Guest blog by Dr. Daniel Shiu, Chief Cryptographer at Arqit Quantum Inc. #techUKCyberInnovation
The time is now
It is globally agreed that the world needs to rethink its usage of cryptography and migrate away from legacy methods to secure the twenty-first century Internet. This is potentially an exceedingly long journey that might take years or decades to complete; how then should we start? The experts studying the challenges of migration agree that the first step for cryptography users needs to be discovery and inventory of their current use of cryptography. Unfortunately, they offer less advice on how users are supposed to take this first step. For almost all users, cryptography is not a hands-on experience; understanding the subject requires great expertise. Most consumers rightly look to cryptography to quietly perform its job unnoticed. This is true even at the Sys Admin and CISO level.
People will need help to take that initial step of cataloguing and understanding their network’s use of cryptography. This creates a demand for Cryptographic Inventory as a service. This allows companies to identify, organise, assess, and adjust the totality of their encryption usage, and get ahead of the game of upgrading their cryptography for the twenty-first century. In this piece, we will walk you through the stages of what a good Cryptographic Inventory service can and should provide.
Discovery
Experienced security professionals know that almost all Internet encryption makes use of a small handful of protocols, whose connections can be tied closely to port numbers on an enterprise’s computers. With light-touch probing, it is easy to identify the usage of the protocols and the other end of the connection whether inside or outside of the home network. External connections can often be geolocated so that users understand their use of Internet services based in other countries and decide if this represents a risk.
The scanning can also identify which version of a protocol is being used, and whether that version is considered legacy or future-proof. An in-depth understanding of the internals of a protocol also allows the service to identify the cryptographic building blocks that have been chosen in that instance to authenticate the communicators and secure their data in transit. Again, some of these choices might have been made a long time in the past, and better options could be possible today.
Reporting
Generating the information in the Discovery step is important, but data is only as useful as it is easy to consume. Cryptographic Inventory tooling therefore needs to process the Discovery findings to make them easier for the network owner to understand. User experience is key here. Interactive summary screens give an overview of the full estate, but Cryptographic Inventory should also provide the user with the ability to drill down for more detail.
Analysis
Being aware of the cryptography that is used within a network is important, but distinguishing legacy cryptography from current best practice, and from methods resistant to future attacks, is not straightforward. Good Cryptographic Inventory should triage out deprecated cryptography such as MD5, DSA, or RC4. It should also be quick to identify uses of cryptography that are known to be vulnerable according to CVE databases. It should compare key sizes used for other algorithms against the recommendations of standards bodies and national agencies, so that users can select security appropriate to their regulatory environment. It can also inform as to the appropriateness of mitigations against future threats such as quantum computing.
Again, these findings should be presented to customers in a consumable way, with threats graded using simple Red-Amber-Green warnings that can be filtered according to the source of the guidance. Common threats across multiple connections should be grouped so that it is clear whether an issue is unique or repeated across many devices.
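The triage and grouping described above, as an added example (not code from the article or from the Encryption Intelligence offering). The record fields, policy tables and thresholds are assumptions of this example, and the connection records are constructed.

```python
from collections import defaultdict, namedtuple

# Illustrative policy (an assumption of this example, not the article's):
# a real inventory would load one table per guidance source.
DEPRECATED = {"MD5", "DSA", "RC4"}               # algorithms named in the article
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_AUTH_BITS = {"RSA": 2048, "ECDSA": 256}      # example key-size floors
QUANTUM_VULNERABLE_KEX = {"RSA", "DH", "ECDH"}   # classical key exchange

Conn = namedtuple("Conn", "host version kex auth auth_bits cipher digest")
# Constructed Discovery output: one record per observed connection.
INVENTORY = [
    Conn("10.0.0.5", "TLSv1.2", "ECDH", "RSA", 2048, "AES128-GCM", "SHA256"),
    Conn("10.0.0.9", "TLSv1.0", "RSA", "RSA", 1024, "RC4", "MD5"),
    Conn("10.0.0.12", "TLSv1.0", "ECDH", "RSA", 2048, "AES128-CBC", "SHA256"),
    Conn("10.0.0.20", "TLSv1.3", "X25519MLKEM768", "ECDSA", 256, "AES256-GCM", "SHA384"),
]

def findings(rec):
    """Return (grade, issue) pairs for one connection record."""
    out = []
    if rec.version in LEGACY_PROTOCOLS:
        out.append(("RED", f"legacy protocol {rec.version}"))
    for field in ("auth", "cipher", "digest"):
        if getattr(rec, field) in DEPRECATED:
            out.append(("RED", f"deprecated algorithm {getattr(rec, field)}"))
    floor = MIN_AUTH_BITS.get(rec.auth)
    if floor and rec.auth_bits < floor:
        out.append(("RED", f"{rec.auth} key below {floor} bits"))
    # Future-threat check covers key exchange only (recorded traffic at risk).
    if rec.kex in QUANTUM_VULNERABLE_KEX:
        out.append(("AMBER", f"{rec.kex} key exchange not quantum-resistant"))
    return out

def grade(rec):
    """Overall grade is the worst finding; no findings means GREEN."""
    grades = {g for g, _ in findings(rec)}
    return "RED" if "RED" in grades else "AMBER" if "AMBER" in grades else "GREEN"

def grouped(inventory):
    """Group identical issues across hosts so repeated problems stand out."""
    groups = defaultdict(list)
    for rec in inventory:
        for g, issue in findings(rec):
            groups[(g, issue)].append(rec.host)
    return dict(groups)
```
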
Actionable intelligence
Knowing of a problem is not the same as solving the problem. Where simple defences and mitigations can be applied, these should also be communicated. The correction might be as simple as a change to a configuration file or a software upgrade. Other cryptographic choices might be outside of the control of the customer: an external server might be limited in the cryptography that it supports, or cryptography may be operating at the hardware level. Simple instructions on the best way to communicate the risk to the service provider or hardware vendor should also be provided. Cryptographic Inventory should also make clear when the issues do not have a simple remedy and when expert cryptographic consultancy is required.
Summary
Cryptographic Inventory is a vital part of a robust cyber security posture, particularly as the cryptographic landscape is undergoing major changes. These services must be thorough in their discovery of encrypted connections, but accessible in their reporting. The raw data must be triaged and explained clearly to owners so that the threats and risks are easily understood. The steps that can be taken to mitigate the dangers should also be detailed simply. These are the principles that Ampliphae and Arqit have cleaved to when designing their Encryption Intelligence offering. We encourage you to reach out and contact us for a demonstration.
techUK’s Innovation in Cyber Security and Resilience Impact Day 2024
We will be highlighting our members' experience and expertise in this space, as well as shedding light on the challenges and opportunities when it comes to developing new innovations which strengthen the UK’s CNI and economy in the face of an ever-evolving cyber threat landscape. #techUKCyberInnovation