A £2.6 billion programme to transform how the defence and intelligence services are served their cryptographic (“crypt”) keys has achieved ministerial approval for its next phase, the NCSC has revealed.
Efforts to transform and digitalise the crypt-key industry and “comsec” accounting have been ongoing for years, with many more hurdles than most industry leaders in the rare sovereign British sector would like.
Alongside the US, the UK is one of only two suppliers of crypt-key material to NATO, via “DACAN”. (NATO's NCI agency handles the DACAN Electronic Key Management System for NATO-wide distribution of +50000 keys/year).
Thousands of crypt-keys are still physically delivered across the UK via punched tape as well as CD, using technology that dates back to the WW2 era. (The US’s NSA earlier confirmed to The Stack’s founder that its last punched tape key had rolled off its machines on October 2, 2019.)
NSA technical lead: "It came on 5,000-foot rolls"
As the NSA’s Neil Ziring put it to The Stack’s Edward Targett back in 2019:
"[The NSA] used one-time key tape, or produced one-time key tape for our customers, up into the 1970s; it had to be pretty extensive sometimes, in case you had to encrypt a long message.
"[As a result] the blank tape by the 70s was not all paper, it was paper-mylar-paper sandwich for durability, and came on five-thousand foot rolls. That was for straight-up enciphering bits.
"Then you can use the paper tape for the cryptographic key: we used it to initialise military cryptographic devices, because the paper tape was durable, easy to transport and lightweight. The reader to read it was inexpensive to manufacture even with the technology in the ‘60s and ‘70s and the precision didn’t matter. You could basically position it in the reader and pull it through. And even if you had some variation of speed it worked. So it was very durable and well suited to tactical applications. And that that was part of what really led to its popularity.
"Key tape segments were originally shipped around in plastic bags, until the spies Walker and Whitworth used to nick things out of the plastic bags, copy them and the Russians put them back in the bag. That raised the need to protect the tapes and kicked off NSA’s protective technology programs.
"Ever since 1986, paper tapes are delivered in a tamper-resistant plastic canister that was engineered that you couldn’t take it apart without destroying it. There was no particular doctrine for this. It was just obvious to the recipient: ‘Hey, my plastic canister has been destroyed! Maybe I shouldn’t use this!?’
"[We worked closely with military acquisition to get off tape]. It’s very important for us to get in that upgrade cycle, so if they go ‘hey over the next 10 years we’ll be gradually replacing these radios with new ones’ we get in early and say ‘OK the new one is going to have electronic key management. Right. And let us help you with that work’…
"That’s not the only aspect of modernisation. There’s all sorts of reasons to want a newer radio: newer RF wave forms; improved anti-jam and all sorts of other properties that the military wants also require them to upgrade their kit. So trying to surf that wave and make sure that when things are being modernized, that the key management and other cryptographic properties are also being modernised.
Such keys are used to encrypt military and other communications, and need to be physically entered into devices. The technology uses paper-mylar-paper tape rolls punched with holes to store cryptographic keys (a hole represents a binary 1, and the absence of a hole a binary 0).
NCSC annual report suggests progress
But the NCSC’s 2024 annual report [pdf] shared some rare words on the “UK’s sovereign Crypt-Key industry, a national asset” that “collaborated with us throughout 2024 to deliver world-leading encryption products to protect the UK’s most sensitive data, and that of our partners…”
Working with MOD, the NCSC is “leading major transformation” via the Joint Crypt-Key Programme (JCKP), a £2.6 billion initiative that… “provides high-grade cryptography for mission-critical services,” it added.
During 2024 the JCKP won “Ministerial approval of the next major phase of Crypt-Key transformation. This phase will deliver an adaptable and innovative, architecture, ready to face the threats to defence over the coming decades, through collaboration between government and the UK sovereign Crypt-Key industry” the NCSC revealed in a rare comment on the classified programme, which has been beset by a range of issues.
The pace of hardware refreshes by the Ministry of Defence (a co-programme lead alongside the NCSC) along with other change management challenges have delayed industry transformation and the small number of private companies that support the industry have expressed some frustration over the years about progress on this.
(Progress is not tracked publicly, being one of just a small handful of Government Major Projects Portfolio "GMPP" exempt from scrutiny.)
See also: 20,000 Fortinet devices breached by Chinese hackers – reboots, firmware updates no defence
As one industry leader told us back in 2019 when the JCKP was already well underway: “The challenge is that there is such a wide variety of platforms that these devices are installed into: they’re not always online, and they’re not always in-country. You’ve also got the challenge that we need to talk to other people [e.g. other NATO partners], so interoperability issues belong either below, or on top of that too. But with MOD, they live, breathe and sleep handling physical media and accounting for it.
“There’s a massive business change that needs to take place to move away from that. [On the commercial delivery side] With all the evaluation and rigour that goes into these products you can’t churn them very easily. Products used to take eight years to build. That’s now come down to around three years typically, but in this modern age, that’s still too long.”
Another crypt-key company specialist added at the time: "“The government wants a sovereign capability in its secure communications; particularly encryption. And to do that obviously it needs to have a UK industry that supports that. The government could potentially do it itself – but whether that would be efficient, effective or even viable is an open question. So industry steps in. The issue with the UK market is that it is profitable, but it’s unpredictable; it’s non-linear. At the moment it is pretty much a managed market. Government often seems more like a barrier than an enabler. We’re not a huge company, but equally we’re not a startup of the type that Ministers like to champion. So you kind of end up in the middle, where you’re not really part of industrial strategy…”
Quite what this next and ministerially approved phase of the JCKP actually is remains classified, although The Stack can speculate broadly that it involves much more "over-the-air" key updates with the associated digital infrastructure and procurement programmes from these sovereign SMEs to deliver it..
Have things since changed for the better?
Want to talk off-the-record about JCKP progress? Signal @thestack.01
