The National Cyber Security Centre (NCSC), which operates under the UK Government Communications Headquarters (GCHQ), has issued new guidance aimed at preparing organisations for the impending challenges associated with quantum computing. The guidelines focus on the adoption of post-quantum cryptography (PQC), a new encryption method designed to protect sensitive data from future quantum-enabled threats.
Quantum computing promises to bring transformative changes to technology. However, it also threatens the integrity of current encryption standards. Traditional encryption relies on complex mathematical problems that so-called classical computers find difficult to solve. In theory, quantum computers would have the potential to break these encryptions much faster, posing a risk to secure communications, financial transactions, and other protected data. The NCSC’s guidance highlights the need for organisations to adopt quantum-resistant encryption before these vulnerabilities can be exploited.
“Quantum computing is set to revolutionise technology, but it also poses significant risks to current encryption methods,” NCSC chief technical officer Ollie Whitehouse said. “Our new guidance on post-quantum cryptography provides a clear roadmap for organisations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come. As quantum technology advances, upgrading our collective security is not just important – it’s essential.”
NCSC’s PQC migration roadmap
The roadmap outlines a three-phased approach to PQC migration. The first phase, leading up to 2028, involves identifying cryptographic services requiring upgrades and developing a comprehensive migration plan. The subsequent phase, from 2028 to 2031, calls upon the organisations for the execution of high-priority upgrades and ongoing refinement of migration strategies as PQC technology evolves. The final phase, extending from 2031 to 2035, aims for the complete transition to PQC across all systems, services, and products.
For many small and medium-sized enterprises, the shift towards PQC is expected to be integrated into routine service and technology updates. Larger organisations, however, may face a more complex transition requiring careful planning and significant investment.
The NCSC emphasises that early preparation will help ensure a smooth and secure migration, reducing risks associated with rushed implementations. The agency stated that the guidance is primarily directed at technical leaders and risk owners within large-scale enterprises, operators of critical national infrastructure, and businesses with specialised IT systems. It also noted that the intensity and focus of migration activities may differ during the three outlined phases. However, the NCSC contended that adherence to the dates is crucial for making informed investment choices and ensuring a cohesive cybersecurity posture in the quantum age.
Read more: Are harvest now, decrypt later cyberattacks actually happening?
