“Every organization managing information technology systems must migrate cyber security components to become quantum-safe… protecting against the cryptographic threat of a future quantum computer.”
That’s now the view of the Government of Canada, outlined in a recent publication: “Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001)”.
As part of the roadmap, Canada outlines a comprehensive multi-year strategy for migrating non-classified IT systems to post-quantum cryptography (PQC) and specifies milestones leading to a full transition of systems by 2035. This brings its timeline into line with others, such as those released this year by the NSA (USA) and the NCSC (UK).
The Roadmap establishes clear deadlines for Canadian federal departments and agencies, broken down into three phases:
- April 2026 – Build an initial plan for departmental migration to PQC. Departments are also required to report on progress annually from this point.
- End of 2031 – Complete PQC migration of high-priority systems.
- End of 2035 – Complete PQC migration of remaining systems.
As with similarly aligned strategies around the world, it’s likely that these phases will overlap, and the Roadmap presents advice on planning and migration, as well as transition and post-migration concerns.
For example, it’s clear that planning areas should include roles and responsibilities, financial planning, an education strategy for staff and executives, and procurement policies for implementing quantum-safe systems. This first phase (by 2026) also includes identifying where and how cryptography is used across IT systems, including network services, operating systems, applications, physical assets and cloud services.
The Roadmap emphasizes the strategic importance of the planning phase, using the inventory to springboard into real-world system upgrades and replacements during the second and third phases.
That naturally requires integrating the PQC transition into existing IT change management plans and, crucially, monitoring the process of migration, conducting impact assessments, measuring backward compatibility, and deploying post-transition monitoring.
Canada is a key player in international cyber security, and securing critical infrastructure is an important part of its ‘whole of society’ approach. As part of the Five Eyes intelligence-sharing alliance, it champions close collaboration with the US, the UK, Australia and New Zealand, and it is a prominent and respected voice in the global cyber security community.
This briefing document provides a clear overview of Canada’s strategic rationale, its stakeholders and its determination when it comes to migrating to post-quantum cryptography. It’s an important publication, aligning the Government of Canada and its partners in the supply chain with other international timelines, all aiming towards quantum-safe systems within the next decade.