Last week the NCSC published a report outlining a timeline by which organisations must migrate safely to post-quantum cryptography (PQC), as the development of more capable quantum computers raises the risk that such machines will soon crack traditional encryption measures.
The threat to cryptography from future large-scale, fault-tolerant quantum computers is now well understood. Quantum computers will be able to efficiently solve the hard mathematical problems that asymmetric public key cryptography (PKC) relies on to protect our networks today. However, the national migration to post-quantum cryptography (PQC), mitigating the threat from future quantum computers, is a mass technology change that will take a number of years. To provide a more practical roadmap, the NCSC has outlined three key milestones for organisations:
By 2028: Define migration goals, carry out a full discovery exercise (to understand which services and infrastructure that depend on cryptography need to be upgraded) and build an initial plan for migration.
By 2031: Carry out your early, highest-priority PQC migration activities, and refine the plan to create a thorough roadmap for completing migration.
By 2035: Complete migration to PQC of all systems, services and products.
Although the core timelines the NCSC outlines are relevant to all organisations, this guidance is primarily aimed at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure systems including industrial control systems, and companies that have bespoke IT. Different sectors will have different current states of cryptographic maturity, but the underlying message is that the organisations most at risk need to start preparing now so that such programmes are underway in the next 3 years.
It is worth noting that most of the work needed to prepare for and deliver a successful migration involves activities that are central to good cyber security practice. The NCSC recommends organisations should use PQC migration as an opportunity to build broader cyber resilience into their systems.
In our conversations with IT suppliers, the cybersecurity risk from quantum computers has regularly been cited as one of the main conversational drivers around quantum computing. Despite the fairly lengthy timelines to complete such migration activities, especially compared with, say, AI adoption, the higher complexity of PQC, combined with uncertainty surrounding how quick the progression of quantum machines will be, is already driving many organisations to take action. We highlighted this driver in our report last year looking at the progression of quantum technologies and the suppliers seeking to take advantage of the opportunity. TechMarketView subscribers can read the report here: Quantum acceleration is on the horizon