We submitted to the DPMC critical infrastructure consultation — here’s what we said
Today, on the closing day of the consultation, we submitted our formal response to the Department of the Prime Minister and Cabinet’s Discussion Document on enhancing the cyber security of New Zealand’s critical infrastructure system.
Our submission focuses on a gap we identified across all three published consultation documents: there is no substantive mention of cryptography, cryptographic agility, post-quantum cryptography (PQC), or NZISM Section 2.4. A full-text search of the main document and both supplementary documents returns only incidental matches — “NZISM” cited in passing when defining a “serious impact” incident, and “quantum” used in its legal sense (“penalty quantum”).
This matters because the framework being proposed will govern how New Zealand’s most essential services defend themselves for the next decade — a period during which the cryptographic foundations of the internet are expected to change fundamentally.
What we submitted
Our submission makes three recommendations:
- Measure 5 should explicitly require a cryptographic inventory as part of the mandatory risk management programme — so that critical infrastructure entities know which cryptographic primitives their essential services depend on.
- The framework should recognise harvest-now, decrypt-later (HNDL) as a material cyber risk for data with long confidentiality tails — health, legal, financial, state-related, and industrial IP.
- NZISM should be explicitly listed among the acceptable cyber security frameworks under Measure 5, alongside NIST CSF and ISO/IEC 27001:2022 — and compliance with any listed framework should include its cryptographic controls, not just governance and process controls.
The evidence base
The submission is backed by our NZ Critical Infrastructure PQC Readiness Assessment — a scan of 118 NZ critical infrastructure entities across all seven DPMC essential service sectors. The headline finding: 52.6% of endpoints negotiate post-quantum TLS, but most of that post-quantum support is delivered transparently by CDNs. Only 13 entities (11%) run post-quantum key exchange on infrastructure they operate themselves.
We also set out how the threat timeline has hardened over the last twelve months — Gidney’s 2025 qubit reduction, Google and Cloudflare’s 2029 migration targets, and Google Quantum AI’s March 2026 ECC paper — and why New Zealand is currently alone among the Five Eyes in not having set a formal PQC migration deadline.
Read the full submission
The full submission PDF is published openly:
We consented to full publication under the Official Information Act 1982. We believe this conversation should be had in the open.
What happens next
DPMC will review submissions and use them to inform the drafting of the Critical Infrastructure Bill, expected to be introduced later in 2026. We hope the final framework recognises that cryptographic posture is not a niche concern — it is foundational to every other cyber security control the regime proposes.
If your organisation handles data with a long confidentiality tail and you want to understand your own cryptographic exposure, get in touch.
Kaysec is the post-quantum security practice of Spinsphere, a New Zealand-based quantum technology company. We help NZ organisations with cryptographic inventory, HNDL risk assessment, and PQC migration planning.