Australia's Formal Embrace of Post-Quantum Cryptography: What Businesses Need to Know
- Alexey

- Dec 19, 2024
In December 2024, Australia took a significant step forward by formally recognising the need to transition to post-quantum cryptography (PQC) within its updated Information Security Manual (ISM). Under these new guidelines, all legacy cryptographic methods must be phased out in favor of PQC solutions by 2030, providing a relatively short window for a complex and far-reaching shift.

Why This Matters Now
The compressed timeline and the challenge of identifying every instance of encryption underscore the urgency of starting preparations promptly. PQC algorithms - used for key establishment and digital signatures - consume considerably more computational resources than current methods. Simply retrofitting existing architectures and hardware is often not an option. Without careful planning, the complexity involved can quickly become unmanageable.

Implications for Business Leaders
This update translates into concrete action items for CISOs, CTOs, and IT managers. It is important to recognise that a quantum-safe transition cannot be executed as a one-time project; in many cases, it requires setting up new cyber capabilities, updating existing ones, and continuing to work on and improve them. The most common steps include:
- Quantum Strategy: Develop a clear plan for the transition from current cryptographic standards to PQC-ready solutions. Because the process is complex, it may in many cases require setting up a program with robust governance and budget.
- Migrating Critical Elements: Begin by transitioning crucial components, such as HSM/PKI solutions, network encryption (WAN encryption, VPNs) and crown jewel business systems, even before completing full analysis and prioritisation.
- Quantum Risk Quantification: Because quantum-safe migration is enormous in scale, it requires prioritisation and progress reporting. Quantum risk quantification (also referred to as cryptography discovery) requires a new cyber capability.
- Procurement and Vendor Management: Update procurement criteria and vendor assessments to ensure new products and services meet PQC standards.
- Skills and Training: Invest in building the necessary internal expertise. Cybersecurity teams must be equipped to manage, maintain, and evolve quantum-safe practices over time.



