The Defense-in-Depth Question the United States Has Not Asked

Defense‑in‑depth has long been the United States’ cornerstone for safeguarding nuclear deterrence, missile defense, and critical infrastructure. Yet the quantum era has exposed a glaring inconsistency: while layered protection governs most domains, the nation’s Tier‑1 cyber links depend exclusively on Post‑Quantum Cryptography. This single‑assumption posture simplifies migration but ignores the permanent confidentiality horizons of nuclear command segments, interbank settlement networks, and bulk‑power control systems, where a cryptographic breach would be catastrophic and unrecoverable.

The emerging interdependence of PQC and Quantum Key Distribution reshapes that risk calculus. QKD’s authentication layer still relies on PQC algorithms, and both technologies face shared downgrade threats during partial rollouts. Hardware maturity constraints and the need for trusted‑node relays further blur the line between complementary and competing solutions. China’s aggressive rollout—over 12,000 km of fiber‑based QKD with 145 trusted nodes—demonstrates a willingness to accept permanent chokepoints in exchange for a diversified cryptographic hedge. By contrast, the United States has cultivated operational simplicity, leaving its most sensitive links exposed to a single mathematical failure mode and lacking a coherent QKD strategy.

For policymakers and infrastructure operators, the imperative is clear: develop a unified risk framework that evaluates PQC and QKD as a coupled system rather than isolated options. Such an assessment must consider capital expenditures, vendor lock‑in, and the overlapping migration window that aligns quantum‑resilient cryptography with AI and LEO satellite modernization slated for the early 2030s. Implementing a layered, defense‑in‑depth approach for Tier‑1 links will not only mitigate single‑point failures but also align U.S. cyber resilience with the strategic rigor applied across its broader national‑security portfolio.