UK cybersecurity agency urges organizations to migrate to PQC by 2035
The British National Cyber Security Centre has issued new guidance on post-quantum cryptography for large organizations including vital infrastructure, with the goal of preventing future quantum technology hacks.
Threat to encryption
The British National Cyber Security Centre (NCSC) warns that quantum computers, though still in development, will eventually be capable of solving the complex mathematical problems that support asymmetric public key cryptography - a widely used encryption method in everyday applications such as mobile phones and online banking. With their immense computational power, quantum computers pose a significant threat to encryption, the NCSC highlighted.
The new guidance encourages organizations to begin preparing for the transition now to allow for a smoother, more controlled migration that will reduce the risk of rushed implementations and related security gaps. It outlines three phases for migration:
- To 2028 – identify cryptographic services needing upgrades and build a migration plan.
- From 2028 to 2031 – execute high-priority upgrades and refine plans as PQC evolves.
- From 2031 to 2035 – complete migration to PQC for all systems, services and products.
For many small and medium-sized businesses and organizations, transitioning to PQC will be straightforward, as service and technology providers will include it in their regular upgrades. However, larger organizations may face a more complex process, requiring careful planning and substantial investment, the NCSC added.
PQC Migration Handbook
The guidance is similar to the PQC Migration Handbook, published by the AIVD, CWI, and TNO. This handbook provides organizations with concrete steps and advice to mitigate the threat quantum computers pose to cryptography.
Experts predict that by around 2030/2035, sufficiently developed quantum computers will be available to be of practical use, the AIVD states. However, it adds that “the point at which quantum computers will pose a threat to currently used cryptography is unpredictable.”
Store now, decrypt later
Quantum computers are not a future threat, the White House warned last year. Malicious actors are already pursuing a “store now, decrypt later” strategy, collecting encrypted data to decrypt later with quantum computers.
Certain organizations must therefore already start working on solutions now, the PQC Migration Handbook notes. This includes those handling data that must remain confidential for at least 20 years, as well as organizations developing systems with a long lifespan.
Additionally, the Dutch National Cyber Security Centre and Digitale Overheid advise organizations to draw up an action plan. This should clarify within which timeline measures must be taken to protect data from quantum computers.
