Post-quantum cryptography, the next evolution of digital security
By Amit Roy Choudhury
Anita Wehmann, programme manager for digital resilience for the Dutch Government, explains how cryptography needs to evolve to tackle cyber risks in the coming age of quantum computers.

During a presentation at the Festival of Innovation, Anita Wehmann made a subtle distinction between crisis management and incident management that needs to be taken into account when handling disruptions, especially those caused by cyber-attacks. Image: GovInsider.
If you were to find yourself on the lovely streets of Amsterdam, a tourist looking for the trendiest shop to buy stroopwafel or the way to The Dam, the best person to run into might just be Anita Wehmann.
That's because she is friendly, approachable, and most importantly, totally unassuming.
But in place of being a tourist, this writer meets Wehmann in Singapore, and so, instead of directions, we speak about how post-quantum cryptography represents a critical evolution in digital security.
In the same friendly and unassuming manner, she explains, in simple terms, why this is essential in the coming age of quantum computers.
Wehmann is the programme manager for Digital Resilience, Central Dutch Government, which is part of the Netherlands’ Ministry of the Interior and Kingdom Relations.
Speaking to GovInsider, on the sidelines of the recent Festival of Innovation, she shares that quantum secure cryptography is a vital part of the Dutch government’s digital resilience programme, which is the main priority of the country’s overall information strategy.
Wehmann, who took part in FOI, was in Singapore as part of a delegation from the Netherlands and she met, among others, officials from the Cyber Security Agency of Singapore (CSA).
What was once a literary sub-genre in science fiction, post-quantum cryptography now represents a critical evolution in digital security and is designed to protect sensitive information from potential future threats from powerful quantum computers.
“Unlike current cryptographic systems that rely on mathematical problems [which are] difficult for classical computers to solve, post-quantum cryptography uses encryption methods also resistant to quantum computational capabilities,” Wehmann notes.
European Commission also on board
In Europe, it is not only governments such as those of Germany, France and the Netherlands but also the European Commission that has recognised the strategic importance of post-quantum cryptography, Wehmann explains.
The Commission has launched a recommendation to develop a coordinated EU implementation roadmap for the transition to post-quantum cryptography (PQC).
The goal of the roadmap is to ensure that digital communications and data remain protected, even as quantum computing technology advances, thereby maintaining the integrity and confidentiality of sensitive information in an increasingly complex technological landscape, she adds.
To develop the EU roadmap on PQC, France, Germany, and the Netherlands co-chair the established EU workstream and work together with 21 other EU member states, the EU Commission and the EU agency ENISA.
As part of this co-chair team, Wehmann helps to establish the roadmap. “No country or organisation can do this in isolation. We need to work together and help each other. This includes exploring opportunities for further collaboration between the Singaporean and the Dutch government on this common challenge”, she notes.
The workstream is currently working on a first paper with recommendations focused on the EU member states. These recommendations involve creating cryptographic inventories, conducting risk assessments, developing a timeline and implementation plan, but also creating awareness among all stakeholders, she explains.
By following the recommendations in the paper, countries are not only preparing for potential quantum threats but are simultaneously improving their overall cybersecurity maturity and organisational security practices, she adds.
Singapore has also been working to develop digital resilience in the era of quantum computers.
In 2023, Singapore launched its National Quantum-Safe Network Plus (NQSN+). NQSN+ is part of Singapore’s Digital Connectivity Blueprint, which outlines the next bound of Singapore’s digital connectivity to 2030.
Netherlands digitalisation strategy
Talking about the Netherlands' One Nation Digitalisation Strategy, Wehmann emphasises that without digitalisation the Dutch government cannot function and “a lot of investments are needed for this”.
There are four independent layers of government in the Netherlands: the national government, provinces, municipalities and the water board.
Because these four layers cannot be digitalised independently, a country-wide digitalisation strategy has been formulated.
The priorities for the strategy include a uniform application of cloud technology and the responsible use and sharing of data across all levels of government.
On top of that, the government will utilise artificial intelligence (AI) while putting citizens and entrepreneurs first.
“We will also strengthen the government’s digital resilience and digital autonomy so that data is secured, and we can provide the continuity of essential services both in normal and extreme conditions,” she adds.
To make all this work, the government has equipped all civil servants with the necessary digital skills, Wehmann says.
Difference between a crisis and an incident
Making a subtle distinction between crisis management and incident management, during her presentation at the Festival of Innovation, Wehmann shares that these two represent distinct approaches to handling disruptions.
Incident management operates within the framework of standard operational procedures, addressing issues through established protocols and routine problem-solving techniques, she notes.
“These are typically predictable scenarios that can be resolved using existing organisational structures, with minimal deviation from normal business operations.”
Crisis management, by contrast, says Wehmann, emerges when an event transcends routine handling and threatens the fundamental functioning of an organisation.
“Such situations are characterised by high uncertainty, significant potential impact on continuity, reputation, and assets, and require an extraordinary response,” she adds.
The key difference lies in scale and complexity.
While incident management focuses on immediate resolution using standard processes, crisis management demands a holistic approach that encompasses not just solving the immediate problem but also managing broader implications, Wehmann notes.
“In the digital age, particularly with cybersecurity challenges, the line between an incident and a crisis can be increasingly blurred, making sophisticated crisis management frameworks crucial for organisational resilience,” she says.
Wehmann notes that having what she calls “a lukewarm phase” bridges the gap between crisis management and routine incident handling.
“During this phase, a dedicated team maintains a 24/7 vigilance, conducting regular team meetings and systematically gathering information about a developing situation, particularly in digital and cybersecurity contexts where threats can evolve rapidly,” she adds.
The lukewarm phase allows teams to track media reactions, assess infrastructure implications, and make timely, adequate responses before a situation potentially transforms into a full-blown crisis, ultimately enhancing overall organisational resilience and response capabilities, she says.
Wehmann’s Festival of Innovation presentation on Crisis Management and Preparedness: Benefits of a Lukewarm Phase can be found here.
She also took part in a Fireside chat on Securing Third-Party Applications and Cloud Infrastructure in Government, which can be found here.