Get started on post-quantum encryption, organizations warned
The NCSC has published advice on the transition, with a ten-year timeline for change

The UK's national cybersecurity agency is urging companies to begin preparing for quantum threats, with a target of full migration by 2035.
The National Cyber Security Centre (NCSC) has laid out a recommended timeline for transition to quantum-resistant encryption methods, and is strongly encouraging the adoption of post-quantum cryptography (PQC) in the next ten years.
"Quantum computing is set to revolutionize technology, but it also poses significant risks to current encryption methods," said NCSC chief technical officer Ollie Whitehouse.
"Our new guidance on post-quantum cryptography provides a clear roadmap for organizations to safeguard their data against these future threats, helping to ensure that today's confidential information remains secure in years to come."
The public key cryptography (PKC) used today depends on the difficulty of carrying out complex calculations - calculations that quantum computers will be able to solve with ease. PQC, by contrast, is based on mathematical problems that quantum computers can't easily solve.
The advice - aimed mainly at large organizations, critical national infrastructure operators, and companies with bespoke IT - has three major milestones.
By 2028, organizations should have identified which cryptographic services need upgrades and created a migration plan.
Between 2028 and 2031, they should carry out the more high-priority upgrades, and refine their plans as PQC evolves; and by 2035 they should have migrated completely to PQC for all systems, services, and products.
Quantum leap not too far for small businesses
The move shouldn't be too daunting for smaller businesses, the NCSC noted, as service and technology providers will deliver PQC as part of their normal upgrades.
However, it will be a bigger deal for some larger organizations, requiring planning and significant investment.
"Taking inventory of cryptographic assets is going to be a critical step. Businesses cannot manage what they don’t know they have," advised Jason Soroko, senior fellow at Sectigo.
"Part of this inventory needs to also be the most important secrets that they are transmitting over an encrypted session using RSA or ECC cryptographic algorithms. That ensures that they know how to prioritize a mitigation strategy."
The NCSC said it plans to launch a pilot scheme to put organizations in touch with consultancy companies offering support with their discovery, assessment, and planning activities.
The agency is also keen to see organizations share their own experiences, and examples of good practice, perhaps through their relevant industry bodies or in regulator forums.
Post-quantum hardware and software firm PQShield was involved in the development of the global standards for PQC, and its co-founder and CEO Ali El Kaafarani said that higher layers of the supply chain, such as semiconductors and OEMs, have already started carrying out their own transition roadmaps.
"By 2028, I very much expect the majority of semis and OEMs to have their main product lines post-quantum enabled, which will have the door wide open to the rest of the supply chain, be it telecom, financial, energy, or healthcare, to continue executing their transition roadmaps with actual post-quantum enabled devices or protocols," he said.
"This transition to new cryptographic standards will be the most significant technological shift we have faced this century. IT leaders in every business need to have the PQC transition on their agenda and allocate the time and resources necessary to deliver it, or they risk falling behind the timeline."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.