The UK’s official National Cyber Security Centre (NCSC) has issued guidance for large organisations to protect themselves from the threats posed by quantum computing.
The Centre suggests that by 2028, you should carry out a full discovery exercise (assessing your estate to understand which services and infrastructure that depend on cryptography need to be upgraded to post-quantum cryptography – PQC for short); and build an initial plan for migration. The guidance suggests a three-phase timeline, and ‘complete migration to PQC of all your systems, services and products’ by the year 2035. The guidance is mainly aimed at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure systems including industrial control systems, and companies that have bespoke IT. Industry sectors will have different states of ‘cryptographic maturity’, as the document puts it. For many small and medium-sized businesses and organisations, migration to PQC will be routine, as service and technology providers will deliver it as part of their normal upgrades, the NCSC says.
NCSC Chief Technical Officer Ollie Whitehouse said: “Quantum computing is set to revolutionise technology, but it also poses significant risks to current encryption methods. Our new guidance on post-quantum cryptography provides a clear roadmap for organisations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come.
“As quantum technology advances, upgrading our collective security is not just important – it’s essential.”
Briefly put, encryption methods – as used to protect banking, secure communications and so much in between – rely on mathematical problems that current-generation computers struggle to solve. However, quantum computers have the potential to solve them much faster, making current encryption methods insecure.
Comments
Daniel Shiu, Chief Cryptographer of quantum-resistant encryption product firm Arqit, welcomed the “Timelines for migration to post-quantum cryptography”. He said: “As one would hope from a technically capable and influential organisation, the advice is concise, specific, and achievable.
“The capability to act on the advice will vary from organisation to organisation. It’s not trivial even to complete the first step of understanding your current usage of cryptography. The challenges of then understanding which systems will need changing, which have an easy fix, which are less urgent, and which will require significant effort starting as soon as possible require specialised skills that may be outside of the expertise of highly-qualified security experts.
“Even with the necessary cryptographic expertise, there will still be the challenges of deploying agile solutions (to cope with sudden catastrophic cryptographic failures such as SIKE or Rainbow) or which satisfy the security advice of all jurisdictions where the organisation operates (the advice of the NCSC offers different nuance to US advice, the EU varies from both, and nations such as Ukraine, Korea, China, and Russia all propose national alternatives).
“Organisations can best navigate the ever-changing journey to quantum safety with the support of partners in encryption expertise. For example, Arqit and its partners Ampliphae developed their Encryption Intelligence product which helps with the first steps in NCSC advice: carrying out a full cryptographic discovery and building an initial plan for migration. This can identify all uses of the major cryptographic protocols on your network, and highlight those that will be quantum-vulnerable.
“From there it can be determined whether the issue can be corrected by a quick fix such as a change of configuration on a VPN or a browser, or whether service providers you use will need to upgrade their offer. Overall, this can help you identify the most challenging migration problems – those in embedded systems or with necessary legacy requirements – that will require the longest path to safety and offer options to how it might be achieved.”
David Higgins, Senior Director, Field Technology Office, at the cyber firm CyberArk, said: “The NCSC’s warning highlights a critical risk – one that is often overlooked or deprioritised in favour of more immediate threats. But when quantum computing reaches its full potential, it won’t just be able to break encryption, it could expose machine identities – the digital credentials that help computers, applications and devices securely communicate and verify each other online, and that underpin digital security.”
He pointed to a ‘state of machine identity’ study by the firm that found nearly half (43pc) of UK organisations have suffered breaches due to compromised machine identities in the past 12 months. “Quantum computing is advancing quickly and over three quarters (76pc) of security leaders anticipate the number of machine identities to grow by as much as 150pc in the next year, so the stakes are only getting higher. Organisations must act now to secure their growing number of machine identities before quantum threats become reality.”
And Tim Mackey, head of software supply chain risk at Black Duck, said: “Developing a quantum resilient cryptographic strategy requires holders of data to understand how the data they’ve collected or been entrusted with is accessed, stored, managed, and modified. Since the starting point is an inventory of systems that interact with data and the cryptographic operations those systems perform, organisations should identify whether cryptographic operations occur within software their team authored, systems or devices that were procured, or software from 3rd parties – including open-source and AI generated code, or via contracted development. Once this segmentation occurs, the organisation can determine who is responsible for addressing each instance of cryptographic use and triage their efforts to prepare for a quantum resilient future.”
Where to go
To view the guidance, visit https://www.ncsc.gov.uk/guidance/pqc-migration-timelines.





