Organizations in the UK face a monumental shift as they prepare for the challenges posed by post-quantum computing. Ollie Whitehouse, CTO of the National Cyber Security Centre (NCSC), emphasized that this transition will far outpace the preparations for the millennium bug in 2000.
The UK’s ten-year strategy for post-quantum cryptography (PQC) involves scrutinizing every piece of cryptographic code to assess its vulnerability to quantum attacks. This effort echoes the extensive work done two decades ago to prevent software failures tied to date calculations.
The looming threat is that advanced quantum computers could undermine essential encryption used in banking and online identities. Nations are also wary of hostile actors collecting sensitive data today, anticipating that these future quantum technologies might crack existing protections.
While predicting the arrival of usable quantum computers is tricky, experts suggest they could emerge as early as the 2030s. The NCSC has mapped out a gradual transition to PQC by 2035, with early adopters already in place. Government departments working on sensitive issues have started using PQC standards, and tech giants like Google are incorporating them into their cloud services.
Today, the NCSC launched a consultancy initiative to aid organizations in implementing PQC in their frameworks. By 2028, companies should pinpoint which cryptographic services need upgrades and craft a migration strategy. The actual upgrades should unfold between 2028 and 2031, culminating in a full transition by 2035.
Security officials stress that the goal is a smooth shift, not a panic response. Small to medium-sized businesses can lean on managed service providers for PQC enhancements. In contrast, larger organizations will need considerable planning and investment to ensure a robust transition.
These guidelines also arm cybersecurity leaders in critical sectors with the information they need to convince their boards of the importance of funding this change. This approach aims to curb pressure from overly eager suppliers pushing premature PQC solutions on crucial infrastructure.
Artificial intelligence further complicates the landscape, shortening the window for firms to safeguard against newly discovered vulnerabilities before they can be exploited by sophisticated automated attacks.
Whitehouse urged organizations to manage their “technical debt,” as rushed software releases can lead to lasting security gaps. Suppliers also must create resilient products to withstand attacks. Failing to do so could lead to repeat security failures seen over the last three decades, with potentially far worse consequences.