Expert: Rapid AI and quantum advances raise cyber risks for local governments

Dr. JPY, director of the George Mason Center for Excellence in Government Cyber Security, Risk Management, and Resilience, told the Information Technology Advisory Commission in June 2026 that rapid advances in artificial intelligence and quantum computing are changing how local governments must manage cybersecurity.

"One aspect of cyber security—and I think it's even more important today than previously—is the role of leadership and governance and human capacity in addition to technology," Dr. JPY said, arguing that technical fixes alone are insufficient.

The presentation covered two linked topics: current AI developments, including generative and agentic systems, and the growing need to prepare for quantum threats to widely used cryptography. Dr. JPY traced AI's evolution from rule-based expert systems to machine-learned models, saying modern systems can behave differently than human-designed rules and that "the local context has a very large impact." He cited the 2021 Jason Allen/Midjourney copyright dispute as an example of legal and policy questions that have followed AI adoption.

On quantum computing, Dr. JPY described industry road maps and academic projections and referenced NIST's guidance that organizations should be "postquantum ready" because encrypted data stolen today could be decrypted later if quantum capabilities mature. Asked whether he expects that capability by 2030, he said, "2030 is really quite close" and that vendor road maps target commercially viable systems but not necessarily the cryptanalytic capability needed to break current algorithms.

To manage the risks, Dr. JPY urged practical actions local governments can take now: inventory cryptographic assets and certificates, implement data-classification programs to prioritize protection, upgrade certificate lifecycle management, assess which legacy systems cannot be updated to postquantum cryptography, and vet vendors for AI and cryptographic practices. He recommended sandboxes and testbeds to validate systems before deployment.

He also highlighted governance and staffing challenges: many small jurisdictions have one IT staffer or none, while larger counties such as Arlington and Fairfax have more resources but still face hard choices about budgets and procurement. Dr. JPY warned that organizational models must adapt because AI requires ongoing validation that it 'works' and remains appropriate as models and data change.

Commission members pressed on technical timelines and budget impacts. One participant with quantum-industry experience said that cryptography-breaking applications may require thousands of logical qubits—putting some uses farther out than headline road maps suggest. Dr. JPY agreed there is uncertainty but emphasized planning now while the horizon remains open.

The commission thanked Dr. JPY for the briefing and discussed local policies: some jurisdictions encourage controlled experimentation with AI (Boston), others tightly limit use (Portland). Several members noted their jurisdictions have already blocked or restricted access to certain third-party tools to limit risk.

The next procedural step for the commission is routine: no formal policy was adopted at the meeting; Dr. JPY recommended that jurisdictions consider risk assessments and board-level benchmarking to secure funding and make prioritized investments.