Post-Quantum Cryptography in Australia: What Security Leaders Should Do Now
Australia’s Quantum Security Wake-Up Call
Australia occupies a distinct position in the global quantum security landscape. Its heavy reliance on a small number of submarine cable routes, deep integration with Five Eyes and allied intelligence ecosystems, and geopolitical exposure in the Indo-Pacific combine to make it an unusually high-value target for the “harvest now, decrypt later” collection that is now an established part of nation-state cyber strategy. Add a small domestic cryptographic vendor base and near-total dependence on global technology platforms, and the picture is clear: post-quantum cryptography in Australia is not a future-dated agenda item. It is an active operational risk.
This article outlines where things stand, why Australia’s exposure is distinct, which sectors carry the greatest risk, and what security leaders can do to begin preparing in a structured, defensible way.
Three Key Takeaways for Australian CISOs
The quantum threat is already here, even if quantum computers are not.
Large-scale quantum computers capable of breaking today’s encryption have not yet been built, and no one knows exactly when they will arrive. But adversaries may already be collecting encrypted data today with the intention of decrypting it in the future once quantum capabilities become available.
Post-quantum cryptography protects tomorrow’s secrets today.
Data that must remain confidential for years or decades is already at risk from “harvest now, decrypt later” attacks. Adopting post-quantum cryptography now helps safeguard your most valuable information assets with the strongest available protections against future quantum-enabled threats.
The time to start is now because transition takes years, not days.
Moving from existing cryptographic systems to post-quantum cryptography is a complex organisational change that can take years to complete. Waiting until quantum computers arrive will be too late; early action is an investment in the long-term security and resilience of your organisation.

Why quantum security is becoming a global priority
The core concern is not that quantum computers are widely available today; they are not. The concern is that the public-key cryptography underpinning most of the world’s digital infrastructure (RSA, elliptic-curve cryptography, Diffie-Hellman key exchange) is mathematically vulnerable to a sufficiently powerful quantum computer running Shor’s algorithm, and that the transition to quantum-resistant alternatives takes years, not months. Symmetric ciphers and hash functions are far less affected: Grover’s algorithm only halves their effective strength, so AES-256 and the SHA-2 family are expected to remain secure.
This creates the “harvest now, decrypt later” threat: state-sponsored adversaries are systematically collecting encrypted data today, intending to decrypt it once cryptographically relevant quantum computers are available. For data that must remain confidential for five, ten, or twenty years, this is not a future problem but a present one.
In August 2024, the US National Institute of Standards and Technology (NIST) finalised its first post-quantum cryptography standards: FIPS 203 (ML-KEM, a key-encapsulation mechanism), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), the latter two being digital signature schemes. ML-KEM is the intended replacement for RSA and Diffie-Hellman (including ECDH) key establishment; ML-DSA and SLH-DSA replace RSA and ECDSA signatures. Migration is a matter of when, not whether, and for Australian organisations the clock is already running.
Post-quantum cryptography in Australia: why local organisations face distinct risk
Australia is not cryptographically weaker by design, but several structural factors amplify its exposure in ways that set it apart from comparable economies:
- Submarine cable concentration. Australia’s international connectivity is unusually dependent on a small number of submarine cable routes. Disruption or interception at these chokepoints has a disproportionate impact on the confidentiality of data in transit.
- Five Eyes integration. Australia’s deep participation in allied intelligence-sharing ecosystems makes its government, defence, and critical infrastructure networks a primary target for adversaries seeking to penetrate allied data at the weakest point.
- Indo-Pacific threat environment. Australia’s geopolitical positioning means it faces sustained, sophisticated threat activity from state actors with both the capability and the motivation to pursue long-horizon cryptographic attacks.
- AUKUS and defence industry exposure. Australia’s participation in the AUKUS partnership, covering advanced nuclear-powered submarine technology, AI, and hypersonic capabilities, significantly elevates the cryptographic risk profile for the entire Australian defence industrial base and adjacent commercial sectors. Any organisation in the AUKUS supply chain is, by extension, a target.
- High-value, long-lived data. Australia holds significant concentrations of data with long confidentiality requirements: resources sector contracts, genomic research, financial instruments, government and diplomatic records: precisely the data that harvest-now-decrypt-later campaigns are designed to reach.
- Small domestic crypto vendor base. Australia’s reliance on global technology platforms means that quantum-safe encryption for Australian organisations depends almost entirely on the PQC roadmaps of overseas vendors. This creates a sovereignty risk: organisations that do not begin developing internal cryptographic expertise and governance now will have limited options when timelines compress.
Sovereignty is the underappreciated risk. Countries that build internal PQC expertise and governance early will be in a position to make independent decisions about migration sequencing, vendor selection, and national standards alignment. Those that defer will be at the mercy of vendor roadmaps and offshore timelines. This is a structural vulnerability that mirrors current debates in Australia about critical supply chain sovereignty.
The regulatory picture: ASD timelines and compliance obligations
Australia has been one of the more engaged Five Eyes partners on quantum security, and the picture is becoming clearer by the month. The Australian Signals Directorate (ASD) has published a concrete transition timeline that gives organisations a planning framework:
- By end of 2026: Organisations should have a refined plan for their PQC transition.
- By end of 2028: Transition should have commenced, starting with the most critical systems and data.
- By end of 2030: Full transition complete; traditional asymmetric cryptography (RSA, Diffie-Hellman, ECDH, ECDSA) retired from use.
For Commonwealth entities, the 2030 endpoint is embedded in ASD’s Information Security Manual (ISM). ISM control ISM-1917, introduced in March 2024, already requires that future cryptographic requirements and dependencies be considered in all new procurements, making PQC a live compliance obligation now, not later.
In regulated sectors, APRA’s CPS 230 (Operational Risk Management) creates parallel obligations: entities must identify, assess, and manage operational risks broadly, and boards in financial services, insurance, and superannuation are increasingly expected to demonstrate awareness of PQC risk. The Security of Critical Infrastructure Act (SOCI Act) extends similar expectations across energy, telecommunications, water, and transport.
The preparation window is tighter than it appears. Most large organisations have accumulated cryptographic assets across hundreds of systems over decades. Understanding where quantum-vulnerable encryption lives, and what depends on it, is itself a substantial undertaking. For organisations that have not started, 2030 is not as far away as it sounds.
Industries most exposed to quantum risk in Australia
Not every organisation faces equal exposure, but several sectors carry particularly acute risk within the Australian context.
1. Financial services
Banks, superannuation funds, insurers, and payment processors handle long-lived, high-value data that may need to remain confidential for decades. Quantum risk is increasingly appearing in APRA’s conversations with the sector, and PQC migration is a board-level issue here, not just a technical one.
2. Government and defence
The combination of Five Eyes integration and AUKUS participation makes this the highest-risk sector. Classified information, diplomatic communications, and national security infrastructure are the primary targets for sophisticated harvest-now-decrypt-later campaigns. AUKUS supply chain participation extends this risk significantly into adjacent commercial sectors, including engineering, manufacturing, and technology services firms that may not yet recognise their exposure.
3. Resources sector
The cryptographic risk to Australia’s resources sector is materially different from comparable sectors in other countries. Mining and energy assets have operational lifecycles of fifteen to forty years – well beyond the horizon at which quantum computers may become relevant. These operations rely heavily on operational technology and industrial control systems, with remote operations dependent on satellite, microwave, and undersea connectivity that presents interception risk at multiple points. Resources companies are both high-value targets for state actors and structurally limited in their ability to execute rapid cryptographic migration. Growing SOCI coverage and regulatory attention mean this exposure is becoming harder to ignore.
4. Critical infrastructure
Energy, water, telecommunications, and transport networks carry operational technology with long replacement cycles and limited ability to receive software updates remotely. Migration is both technically complex and operationally high-stakes. SOCI obligations are adding regulatory weight to a technical challenge that was already significant.
5. Health and life sciences
Healthcare organisations hold patient records, genomic data, and clinical trial results that require long-term confidentiality. The timescales involved make harvest-now-decrypt-later directly relevant, and many clinical systems have limited cryptographic agility.
How organisations can start preparing for PQC migration in Australia
For most organisations, the right starting point is not algorithm selection or vendor procurement. It is establishing a clear, accurate picture of the cryptographic estate: what algorithms are in use, where they live, and what depends on them.
A typical large Australian enterprise will have TLS certificates distributed across hundreds of servers, cryptographic libraries embedded in dozens of applications, hardware security modules, identity and access management infrastructure, and a long tail of third-party integrations, many with no cryptographic documentation at all. Without structured discovery, any PQC migration effort is working blind.
A practical preparation programme typically involves the following stages:
- Cryptographic asset discovery. Identify every location in the environment where cryptography is in use: network layer, application layer, storage, identity infrastructure, hardware, and third-party services. The output should map not just which algorithms are present, but which systems depend on which cryptographic assets, so migration can be sequenced safely.
- Risk prioritisation. Data with long confidentiality requirements, systems most exposed to external interception, and assets with the longest migration timelines should be addressed first. Risk classification needs to be systematic, not intuitive.
- Vendor and supply chain assessment. Identify which systems depend on vendor-managed cryptographic updates and what their PQC roadmaps look like. This is particularly important for hardware, cloud platforms, and SaaS providers where the organisation has limited direct control.
- Migration planning. Develop a sequenced migration plan aligned to ASD’s milestones: transition plan by end of 2026, critical systems migrating by end of 2028, full transition by end of 2030. For Commonwealth entities, this is a direct compliance requirement. For regulated sectors, the plan should also account for APRA’s CPS 230 expectations.
- Building crypto-agility. The longer-term goal is an environment in which cryptographic algorithms can be updated quickly and safely as standards evolve. This is not achievable without first having comprehensive visibility into the cryptographic estate.
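The discovery and prioritisation stages above are often described and rarely shown. What follows is an added example, not code from this article or from Venari: a standard-library-only Python triage that takes a constructed cryptographic inventory (the CSV layout, asset names and figures are assumptions made for the illustration), classifies each algorithm as quantum-vulnerable, quantum-weakened or quantum-safe, applies Mosca’s inequality (shelf life x plus migration time y exceeding the assumed time z until a cryptographically relevant quantum computer, a widely used planning test the article does not itself name), checks whether each traditional asymmetric asset can be retired before ASD’s end-2030 milestone, and returns a risk-ordered work list. The 10-year CRQC horizon and the 5 years remaining to 2030 are planning assumptions supplied by the caller.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Public-key algorithms broken outright by Shor's algorithm on a CRQC.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA"}
# Algorithms standardised by NIST in FIPS 203/204/205 (August 2024).
PQC_STANDARDS = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers are only weakened by Grover's algorithm (effective strength
# roughly halved), so keys of at least 256 bits are treated as quantum-safe here.
SYMMETRIC = {"AES", "CHACHA20"}

# Constructed sample inventory (an assumption for this example, not real scan output).
# Columns: asset, algorithm, key_bits, confidentiality_years (x), migration_years (y),
# externally_exposed.
SAMPLE_INVENTORY = """\
asset,algorithm,key_bits,confidentiality_years,migration_years,externally_exposed
payments-api,RSA,2048,10,3,yes
hr-portal,ECDSA,256,7,2,yes
archive-backup,AES,128,25,1,no
telemetry-bus,AES,256,3,1,no
pki-root,RSA,4096,15,5,no
plant-scada,ECDH,256,30,6,yes
pilot-vpn,ML-KEM,768,10,1,yes
"""


@dataclass
class Finding:
    asset: str
    algorithm: str
    classification: str
    mosca_at_risk: bool
    misses_asd_deadline: bool
    score: int
    confidentiality_years: int


def classify(algorithm: str, key_bits: int) -> str:
    """Map an algorithm/key-size pair to its quantum risk class."""
    name = algorithm.upper()
    if name in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    if name in PQC_STANDARDS:
        return "quantum-safe"
    if name in SYMMETRIC:
        return "quantum-safe" if key_bits >= 256 else "quantum-weakened"
    return "unknown"  # unrecognised: must be investigated, never assumed safe


def mosca_at_risk(shelf_life_years: int, migration_years: int, crqc_horizon_years: int) -> bool:
    """Mosca's inequality: if x + y > z the data is exposed before migration completes."""
    return shelf_life_years + migration_years > crqc_horizon_years


def score_finding(classification: str, at_risk: bool, exposed: bool, misses_deadline: bool) -> int:
    """Additive priority score; higher means migrate sooner. Weights are assumptions."""
    if classification == "quantum-safe":
        return 0
    score = {"quantum-vulnerable": 4, "quantum-weakened": 2, "unknown": 1}[classification]
    score += 3 if at_risk else 0          # long-lived data already harvestable
    score += 2 if exposed else 0          # traffic or keys reachable by an interceptor
    score += 2 if misses_deadline else 0  # current plan cannot meet the ASD 2030 milestone
    return score


def triage(csv_text: str, crqc_horizon_years: int, years_to_asd_deadline: int) -> list[Finding]:
    """Turn an inventory into a risk-ordered migration work list."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key_bits = int(row["key_bits"])
        x = int(row["confidentiality_years"])
        y = int(row["migration_years"])
        exposed = row["externally_exposed"].strip().lower() == "yes"
        cls = classify(row["algorithm"], key_bits)
        at_risk = cls != "quantum-safe" and mosca_at_risk(x, y, crqc_horizon_years)
        # The end-2030 retirement applies to traditional asymmetric algorithms only.
        misses = cls == "quantum-vulnerable" and y > years_to_asd_deadline
        findings.append(Finding(row["asset"], row["algorithm"], cls, at_risk, misses,
                                score_finding(cls, at_risk, exposed, misses), x))
    # Highest score first; ties broken by the longest confidentiality requirement.
    findings.sort(key=lambda f: (-f.score, -f.confidentiality_years))
    return findings


if __name__ == "__main__":
    # Assumed planning inputs: 10-year CRQC horizon, 5 years left before end of 2030.
    for f in triage(SAMPLE_INVENTORY, crqc_horizon_years=10, years_to_asd_deadline=5):
        flags = ("MOSCA " if f.mosca_at_risk else "") + ("ASD2030" if f.misses_asd_deadline else "")
        print(f"{f.score:2d}  {f.asset:16s} {f.algorithm:8s} {f.classification:19s} {flags}")
```

Two design choices matter more than the particular weights. First, an algorithm the inventory cannot name scores above zero rather than being ignored, because an unidentified cipher is a visibility gap, not an absence of risk. Second, the Mosca test and the ASD milestone are evaluated separately: an internal root CA with a five-year re-keying plan can meet 2030 and still fail Mosca if the data it protects must stay confidential for fifteen years, and the plan should say which of the two drove its position in the queue.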
The Venari Adaptive Cryptographic Intelligence Platform is designed to support organisations at this stage. It provides continuous, real-time visibility across the full cryptographic estate – mapping algorithms, certificates, keys, and dependencies – and translates that visibility into a risk-prioritised migration plan. For security teams that need to demonstrate PQC readiness to boards, regulators, or auditors, it replaces static point-in-time audits with a defensible, continuously updated picture of cryptographic posture.
Building cryptographic visibility across infrastructure
The most common gap in PQC preparation is not a lack of intent but a lack of visibility. Organisations that begin looking seriously typically discover that their cryptographic estate is far larger, more distributed, and more complex than expected.
Several practical challenges compound this:
- Shadow cryptography. Cryptographic assets that exist and are actively in use, but have never been formally catalogued. This is the norm in most large organisations and is very hard to find without dedicated discovery tooling.
- Third-party and supply chain opacity. Many sensitive cryptographic operations happen in systems managed by third parties: cloud providers, SaaS vendors, managed security service providers. Understanding their quantum-safe encryption posture requires structured assessment, not assumptions. For Australian organisations with AUKUS or SOCI obligations, this extends to the entire supplier ecosystem.
- Heterogeneous environments. Cryptography in a modern enterprise spans on-premise infrastructure, cloud workloads, containerised applications, operational technology, and legacy systems with long replacement cycles, each requiring different discovery techniques and carrying different migration constraints.
- Point-in-time limitations. Manual audits produce a snapshot that is immediately out of date. New certificates are issued, new applications are deployed, and new integrations are onboarded continuously. Effective cryptographic visibility is continuous, not periodic.
The organisations that will navigate the quantum transition most effectively are those that treat cryptographic visibility as an ongoing operational capability, not a project with a start and end date.
For a detailed treatment of the end-to-end migration journey, Venari’s post-quantum cryptography guide provides a structured overview from cryptographic discovery through to algorithm selection and crypto-agility.
Common questions
What is post-quantum cryptography and why does it matter for Australian organisations?
Post-quantum cryptography refers to cryptographic algorithms designed to resist attacks from quantum computers. Today’s widely used public-key encryption and key exchange (RSA, elliptic-curve cryptography and Diffie-Hellman) can, in theory, be broken by a sufficiently powerful quantum computer. For Australian organisations, the additional context is that Australia’s geopolitical positioning, Five Eyes integration, and AUKUS participation make it a particularly attractive target for nation-state adversaries pursuing harvest-now-decrypt-later campaigns. Boards should treat this as a live risk management issue.
Has the Australian government issued specific guidance on post-quantum cryptography?
Yes. ASD has published a clear transition timeline: refined transition plan by end of 2026; migration of critical systems underway by end of 2028; full transition complete by end of 2030. For Commonwealth entities, the ISM mandates ceasing traditional asymmetric cryptography by 2030, and ISM control ISM-1917 (introduced March 2024) requires PQC considerations in all new procurements, making this a live obligation now. Regulated sectors face parallel expectations under APRA’s CPS 230 and the SOCI Act.
Which Australian industries face the greatest PQC risk?
Financial services, government, and defence carry the clearest short-term exposure. Australia’s resources sector presents a distinctive risk given its long operational asset lifecycles (15–40 years), heavy OT reliance, and remote connectivity dependence. Defence industry participants, including commercial firms in the AUKUS supply chain, face elevated risk that many do not yet fully recognise. Critical infrastructure operators face both technical complexity and growing SOCI obligations.
Where should security leaders start with PQC migration?
The most important first step is cryptographic asset discovery: a comprehensive, accurate inventory of every location where cryptography is in use, including algorithms, key lengths, certificate chains, and dependencies. Without this foundation, migration planning is not meaningful. From there, risk prioritisation and vendor assessment allow security leaders to build a sequenced roadmap that is defensible to boards and regulators. For a detailed guide, visit Venari’s post-quantum cryptography guide.
What is the "harvest now, decrypt later" threat and which organisations are most at risk?
“Harvest now, decrypt later” refers to the practice of collecting encrypted data today, intending to decrypt it once quantum computers can break current encryption. For Australian organisations, the concern is amplified by submarine cable concentration, Five Eyes data integration, and AUKUS-related defence data. Any organisation holding data with long confidentiality requirements (patient records, financial instruments, classified information, resources contracts) should treat this as a present risk, not a future one.