Why the NCSC and telecoms firms are at loggerheads over quantum key distribution
(IT.Pro) BT is among a number of companies that have, for years, advocated for the potential of QKD, with the firm behind the majority of recent developments. The National Cyber Security Centre (NCSC), however, hasn’t subscribed to this view, believing the technology is still a considerable distance from maturity.
Duncan Jones, head of cyber security of the quantum computing company Cambridge Quantum, tells IT Pro he wholeheartedly agrees with the NCSC’s position, adding that QKD won’t be suitable for production use for “a while” – potentially five years. In this respect, QKD is similar to 6G; at the moment, the technology is far from maturity, let alone there being any smartphones capable of supporting it. That shouldn’t, however, stop networking firms from exploring 6G, in the same way companies like BT shouldn’t refrain from continuing to research QKD.
In a whitepaper published in March 2020, the NCSC stated it doesn’t endorse the use of QKD, and cautioned against relying on the technology to protect networks. Although the technology has evolved considerably since the start of the pandemic, the NCSC’s position hasn’t. “While the NCSC welcomes continuing research into QKD,” a spokesperson tells IT Pro, “it does not endorse its use in government or military systems and cautions against its sole reliance on networks used by critical infrastructure.
“Developments in quantum computing present challenges to cyber security in the long term that must be managed, and the UK is preparing new technologies to mitigate the threat and protect our digital lives. The NCSC considers quantum-safe cryptography to be the most effective mitigation to adopt, and advice to help organisations prepare for the transition has been published on our website.”
Although QKD promises a secure way of communication that’s “unhackable” by quantum computers, it’s still susceptible to man-in-the-middle (MITM) attacks, in which an exchange between two computer systems is breached by a third party. This is because QKD doesn’t have adequate authentication protocols in place, meaning that a threat actor could pose as person B to person A, and as person A to person B, leading them to believe that they are communicating with each other. Apart from that, the technology is also limited by specific hardware requirements, as well as the assumption the code used won’t contain any exploitable bugs which could sabotage the efforts of ultra-secure communication.
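The authentication gap described above can be seen in a small simulation. This is an added example, not code from the article or from any QKD vendor: it models an idealised, noiseless BB84-style exchange, and the function names, the `psk` parameter and the use of HMAC-SHA256 as a stand-in for an authenticated classical channel are all assumptions made for illustration (deployed systems typically use information-theoretic MACs instead).

```python
import hashlib
import hmac
import secrets

def bb84_session(n=256):
    """One idealised BB84 run. Returns (sender_key, receiver_key, receiver_bases)."""
    bits = [secrets.randbelow(2) for _ in range(n)]
    s_bases = [secrets.randbelow(2) for _ in range(n)]
    r_bases = [secrets.randbelow(2) for _ in range(n)]
    # Same basis: the receiver reads the sent bit. Different basis: random outcome.
    measured = [b if sb == rb else secrets.randbelow(2)
                for b, sb, rb in zip(bits, s_bases, r_bases)]
    keep = [i for i in range(n) if s_bases[i] == r_bases[i]]  # sifting step
    return [bits[i] for i in keep], [measured[i] for i in keep], r_bases

def tag(key, bases):
    """MAC over a basis announcement sent on the classical channel."""
    return hmac.new(key, bytes(bases), hashlib.sha256).digest()

def accepts(psk, bases, received_tag):
    """Check a basis announcement; psk=None models an unauthenticated channel."""
    if psk is None:
        return True  # nothing to verify, so any announcement is accepted
    return hmac.compare_digest(tag(psk, bases), received_tag)

def run_with_relay(psk):
    """Alice and Bob each finish a session, but each one is with a relay in between.

    psk is a key Alice and Bob share out of band; the relay never learns it.
    """
    alice_key, relay_key_a, relay_bases = bb84_session()  # Alice <-> relay
    relay_key_b, bob_key, _ = bb84_session()              # relay <-> Bob
    # The relay has to announce its own bases in Bob's name without knowing psk.
    forged = tag(secrets.token_bytes(32), relay_bases)
    if not accepts(psk, relay_bases, forged):
        return {"aborted": True}
    return {
        "aborted": False,
        # Both sessions are error-free, so neither endpoint sees a disturbance.
        "alice_shares_with_relay": alice_key == relay_key_a,
        "bob_shares_with_relay": bob_key == relay_key_b,
        "alice_equals_bob": alice_key == bob_key,
    }

if __name__ == "__main__":
    print("no authentication:", run_with_relay(None))
    print("pre-shared key   :", run_with_relay(secrets.token_bytes(32)))
```

Without a shared secret both endpoints complete key agreement with the relay and observe no errors; with one, the first forged announcement fails verification and the session is abandoned before any key is used.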
Despite the private and public sector being at loggerheads over the readiness of QKD, Jones believes the technology’s “in a good place” thanks to the multiple grants, funds, and innovation projects that encourage research in the technology. One such initiative is a £10 million partnership between the UK and Singapore to build and fly a satellite QKD test bed. After three years of work, the satellite is set to become operational by the end of 2021.
Research and development of QKD can be described in one way: full steam ahead.