The UK's cyber security agency has issued guidance to help the nation prepare for imminent threats posed by adversaries wielding quantum computing technology.
The National Cyber Security Centre (NCSC) outlines a three-phase timeline for organisations to transition to quantum-resistant encryption methods by 2035.
The move emphasizes the importance of post-quantum cryptography (PQC) – a new type of encryption designed to safeguard sensitive information from the future risks posed by quantum computers – to protect everyday citizens.
“While today’s encryption methods – used to protect everything from banking to secure communications – rely on mathematical problems that current-generation computers struggle to solve, quantum computers have the potential to solve them much faster, making current encryption methods insecure,” the NCSC explains. “Migrating to PQC will help organisations stay ahead of this threat by deploying quantum-resistant algorithms before would-be attackers have the chance to exploit vulnerabilities.”
Post-quantum cryptography (PQC) – also referred to as quantum-proof, quantum-safe, or quantum-resistant – is a new application of cryptography involving hard-to-crack algorithms designed to be secure against a cryptanalytic attack using an advanced quantum computer.
Quantum computers are still in their infancy and lack the power to break widely used cryptographic algorithms. However, cryptographers anticipate a “Q-Day,” when current algorithms become vulnerable to attacks via quantum computers – a considerable leap from traditional computing relying on basic, binary operations.
PQC technology feeds intricate mathematical concepts into the data encryption process – the integer factorization problem, the discrete logarithm problem, or the elliptic-curve discrete logarithm problem – keeping even the quantum hackers of tomorrow at bay.
The new guidance encourages organisations in key sectors like banking and telecoms to begin preparing for the transition now “to allow for a smoother, more controlled migration that will reduce the risk of rushed implementations and related security gaps.”
The agency says small and medium-sized businesses will find it relatively easy to migrate to PQC, “as service and technology providers will deliver it as part of their normal upgrades.”
However, for some larger organisations, like those handling critical infrastructure for the country, “PQC will require planning and significant investment,” the notice warns.
The three-phase initiative is described as follows:
· To 2028 – identify cryptographic services needing upgrades and build a migration plan.
· From 2028 to 2031 – execute high-priority upgrades and refine plans as PQC evolves.
· From 2031 to 2035 – complete migration to PQC for all systems, services and products.
“Primarily, migration to PQC is a mitigation to a cyber security threat,” the NCSC stresses. “This currently comes from the cryptographic risk that quantum computing poses […] Although the core timelines are relevant to all organisations, this guidance is primarily aimed at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure systems including industrial control systems, and companies that have bespoke IT.”
In plain English, the initiative aims to protect critical infrastructure from adversary states launching cyberattacks, and to protect the companies you do business with from data breaches.
Implemented correctly and within the recommended timeline, PQC will make it hard for cybercriminals to read data even after a successful breach, reducing the risk of compromise on things like credit card information, passwords, citizenship information (like your Social Security Number), healthcare records, or any type of personal data that large organisations have on file on you.
“As PQC adoption becomes more widespread in the future, those who do not migrate in a timely way will end up running significant legacy estates,” NCSC warns.
In other words, cybercriminals will be targeting “unpatched” IT networks and data centers more eagerly than ever, while regulators will make quick work of organisations found non-compliant.
The agency will soon launch a pilot program to ensure that consultants are equipped to support the discovery, assessment, and planning activities.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.