
According to the NCSC’s timeline, organisations in the UK should migrate all of their systems to post-quantum cryptography by 2035.
The UK’s National Cyber Security Centre (NCSC) has issued guidance today (20 March) on how the country can prepare for future quantum-driven cyberattacks.
The guidance outlines a three-phase timeline of recommendations designed to help key sectors and organisations prepare for the transition to quantum-resistant encryption methods by 2035.
In particular, the NCSC has emphasised the importance of adopting post-quantum cryptography (PQC), which is a new type of encryption designed to protect sensitive information and data from future quantum-enabled cyberthreats.
The cybersecurity agency has urged organisations to start preparing now, and has outlined milestones and objectives as part of its recommended timeline.
The NCSC stated that, by 2028, organisations should have identified the cryptographic services that need upgrades and built a migration plan accordingly.
From 2028 to 2031, the agency advised entities to carry out their early “high-priority upgrades” and refine their plans as PQC evolves. Finally, by 2035, organisations are encouraged to have completed the migration to PQC for all systems, services and products.
While the NCSC advised that PQC migration be completed by 2035, it acknowledged that the migration deadline may be difficult to achieve for a “small set of more rarely used technologies”, which may affect certain sectors, such as those with complex physical infrastructure.
Commenting on the guidelines, senior fellow at Sectigo Jason Soroko said that taking inventory of cryptographic assets is going to be a “critical step”.
“Businesses cannot manage what they don’t know they have. Part of this inventory needs to also be the most important secrets that they are transmitting over an encrypted session using RSA or ECC cryptographic algorithms,” he said. “That ensures that they know how to prioritise a mitigation strategy. All of the above will require a top-down driven approach that will need a cross-disciplinary team.
“In other words, C-level risk owners are required to drive this work to completion, and it will take more than just technical people to solve it.”
Today’s prep for tomorrow’s threats
The subject of quantum cryptography, which uses naturally occurring properties of quantum mechanics to secure and transmit data in a way that cannot be hacked, has been gaining momentum across the cybersecurity world, as the realities of a post-quantum age draw closer.
Earlier this year, PQShield’s chief strategy officer Ben Packman spoke to SiliconRepublic.com about the importance of integrating PQC sooner rather than later, as threat actors continue to carry out ‘harvest now, decrypt later’ attacks.
Harvest now, decrypt later refers to a method by which threat actors gather encrypted, sensitive data that they are unable to crack and hold it until they can use quantum technology to decrypt it.
Packman explained that organisations should start preparing now, especially since it won’t be immediately clear when quantum technology capable of breaking current encryption methods is actually realised.
“If you’d broken RSA and ECC, like, why would you tell everyone? Right? You wouldn’t. You’d just happily sit there reading everybody’s information and having a lovely time and taking that advantage,” he explained.
“It’s going to become apparent at a point in time. There is no Q-Day, as some people like to call it. It’s happening all the time, it’s evolving all the time.
“The hacking is already happening, the harvesting is already happening and, as they say, the person who actually does do that breakthrough or the nation that does do that breakthrough is not going to broadcast it and certainly not going to do a press release I would imagine.”