Security

G7 Publishes 2030 Deadline for Post-Quantum Migration

Leave a comment

We’re a few weeks into 2026 and the G7 Cyber Expert Group has released their roadmap for post-quantum cryptography transition in the financial sector. While it’s framed as non-binding guidance this document signals regulatory timelines are tight.

Six Phases

The roadmap uses phases to describe the migration pattern: Awareness & Preparation, Discovery & Inventory, Risk Assessment & Planning, Migration Execution, Migration Testing, and Validation & Monitoring.

The visual timeline on page 5 puts “non-critical” system Discovery & Inventory squarely in 2025-2027.

G7 calls this their “sample, illustrative visual summary of the quantum-resistant transition of a notional non-critical system at a financial entity.”

Since we already are in January 2026, your cryptographic inventory for non-critical systems now should be looking at its final year, which means critical ahead of that. And algorithms should be migrating before 2030. Note that their diagram begs the question of a cycle, rather than a linear approach, perhaps as a blog post topic for another day.

More pointedly, the G7 suggests prioritizing critical systems for migration by 2030. A later date is for a comprehensive migration, which means the nearest deadline is for data that actually matters, most likely 2027.

Three Requirements

  1. Comprehensive cryptographic inventory. The document calls for mapping “cryptographic assets, communication protocols, and relevant third-party dependencies.” Not just your certificates. Not just your endpoints. Everything that touches cryptography across your infrastructure.
  2. Quantifiable metrics to track progress. The roadmap emphasizes “mechanisms for ongoing monitoring and recalibration” and metrics that “demonstrate accountability.” Point-in-time assessments won’t cut it. You need to know whether you’re getting better or worse over time.
  3. Third-party visibility. Financial institutions are “highly dependent upon and interconnected with information technology products, vendors and other third-party providers.” Your migration plan is only as good as your visibility into your supply chain’s cryptographic posture.

Beyond Finance

The roadmap is for financial institutions, and these principles apply universally. If you handle sensitive data with long retention requirements the “harvest now, decrypt later” threat cited in the document applies to you today. Anything that is useful five years from today is vulnerable right now. Data encrypted with targeted algorithms and intercepted now can be stored and then broken by quantum computers.

The G7’s complete migration target date of 2035 is when they expect no more classical algorithms in use. The threat window opens much, much earlier. Technically it started years ago.

What To Do

Hello discovery. You can’t plan a migration without knowing what you’re migrating. I speak with a lot of organizations and they are surprised by what they find and where—legacy protocols in production systems, certificates with longer validity periods than their algorithms will remain secure, third-party integrations using deprecated cryptography.

The G7 roadmap explicitly calls for tools for “quantifiable metrics to track progress.” That means every discovery process needs to be repeatable, far beyond manual and one-time audits.

Everyone needs right now to measure their quantum migration velocity, not just document current state risks. The G7 gave us another roadmap, saying what we already should know: the quantum clock has been running.

History, Security

Nelson’s Ghost Chip: Mind the Quantum Gap

Leave a comment

French Admiral Brueys anchored his fleet in a defensive line he considered unassailable at Aboukir Bay in 1798. Armed broadsides faced anyone approaching from the sea. The landward side went largely ungunned.

Mind the gap.

Along came Admiral Nelson who simply sailed the gap and unloaded cannons into the vulnerable French broadside. L’Orient exploded so massively everyone paused in awe at the catastrophic miscalculation.

Perhaps France’s infamously aggressive “move fast, break things” dictator should be referenced today more often as being Mr. Napoleon Blownapart? The gargantuan French warship L’Orient explodes at 10PM. Source: National Maritime Museum, Greenwich, London

Fast forward to France in 1992 when banks deployed chip-and-PIN nationally. They were a decade ahead of others with a celebrated “secure” alternative. Apparently Bernard Vian, then interning at Gemplus, stared into the gap. He says he watched engineers extract PINs from these cards in under ten minutes.

I believed my card was secure. I believed the system worked. But watching strangers casually extract something that was supposed to be secret and protected was a shock. It was also the moment I realized how insecure security actually is, and the devastating impact security breaches could have on individuals, global enterprises, and governments.

The gap was known. The cards shipped anyway, vulnerable like a modern day L’Orient.

Lucky for him he was an intern who calmly sipped espresso while watching the world go up in flames, instead of being a sad conscript of Napoleon blown to bits off the coast of Egypt.

Vian writes that he sees “counterintuitive wisdom” in breaking your own systems. He frames that as philosophical rigor, instead of admitting it’s the norm for survival. In context, we are talking about ancient gap management discipline: document the weaknesses, deploy them anyway, position knowledge asymmetry as a sophistication that nobody should be able to exploit.

The way he uses history, however, gives me some worry about his new product that claims post-quantum readiness. The threat is real. The structure is old.

Brueys knew where his ship was vulnerable. Boom.

Vian knew where his payment card PIN was vulnerable. Boom.

The best question today of quantum readiness and security is more about routine work than any secret squirrel lab and revolution, like do you know which systems rely on classic asymmetric encryption? See the obvious gaps? Vian isn’t asking that.

The engineers who built and work on them… must.

History, Security

Bessent’s Weakness and Desperation on Full Display: US “needs” Greenland

Leave a comment

What’s different between Trump and Hitler is the speed. Hitler took years to move from rhetorical revisionism to Anschluss to Sudetenland.

  • Anschluss logic for Canada (“51st state” rhetoric, economic coercion framing)
  • Sudetenland logic for Greenland (protecting strategic interests, the current holders are inadequate)
  • Panama Canal “recovery” (revanchist claims to previously held territory)

Which crisis do allies prioritize? Which does Congress address first? The media covers each as a separate story rather than a unified program of territorial revisionism.

Shock doctrine applied to imperial expansion. Bessent’s illogical rant today is that he believes “Europeans project weakness. U.S. projects strength”. That is remarkably naked as a statement of might-makes-right ideology, from a very scared sounding man who just says whatever he is told.

Bessent sounds a lot like a scared 16-year-old Hans-Georg Henke, member of an anti-air squad, taken in Germany in the spring of 1945. The photo was reprinted many times, including in school books, and became a famous warning against the horrors of war. Henke had been sent to serve in the army near the East German town of Magdeburg because of insubordination in the workplace.

This administration announced three territorial ambitions rapidly and the Overton window moved instantly to accommodate the debate. We’re now discussing which emergency powers might justify seizing Greenland rather than whether the ambition itself has disqualified Trump from legitimacy.

The debate has already moved past the threshold of democracy into dictatorship without acknowledging it was crossed.

The other difference: there’s no external constraint yet. No larger power to intervene, although it could be China. If Trump continues to fail at democracy, the alignment of Canada and the EU with China becomes the logical counter-balance to American tyranny—the logic America itself used to ally with Stalin to defeat Hitler.

Democratic accountability is being tested to destruction. The mechanisms that would constrain this—congressional war powers, alliance treaties, international law—exist on paper. Whether they function as anything more than paper is now the open question.

History, Security

Trump Sells Venezuelan Oil to Fund Domestic Shock Troops and Concentration Camps

Leave a comment

Mayor Frey called it “shocking” that Trump would invoke the Insurrection Act to deploy troops to Minneapolis.

Shocking? It’s not shocking.

That’s like saying it was a shock when Trump put up Andrew “concentration camp and genocide” Jackson’s portrait in the White House.

Donald Trump’s favorite president: Andrew “white republic” Jackson.

Trump in 2016 said he could murder someone on 5th Avenue, and he meant back then what he has been doing now. He campaigned in 2024 explicitly on using the military domestically. He’s been threatening the Insurrection Act for a year. The 11th Airborne is on standby in Alaska because the military has been getting signals for a decade that they will be used to setup a dictatorship.

The shock was available many, many years ago. Everything since has been the obvious, slow end of democracy.

The last piece was the budget. That’s why Venezuelan oil being seized by America and sold for billions means Trump has no hurdles left.

What’s Already Built

Did you know the concentration camps exist already? ICE plans are headed towards 100,000 beds, to hold political opponents to Trump. Warehouse facilities are being snapped up, designed to hold 10,000 people each, with poor ventilation, inadequate plumbing, and built for things not humans. Notably, already 48% of current detainees have no criminal record, a percentage that is expected to go way, way up.

The troops are deployed. National Guard already rolled into DC, Memphis, and 19 states to prove they would. “Rapid response forces for civil disturbances” were created by executive order. The Pentagon’s new National Defense Strategy prioritizes domestic political operations over foreign threats. Venezuelan oil seized by the military and sold with profits going to a bank account in Qatar for the President, means zero accountability.

You read that right. The American military invaded Venezuela to seize assets and create independent funding to enable their shift to domestic violence, bypassing any and all Congressional oversight.

The legal architecture is in place. DOJ investigating elected officials for public statements. Courts being ignored when inconvenient.

The Historical Base Rate

I looked at authoritarian cases since 1900 where an elected leader attempted Trump-like consolidation.

Mussolini, Italy 1922-25 Consolidated
Hitler, Germany 1933-34 Consolidated
Franco, Spain 1939-75 36 years, died in bed
Pinochet, Chile 1973-90 17 years, never convicted
Marcos, Philippines 1972-86 14 years, then military split
Orbán, Hungary 2010-present Consolidated
Putin, Russia 2000-present Consolidated
Erdoğan, Turkey 2014-present Consolidated
Kapp Putsch, Germany 1920 General strike, 4 days
Nixon, US 1974 Elite defection
Gandhi, India 1977 Called election, lost
Poland 2015-23 Electoral defeat before full capture
Bolsonaro, Brazil 2023 Military refused

Success rate once security services are aligned and no elite defection occurs within 18-24 months: over 80%.

We’re six months away from a lock into the wrong pattern.

The cases where consolidation failed: Kapp Putsch (1920)—general strike shut down the economy in 4 days. Nixon (1974)—elite defection when Goldwater said he’d be convicted. Marcos (1986)—military split plus mass mobilization. Gandhi (1977)—called an election and lost. Poland (2023)—electoral defeat before full capture.

The pattern: elite defection plus mass mobilization, or genuine electoral loss before the system is fully captured.

The Window

The 2026 midterms are in 10 months, so it’s the next six that really matter.

The administration already attacked election infrastructure—purging voter rolls, restricting poll access, limiting election authority independence, gerrymandering maps the Supreme Court allows.

If 2026 elections are compromised, the historical base rate says American democracy is over. The Trump regime ends only when he dies, or the military splits, or the economy collapses so badly the elite defects.

Franco ruled for 36 years and died in bed. Pinochet held power for 17 years and was never convicted. Orbán is at 14 years and counting. Hitler committed suicide.

The window is the next six months.

Because after Trump reaches capture, the base rate for recovery drops to single digits until something breaks catastrophically.

What Closed Windows Look Like

Mussolini consolidated in roughly 18 months. Hitler in about 14. In both cases, people who could have acted earlier said it was “too soon” to panic, then “too late” to resist.

The people performing shock at each predictable step—the mayors, the pundits, the institutional voices—are telling you they won’t act. Their role apparently is to narrate the closing of the window, not to keep it open.

The question is whether anything remains that will stop fascism now, given a historical record is not encouraging about what that something might be.

What stopped it before: general strikes, elite defection, military splits, mass mobilization sustained long enough to matter, or world war.

What didn’t stop it: public statements and lawsuits that get ignored, faith in institutions already captured.

The window is nearly closed.