Tuesday, June 30, 2026

Government Sets New Deadline for Quantum-Safe Encryption

A student in one of my summer courses asked the question I get every time encryption comes up in discussion: why does this matter now? RSA (Rivest-Shamir-Adleman) and ECC (elliptic curve cryptography) have protected data for decades. The quantum computer that breaks them does not exist yet. 

My usual answer leans on Q-Day estimates: Google's Gidney put the threshold at roughly one million physical qubits to break RSA-2048, and an IonQ fidelity result last October pushed the realistic window to somewhere between 2029 and 2033. Most expert estimates before that sat closer to 2035. On June 22, the federal government answered the student's question for me. President Trump signed 

an executive order setting hard deadlines for federal post-quantum cryptography migration (PQC): agencies must move high value assets to post-quantum key establishment by December 31, 2030, and post-quantum digital signatures by December 31, 2031. Federal contractors get the same 2030 deadline for FIPS (Federal Information Processing Standards) compliance.

That replaces the prior government baseline. Under the Biden administration's National Security Memorandum 10, agencies were planning around 2035. The new order compresses that by four to five years and adds teeth: agencies must name a PQC migration lead within 30 days, the Commerce Department must run a migration pilot by the end of 2027, and contractors face FIPS enforcement through procurement rules. 

Coverage from Cybersecurity Dive notes the order also pushes CISA (the Cybersecurity and Infrastructure Security Agency) to publish guidance on cryptographic bills of materials, the inventory work agencies need before they can migrate anything.

How the Industry Responded

Two days after the signing, STMicroelectronics introduced the ST54M, the first mobile chip with a dedicated hardware accelerator for post-quantum algorithms. It runs ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) and ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the NIST (National Institute of Standards and Technology) standards finalized in 2024, on a single die alongside NFC (near-field communication), secure element, and eSIM (embedded SIM) functions. Commercial sampling is available now, with certification targeted for July 2026. That is the hardware path the federal order is pushing the rest of industry toward on the same compressed timeline.

I tell students today: nobody knows the exact day a cryptographically relevant quantum computer arrives, but the government just stopped waiting to find out. And.... I would not be surprised at all to see the deadline moved forward again.... soon.

Sunday, June 28, 2026

STEM at Two Years: Community College Degrees That Pay

Most of my career has been at the community college. I directed an NSF Center of Excellence at Springfield Technical Community College and taught electronics, computer systems, and photonics there. At Holyoke Community College I still teach engineering transfer courses part time for students heading to four-year universities. Over forty years I have watched students come through two-year STEM programs and go directly into careers that surprised people who assumed a bachelor's degree was required. This post is the third in a series on degree choice and outcomes. The first two covered bachelor's programs and two-year degrees broadly. This one focuses specifically on STEM at the associate degree level: what the programs are, what they pay, and how the job outlook looks in 2026.

The macro case for STEM at any credential level is straightforward. The BLS projects STEM occupations will grow 8.1 percent between 2024 and 2034, nearly triple the 2.7 percent rate for all other occupations. The median salary across STEM occupations sits at $101,600, well above the all-occupation median. The two-year credential does not open every STEM door, but it opens more of them than most people expect, and it does so at a fraction of the cost and time of a four-year path.

The highest-paying two-year STEM programs in 2026, per BLS occupational data: information security analysts (cybersecurity) median at $119,860 with 32 percent projected job growth through 2032; radiation therapy at a median above $100,000; dental hygiene at $94,260; and registered nursing at $93,600. Below those, nuclear technicians median around $84,000, electronics engineering technicians around $67,550, and laser electro-optics technicians in the $55,000 to $65,000 range depending on industry and region. HVAC technology and computer network support round out the middle of the table at $58,000 to $62,000.


A point worth making clearly: the two-year STEM credential typically leads to technician and support roles, not engineering or research positions. That distinction matters for career planning, but it does not diminish the outcomes. An electronics engineering technician working in manufacturing or test and measurement earns $67,550 median with stable demand. A cybersecurity analyst with an associate degree and relevant certifications, CompTIA Security+ in particular, enters a field with 32 percent projected growth and a six-figure median salary. The ceiling in those careers depends more on certification, experience, and specialization than on whether the entry credential was a two-year or four-year degree.

The cost side of this decision matters as much as the salary side. Average annual tuition at a public two-year college runs about $3,990, versus over $11,500 at a public four-year institution. A student completing a two-year cybersecurity or nursing program graduates with little or no debt and enters a field paying $90,000 to $120,000. A student completing a four-year program in the same field earns more in some cases, but starts with average student loan debt above $29,000 and two additional years of foregone income. For STEM technician roles specifically, that math favors the two-year path more consistently than in most other fields.

Before committing to a two-year STEM program, check three things. First, verify that the program carries the right accreditation for your field. Nursing programs must be accredited by ACEN or CCNE for graduates to sit for the NCLEX. Engineering technology programs are credentialed by ABET. Second, check whether the career path requires licensure or certification beyond the degree itself, and build the cost and timeline for those credentials into your plan. Third, look at your specific college's job placement data for that program. National medians are a baseline; local labor market conditions move those numbers significantly in both directions.

One pathway that gets less attention than it deserves: the two-year degree as the first half of a four-year degree, paid for by an employer. Many community college STEM graduates enter the workforce directly, then pursue a bachelor's degree part time while their employer covers tuition. This is not rare. A significant share of working adults completing bachelor's degrees are doing exactly this, particularly in nursing, engineering technology, and information technology. The RN-to-BSN pathway is the most established example: a graduate earns an associate degree, passes the certification, enters the workforce as a registered nurse, and completes a BSN online or part time over two to three years, often with hospital tuition reimbursement covering most of the cost. The same model applies in engineering technology and cybersecurity, where employers in manufacturing, defense, and infrastructure actively fund continuing education. The credential upgrade from technician to technologist, meaning from associate to bachelor's degree, also typically comes with a pay bump and expanded career options. For students weighing cost, this route splits the financial risk: two years of low-cost community college tuition, then employer-subsidized completion of the bachelor's, with income throughout. The total credential is the same four-year degree. The debt load and the timeline are very different.

The community college students I’ve watched who did best in two-year STEM programs were not picking a fallback. They were picking a specific job in a specific field and treating the degree as the direct path to it. That approach still works in 2026. For some, the two-year degree is also the starting point for a four-year degree the employer ends up paying for. The programs are there. The jobs are there. Check the current numbers before you decide. Know the program, know the credential requirements, know the market.

Friday, June 26, 2026

Both Tracks Moving

In 1994 I started writing a textbook called Windows 95 Essentials for an Engineer’s Toolkit. There was one problem: Windows 95 did not exist yet. Microsoft was still building it, and they pushed updates almost weekly. Each one arrived on a new set of over a dozen floppy disks. Every update meant loading those disks, reinstalling from scratch, retesting every procedure, and rewriting any section that no longer matched the software. My second daughter, Gabby was turning four years old. Eva was born in June 1995, right as the book was finishing. I kept writing.

Spring 1995 something else happened that had nothing to do with floppy disks. The internet was being privatized in real time. Through most of the early 1990s, the internet was a government and academic network. The NSFNET backbone carried U.S. research and education traffic at no cost to institutions. Commercial access was limited, and online services like CompuServe and AOL operated as walled gardens: you paid a subscription, you got their content, and the wider internet was largely off the table. Microsoft had built The Microsoft Network on exactly that model, a paid subscription service meant to compete with AOL. Then the walls started coming down. The NSFNET was decommissioned in April 1995, handing the backbone to commercial providers. Commercial ISPs multiplied. The web browser arrived. And Microsoft, watching the same thing everyone else was watching, pivoted almost overnight. Bill Gates’ “Internet Tidal Wave” memo from May 1995 called the internet “the most important single development to come along since the IBM PC.” MSN shifted toward the open web. 

Technically, Internet Explorer (IE) did not ship with the OS on August 24,1995 - IE 1.0 was released a week earlier on August 16,1995 as part of what Microsoft called the Plus! pack.

The book I was writing had to reflect a platform that was no longer just a desktop operating system; it was suddenly a node on a network becoming public infrastructure. That meant more rewrites. It also meant the book was documenting something larger than a software release.

The book took nearly a year to complete. The only way through it was parallel progress. I could not wait for the software to stabilize before writing, and I could not wait for the writing to be done before testing. Both tracks ran at the same time, and I updated whichever one had fallen behind. That is not a comfortable way to work. It is, however, the only way to finish something when the target keeps moving.

Working under moving targets is a skill. Most engineering projects involve some version of it: a component spec changes mid-build, a client requirement shifts after the design review, a test result forces a redesign two weeks before the deadline. The teams that handle this well are not the ones with the most complete plans. They are the ones who keep both tracks moving and update each one as new information arrives.

Three practical habits help. First, document as you go rather than saving it for the end; late-stage documentation of early decisions is mostly reconstruction from memory. Second, treat a changing spec as new information, not a setback; the project is not broken, it has just been updated. Third, keep the physical work and the written work in sync; a prototype that is ahead of its documentation, or documentation that describes a prototype that does not exist yet, creates debt that compounds.

The floppy disks eventually stopped coming. The book shipped. Eva was born healthy. Windows 95 launched on August 24, 1995, with a Rolling Stones song and more press coverage than any software release before it. The 31st anniversary is two months away. Not a round number, but the lessons from that year still hold: keep both tracks moving, treat every spec change as information, and do not wait for conditions to settle before making progress. The target never stops moving.

Tuesday, June 23, 2026

Pick a Major With Your Eyes Open: Employment Odds and Starting Pay by Field

Prediction is very difficult, especially if it's about the future. - Neils Bohr

My post yesterday - Engineering Jobs, Class of 2026 and Beyond - sparked some questions. Students (class of 2026 high school and those in college that are early in a major selection) along with some anxious parents want to know not just how engineering was doing, but how other fields compared. So here are the actual numbers, by major, before you or your student commits four years and a tuition bill to a course of study. But.... before we get into it the data in this post will age. Check it before you choose and keep tracking it.

Two numbers matter when you pick a major: whether you can get a job at all, and whether that job actually requires your degree. The Federal Reserve Bank of New York tracks both for recent graduates. In early 2026, the overall unemployment rate for new college graduates sat at 5.7 percent. More telling is the underemployment rate, the share working in jobs that do not require a college degree: 41.5 percent. That means nearly four in ten new graduates are serving coffee or managing a retail floor regardless of what their diploma says. The gap between majors on this metric is enormous.

Criminal justice majors face a 67.2 percent underemployment rate. Performing arts is 63.2 percent. General business, the catch-all major, runs 52.8 percent, far higher than accounting at 17.9 percent or business analytics at 27.2 percent. On the other end, nursing sits at 9.7 percent underemployment and computer science at 16.5 percent, per St. Louis Fed data. Computer science unemployment in 2025 ran about 6 to 7 percent, higher than average, but underemployment was low: if you landed a job, it was likely a real one in the field. Unemployment and underemployment pull in opposite directions for some majors; you need both numbers.

On the salary side, NACE's Winter 2026 Salary Survey projects these starting averages for bachelor's graduates: computer sciences at $81,535, engineering at $81,198, math and sciences at $74,184, and business at $68,873. Social sciences are the only category where projected salaries dropped, down 1.7 percent from last year. The gap between the top and bottom is real: computer science and engineering graduates start about $35,000 to $40,000 ahead of education, fine arts, and sociology majors, who typically open around $42,000 to $48,000.

Salary rankings and employment odds do not always point the same direction. A college senior in May 2026 expected to earn roughly $80,000 one year out, according to a Clever survey. The actual median starting salary was closer to $60,000. The inflation in expectations is not random: students hear the computer science headline number and generalize. STEM majors do earn more, on average. But within STEM the spread is wide, and geography compresses those national averages fast. A business administration grad taking a first job in a smaller market should expect something closer to the lower end of the employer band, not the $68,873 national average.

Before committing to a major, look up three things. Check the BLS Occupational Employment and Wage Statistics for what similar roles pay in your actual market, not the national average. Ask your college career services office for its own first-destination data: school-specific placement rates beat any national survey for your situation. And check the New York Fed's outcomes-by-major table directly. 

Every graduating class generates the same mix of relief and dread, usually with the same absence of specifics. The numbers above will not guarantee anything, but they put the decision on better footing. Four years is a long time. So is forty years of a career built on a choice made without doing a little research.

Bohr is right about the future. Things are changing very fast. Keep running the numbers.

Monday, June 22, 2026

Engineering Jobs, Class of 2026 and Beyond

I've been watching the Class of 2026 posts on LinkedIn. 

Overall (all majors) grad hiring is up just 1.6% from last year, and 45% of employers rate the market only "fair," the weakest reading since 2021. Engineering is holding up better than most fields.

Average starting salary for engineering graduates is $81,198, up from $78,731 last year. Petroleum engineering leads individual majors at $100,750. Master's level averages $92,873. These are base salaries; total compensation runs higher in defense and energy.

Mechanical is the second most in-demand bachelor's degree this cycle. At least 60% of employers surveyed plan to hire mechanical engineers from the Class of 2026. Electrical is being pulled hard by data center construction, which is running at record pace across the country. Civil engineers are busy in Texas, Oklahoma, and Colorado. Job growth projections through 2034: 11% for industrial, 9.1% for mechanical, 7.2% for electrical. Median salary (the midpoint wage; half of workers in that field earn more, half earn less) for those three disciplines currently sits at $101,140, $102,320, and $111,910.

Projected job growth through 2034 and median salary by engineering discipline. Source: U.S. News / BLS.

Three open engineering positions exist for every qualified candidate right now. Nearly half of working U.S. engineers are 50 or older. Retirements are outpacing new graduates in several disciplines, and that gap is not closing anytime soon. Hiring demand for engineers is projected to grow 13% by 2031. Defense contractors and infrastructure firms are actively recruiting now, not waiting for fall.

GPA screening dropped from 73% of employers in 2019 to 42% today. Internships and real project work are what move resumes forward. Some AI and data analytics fluency helps, particularly in electrical and systems roles. You do not need to be a researcher; you need to show you can use the tools.

The shortage of qualified candidates is real. Not a bad time to finish an engineering degree.


Thursday, June 18, 2026

The Pools at the Bottom

Pic courtesy of fws.gov
Tim and I were friends in elementary school and through high school. We fished and we hiked all over the Western Massachusetts  Berkshires. We specialized in finding waterfalls and the pools at the bottom that held brook trout. Small but beautiful. Tim always caught more than me. We almost always let them go, careful with how we handled them. He’s also the one who turned me on to Hemingway, including Big Two-Hearted River, both parts. A man goes fishing alone, and the whole story is what he doesn’t say.

High school ended. We went to different colleges. Jobs came, then families, and life pulled us in different directions. Forty years went by before we found our way back to each other.

This kind of drift happens to almost everyone. Nobody decides to lose a friend. It happens in small pieces: you mean to call, you don’t call, the next week comes and you don’t call then either. The years pass like that, fast, faster than you expect, until you realize you don’t actually know how someone you once knew well is doing anymore.

Judy, Tim’s wife, died this past April. Since then there have been a couple of text messages, nothing more. I haven’t picked up the phone. I never met his two sons. Forty years apart is enough time to miss entire chapters of somebody’s life.

What I do remember is Bub’s BBQ in Sunderland, where we started getting together about eight years ago, every fall: Tim and Judy, Diane and me. A picnic table, plates of barbecue, a few beers, old stories, a lot of laughs. You could see how much Tim and Judy loved each other just in how they sat together. Bub’s closed this year after almost fifty (!) years in business. That’s the kind of detail that tells you how much time had actually gone by without me noticing.

Time moves faster than the people living in it ever plan for. Forty years can pass between two friends who never had a falling out, never had one bad conversation, and just stopped calling. If there’s someone you’ve been meaning to call, calling closes the gap. Waiting only grows it.

Diane and I will be at the celebration of Judy’s life next month. After that, I’m hoping we get back out fishing. He’ll probably still catch more brookies than me. I don’t think I’ve got forty years left to find out.

Wednesday, June 17, 2026

Authentication, Not Encryption, Is Now The Big Quantum Worry

In the chapter on the threat to encryption in Quantum from the Ground Up, I cited a 2025 estimate from Craig Gidney at Google Quantum AI that RSA-2048 could be factored by a quantum computer with roughly one million noisy physical qubits, and noted that most experts placed Q-Day, the point at which a quantum computer can break current encryption, at around 2035. That estimate did not survive the spring.

In late March and early April 2026, two independent research results arrived within weeks of each other. Google published a major improvement to the quantum algorithm used to break elliptic curve cryptography, the math behind most of the internet's key exchange. Then Oratomic, a quantum computing startup, published a resource estimate suggesting RSA-2048 and P-256 could be broken with as few as 10,000 qubits on a neutral atom machine. That is roughly two orders of magnitude below the prior million-qubit estimate.

Why 10,000 Qubits Instead of a Million

The efficiency gain comes from error correction overhead, not from a change in the underlying mathematics. Shor's algorithm, the quantum algorithm that breaks RSA and ECC, has not changed. What changed is how many physical qubits it takes to build one reliable logical qubit on a neutral atom platform. Reporting on the Oratomic estimate put the ratio at roughly three to four physical qubits per logical qubit, a dramatically smaller overhead than superconducting platforms have required.

That ratio matters because it is the number that determines whether an attack is a research curiosity or an engineering project with a budget and a timeline. A million-qubit machine is not something any organization is building in this decade. A 10,000-qubit machine is in the range that QuEra, Atom Computing, and Pasqal have all stated as roadmap targets for 2026 to 2028 in the neutral atom chapters of this book. The number did not just get smaller. It got small enough to be plausible on hardware roadmaps that already exist.

How the Industry Responded

Cloudflare's response is the clearest signal of how seriously the industry is taking this. Cloudflare secures a significant fraction of global internet traffic, and the company had already completed most of its post-quantum encryption rollout, protecting against harvest-now-decrypt-later attacks where adversaries collect encrypted traffic today and decrypt it once a quantum computer is available. That work was largely done. The Google and Oratomic results changed what Cloudflare is worried about next.

Cloudflare's senior product director told reporters that authentication, not data confidentiality, is now the bigger concern. The distinction is worth sitting with. If a quantum computer can forge access credentials, an attacker does not need to decrypt anything. They can log into systems they are not supposed to have access to, or compromise a software update channel directly. That is a more immediate and more damaging failure mode than data theft, and it requires a different and more complex migration than swapping out an encryption algorithm.

Cloudflare set 2029 as its target for full post-quantum security across its platform, including authentication, and has accelerated its existing roadmap to hit that date. Google made a similar 2029 commitment. Coverage of the shift described the timeline change as a direct response to the two breakthroughs, and one report quoted the view that a coordinated attack against a high-value target, what the article called a moonshot attack, could plausibly arrive by 2030.

What This Changes in the Book

Chapter 13 of the first edition gave a 2029 to 2033 range as the accelerated estimate, driven by IonQ's October 2025 fidelity result. That range still holds, but the reasoning behind it has shifted. The IonQ result was a hardware fidelity improvement on an existing approach. The Google and Oratomic results are an algorithmic and architectural efficiency gain that reduces the qubit count needed for the same outcome. Both push in the same direction, but they are different kinds of progress, and the second edition will need to explain both rather than treating the timeline as a single number that moves around.

The Oratomic estimate specifically relies on high-rate quantum error-correction codes to achieve its 3:1 physical-to-logical overhead ratio. It is worth emphasizing that we are talking about 10,000 physical qubits here. Because the cybersecurity industry has spent a decade hearing that breaking RSA requires millions of physical qubits, highlighting that this breakthrough brings the physical hardware requirements down to the low thousands underscores just how radical this architectural shift is. Furthermore, this timeline collapse wasn't driven by hardware breakthroughs alone; as noted in the landmark paper co-published by Caltech and Oratomic, the team heavily leveraged AI-assisted algorithmic design and reconfigurable arrays to optimize these error-correcting codes, proving that classical AI is actively accelerating the software running on quantum roadmaps. Meanwhile, Google Quantum AI's joint research demonstrated that the logical qubit threshold to break elliptic curve cryptography could be slashed by 20x, creating a compounding effect where hardware requirements dropped while algorithm efficiencies spiked.

The organizational guidance from Chapter 13 does not change, it gets more urgent. Inventory your cryptographic dependencies. Specify quantum-resistant encryption in procurement. Re-encrypt long-term sensitive data. Build crypto agility into your architecture so algorithms can be swapped without a system rebuild.

The new addition, following Cloudflare's formal roadmap acceleration announcement, is that authentication systems deserve the same attention as encrypted data. As industry infrastructure leaders begin locking down their platforms against these newly compressed timelines, a compromised root certificate or access token is recognized as a far more catastrophic failure than a decrypted file, and it is the exact vulnerability the industry is now scrambling to patch.

This post will be incorporated into the second edition of Quantum from the Ground Up, out September 1. The full book, updated quarterly, is free at gordostuff.com/p/quantum-from-ground-up-hardware.html