UK NCSC Sets 2035 Deadline for Post-Quantum Migration

The British cybersecurity agency urged critical infrastructure operators to adopt to post-quantum cryptography by 2035 as it and other government agencies prepare for the inevitability of quantum computers capable of breaking current encryption algorithms.

See Also: Embrace Full-Scale Cloud Adoption with a Comprehensive Cloud Data Management Strategy

The National Cyber Security Center on Thursday released a three-step post quantum migration guidance “primarily aimed at technical decision-makers and risk owners of large organizations, operators of critical national infrastructure systems including industrial control systems, and companies that have bespoke IT.”

The agency proposed three staggered deadlines for companies. It says they should assess their IT systems and prepare a migration plan by 2028, switch high-priority systemsd to post-quantum encryption by 2031, and complete overall migration by 2035.

“Organizations should use migration as an opportunity to build broader cyber resilience into their systems,” the NCSC recommended.

Quantum computing today is still more research project that reality but scientists and government officials alike have warned that the transition to post-quantum computing should already be underway.

Most experts anticipate that a “cryptanalytically relevant quantum computer” – as it is known – will likely come online in the first years of the coming decade. Whichever national government controls the computer could use it to read sensitive information encrypted with algorithms built to resist the onslaught of traditional computers rather than superfast computers that use atom-level states of uncertainty.

The U.S. National Institute of Standards and Technology, a global trendsetter for cryptographic standards, in August 2024 finalized three post-quantum encryption algorithms (see: US NIST Formalizes 3 Post-Quantum Algorithms).

Google and Microsoft are among the tech giants that announced plans to integrate post quantum capabilities into their products.

Organizations should consider upgrading to platforms that support post-quantum cryptography, replacing the vulnerable public key cryptography components and retiring existing IT services as part of the migration, the NCSC said.

Two likely challenges will be replacing existing web public key infrastructure and industrial control system protocols, due to their non-compatibility with the post-quantum cryptography.

“For both these reasons, your initial migration plans should include enough flexibility to adapt to future ecosystem developments,” the NCSC said.

Systems that rely on RSA and ECC cryptographic algorithms will “struggle to integrate new algorithms,” said Tim Callan, chief compliance officer at certificate lifecycle management company Sectigo.

Older systems qill require “a significant overhaul of existing technology,” he told Information Security Media Group. “Organizations need to act now to carefully plan and execute their transition – while challenging – to ensure they remain secure and compliant in the quantum era,” Callan said.