarding variations from NIST SP 800‑171 requirements, among other responsibilities.
Department of Defense guidance reiterates that DFARS 252.204‑7012 is required broadly (with limited exception for certain COTS-only acquisitions) and must be included in subcontracts involving covered defense information or operationally critical support; it also links safeguarding requirements to implementing NIST SP 800‑171.
The DoD CMMC program regulation describes requirements for contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding FCI and CUI, and explicitly references NIST SP 800‑171 as a foundational standard for safeguarding.
While these instruments do not yet universally mandate “PQC in every deliverable,” they establish the structural reality: primes are accountable for safeguarding obligations and flow‑down compliance across the supply chain. As PQC becomes embedded in national roadmaps and procurement expectations, quantum resilience increasingly becomes a foreseeable component of “adequate security” and “secure by design” expectations, especially for long-lived data and mission systems.
Coalition interoperability and deployed-platform constraints
Coalition mission networks require standardized, coordinated change
NATO doctrine frames Federated Mission Networking (FMN) as the Alliance approach to unifying coalition networks to enable information exchange and sharing among mission partners across the operational spectrum.
It also emphasizes interoperability as essential for multinational operations and notes that FMN is the preferred way to achieve interoperability and seamless, secure information exchange.
FMN standards profiles reinforce that NATO interoperability policy relies on agreed standards to support information sharing in a networked environment and enable trust between information-sharing partners.
This coalition reality changes the migration calculus: even if a single nation or contractor can move quickly, mission networks must still operate across partners during transition. That almost guarantees periods of hybrid, gateway-mediated, or profile-constrained deployment, with strict governance to prevent downgrade/fallback paths.
Deployed platforms have patching windows and “no retrofit” zones
A major reason defence should move immediately is that many operational systems are difficult to update post-deployment.
UK NCSC guidance explicitly warns that some legacy systems, long-lived physical infrastructure, outdated platforms, and systems on old protocols may not be capable of being transitioned to support PQC, and strategies must account for that reality.
It also calls out that infrequent replacement cycles (particularly in OT and extensive physical infrastructure) impose constraints that must be addressed in migration planning.
NSA transition guidance adds a related enforcement reality: equipment and software not refreshed regularly may require waivers and plans to bring them into compliance as quantum-resistant requirements become mandatory within specified product classes.
For defence executives and program managers, the conclusion is operational: platform refresh cycles and accreditation timelines mean that PQC must be designed into roadmaps and integrated early - especially where systems are expected to remain fielded into the 2030s and beyond.
Technical landscape: PQC readiness, hybrid risks, and AI-accelerated exploitation
PQC is no longer “waiting on standards”
NIST has finalized its first set of PQC standards, including ML‑KEM (FIPS 203) for key establishment and ML‑DSA / SLH‑DSA (FIPS 204/205) for digital signatures, and encourages organizations to begin transitioning.
At the national security level, NSA’s CNSA 2.0 guidance sets a transition end date aligned to 2035 and urges vendors, owners, and operators to make every effort to meet that deadline; it also specifically calls out software and firmware signing as urgent and recommends beginning that transition immediately.
This matters for defence acquisition because digital signatures underpin secure boot, firmware authenticity, code signing, and update workflows - elements that must remain trustworthy across long platform lifetimes.
Hybrid migration is necessary, but it introduces attack and governance risk
In practice, PQC transitions will often be hybrid for a period. NIST explicitly discusses PQC-classical hybrid protocols as an initial migration path.
The IETF TLS working group is standardizing approaches for hybrid key exchange in TLS 1.3, reflecting ecosystem-wide work to enable quantum-safe transitions in real protocols. In IPsec/IKE, the IETF has published RFC 9370, which allows multiple key exchanges during Security Association setup - an enabling mechanism for hybrid post-quantum transitions in VPN-like infrastructures.
NSA guidance acknowledges that hybrid solutions may be allowed or required due to protocol standards, product availability, or interoperability requirements, while still asserting that CNSA 2.0 algorithms become mandatory to select by specified dates.
Hybrid periods create two governance imperatives:
Maintain interoperability while preventing algorithm downgrades and unintended fallback to quantum‑vulnerable suites. NCSC explicitly warns that, when PQC cipher suites become standardized, organizations must check that systems actually use them and do not fall back to traditional cryptography.
Build crypto agility so that transitions can occur across protocols, applications, and embedded systems without breaking operations. NIST’s crypto‑agility guidance states that algorithm transitions are costly, raise interoperability issues, and disrupt operations; it defines crypto agility as the capability to replace and adapt cryptographic algorithms across protocols, applications, software, hardware, firmware, and infrastructure while preserving security and ongoing operations.
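One way to implement the fallback check described above, as an added example (not from the original article or any vendor product): it classifies handshake records by the TLS 1.3 key-exchange group actually negotiated and separates a true fallback from a capability gap. The log format, peer names and sample records are constructed assumptions; the group code points are the IANA TLS Supported Groups values.

```python
"""Added example: audit negotiated TLS 1.3 key-exchange groups for classical fallback."""
from collections import Counter

# IANA "TLS Supported Groups" code points for hybrid and classical groups.
HYBRID_PQ = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
PQ_IDS = set(HYBRID_PQ)

# Constructed sample records in a hypothetical key=value log format.
# offered = groups the client listed; server = groups enabled in server config.
SAMPLE_LOG = """\
peer=gw-a offered=11ec,001d server=11ec,001d negotiated=11ec
peer=gw-b offered=11ec,001d server=11ec,001d negotiated=001d
peer=legacy-radio offered=001d,0017 server=11ec,001d negotiated=001d
peer=partner-gw offered=11ed,0018 server=11ec,0018 negotiated=0018
peer=old-vpn offered=11ec,001d server=001d negotiated=001d
"""


def _groups(csv):
    """Turn a comma-separated list of hex code points into integers."""
    return [int(g, 16) for g in csv.split(",") if g]


def parse_record(line):
    """Parse one whitespace-separated key=value record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"peer": fields["peer"],
            "offered": _groups(fields["offered"]),
            "server": _groups(fields["server"]),
            "negotiated": int(fields["negotiated"], 16)}


def classify(rec):
    """Return a verdict explaining why a session is or is not hybrid."""
    neg = rec["negotiated"]
    if neg in HYBRID_PQ:
        return "hybrid"
    if neg not in CLASSICAL:
        return "unknown-group"  # not in either table: review manually
    client_pq = PQ_IDS & set(rec["offered"])
    server_pq = PQ_IDS & set(rec["server"])
    if client_pq & server_pq:
        # Both ends share a hybrid group yet a classical one was chosen:
        # preference-order misconfiguration or interference; treat as an alert.
        return "fallback-despite-support"
    if not client_pq:
        return "client-lacks-pq"  # also covers the case where neither side has PQ
    if not server_pq:
        return "server-lacks-pq"
    return "no-common-pq-group"  # both have PQ, but profiles do not overlap


def audit(log_text):
    """Return (peer, negotiated group name, verdict) for every record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        neg = rec["negotiated"]
        name = HYBRID_PQ.get(neg) or CLASSICAL.get(neg) or hex(neg)
        findings.append((rec["peer"], name, classify(rec)))
    return findings


def summarize(findings):
    """Count sessions per verdict for reporting."""
    return Counter(verdict for _, _, verdict in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for peer, group, verdict in results:
        flag = "ok  " if verdict == "hybrid" else "FAIL"
        print(f"{flag} {peer:<13} {group:<20} {verdict}")
    print(dict(summarize(results)))
```

The verdicts map to different owners: `fallback-despite-support` is a configuration or security finding, while the capability-gap verdicts feed the supplier and interoperability-profile backlog.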
AI-accelerated key recovery is primarily about implementation weaknesses, but also about hybrid systems workload
AI meaningfully changes the threat landscape by improving the scalability of attacks against real systems, especially embedded devices and operational platforms.
A major evidence-based vector is deep-learning-based physical side-channel analysis: a substantial systematization of knowledge shows that deep learning is used to exploit physical leakage (power, EM, timing, etc.) to recover secrets in embedded targets, expanding attacker capability beyond traditional side-channel tooling.
For defence contractors, this matters because platforms often include constrained devices and mission hardware where side-channel resistance and key governance are uneven - and because those devices frequently anchor trust for communications and updates.
The net technical argument for executives is therefore layered:
Quantum drives a requirement to replace vulnerable public-key cryptography (key exchange and signatures).
PQC standards now exist, and national security timelines are already defined.
Hybrid and transition complexity create near-term exposure if downgrade paths and governance are not engineered.
AI and modern attack tooling increase exploitation efficiency against weak key management, embedded cryptography, and device-level implementations, making “algorithm swap only” approaches insufficient.
Enter Blackhills Quantum and the QS-Dome™ & QCEP™ Solutions
Blackhills Quantum is aligned with these strategic priorities. We work with global partners that are deeply embedded in the defence ecosystem, providing practical solutions for quantum-secure communications and cryptography that are ready for deployment and integration today.
QS-Dome™: A Comprehensive Quantum Security Architecture
QS-Dome™ is an end-to-end defence-grade solution engineered to provide quantum-safe communications and cryptographic assurance across platforms and networks. It is not a research prototype but an operationally hardened architecture that includes:
- Post-quantum cryptography and key management
- Secure protocol integration for communication links
- AI-assisted governance and enforcement
- Compatibility with existing defence systems
QS-Dome™ ensures that security decisions remain valid over time and that cryptographic keys and trust boundaries are continually upheld even as adversaries evolve their capabilities.
QCEP™: Quantum Combat Extension Packs
For organisations that need rapid integration without re-engineering their entire stack, Quantum Combat Extension Packs (QCEP™) provide modular, mission-aligned extensions. QCEP™ enables:
- Fast-track integration of quantum-secure protocols into existing systems
- Tailored suites for specific operational domains (C2, ISR, satellite uplinks, field networks)
- Plug-in cryptographic modules and compliance tooling
These extensions let defence contractors augment existing solutions with quantum security without disrupting current engineering roadmaps.
This approach - designing for quantum security now - protects your own infrastructure and ensures that the systems you supply to defence customers remain operationally useful and secure as adversarial capabilities evolve.
Blackhills Quantum: QS-Dome™ and QCEP™ for rapid, governed integration
Why QS-Dome aligns with defence requirements
Blackhills Quantum describes QS‑Dome as a “Quantum Secure Cloud and Data Center Solution” designed to secure data “in the cloud or in server racks within your data-centre environment,” explicitly stating that it combines QKD, PQC and AI, is crypto‑agile, and is positioned to protect against “harvest now decrypt later” attacks.
In defence terms, that positioning maps to the core technical and acquisition imperatives found in NATO and national guidance:
NATO explicitly identifies PQC as an important approach today to secure communications against quantum-enabled attacks, with continued transition support across domains.
CISA/NSA/NIST require early inventories, supplier engagement, and contract planning so that new products deliver PQC built in.
NIST emphasizes that transition will be large-scale and lengthy (10–20 years from standardization to integration), and that crypto agility is essential to manage repeated transitions.
A defence-grade QS‑Dome™ reference architecture can be described in a way that is consistent with those requirements and with Blackhills Quantum’s public positioning:
PQC foundation (communications and identity): adoption aligned to NIST PQC standards for key establishment and signatures.
Key governance (lifecycle control): governed key generation, rotation, revocation, escrow rules (where applicable), and audit, designed for long-lived systems and coalition interfaces - directly aligned to the inventory and supplier-governance imperatives in national guidance.
Crypto-agility layer: ability to phase out weak algorithms, support hybrid periods safely, and evolve as standards and profiles mature - explicitly recommended by NIST as a core practice because the PQC transition will not be the last one.
Zero-trust integration: continuous verification and strong identity enforcement. This aligns with the U.S. federal migration posture that ties PQC preparation to a broader zero‑trust architecture direction.
A critical defence nuance: NSA has cautioned that it does not recommend QKD for securing transmission of data in national security systems unless limitations are overcome, and earlier NSA FAQs similarly caution that QKD is not considered a practical solution for protecting national security information without direct consultation. This reinforces a procurement-safe message: QS‑Dome’s strongest “no-regret” alignment is PQC-first transition readiness, with any QKD components used only where the mission, infrastructure, and assurance model support it.
Worldwide partners as deployment acceleration
Blackhills Quantum positions itself as offering quantum security products and equipment (including QKD, PQC, QRNG) through a partner ecosystem.
External partner listings also reference Blackhills Quantum in partner ecosystems focused on quantum-safe security solutions.
In practical defence procurement terms, a “partnered stack” matters because PQC migration touches many product classes (gateways, endpoints, embedded firmware, PKI, and operational platforms). NCSC explicitly advises system owners to communicate with suppliers about their plans for supporting PQC in products and expects new IT to either use PQC or be capable of being upgraded to PQC as final standards mature.
QCEP™ for rapid integration into operational and mission systems
A Blackhills Quantum post describes a “Total Quantum + AI module” for defence, listing QS‑Dome and QCEP, and explicitly defining QCEP as a “Quantum Combat Extension Pack” that includes advanced quantum sensing solutions for military and defence applications.
Positioned correctly for defence executives, QCEP should be treated as modular integration kits designed to shorten the path between policy imperatives and operational deployment - especially in areas where deployed platforms have patch constraints and coalition interoperability profiles must be preserved.
Deployment models, integration motion, and procurement advantages
Defence adoption is rarely “one environment.” Effective deployment patterns generally span:
On-prem / sovereign enclaves: QS‑Dome is explicitly positioned for cloud and data-centre/server-rack deployments, supporting sovereign processing requirements.
Cloud gateways / hybrid: migration often proceeds by hardening ingress/egress points and high-value services first, consistent with national guidance on inventories and prioritization.
Edge and tactical: coalition mission networking pushes secure information exchange requirements into deployed environments; PQC migration must therefore support mission networks, not only fixed infrastructure.
Embedded firmware and update chains: NSA explicitly treats software/firmware signing as urgent and recommends beginning the transition immediately, making this a high‑ROI first integration target for QCEP-style kits.
Procurement/compliance advantages, grounded in guidance:
Contract defensibility: CISA/NSA/NIST explicitly urge changes to contracts to ensure PQC built-in delivery and upgrade paths; adopting solutions aligned to that posture can reduce contractual friction and reduce post-award retrofit negotiation.
Audit-ready planning: agencies and regulated entities are being pushed toward cryptographic inventories and supplier mapping; supporting that evidence trail (inventory, dependency mapping, migration plan, assurance metrics) reduces execution risk.
Interoperability-aware transition: NATO FMN doctrine and standards profiles emphasize standardized, secure information exchange; migration approaches must therefore preserve interoperability while preventing downgrade paths.
For generals and operational leadership: Strategic competitors do not need to decrypt your communications today to exploit them tomorrow. HNDL is a present-day collection strategy against long-lived secrets. NATO and national agencies are directing transition to quantum-safe communications across operational domains. Quantum-secure communications is therefore force protection for data, systems, and coalition relationships.
For CISOs and risk owners: PQC is not a one-time algorithm swap. Hybrid migration periods create downgrade risk unless governed, and crypto agility is required to maintain interoperability while preventing weak algorithms. Your suppliers must be contractually prepared to deliver PQC built in and upgrade legacy products to meet transition timelines.
Investor enquiries: contact info@blackhillsquantum.com or DM Steve H. (author).
A Strategic Imperative
Defence contractors operate in a domain where strategic advantage depends on anticipating the future threat environment, not reacting to it. Hybrid systems are already extending computational reach today; quantum security must extend communications assurance for tomorrow.
By embedding quantum-safe communications into both infrastructure and deliverables, organisations not only protect their own operations but also secure their value propositions to customers who demand long-term resilience.
For Investors and Leaders
If you are an investor or executive interested in the future of defence technology and secure communications, we welcome conversations. You can reach out via:
Email: info@blackhillsquantum.com
Direct Message to Steve H., author of this article
Blackhills Quantum is actively engaging with partners and investors to scale deployment of quantum-secure solutions in the defence sector and beyond.
Key source links
Official defence and standards sources
- NATO (official text): Summary of NATO’s Quantum Technologies Strategy
- NSA: Quantum Computing and Post-Quantum Cryptography FAQs (Aug 2021)
https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Quantum_FAQs_20210804.PDF
- NSA: Commercial National Security Algorithm Suite 2.0 Algorithms (May 2025)
https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF
- CISA/NSA/NIST: Quantum-Readiness: Migration to Post-Quantum Cryptography (Aug 2023)
https://media.defense.gov/2023/Aug/21/2003284212/-1/-1/0/CSI-QUANTUM-READINESS.PDF
- NIST: PQC standards and guidance
https://www.nist.gov/cybersecurity/what-post-quantum-cryptography
https://csrc.nist.gov/pubs/fips/203/final
https://csrc.nist.gov/pubs/fips/204/final
https://csrc.nist.gov/pubs/fips/205/final
https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.39.2pd.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
- UK NCSC: PQC migration timelines and next steps (PDFs)
https://www.ncsc.gov.uk/pdfs/guidance/pqc-migration-timelines.pdf
https://www.ncsc.gov.uk/pdfs/whitepaper/next-steps-preparing-for-post-quantum-cryptography.pdf
- IETF: Hybrid transition mechanisms
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
https://datatracker.ietf.org/doc/html/rfc9370
- Defence procurement / accountability sources
DFARS 252.204-7012: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
DoD CMMC Program (32 CFR Part 170): https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170
GAO Weapon Systems Cybersecurity (GAO-21-179): https://www.gao.gov/assets/gao-21-179.pdf
Peer-reviewed crypto and security papers
- Shor (SIAM): https://epubs.siam.org/doi/10.1137/S0097539795293172
- Gidney & Ekerå (Quantum journal): https://quantum-journal.org/papers/q-2021-04-15-433/
- SoK deep learning side-channel analysis (ACM): https://dl.acm.org/doi/full/10.1145/3569577