NCSC lays out ten-year roadmap to get UK.plc post-quantum secure

Despite uncertainty over technology’s progress

British businesses need to start planning their post-quantum cryptography strategies now, the UK's National Cyber Security Centre has warned, with the organization saying migrations should be complete within a decade.

Rapid advances in quantum computing mean scientists and researchers expect the technology to move from the possible to the practical in the coming years. Or not at all.

This could revolutionize whole areas of research that are beyond the capabilities of “classical computing”. But those areas include the complex mathematics underpinning asymmetric encryption models such as RSA. This would bring the time needed to crack these encryption models from millions of years to mere minutes.

And while suitably powerful quantum computers are, likely, years away, the fear is that hostile entities could harvest encrypted traffic now to decrypt later. The nightmare scenario is that someone secretly develops suitably powerful quantum tech to crack encryption sooner and manages to keep it quiet.

Researchers at NIST unveiled new “post quantum” cryptography algorithms last year, but this raises the question of how organizations actually implement them. Just remember the complexities that came with unpicking the millennium bug in a far less connected age.

The NCSC reassured SMEs that for most, “migration will be routine”, with service providers such as the cloud platforms embedding the new algorithms in their services.

But things will be more complicated for those organizations – mainly larger – with a “mixed estate”. The NCSC recommends setting an initial migration plan, centered on “priority services” by 2028.

The second phase, carrying out the migration of the “highest priority” activities and refining a broader plan, should be achieved by 2031.

That leaves 2035 as the outside target to “complete migration to PQC of all your systems, services and products.”

That sounds straightforward, but as the NCSC notes, migration is “a global-scale change to IT and operational technology (OT) systems, and will typically involve activity that spans multiple leadership cycles in most large organisations.”

It’s not just straightforward enterprise technology that will have to be migrated. Critical national infrastructure, or manufacturing platforms, for example, will be riddled with digital devices that will have to be identified.

But the nature of embedded IoT or ICS devices means they might not be easily accessed or managed, or even have the hardware resources to accommodate the longer keys that the new algorithms generate.

So companies will also have to consider replatforming, retiring devices, running till end of life or simply whether to “tolerate the risk”.

Some sectors will likely need earlier migration, the NCSC added, such as regulated sectors and companies operating in global markets, such as banking and finance, and telecoms.

The NCSC added that it would “soon launch a pilot scheme to assure those consultancy companies that offer support to the discovery, assessment and planning activities.” And it put out a call for companies to come forward and share their experiences and examples of good practice.

The NCSC’s call to arms came just hours after NVIDIA expanded its ambitions in quantum computing, announcing a research centre in Boston to advance the technology in collaboration with quantum compute specialists and academics from Harvard and MIT.

The NVIDIA Accelerated Quantum Research Center (NVAQC) will employ the NVIDIA CUDA-Q quantum development platform, "enabling researchers to develop new hybrid quantum algorithms and applications."

Greg Wetmore, Vice President Product Development at Entrust, said “unlike previous technological advancements and threats, we can only guess at when a scaled quantum computing will arrive. When it does, and if we are unprepared for it, there will be an immediate and overpowering vulnerability for all sensitive information.”

This year was crucial for ‘post-quantum’ preparedness, he said, “because organisations are starting to put quantum safe infrastructure in place, and regulatory bodies are beginning to address the importance of ‘post-quantum cryptography’.”
