Canada's Harvest Now Decrypt Later & Post-Quantum Migration

Canada Announces Its Aspiring 2035 Quantum Cyber Defence Initiative Deadline

Canada takes proactive steps to counter the Harvest Now Decrypt Later (HNDL) threat by accelerating its transition to post-quantum encryption standards across critical sectors.

To strengthen its government information technology (IT) systems against the growing threat of future quantum computers, Canada has formally unveiled a comprehensive, multi-year strategy. The program, which went into force on June 23, 2025, calls for the complete conversion of all government IT systems that are not classified to post-quantum cryptography (PQC) by 2035. This audacious timetable demonstrates the government’s dedication to safeguarding private information against possible decryption by suitably potent quantum machines.

Strict benchmarks for government ministries are outlined in the roadmap, which was created by the Canadian Centre for Cyber Security (Cyber Centre). By April 2026, initial PQC migration plans and yearly progress reports are due. By the end of 2031, high-priority systems should be transitioned, and by the end of 2035, all other systems should have finished their upgrades. This covers both in-house and outside managed IT infrastructure, including cloud providers.

You can also read Using Cryo CMOS for Quantum Computing Scales Spin Qubits

The Quantum Threat: “Harvest Now Decrypt Later”

Quantum computers, which could replace current encryption methods, make this project urgent. The plan discourages “harvest now, decrypt later” (HNDL). This implies that malevolent actors might already be gathering encrypted material now to decrypt it later on when quantum computing is practical. Systems that safeguard the privacy of data when it is being transmitted over public networks are given priority for migration since they are especially vulnerable to this HNDL danger.

By replacing susceptible public-key cryptography used for user authentication, communication security, and other vital tasks, the switch to PQC is intended to lessen this cryptographic hazard. By international standards being finalized by the National Institute of Standards and Technology (NIST) of the United States, the Cyber Centre suggests the adoption of standardized PQC algorithms.

A Whole-of-Government Approach with Clear Responsibilities

Significant dedication and cooperation throughout the Government of Canada (GC) are needed for this intricate, multi-year project. Important parties involved are:

The Communications Security Establishment’s Canadian Centre for Cyber Security (Cyber Centre), Canada’s IT security authority, provides technical guidance, supervision, and compliance monitoring throughout the multi-phase process. They will also keep a shared resource repository up to date and update network protocol configuration guidelines.
The Treasury Board Secretariat (TBS) is in charge of strategic direction, policy leadership, and managing a security management strategy that involves the entire government. TBS will release the required policy tools to mandate progress reports and departmental PQC migration plans.
In addition to managing the IT services and infrastructure for numerous ministries, Shared Services Canada (SSC) is actively working on its PQC migration plan and providing advice to TBS and the Cyber Centre regarding its viability.
Federal Departments and Agencies: Within their respective program areas, each agency bears direct responsibility for handling cybersecurity threats. They must create and carry out customised PQC migration plans for the systems they are in charge of, including cloud services that they have contracted to use.

You can also read Quantum Feature Maps And Classical Data In Quantum Space

Phased Execution for a Seamless Transition

The three suggested PQC migration phases listed in the roadmap are anticipated to overlap:

Preparation: Departments are required to create an initial plan for the migration of PQC. This entails the formation of a cross-functional committee, the appointment of a PQC Migration Technical Lead for coordination, and a PQC Migration Executive Lead (usually the Designated Official for Cyber Security or a delegated executive official) for supervision and accountability.

Important financial planning is also included in this phase, to utilize current IT equipment lifecycles and modernization plans to cut costs. This is because delays may result in hurried buying and increased expenditures. To educate employees on the quantum threat and the status of the migration, an education plan is essential. To guarantee that new systems support PQC, contain cryptographic agility, and include contract provisions and certification standards suggested by the Cyber Centre, procurement regulations must also be changed.

Identification: To find every instance of cryptography usage across IT systems, a thorough audit is conducted during this crucial phase. Network services, operating systems, applications, and tangible assets like server racks, laptops, printers, and smart cards are all included in this broad scope. Building an exhaustive inventory that includes information on system components, vendors, security measures, current configurations, dependencies, and accountable contacts is the goal.

Systems vulnerable to the “harvest now, decrypt later” danger must be given priority by departments. Existing IT service management (ITSM) procedures and software tools, including network monitoring, endpoint detection and response (EDR) technologies, and security information and event management (SIEM) solutions, will be used in the discovery process. It is anticipated that the Cyber Center’s sensors program will help with this identification. Early vendor engagement is advised in order to learn about the PQC roadmaps and product compatibility of the vendors.

You can also read Nord Quantique Unveils Multimode Encoding for Efficient QEC

Transition: Based on inventory, organise and execute system replacements, upgrades, secure tunnelling, or network isolation. Transition plans should include IT change management procedures like impact studies, rollback playbooks, testing staging environments, and post-transition monitoring. Although the initial selection of PQC-capable devices may be small, suppliers are quickly embracing new standards. During the transition, systems might need to preserve backward compatibility, with a second phase devoted to turning off outdated, vulnerable encryption. Complete replacement or temporary security via network isolation or secure tunnelling may be required for legacy systems that cannot be retrofitted.

Governance and Continued Support

The IT Security Tripartite, a collaborative group made up of the Cyber Centre, SSC, and TBS, is in charge of overseeing the initiative’s governance. It also handles compliance and provides further guidance. The Enterprise Architecture Review Board (GC EARB) of the Government of Canada will also make sure that new systems adhere to cybersecurity and digital service standards. In order to maintain openness and help departments modify schedules and resources, progress reports will be incorporated into the federal digital services planning process.

Interdepartmental Quantum Science and Technology (S&T) Coordination Committees are in charge of this roadmap, which is in line with Canada’s larger National Quantum Strategy. Using the TBS GCxchange platform for resource sharing and the Cyber Center’s Learning Hub for instructional materials on the quantum threat, the Cyber Centre will continue to offer counsel and direction.

You can also read HHL Algorithm For Quantum Modeling Of Nuclear Systems

Quantum Computing News