John Scott, 4Quays Technology Inc.; Imraan Bashir, Partner, KPMG, National Public Sector Cyber Leader; Samer Lahoud, Associate Professor, University Research Chair, Faculty of Computer Science, Dalhousie University
Every day Canadians' personal records, online behaviours, financial transactions, and government communications are recorded and stored somewhere.
If encrypted, this data is considered unreadable and inaccessible, but for data stored in clouds, the master keys to access this data are controlled by the cloud vendor.
Data locks also open when quantum processors solve the parameters needed to access today's encrypted keys. If history is a guide, we won't know when today's encryption cracks, a challenge exponentially greater than Y2K.
The "harvest now, decrypt later" threat is a risk formally acknowledged around the world.
The opportunities and threats from AI are also acknowledged around the world. AI has a "harvest now, use now" problem.
AI cloud systems ingest and transform vast quantities of data at machine speed, creating new outputs from Canadian inputs, while depending on the same at-risk encryption that quantum computing can destroy. Actors already use AI clouds to automate intrusion attempts, craft targeted attacks, and siphon data and IP at scale.
While quantum computing removes data locks, AI harvests and stores vast quantities of data and metadata in the Cloud for its own purposes and then controls the methods used to access that data.
The digital locks and keys of the last three decades face these existential pressures.
Political Risks
Cryptography isn't just technical—it's also political. Access to quantum computing and AI allows these powers to be used for and against nations, companies, populations and individuals. These powers can be used for good, but they can also be used to diminish trust and confidence in economic relations, alliances and IoT, and to deprecate military capabilities, secrets, and IP investments.
Prime Minister Carney made clear Canada needs a sovereign cloud. A sovereign cloud is a Canadian-controlled computing platform where data, workloads, and digital locks and keys stay in Canada and one that is operated and governed by Canadian operators, laws and oversight. We applaud those who have long advocated for this (including the Council of Canadian Innovators).
In truth, however, the risks that a sovereign cloud seeks to address have been in plain sight for decades.
Inaction is Risk
Canada has relied on technology vendors operating in global markets to provide and secure our advanced compute capabilities. In the AI and quantum age, however, we must intentionally develop the cryptographic agilities and controls needed to harness these advanced compute capabilities to secure a better future, one that can also work with the uneven pace of vendor roadmaps and their validations.
One definition of cryptographic agility is the ability to change cryptographies without disrupting operations. There are now very good reasons for this agility to be controlled not just by vendors, but by the entity that uses the technology in its operations and bears its risks.
As bilateral trade orders emerge, vendor-selected embedded cryptographies, if they are not made agile for sovereign nations, enterprises and their users, may no longer be fit for purpose—a middle power strategy is needed.
In today's geopolitics, measured passivity—waiting for non-Canadian vendors to solve this in Canada's best interests—is a security risk, not a strategy.
As Europe aligns a common approach across member states and funds domestic providers, China and the U.S. invest significantly in quantum and AI with the explicit aim of dominance.
Most nation states mandate their agencies to inventory and plan quantum-safe migrations with vendors as first steps. This approach is a big risk, task, and expense for Canadians.
In compute environments, digital sovereignty requires a layer of cryptographic agilities. These agilities must be part of the Cloud for Canada and must further be designed and operated by Canadians, aligning domestic data and compute controls to our own cryptographic agility.
Small and medium enterprises power most of Canada's GDP. They require a practical and affordable way to become quantum-safe—starting with the first cryptographic migrations and continuing through every change after that.
The Road Chosen
In a bilateral world, middle powers need an agile approach to adapt to how each trading pair digitally protects itself. We should adopt global standards where we decide it makes sense, but do so through our own agile cryptographic infrastructures, with policies and operations we choose, own and control. Access and entitlement to our data and IP assets should be capable of being governed by us.
This moment should encourage us to resist becoming takers of the new core security technologies and instead become builders of them. We are a G7 country with world-class universities and research institutions and a positive history in the first trusted digital cryptographies.
This is how Canada remains a trusted trading partner and a credible player in the long age of the digital economy.
