Cyber Security and Emerging Threats

Canada Already Entered the Quantum Era: Is it Exposed or Ready for What Comes Next?

An Interview with Brad McInnis Part 1

Brad McInnis is a cybersecurity and cryptographic resilience expert with more than twenty-five years of experience spanning industry, Canadian defence intelligence, the Five Eyes community, and U.S. government and defence environments. His work has focused on long-term confidentiality, enterprise key management, and large-scale cryptographic modernization for national-level systems. He is the founder of cyberzero and the creator of Quantanaut, a cryptographic intelligence platform that helps organizations uncover hidden cryptographic dependencies and plan a practical transition to post-quantum security. In this conversation with Touraj Riazi, Brad cuts through common misconceptions about Canada’s readiness for the quantum era.

Encryption Is Evolving 

Humans have used codes and ciphers to encrypt sensitive communications for thousands of years. Modern cryptography now forms the backbone of digital trust across society.

Without the right key, modern encryption is like a safe with too many combinations to guess in any practical amount of time. For symmetric encryption like AES, brute force is not the concern organizations lose sleep over. The real quantum cliff is public key cryptography. If a Cryptographically Relevant Quantum Computer (CRQC) arrives in the 2030s, Shor’s algorithm can break the Rivest–Shamir–Adleman public-key encryption system (i.e. RSA) and Elliptic-Curve Cryptography (ECC), which underpin digital identity, key exchange, and trust across the internet. 

Quantum technologies have recently permeated the general public’s consciousness by creeping into news headlines and government budgets. While this raises awareness of what Canada’s quantum future might look like, it also fosters a dangerous misconception: that quantum risks are abstract, distant and safely confined to the future. 

Cybersecurity practitioners helping enterprises address the quantum risks they confront today know the opposite is true. Organizations that store confidential data and depend on secure digital authentication face present-day quantum risks that they need to understand practically and address operationally, not study theoretically under a false sense of security. 

Those who focus solely on short-term threats like zero-days or ransomware create a blind spot. They delay the necessary governance reforms and financial investments required to become quantum safe, thereby giving adversaries a head start.

There is no visible smoke yet, the house has not burned, but the fire has already started in the basement. Organizations can still choose to ignore it, but those who procrastinate will find far less to save once the flames reach higher floors.  

Post-Quantum Cryptography (PQC) is the fire extinguisher we must deploy now to help save the house. PQC refers to mathematical algorithms that are designed to withstand quantum computing attacks without requiring any quantum hardware. In its PQC migration Roadmap, the Canadian Centre for Cyber Security (CCCS) expects all government departments and agencies to have completed migrating their systems to PQC standards by the end of 2035. 

Since the algorithms that protect us today cannot be replaced wholesale overnight, Canada’s PQC migration must be staged, incremental and collective. Misconceptions about the threat combined with uncertainty about where to start risk producing paralysis, procrastination or panic. 

What is required instead is deliberate action. Companies like cyberzero, supported by platforms such as Quantanaut, help organizations convert quantum uncertainty into operational resilience through prudent planning and prioritization that treats PQC migration as a series of manageable steps. 

In Part 1 of this conversation, Brad McInnis shares sagacious insights about his world of PQC, “where quantum computing and cryptography intersect”, and Canada’s posture in the quantum era. In Part 2, Brad draws on his unique defence intelligence and military experience to discuss why a new defence strategy is required to secure NATO and the Five Eyes in a post-quantum world.

Why Act Now? 

Quantum computing, Brad declares, “will not break our systems overnight.” “It will break the assumptions those systems were built on.” 

When Brad began his quantum work in defence intelligence almost two decades ago, he was already “managing systems carrying data that had to stay confidential for decades.” In that environment, “quantum threats and ‘future cryptographic breaks’ were always considered present-day risks” because “cyber threat actors were constantly improving their ability to exfiltrate encrypted material.” 

Brad recalls when “a consensus emerged that a quantum attack will eventually break the current public key algorithms such as RSA and ECC that protect the information stored by enterprises and on the Internet today.” 

This shift surfaced two immediate risks. 

One is “Harvest-Now-Decrypt-Later” (HNDL). In HNDL operations, “the goal is not to break the encryption immediately because that is computationally infeasible with classical hardware.” Instead, adversaries surreptitiously stockpile encrypted data for decryption once a CRQC emerges. 

Throughout his career, Brad observed how “more intelligence assessments started to highlight the prevalence of HNDL attacks,” reinforcing quantum threats as “real operational risks, not theoretical research topics.”

HNDL campaigns are especially insidious because they leave no logs, signatures, or alerts. Traditional cybersecurity detection is not designed to detect adversaries that passively collect encrypted traffic.  

Data lifetime is critical to understanding the impact of HNDL operations. “Government, defence, identity, financial and operational data often require confidentiality guarantees measured in decades rather than quarters.” Brad points out that “when data must remain secure for that long, quantum becomes a present-day risk, not a future one.” 

Canada’s nation-state adversaries “are already collecting encrypted traffic,” which includes email, VPN traffic, and satellite links, by targeting networks and endpoints. 

What has changed is not adversary tradecraft, but the timeline. Brad is concerned that the confidentiality of harvested data will evaporate in the very likely event that a CRQC emerges before multi-decade (25–50+ year) confidentiality requirements for classified intelligence expire. 

The second, more urgent quantum risk is forgery. “Once a CRQC exists, classical digital signatures can be faked,” allowing malicious actors to pass off compromised updates as legitimate ones. A forged firmware update delivered to a critical infrastructure operator could cause immediate and severe damage.

Brad summarizes the stakes succinctly: “Decryption threatens confidentiality. Forgery destroys trust.” PQC, therefore, goes beyond protecting long-lived data. “It is also about safeguarding identity, authentication and national infrastructure.” 

Managing quantum risk is not tomorrow’s optional homework. Brad is unequivocal: “PQC initiatives are not research experiments. They are a part of modernizing enterprise operations and enhancing their resiliency.”

Ultimately, “quantum advances do not replace classical vulnerabilities.” “They amplify them.” “Every weakness in cryptographic governance becomes more dangerous under quantum pressure.” 

What Is the Government of Canada Doing?  

Last year, the U.S. National Institute of Standards and Technology (NIST) finalized three post-quantum cryptography standards, marking a shift from quantum defense as a theoretical concern to an operational necessity. Both NIST and the National Security Agency (NSA) have reaffirmed the 2035 timeline, set under National Security Memorandum-10 (NSM-10), for U.S. government agencies and departments to complete their migration from classical to quantum resistant cryptography. 

Canada’s Roadmap, led by CCCS and Treasury Board Secretariat, aligns with the 2035 U.S. timeline. It outlines a phased approach that initially requires all Government departments and agencies to deliver their PQC migration strategies by April 2026. 

These timelines are not arbitrary. They reflect a shared threat assessment that a CRQC could emerge in the 2030s, and they bake in the time it actually takes to migrate cryptography safely across complex systems without disrupting operations. Organizations will first need to understand “where their cryptography lives, which algorithms are vulnerable, which systems protect long lived data, and which vendors are essential to the migration.” 

Brad lauds Canada’s approach as “one of the most flexible, pragmatic and operationally grounded in the world” precisely because it avoids the fantasy of “a wholesale overnight transformation.” It focuses “on the fundamentals: inventory, visibility and prioritization” and allows departments “to plan intelligently rather than react out of fear.”  

Canada’s Roadmap may be more circumscribed than the EU or U.K.’s all-sector approach, but it creates a powerful ripple effect. As Brad asserts, “by setting these timelines for itself, the government effectively spurs industry action too.” Whether they realize it or not, “vendors, integrators and supply chain partners must now all modernize to meet the government’s updated cryptography standards.” 

A staged path to quantum safety also gives vendors and operators the opportunity for “real world testing, global evaluation and operational hardening” of newer PQC algorithms, which have not yet matured as RSA and ECC have, before they are fully integrated into products and supply chains.

In the interim, Canada and its allies have endorsed the implementation of hybrid cryptography. Hybrid deployments combine classical and PQC algorithms to provide a multifaceted defence against both classical and quantum threats. 

A hybrid approach enables Canada and its allies to “preserve the trust we have in classical algorithms” while safely transitioning to PQC as standards mature without destabilizing existing systems. 

Hybrid cryptography also provides an effective defence against HNDL attacks by requiring enterprises “to identify sensitive data assets or those that must remain confidential” and establish a long-term plan to ensure security over the required timeframe.

For Brad, Canada’s strategic advantage lies in the alignment of quantum expertise and timeline. Canada now has a “unique window of opportunity to convert this alignment into operational readiness.”

How Is the Private Sector Coping? 

The Procrastination Paradox 

A procrastination paradox sits at the heart of Canada’s private sector. Even though 59% of Canadian organizations surveyed by KPMG in 2023 expect the emergence of a CRQC within the next decade, barely half of them (53%) admitted to taking any steps to become quantum safe. 55% have not assessed how quantum advances threaten their operations. 

Yet a separate survey showed that 70% of Canadian CEOs plan to devote 10-20% of their 2026 budget to AI initiatives that make for more compelling business cases. Confusion about when a CRQC will emerge compounds the uncertainty around the present value of quantum defence investments.

Brad’s perception differs. He prefers to “avoid terms like Q-Day or Y2Q” because “they reduce a complex, long term modernization effort to the idea of a single catastrophic moment.”

This framing “is misleading because quantum risk is not a countdown clock.” “This is an architectural and governance issue that exposes weaknesses already embedded in our systems.” Brad likens this to being told that a building will collapse at midnight on an unknown date yet choosing not to reinforce or evacuate it because the exact day is uncertain.

That is “the wrong mentality” because “it implies an event with a before and an after.” “Event based thinking leads to procrastination,” he avers, whereas “architectural thinking leads to action” that is required to build crypto agility and resilience now. 

Without mandated timelines, however, PQC adoption by Canadian and American private sector organizations has been more fragmented. Some large cloud and internet platforms, including Google, Cloudflare, and AWS, have already begun deploying hybrid post-quantum cryptography in production, especially for TLS connections, to reduce long-term HNDL risk.

“Visibility Beats Fear”

Early in Brad’s career, one truth became unavoidable: “most organizations do not actually know where their cryptography lives.” Organizations can “point to their servers, APIs and cloud environments, but they rarely see the cryptographic machinery that holds those systems together.” “The certificates, keys, and trust relationships that secure operations are often invisible.” Unfortunately, this is “where the real risk accumulates.”

Brad points to a familiar pattern from major breaches over the past decade: the math did not fail; the organization’s visibility did. “Most organizations do not have a quantum problem”, he says. “They have a visibility problem that the quantum threat makes impossible to ignore.” 

According to Brad, “this visibility problem is not new.” “It is accumulated cryptographic debt that has built up quietly over years and continues to compound.”

The lesson is blunt. When teams cannot see where certificates, keys, and signing live across their environment, small cryptographic gaps can sit quietly for months, until they suddenly become a breach. 

  1. In 2014, a CRA breach related to the Heartbleed vulnerability occurred after attackers exploited a bug in the OpenSSL cryptographic software library. 
  2. In 2017, Equifax detected a breach after it belatedly updated an expired TLS security certificate. Keeping TLS certificates up to date is a basic information security practice and was part of Equifax’s stated policy, yet it had expired certificates that were silently disabled for 19 months without anybody noticing.
  3. In 2020, the SolarWinds attack was even “more alarming” because “attackers were able to slip into the software supply chain by abusing a trusted signing infrastructure that organizations assumed was safe.” 

None of these incidents were “quantum problems”, Brad observed, “but they exposed the same root issue: cryptography fails quietly.” “It fails in places organizations cannot see, which carries significant consequences for Canada’s national security.” 

Plan, Prioritize, Don’t Panic

“If you think post-quantum cryptography is a software upgrade, you will manage it like one and the scope will surprise you,” warns Brad. “Cryptography is a system of trust.” It spans certificates, key management, code signing, protocols, and supply chains. As a result, the path to quantum safety is not a one-click patch, but a staged modernization effort built on visibility and crypto agility. Brad offers reassurance that “once you can see your cryptography, quantum becomes a manageable modernization problem, not a crisis.” He frames PQC migration as 5 governable steps that enable organizations to be surgical and intelligence-driven in their journey to quantum resilience.

1. Prioritize Assets 

  • Identify high-value data assets such as those with long-term confidentiality requirements.

2. Establish Visibility 

  • Inventory where cryptography lives across applications, libraries, certificates, APIs, devices and hardware so you can sequence migration.

3. Engage Vendors 

  • Align your timeline to supplier roadmaps because most migrations are effectively impossible without vendor participation.

4. Become Hybrid 

  • Use hybrid deployments that maintain operational continuity as a bridge while standards and vendor support mature.

5. Defence in Depth 

  • Address governance around keys, certificates, and signing. PQC doesn’t replace fundamentals.
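
One way to turn the first three steps into a first-pass triage of a cryptographic inventory, shown as an added example (it is not from the interview and is not Quantanaut's code). The inventory entries, the risk weights and the 2030 CRQC planning year are constructed assumptions; ML-KEM, ML-DSA and SLH-DSA are the algorithm names from NIST FIPS 203, 204 and 205.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SHOR_VULNERABLE = {"RSA", "ECC"}        # families the article says Shor's algorithm breaks
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}   # NIST FIPS 203 / 204 / 205
CRQC_YEAR = 2030                        # assumption: first year of "the 2030s"
# Assumed weights: forgery first (the article calls it the more urgent risk).
WEIGHTS = {"FORGERY": 4, "HNDL": 3, "EXPIRED_CERT": 2, "NEEDS_VENDOR": 1}


@dataclass
class Asset:
    name: str
    use: str                                  # "key-exchange", "signature", "bulk-encryption"
    algorithms: tuple                         # several entries = hybrid deployment
    confidential_until: Optional[int] = None  # last year the data must stay secret
    cert_expiry: Optional[date] = None
    vendor_controlled: bool = False           # crypto can only be changed by the supplier


def findings(a, today, crqc_year=CRQC_YEAR):
    """Return the risk labels that apply to one inventory entry."""
    algs = set(a.algorithms)
    # Hybrid (classical + PQC) and symmetric-only entries are not classical_only.
    classical_only = bool(algs & SHOR_VULNERABLE) and not (algs & PQC)
    out = []
    if classical_only and a.use == "signature":
        out.append("FORGERY")
    # Harvest-now-decrypt-later: secrecy requirement outlives the CRQC planning year.
    if classical_only and a.use == "key-exchange" and (a.confidential_until or 0) >= crqc_year:
        out.append("HNDL")
    if a.cert_expiry is not None and a.cert_expiry < today:
        out.append("EXPIRED_CERT")
    if classical_only and a.vendor_controlled:
        out.append("NEEDS_VENDOR")
    return out


def triage(inventory, today, crqc_year=CRQC_YEAR):
    """Rank entries with findings by total weight (highest first), then by name."""
    rows = [(a.name, findings(a, today, crqc_year)) for a in inventory]
    rows = [r for r in rows if r[1]]
    rows.sort(key=lambda r: (-sum(WEIGHTS[f] for f in r[1]), r[0]))
    return rows


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("vpn-gateway", "key-exchange", ("ECC",), confidential_until=2055,
          vendor_controlled=True),
    Asset("firmware-signing", "signature", ("RSA",), cert_expiry=date(2027, 1, 1)),
    Asset("public-web-tls", "key-exchange", ("ECC", "ML-KEM"), confidential_until=2040),
    Asset("traffic-inspection", "key-exchange", ("RSA",), confidential_until=2026,
          cert_expiry=date(2024, 6, 30)),
    Asset("backup-archive", "bulk-encryption", ("AES-256",), confidential_until=2060),
]

if __name__ == "__main__":
    for name, labels in triage(INVENTORY, today=date(2025, 12, 20)):
        print(f"{name:20} {', '.join(labels)}")
```

The hybrid TLS endpoint and the AES-only archive drop out of the ranking, which matches the article's point that hybrid deployments address HNDL and that symmetric encryption is not the quantum cliff.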

Legacy platforms add another layer of complexity. In some cases, “it may not be possible to upgrade legacy systems to ensure compliance with the latest NIST PQC standards without updating or replacing the system.”

Brad finds that “many private sector organizations are still struggling with these foundational elements of quantum resilience.”

He emphasizes: “modernization is not an overnight project.” “PQC is the upgrade. Visibility is the requirement. Governance is the guarantee.”

Cyberzero & Quantanaut

As more Canadian organizations recognize the immediacy of quantum risk, “they will require support from Canadian platforms and professional services who provide the missing but crucial element of cryptographic visibility into their systems which store multiple types of cryptographic assets.”

This is where companies like cyberzero and cryptographic intelligence platforms like Quantanaut play a role. They help enterprises build cryptographic resilience and treat cryptography as infrastructure instead of code. With these tools, cryptography finally becomes visible, measurable and governable for enterprises.

Brad created Quantanaut to “solve the visibility problem directly.” Its mission is to “shine light in the darkness of cryptographic libraries where cryptographic risks often hide.”

The platform provides a ‘CISO’ view to facilitate the essential process of asset prioritization through “holistic visibility into the systems of an enterprise.” It reveals “exactly what CISOs need to examine to establish PQC enterprise readiness.”

Consider, Brad says, that “throughout the course of this conversation, our phones have likely performed a number of different cryptographic operations without our knowledge.” “Every authentication, every secure channel, every dependency involves cryptography you rarely see.” “Now imagine if that invisible layer of trust evaporated.” “They would fail together, undermining the systems we assume protect our privacy, secure our most sensitive data, and safely deliver online updates and digital signatures.” “Quantanaut exposes these hidden layers: algorithms, libraries, certificates, APIs, supply-chain dependencies and scores them all from a risk perspective; it transforms hidden dependencies into a navigable roadmap for PQC migration.”

Once an organization understands its cryptographic posture, Quantanaut helps clarify how its vendor ecosystem affects its path to PQC. Brad is cognizant of the fact that “PQC is a supply chain challenge as much as it is a cryptographic one, and Quantanaut operationalizes that reality.”

One challenge Brad repeatedly encountered when guiding enterprises was “the inability to replace classical cryptographic libraries with post-quantum ones or even hybrid versions because this could only be accomplished through the respective vendor.” Brad also recognizes there is no single panacea and “many tools are needed across sectors to achieve quantum resilience.”

Public-Private Collaboration Is Key

Public-private sector cooperation is also “non-negotiable” because “industries cannot secure their systems alone.”

Prescriptive government guidance that goes beyond migration timelines is essential “because enterprises need clarity on topics such as how to prioritize hybrid deployments, how to assess vendor readiness and how to evaluate long lived data across different business lines.”

Enterprises across different sectors require clarity on practical questions that cannot be answered by high-level timelines alone.

For example, “a financial institution may need to determine which payment channels require immediate hybrid protection while also deciding whether older legacy systems should be retired rather than upgraded.” A hospital network “may need guidance on how to prioritize patient data that must remain confidential for a lifetime while also modernizing medical devices that cannot support the new algorithms.”

To eliminate this ambiguity, industries require “detailed standards, testing frameworks and procurement rules that government and industry must shape together.”

Ultimately, all ecosystem actors have a responsibility to act collectively and pre-emptively to avoid the complacency that endangers Canada’s quantum resilience, rather than reacting only after a quantum attack causes significant harm.

At the end of the day, as Brad reminds us, “technology does not produce quantum resilience.” “Visibility, coordination and shared commitment across government and industry do.”

Cover Photo: AI-generated image by author. ChatGPT. Date generated: December 20, 2025.

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.
