The Road to PQC-Readiness

The transition to PQC-safeguarded, trustworthy communication and information by a joint undertaking with many stakeholders, their perspectives and interests acknowledged, and managed rigorously can only be accomplished with a suitable project management. The fundamental tasks of project coordination, monitoring, and reporting (to the mandating authorities) of resources, progress, and results are concentrated in a central effort to guarantee highest quality of the project outcome. Hereto, Q-PrEP defines a set of key performance indicators (KPIs) to be monitored, making its progress traceable. The KPIs comprise engagement activities to support synergies among the stakeholders, collaborative actions, conduction of workshops, and the dissemination of (intermediate) results, usually focusing on knowledge exchange between (national) cybersecurity agencies and public administrations. Q-PrEP aims for

• semi-annual collaborative workshops,
• concluding white papers,
• multiple blog entries,
• periodic webinars, sessions, and a newsletter on latest developments,
• an exchange and collaboration platform,
• and everal online surveys

The project coordination & governance enables the purposive collaboration on the key objectives, starting from the establishment of the project network & community. The Q-PrEP community incorporates

• academic and industrial representatives (researchers and institutes, IT experts and providers),
• national and EU-wide cybersecurity agencies (public sector or attached),
• public administrations and attached entities

and will be supplemented by further, prospective members during the project period. The stakeholders are selected by their distinctive expertise and knowledge of PQC, especially when it comes to the representatives from academia and industry and the cybersecurity agencies, but also to preferably cover a wide range of end users and use cases, represented by public entities of different types. Most important, the community is restricted to institutions, companies, and persons from inside the EU. Risk mitigation demands to avoid leakage of information to non-EU entities (private/corporate or public/governmental) while economic robustness asks for an IT supply chain in PQC located inside and distributed all over Europe. The latter requirement underlines the importance to reach full coverage of EU countries by our PQC network and its members. The prospective members of the Q-PrEP community are introduced and invited to the project by a first mailing that also includes an online survey on personal (direct contact address, affiliation, position, etc.) and institutional (background and prior knowledge in the institution, additional person in charge, etc.) information. The aim is to make the concept of PQC known to all stakeholders contacted, while reaching at least a basic idea of the challenge imposed by QC on state-of-the-art encryption in public administrations. The dissemination is supported from the very beginning by an sophisticated communication kit. Subsequently to the introduction and invitation to the project, the onboarding process forms, from a group of committed stakeholders, the Q-PrEP network for raising awareness of PQC in the public sector.

The introductory onboarding is then deepened into specific, collaborative activities of the community, as heading for measures to PQC readiness. The project team of Capgemini Engineering and NMWP coordinates, while fostering the interplay of experts both from academia and industry and national/EU-wide cybersecurity agencies with the public administrations to run a robust network. The technical implementation of the network covers a standard process and a platform for the exchange of ideas, knowledge, and documents, and for collaborative work in general. In a constellation unique to the Q-PrEP project, the public administrations (and connected entities) take the role of the customer or recipient, performing a “knowledge pull” for information and instruction how to implement PQC measures in the setup most suitable to them. Needs and requirements expressed by the public operators are taken up by the cybersecurity agencies which act as drivers or controllers, conducting a “knowledge push” of their expertise into the public administrations. This process comprises measures of information, education, and implementation which are maintained by the project team and broadcasted via the webpage of the project, via targeted mailings or other dissemination measures. The IT manufacturers and service providers do a “knowledge push” of their respective key expertise while incorporating information obtained from the cybersecurity agencies in a “knowledge pull” into their products and services. All the knowledge transfer activities take place in dedicated workgroups to stimulate active engagement and ensure effective and purposive work. The project hosts meetings, topic sessions, and workshops (partially online, e.g. Webinars) including the kick-off meeting. This approach for collaborative activities spreads inside the Q-PrEP community and beyond both awareness and knowledge of technical, legal, regulatory, and other aspects of PQC. The collection of insights and knowledge on PQC technology and its implementation in the context of the public sector serves as the basis of recommendations, white papers, and, finally, the PQC roadmap.

Heading for the final document of the Q-PrEP project, the roadmap PQC for public administrations, the community condenses the results and documents on partial aspects, creating a comprehensive and standardized guide for the implementation of PQC in the public sector. The roadmap aspires to provide PQC-readiness, i.e., to enable coordinated action, implementation, and transition to PQC to be accomplished by public administration entities. Using their decades long expertise in policy on questions of safeguarding IT, here again the European cybersecurity agencies take the lead and ensure the preparation of a document fulfilling all requirements of a guide of highest quality and usability.

The prospect of enhanced cybersecurity resilience and long-term security of sensitive communication and data, plus the contribution to safeguarding critical infrastructure in this respect, emphasizes the impact the PQC roadmap and therefore the full project is supposed to have. This does not only correspond to the primary objective of the work programme cybersecurity issued by the EC but constitutes an important contribution to a cornerstone of European digitalization.

The challenges of the project should, however, not be underestimated. The average level of migration is low so far, both in large parts of industry and almost any public sector entity, though PQC has gained increased interest recently, e.g., for quick implementation in the financial sector. The basis for further advances in realization of PQC is definitely the roll-out of NIST or EU standards, which might deviate from each other for different (technical, regulatory, etc.) reasons. IT manufactures and service providers are not only waiting for the finalization of PQC and algorithmic standards but for the algorithms to become practically available, to incorporate them into their products and services. However, some highly-specialized enterprises (amongst them utimaco, secunet, SSH) in the field of IT and communication security have already integrated PQC measures effectively, conveying optimism that Q-PrEP will end in a significant success.