With data centres now Critical National Infrastructure, the UK must prioritise quantum security to safeguard vital systems against emerging cyber and physical threats, says Ben Packman, Chief Strategy Officer at PQShield.
The UK Government has designated data centres as Critical National Infrastructure (CNI). This means that the government can intervene quickly and give extra support to protect data centres from critical threats, helping to respond rapidly to security incidents.
This is a necessary and long-awaited step. Data centres play an increasingly vital role, supporting the operations of the NHS and protecting sensitive information flowing through our financial and communication networks. CNI designation means that the government affords the same protection to data centres as it provides to hospitals, nuclear facilities, and communications hubs, and signals a recognition of their strategic function in our digital economy as well as an intention to invest in their security and resilience going forward.
CNI designation not only ensures a swift government response to physical threats – it also provides additional safeguards for them against cyber attacks. This comes at the beginning of a major revolution in cybersecurity that the entire technology supply chain, including data centres, will need to take into account – the transition to quantum security.
The quantum threat
The development of quantum computers is going from strength to strength, and with that comes the ability to solve complex problems. However, quantum computers could also pose an existential threat to data security. It is expected that quantum computers will soon be able to crack our current global encryption methods, rendering sensitive data vulnerable to an attack, particularly if legacy data has already been obtained in a ‘harvest now, decrypt later’ attack.
In response, the cybersecurity community has proposed new encryption methods in a field known as post-quantum cryptography (PQC). These advanced PQC techniques, based on mathematical problems that would potentially be unsolvable by a quantum or classical computer, are designed to resist attack and protect sensitive data.
After an eight-year standardisation process initiated by the National Institute of Standards and Technology (NIST), a select group of PQC standards were released earlier this year.
The NIST PQC standards fired the starting gun on a global compliance process. The US Government has already mandated that national security systems adopt NIST’s standards (as set out in the Commercial National Security Algorithm Suite (CSNA) 2.0) with a timeline for cloud services and traditional networking infrastructure to begin the transition by 2025 and 2026 respectively, and to then be exclusively using PQC by 2033 and 2030. Meanwhile, tech giants such as Google, Apple and Meta have already begun.
With data centres now designated as CNI, protecting them from the quantum threat should be a priority.
How data centres can protect against quantum attacks
There are some immediate steps data centres can take, as well as some long-term planning processes to consider. CNI designation gives the government the impetus to invest in these steps, and collaboration with security authorities will be key to progressing data storage and management on the PQC journey.
The first step is to establish a roadmap to quantum readiness. The UK’s National Cyber Security Centre (NCSC) has recommended that preparing this should be a priority now, due to the scale of the migration. As data centre storage is now considered CNI, the government’s priority should be to help and support data centres to carry out a full cryptographic audit.
Managing encryption for data centres is complex – multi-cloud architecture and legacy hardware can lead to key management challenges and inconsistent protocols that only make the process of migrating to PQC more complicated. Data centres need to understand which elements of their operating systems, hardware and software are vulnerable to quantum attacks, paying close attention to points where the most sensitive data is stored and exchanged. Any PQC migration should prioritise the most sensitive data first.
This is a detailed process – data centres should also be inspecting their supply chain to understand where vulnerabilities occur. Increasingly, hardware manufacturers (including semiconductor producers) are building PQC-native products based on NIST’s standards. Prioritising PQC-enabled technology will help protect from future attacks, but adding new encryption also brings forward a range of new technical challenges, not least maintaining high performance and low latency. Governments can support this process by helping connect data centres to expert PQC vendors, many of whom can also carry out the initial cryptographic audit.
Hybrid encryption schemes, combining traditional cryptography with PQC, will also be a key stepping stone on the long transition to quantum security. These schemes help manage the transition by providing powerful combinations of classical and post-quantum techniques.
Preparing for the quantum future
With CNI designation, the government has incentivised the need for data centres to protect themselves against cyber threats as well as physical ones. Further incentivisation towards PQC would help secure this transition – collaborating closely with PQC vendors, and working with international security organisations across the private sector, to ensure that no-one is left behind during this global transition.
This is likely to be a gradual rollout over the next five to 10 years. In the interim there will certainly be competition as the market for quantum-secure tech opens up, driven by customers who need to ensure regulatory compliance.
In the UK, data centres support and safeguard everything from financial transactions, NHS patient records, personal, business, and government communications. The downstream impact of PQC for data centres is unprecedented. CNI designation is an important first step. Now the global technology community needs to unite to make sure that infrastructure is given the protection it needs to resist future threats.
