Looking ahead: Quantum computing and cyber security

The arrival of quantum computers brings new possibilities to science and technology by providing tremendous data processing power, but these improvements also come with serious cyber security risks.

To protect the information entrusted to the Government of Canada (GC), departments and agencies must begin to plan for the transition to post-quantum cryptography (PQC). The Communications Security Establishment Canada (CSE) assesses that a quantum computer powerful enough to break many cryptographic standards could be available as soon as the 2030s, putting much of the GC’s data at risk.

One of the objectives in the GC Enterprise Cyber Security Strategy is to transition GC systems to use standardized PQC, as quantum computers pose cyber security threats to communications and data, including Virtual Private Networks (VPNs) and secure websites. They could also break authentication processes, like certificates used in public key infrastructure (PKI) for purposes such as software updates.

How this affects the GC

All devices and systems across the GC that use encryption will need to be transitioned, either through upgrades or replacement, to use PQC that is designed to be resistant to quantum computer threats. Legacy systems lack the flexibility to integrate new quantum-resistant algorithms and must be overhauled to ensure protection against future threats.

What Shared Services Canada (SSC) is doing

SSC is developing a plan and strategy for the post-quantum transition in collaboration with CSE and the Treasury Board of Canada Secretariat (TBS). SSC is committed to maintaining and extending these collaborative efforts with strategic partners and will communicate with SSC partners and clients regarding developments stemming from the collaboration.

SSC is also evolving its cyber security measures with modern concepts like zero trust architecture (ZTA) to prepare for PQC as part of the GC’s comprehensive cyber security roadmap.

What CSE is doing

As the national authority for Communications Security (COMSEC), CSE manages the modernization of classified cryptographic equipment with COMSEC custodians across the GC. This modernization is in line with Five Eyes and NATO partners.

CSE, and its Canadian Centre for Cyber Security (Cyber Centre), are providing advice and guidance to GC departments on the nature of the quantum threat and how to transition from current cryptography to PQC. They are also working with international standards organizations to support the adoption of PQC algorithms.

Steps GC organizations can take now to prepare

• Identify all systems that will need to be transitioned: This includes, but is not limited to, computers, PKI, web servers, authorization frameworks, VPNs and digital certificates

• Identify organizational interoperability requirements, life cycle requirements and key management options: A sensitivity assessment of the information being protected may help determine the priority of systems that need to be transitioned

• Talk with vendors to determine their plans and timelines to transition to PQC: This information can be used to develop a plan and a budget, which will be necessary for the transition

• Ensure newly procured products and services support standardized and validated PQC: Products must be tested and validated under the Cryptographic Module Validation Program (CMVP) and must follow industry protocol standards to reduce cyber security risk and avoid vendor lock-in

For more information on the transition to PQC, see the Cyber Centre’s publications on preparing your organization for the quantum threat to cryptography (ITSAP.00.017) and addressing the quantum computing threat to cryptography (ITSE.00.017).

If you have questions or would like more information, please contact cryptography-cryptographie@cyber.gc.ca.

Related links

• Cryptographic Module Validation Program

• Cyber Centre celebrates new NIST post-quantum standards

• NIST releases first 3 finalized post-quantum encryption standards

• FIPS 203

• FIPS 204

• FIPS 205