The transformation required for organisations in the UK to be ready for the threat of post-quantum computing (PQC) will be “colossal”, according to the chief technology officer (CTO) of the National Cyber Security Centre (NCSC).

Speaking at the security agency’s conference, Ollie Whitehouse said that preparing for a post-quantum world will take “a complex change programme that makes fixing the Millennium Bug look easy.”

He warned that autonomous technology has cyber-physical implications with real-world impact and to prepare for this, organisations must learn from the past and make incentives available to produce and consume secure technology.

White added that all organisations must better manage their technical debt and called on vendors to design and sustain their products and services in a way that builds competitive advantage and unlocks sustainable, corporate value whilst being sufficiently resilient.

He warned that not doing so risks repeating avoidable security failures that have manifested since the rise of the internet.

The NCSC, which is a part of GCHQ, said it will announce the launch of a new assured PQC consultancy scheme to offer help and expertise to organisations at the conference.

The organisation says that this will bring PQC expertise to the marketplace and ensure that high calibre skills will be available at the scale the UK needs.

In March, the NCSC published a timeline for organisations to ensure they can efficiently protect themselves against quantum-based cyber hacks.

The organisation says that by 2028, companies should both identify the cryptographic services that need upgrades and build a migration plan.

From 2028 to 2031, the NCSC said firms should execute high-priority upgrades and refine plans as PQC evolves.

By the third phase of the timeline from 2031 to 2035, all organisations should have completed migration to PQC for all systems, services and products.

“Technology continues to diversify in terms of supply and is becoming increasingly complex and investment in technology continues to grow with little incentive to deliver cyber resilient solutions,” White said. “Without radical and sustained interventions, we are at real risk of repeating the last 30 years but with far graver consequences if we do not address the fundamental market failures which have manifested.”

---