War on the Rocks Publishes "A Bletchley Park for the Quantum Age"
Washington DC, Nov. 6, 2025—War on the Rocks has published a major new commentary by Stanford RQT’s Mauritz Kop, titled “A Bletchley Park for the Quantum Age.” The article translates his broader research on quantum governance into a concrete, operational blueprint for post-quantum cryptography (PQC) migration across the United States and its allies.
Appearing in a venue read closely by practitioners in defence, intelligence, and foreign policy, the piece draws a deliberate conceptual line from the World War II codebreaking effort at Bletchley Park to today’s challenge of securing democratic communications. It argues that Bletchley Park was more than a geographic location; it was a method—an integrated system of science, engineering, operations, and alliance management. Kop contends that a similar methodology is required now to protect national security systems against cryptanalytically relevant quantum computers.
The Enigma Machine utilized a complex series of electromechanical rotors to produce a polyalphabetic substitution cipher, creating an encryption standard that was widely deemed unbreakable by contemporary adversaries. Defeating this system required the Allies to operationalize abstract mathematics into industrial capability, a feat that fundamentally altered the trajectory of the war.
The article situates PQC migration not as a narrow information technology upgrade, but as a core tenet of United States and allied quantum-AI grand strategy. It highlights how flagship programmes such as the United States Department of Defense’s Replicator initiative must be made “quantum-ready” to avoid becoming silently obsolete once large-scale quantum computers arrive.
Professor Kop extends his gratitude to War on the Rocks editor Lieutenant Colonel Walter ‘Rick’ Landgraf, PhD, whose precise editorial work helped sharpen the argument and tailor it to the publication’s strategic readership.
War on the Rocks Publishes "A Bletchley Park for the Quantum Age" authored by Stanford RQT’s Mauritz Kop.
The Core Argument: A Bletchley Method for Post-Quantum Cryptography Migration
The essay begins from a straightforward technical premise. Once fault-tolerant quantum computers exist, Shor’s algorithm will efficiently factor large integers and compute discrete logarithms, thereby breaking the public-key cryptosystems—such as RSA and elliptic-curve cryptography—on which secure communication currently relies. In parallel, Grover’s algorithm will provide a quadratic speed-up in brute-force search, effectively halving the security margin of many symmetric-key schemes.
In this setting, the world’s cryptographic infrastructure cannot simply be patched at the margins. It requires a comprehensive, carefully managed transition to new, quantum-resistant algorithms.
Kop proposes that the United States and its allies apply a “Bletchley method” to this problem by tightly linking:
Domestic execution of PQC migration, and
An allied, standards-based certification compact that prevents fragmentation.
Defensively, this means post-quantum cryptography by default and certified interoperability across critical systems. Politically, it means that Washington earns the right to lead abroad by delivering verifiable results at home.
The framework is organised around two distinct but mutually reinforcing tracks:
Track One – “Ultra at Home”: rigorous domestic execution, and
Track Two – “Allied Codebook Abroad”: international architecture designed to avoid a “quantum splinternet.”
Alan Turing, a brilliant mathematician, was instrumental in breaking the German Enigma machine code during WWII by developing the Bombe, an electromechanical device that automated finding the daily settings, significantly aiding the Allies by deciphering crucial German communications, especially U-boat traffic, though the CIA (US Central Intelligence Agency) acknowledges Polish cryptographers first identified Enigma's core weaknesses before Turing's advancements
Track One: “Ultra at Home” – Verifiable Domestic Execution
Borrowing the historic codename “Ultra”—the designation for the highly classified intelligence produced by Bletchley Park’s decryption efforts—Kop uses “Ultra at Home” to describe a disciplined American domestic execution plan. The goal is to convert emerging standards, such as the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 203, 204, and 205, into deployed reality across federal systems and critical infrastructure.
The article outlines six concrete actions for United States policymakers and regulators:
Set and Publish Dated Adoption Milestones
Every cabinet department and critical-infrastructure regulator should establish time-bound deployment targets for post-quantum cryptography across core use cases, including Transport Layer Security (TLS) for web traffic, Internet Protocol Security (IPsec) for virtual private networks, software code-signing, payment systems, and firmware updates. Progress should be publicly reported using clear metrics, for example:the percentage of external TLS handshakes using approved PQC or hybrid algorithms;
the share of firmware images signed with lattice-based or hash-based signature schemes.
Procure Only Validated Cryptographic Modules
Federal procurement should be conditioned on the use of modules validated under NIST’s Cryptographic Module Validation Program (CMVP) and compliant with FIPS 140-3. Kop recommends that NIST scale and automate its Cryptographic Algorithm Validation Program so that algorithm testing can occur at industrial scale. This would enable a machine-readable “cryptography bill of materials” for federal systems and, over time, for critical private-sector suppliers as well.Test Deployment, Not Vendor Promises
Kop advocates for a federal test-and-evaluation network linking the Department of Homeland Security (DHS), NIST, the Department of Defense (DoD) and other agencies. This network would exercise PQC in real-world software stacks (such as OpenSSL with post-quantum extensions, email protocols, Domain Name System security, mobile systems) using open, reproducible benchmarks. Vendors seeking to sell into federal or defence systems would need to clear these benchmarks, rather than merely asserting compliance on paper.Harden the Physical Pipeline of Quantum-Relevant Hardware
Export controls and industrial policy are reframed as enablers of secure deployment rather than purely defensive instruments. Kop emphasises that coalition control over cryogenics, single-photon detection, cryogenic electronics, advanced photonics, and specialised materials can be used to set de facto global baselines for quantum-ready, secure infrastructure. Coordinated action by the United States Bureau of Industry and Security, the European Commission, and partners in the United Kingdom and Japan would align export controls, subsidies, and research funding with PQC and secure quantum sensing roll-out.Adopt a Pragmatic Posture on Quantum Key Distribution
In line with the positions of agencies such as the United States National Security Agency (NSA), the United Kingdom National Cyber Security Centre (NCSC), and Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), the essay argues for post-quantum cryptography by default. Quantum key distribution (QKD) should be explored and standardised only in narrow, well-defined niches where it brings demonstrable value, and always coupled with open evaluation and interoperability requirements.Make the Replicator Initiative Quantum-Ready
Kop devotes particular attention to the Replicator initiative, the Pentagon’s programme to field large numbers of attritable autonomous systems at speed. He argues that Replicator must be PQC-hardened now—across command-and-control links, telemetry, update pipelines, and supply-chain provenance—so that systems deployed in the mid-2020s are not silently compromised by quantum-enabled adversaries in the 2030s. This requires crypto-agility by design, strong collaboration with trusted private-sector suppliers, and embedding post-quantum requirements in acquisition from the outset.
Taken together, these measures would convert strategy documents and technical standards into a measurable, time-bound domestic campaign—very much in the spirit of Bletchley’s tight feedback loop from discovery to doctrine to deployment.
Kop proposes that the United States and its allies apply a “Bletchley method” to the emerging quantum threat by tightly linking (1) Domestic execution of PQC migration and (2) An allied, standards-based certification compact that prevents fragmentation, operationalized by an Ultra at Home and an Allied Codebook Abroad.
Track Two: “Allied Codebook Abroad” – Preventing a Quantum Splinternet
The second track shifts from domestic implementation to the international environment. Kop warns against the emergence of a “quantum splinternet”: a fragmented landscape of incompatible national encryption stacks, some based on proprietary or opaque technologies. Such fragmentation would weaken the open internet, complicate North Atlantic Treaty Organization (NATO) interoperability, and undermine the stability of global finance and trade.
To avoid this outcome, he proposes a focused allied compact centred on standards, certification, and capacity-building:
Trans-Atlantic Post-Quantum Cryptography Profile
NIST, the European Commission, the United Kingdom National Cyber Security Centre, the Canadian Centre for Cyber Security, Japan’s Ministry of Internal Affairs and Communications, and other like-minded agencies should issue a joint implementation profile for post-quantum cryptography. This profile would bind their choices to open standards developed at the Internet Engineering Task Force (IETF)—for example, key-encapsulation mechanisms for TLS, hybrid certificates for Public Key Infrastructure (PKI), and post-quantum-ready versions of protocols such as QUIC, Secure Shell (SSH), and Domain Name System Security Extensions (DNSSEC).Mutual Recognition: “One Test, Many Markets”
Kop calls for bridging the United States Cryptographic Module Validation Program and the planned European Union Cybersecurity Certification Schemes so that a single accredited test cycle can suffice for multiple allied markets. This “one test, many markets” principle would reduce costs, accelerate deployment, and create strong incentives for vendors to design products that meet high, common baselines.Conformance Laboratories Network
Allies should fund a distributed network of accredited conformance laboratories that run the same open test suites against both reference implementations and commercial products. These laboratories would validate that PQC algorithms and protocols are implemented correctly in real stacks, not just in theory.
Capacity-Building with Conditionality
Development-finance institutions and export-credit agencies—such as the United States International Development Finance Corporation and their European and Japanese counterparts—should integrate PQC deployment and crypto-agility plans into their digital-infrastructure programmes. Partner states receiving support to modernise networks, payment systems, or government platforms would adopt certified PQC as part of that process.
International Quantum Agency as a Certification Club
Kop sketches a non-treaty International Quantum Agency, effectively a certification club among Group of Seven (G7) democracies and close partners. Its mandate would be narrow and practical: auditing against agreed baselines, certifying test methods and reference artefacts, coordinating incident investigations, and publishing best practices. Participation would signal trustworthiness and provide market access; non-participation would flag elevated risk.Crypto-Failure Clearinghouse
Finally, the article proposes a crypto-failure clearinghouse for cross-border cryptographic incidents, modelled on existing mechanisms such as Common Vulnerabilities and Exposures (CVE). Cybersecurity agencies in the United States, the European Union, and the United Kingdom, working with established incident-response communities, would catalogue failures such as downgrade paths, mis-parameterisation, and flawed certificate ecosystems, and coordinate rapid remediation.
This second track is explicitly designed to keep the democratic coalition on a single, open, and verifiable cryptographic footing, even as states pursue different industrial and defence strategies in the quantum domain.
Positioning Within the Broader Quantum Governance Research Corpus
The War on the Rocks essay is deeply embedded in Mauritz Kop’s wider research programme on quantum technology, security, and governance. Across earlier work on a prospective European Union Quantum Act, on standards-first quantum governance, and on concepts such as “Responsible Quantum Innovation”, “security-sufficient openness” and “Qubits for Peace,” he has argued that democratic alliances must treat quantum as a systems challenge.
“A Bletchley Park for the Quantum Age” takes those conceptual themes and presents them as a policy-ready playbook aimed at practitioners. The Bletchley metaphor and legacy of Alan Turing offer a historically grounded narrative; the dual structure of “Ultra at Home” and “Allied Codebook Abroad” provides actionable levers for programme managers, acquisition officials, and allied planners.
Together with Kop’s broader scholarship, the essay aims to help allied governments and institutions convert a looming quantum vulnerability into an organised, Bletchley-style campaign for post-quantum security—one that is verifiable, interoperable, and aligned with the values of an open, rules-based international order.
Read the full article at War on the Rocks:
https://warontherocks.com/2025/11/a-bletchley-park-for-the-quantum-age/
View the announcement on LinkedIn:
https://lnkd.in/g5HjxH6C