Every bank account, hospital record, military communication and online transaction in Canada depends on cryptography. It is the foundational layer of security that secures the systems we depend on.

For decades, that foundation has been stable. Classical encryption largely works against today’s cyberthreats.

But quantum computers are coming. Some already exist, and fault-tolerant versions are in the works. They are exponentially more powerful than classical computers at certain tasks, including breaking the mathematical problems that classical encryption depends on. That means quantum-powered cyberattacks will be able to hack our existing systems at speed.

What is quantum computing?

Classical computers operate in binary: ones and zeros. Quantum computers operate on qubits, which exist in all states simultaneously. The applications are unlimited — from quantum sensors capable of detecting infinitesimal earth’s magnetic field for precise global positioning to quantum computers that could cut research and development times for vaccines down from years to months or even days.

In practical terms: cracking today’s cybersecurity systems would take a classical computer tens of thousands of years, but will take a quantum computer a matter of minutes. Our digital world is built on a foundation designed for today’s classic computing capability. Not tomorrow’s quantum era.

The working assumption among policymakers has long been that quantum computers were still more than a decade away. New research is challenging that timeline. Researchers and developers like Google now suggest that quantum computing is advancing faster than anticipated. AI is accelerating that pace further still, acting like a turbocharger for the quantum threat.

Why does the timeline matter so much?

Cryptographic infrastructure is not software you can update overnight. It is tied to hardware – the physical devices embedded across every network, defence platform and critical system globally.

Defence platforms, financial infrastructure, satellites and industrial control systems can remain in service for decades. The cryptography protecting them must remain secure for that entire period.

The device at the heart of this is called a hardware security module (HSM). Every tank Canada operates has one. Banks and payment networks need hundreds to keep financial transactions secure. An HSM generates, stores, and manages the cryptographic keys that protect everything else. Your everyday internet trnsactions ar possible because HSMs ensure the digital trust they depend on.

Adversaries already know this. Foreign state-sponsored actors are currently harvesting encrypted data with the explicit intent of decrypting it later, once quantum computing matures. The threat is here, and it is quickly building.

How will we know when we’re safe?

The global benchmark for post-quantum cryptography is set by the U.S. National Institute of Standards and Technology, which recently finalized the first set of quantum-safe cryptographic standards and established FIPS 140-3 Level 3 as one of the highest internationally recognized certification for cryptographic hardware. Achieving it requires a device to withstand physical tampering, enforce strong authentication and securely manage encryption keys against both today’s threats and the quantum threats of tomorrow.

Large companies, like financial institutions, are already upgrading their HSMs and network security to be quantum-safe. The solutions exist, and they work.

Where does Canada stand?

Canada’s National Quantum Strategy includes post-quantum cryptography as a pillar. Non-classified federal departments were required last month to submit plans for migrating their IT systems to quantum-safe cryptography, with full transition expected by 2035.

But that deadline may already be lagging the curve. If meaningful quantum threats emerge sooner, as researchers at Google Quantum AI now suggest, that risks being too little, too late. A country that completes its post-quantum cryptographic transition ahead of schedule can protect its own assets and those of its allies. Those that don’t are at risk.

What’s less well known is that Canada doesn’t need to import the solution. The talent pipeline that feeds the global quantum-safe industry runs through Canadian cities. Three decades ago, Canada developed key technologies that still underpin the security of today’s digital economy. The next generation of quantum-safe solutions is again being built here. Our solutions can be sovereign. For both classified and non-classified assets, we can develop and manufacture the cybersecurity locks in Canada, and make sure the keys are forged and held in Canada.

Digital sovereignty is quickly becoming as important as energy sovereignty or defence sovereignty. The countries that move early will control theirs. Those that move late, or that outsource the foundational layer of their digital security to foreign providers, will not.

Ottawa has the ingredients. What’s needed now is a timeline calibrated to the AI-accelerated curve. The quantum countdown clock is running.

Bruno Couillard is the CEO and co-founder of Crypto4A, a Canadian quantum security company producing quantum-first, future-proof security platforms to safeguard Canada and the world’s most critical digital systems. He previously served as a telecommunications officer in the Canadian Armed Forces and at the Canadian Communications Security Establishment, Canada’s national cryptologic agency.