NCSC guidance on planning your PQC migration

This week, the UK’s NCSC (National Cyber Security Centre) published updated guidance on migrating to PQC. ‘Timelines for migration to post-quantum cryptography’ outlines the roadmap that organizations must follow in order to migrate smoothly to full quantum resistance by 2035, and provides some significant advice on planning, developing, and implementing a robust plan for transition.

Clearly, planning is essential to an effective migration, a point that was echoed recently in our PQShield podcast “Shielded” with special guest Bas Westerbaan, Research Engineer at Cloudflare.

“Once you have executive level buy-in, that’s already a huge deal of the work… it’s not as much a technical problem as it is a change management or lifecycle problem. You have to figure out what you need to upgrade, what is urgent, what is less urgent, what are the steps required?” – Bas Westerbaan.

As part of the NCSC’s guidance, the UK-based agency points out a number of steps for planning PQC migration. According to the report, the key phases are summarised as follows:

Define your migration goals

Migration is, of course, about risk mitigation, but it’s likely that the shift to PQC provides an opportunity to address business-specific risks and regulatory requirements, and aim for cryptographic agility with a ‘simplified estate’. Cryptographic agility is the ability of a system to switch as seamlessly as possible to new technology in the face of unknown threats.

Discovery, inventory and assessment 

It’s essential to understand your current digital assets and your hardware and software infrastructure:

  • Key services and applications. What’s high priority and why?
  • Data inventory. Where is your most sensitive data, and what protection mechanisms are currently in place? What about data with long lifecycles?
  • Underlying infrastructure. Are you using on-premise, cloud-based, or managed service providers? What are the conversations you need to have to ensure you can upgrade to PQC in these systems?
  • Assets. Hardware, software, IoT devices, workstations, etc. What assets are in use that require protection?

Migration strategy

The NCSC recommends a clear, appropriate approach for each system, service or product. For example, options could be:

  • Replacing vulnerable PKC components with PQC equivalents
  • Switching platforms to PQC compatibility
  • Retiring a particular service to avoid migration
  • Allowing a system to run until end of life
  • Tolerating the risk, allowing a system to remain unprotected

It’s possible that different systems require different approaches, and the migration plan must be detailed enough to accommodate these variations.

Developing the plan

Initially, migration activities should be carefully planned with timelines for each system, aligned with business continuity plans, cryptographic agility, and potential rollback procedures. It’s important to consider priority services, and identify supply chain components and legacy system risks.

Steps might include research, procurement, commissioning, testing, data backup and rollout – potentially a complex network of activity that will need to be strategically managed.

Interestingly, the NCSC also suggests planning for a period of PKC/PQC co-existence and cryptographic agility in a temporary but useful hybrid solution. It’s a nod to the fact that migration to PQC should be thought of as a journey, rather than a single switch. There might be many migrations involved and each will need careful planning.

Execution of the plan

Prioritized activities should be based on the plan, but it’s likely that refinement will be needed as the PQC ecosystem matures. Testing and validation should form a key part of the strategy, along with a rigorous, data-driven assurance process.

The NCSC publication marks a significant point in the story of post-quantum awareness and the migration. In fact, it pins down a three-phase roadmap for migration revolving around a timeline of phased deadlines:

  • 2028 – define migration goals and build a plan
  • 2031 – high priority migration activity
  • 2035 – complete PQC migrations in all services and products

What’s clear is that the timeline is effectively short, and IT leaders will need to work efficiently and strategically to keep pace with the roadmap.

Conclusion

There’s little doubt that expertise is also required when it comes to identifying and prioritizing vulnerable components, planning the migration journey and refining the plan, whether affected systems have been developed in-house or included as part of a supply chain.

One suggestion is a ‘statement of intent’ to demonstrate to customers, suppliers and stakeholders that you are actively addressing the threat.

“This statement of intent,” concludes the NCSC in ‘Next steps’ “…could include recognition of the quantum threat, your proposed responses, level of ambition and timelines, and the desired end-state. This will help suppliers understand the demand for PQC migration and bring post-quantum secure products to market.”

Successful migration is a journey that includes good asset-management, actively managed supply chains and strategic involvement at every level of an organization. At PQShield, we go together with you to make that journey as smooth and as efficient as possible, staying, as ever, one step ahead of the threat, and focused on a quantum-secure future.

You can view the NCSC report in full here and listen and subscribe to the PQShield Podcast “Shielded – the last line of cyber defense” here: Apple, Spotify.