Friday, March 21, 2025

NCSC proposes three-step plan to move to quantum-safe encryption


The UK’s National Cyber Security Centre (NCSC) has published extensive new guidance to help support organisations as they prepare for the looming IT security risks of the post-quantum world.

Although tantalising in its possibilities, the advent of quantum computing threatens to fundamentally break current encryption methods used to protect sensitive data the world over.

As such, the race is on to develop and deploy post-quantum cryptography (PQC) which, if it can be achieved successfully, promises more secure, quantum-resistant encryption methods that will flummox even the fastest future computers.

In its guidance, the NCSC lays out a three-step timeline for key sectors and organisations to move to quantum-resistant encryption methods, hopefully by 2035, 10 years from now.

The cyber agency believes that if security leaders can start preparing for the transition now, they will lock in a smoother and more controlled migration and reduce the risk of rushed implementations and security gaps.

“Quantum computing is set to revolutionise technology, but it also poses significant risks to current encryption methods,” said NCSC chief technical officer Ollie Whitehouse.

“Our new guidance on post-quantum cryptography provides a clear roadmap for organisations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come.

“As quantum technology advances, upgrading our collective security is not just important – it’s essential.”

The NCSC noted that for many small and medium-size enterprises and organisations, PQC migration will be a relatively routine and smooth process since it will be delivered via managed security services providers. However, for larger organisations and those in critical sectors, PQC will require extensive planning and investment.

By taking proactive steps today, it argued, organisations will be able to help ensure the UK’s digital infrastructure remains robust and secure through the coming changes.

As a first step, organisations should begin work to identify which cryptographic services will need upgrades, and develop a migration plan. Ideally, this should be done by 2028.

The second step, taking place over the subsequent three years from 2028 through 2031, means organisations will need to “execute high-priority upgrades” and refine their plans as PQC technology evolves.

The third and final step, accomplished over the four years from 2031 to 2035, should see a complete migration to PQC for all systems, services and products.

2025 a critical year

Reacting to the NCSC’s suggestions, Greg Wetmore, vice president of product development at Entrust, described the quantum threat as particularly challenging because there is still a significant amount of guesswork as to exactly when scalable quantum computing will arrive.

“When it does, and if we are unprepared for it, there will be an immediate and overpowering vulnerability for all sensitive information. Even the much feared ‘Y2K’ had a fixed deadline. ‘Y2Q’, on the other hand, will arrive one day with no forewarning and change everything,” he said.

“Thankfully, it is possible to prepare for the threat of quantum technology today [and] 2025 is a crucial year for post-quantum preparedness. Organisations are starting to put quantum-safe infrastructure in place, and regulatory bodies are beginning to address the importance of PQC.”

Wetmore told Computer Weekly that establishing post-quantum provisions is important not merely to safeguard against the possible early arrival of quantum computing, but also to protect against the possibility of threat actors harvesting data now and decrypting it later.

“This is where bad actors will steal encrypted information today in order to decrypt it when quantum computers are available, meaning some organisations could well have suffered a significant cyber breach, and they don’t even know it yet,” he said. “Implementing quantum-safe standards and infrastructure is the key to preventing this.”


