Q: Let’s start with the big picture. What are the major cybersecurity challenges currently facing the UK public sector?

A: The landscape has never been more complex. Public sector organisations are facing a surge in cyberattacks, rising regulatory pressure, and the looming disruption of quantum computing. But while there’s a lot of attention on visible threats – like ransomware or AI misuse – there’s far less focus on the trust infrastructure these systems rely on. That’s a real concern, because without secure digital foundations, the integrity of public services themselves is at risk.
Q: That brings us to Public Key Infrastructure (PKI). Why is it so important – and yet so often overlooked?

A: PKI is the hidden engine behind everything from secure logins to encrypted data and verified software updates. It’s essential for authenticating users, devices, and services. In public digital services, it powers everything from IT infrastructure to digital driving licences. The problem is, PKI works silently in the background – so it’s often treated as “set and forget.” But that invisibility leads to neglect, and neglected PKI is a major vulnerability.

Q: What kinds of vulnerabilities or misconfigurations do you typically see in real-world PKI deployments?

A: Unfortunately, the list is long. Common issues include expired or unmanaged certificates, the use of deprecated algorithms like SHA-1, and private keys stored on general-purpose servers instead of secure hardware. Certificate Authorities are often misconfigured or given overly broad permissions. Worse still, many organisations have unsatisfactory governance and lack real-time visibility into how their cryptographic assets are used, or even a full inventory. These weaknesses make it easy for attackers to spoof trust, hijack communications, or bring systems down entirely.
Q: So how should organisations approach a PKI Health Check? What best practices should they follow—and what should they avoid?

A: A proper PKI Health Check is much more than a checkbox audit. It needs to be a strategic review of your entire trust architecture. Best practice includes mapping out all trust relationships across systems, checking certificate lifecycles, validating CA configurations, and ensuring readiness for post-quantum cryptography. One major pitfall is assuming outsourced PKI is problem-free; it’s not. Another is overlooking crypto agility: the ability to change algorithms without breaking services. That needs to be designed in from the start.
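The weaknesses listed two answers earlier (expired certificates, SHA-1 signatures, weak keys, over-broad CAs) and the lifecycle and CA-configuration checks described in this answer are the kind of thing an inventory-driven health check can automate. The Go program below is an added example written for this page, not code from the interviewee or any vendor product. It uses only Go's standard crypto/x509 package; the 30-day renewal window, the 2048-bit RSA floor, the list of deprecated signature algorithms and the three certificate names are assumed values constructed for the example, not policy stated in the interview.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Finding struct{ Subject, Issue string } // one health-check observation

// Assumed policy for this example: renew within 30 days; RSA under 2048 bits is weak.
const renewalWindow = 30 * 24 * time.Hour
const minRSABits = 2048

// CheckCertificate inspects one certificate as of now and returns the
// weaknesses found; an empty result means it passed every check.
func CheckCertificate(c *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	add := func(issue string) { out = append(out, Finding{c.Subject.CommonName, issue}) }
	// Lifecycle: already expired, or inside the renewal window.
	if now.After(c.NotAfter) {
		add("expired on " + c.NotAfter.UTC().Format(time.RFC3339))
	} else if c.NotAfter.Sub(now) < renewalWindow {
		add("expires within renewal window")
	}
	switch c.SignatureAlgorithm { // SHA-1 and the older MD hashes are deprecated
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		add("deprecated signature algorithm " + c.SignatureAlgorithm.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		add(fmt.Sprintf("RSA key too short (%d bits)", pub.N.BitLen()))
	}
	// CA scope: with no path-length constraint a CA may mint further sub-CAs.
	// Go encodes an absent pathLenConstraint as MaxPathLen -1, or 0 with MaxPathLenZero false.
	if c.IsCA && (c.MaxPathLen < 0 || (c.MaxPathLen == 0 && !c.MaxPathLenZero)) {
		add("CA certificate has no path-length constraint")
	}
	return out
}

func CheckInventory(certs []*x509.Certificate, now time.Time) []Finding {
	var all []Finding
	for _, c := range certs {
		all = append(all, CheckCertificate(c, now)...)
	}
	return all
}

// SampleInventory builds a constructed inventory: a real self-signed ECDSA CA parsed
// back from DER, plus two unsigned certificate values standing in for a legacy leaf
// and a healthy leaf. All names and dates are made up for this example.
func SampleInventory(now time.Time) []*x509.Certificate {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "root-ca.example.test"},
		NotBefore:             now.Add(-365 * 24 * time.Hour),
		NotAfter:              now.Add(10 * 24 * time.Hour), // about to expire
		IsCA:                  true,
		BasicConstraintsValid: true, // MaxPathLen left unset: unconstrained CA
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	ca, err := x509.ParseCertificate(der)
	must(err)
	legacy := &x509.Certificate{
		Subject:            pkix.Name{CommonName: "legacy-app.example.test"},
		NotAfter:           now.Add(-24 * time.Hour),
		SignatureAlgorithm: x509.SHA1WithRSA,
		// Constructed 1024-bit modulus; only its bit length matters to the check.
		PublicKey: &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 1023), E: 65537},
	}
	healthy := &x509.Certificate{
		Subject:            pkix.Name{CommonName: "portal.example.test"},
		NotAfter:           now.Add(365 * 24 * time.Hour),
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return []*x509.Certificate{ca, legacy, healthy}
}

func main() {
	now := time.Now()
	for _, f := range CheckInventory(SampleInventory(now), now) {
		fmt.Printf("%-26s %s\n", f.Subject, f.Issue)
	}
}
```

Run with `go run .`; the root CA is reported twice (expiring inside the renewal window, no path-length constraint), the legacy leaf three times (expired, SHA-1, 1024-bit RSA) and the healthy leaf not at all. In a real deployment the inventory would come from scanning hosts, load balancers and cloud key stores rather than from constructed values, but the per-certificate rules, and the idea that a CA certificate's constraints are checked as carefully as its expiry date, carry over unchanged.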
Q: What are the key lessons for managing trust at scale in large public sector IT environments?

A: First, don’t assume you know what assets you have; most organisations don’t. Start with visibility and control. Second, you need automation. Manual certificate management simply doesn’t scale in cloud-native environments where applications are proliferating and certificate lifecycles are accelerating. Third, governance matters. Having in-house cryptographic expertise, even if you rely on partners, is essential. PKI isn’t just about technology; it’s about policy, people, and process.
Q: Looking ahead, how can public sector organisations stay ahead of the threat curve, especially with emerging risks like quantum computing?

A: Resilience must be built in, not bolted on. The threat landscape is evolving fast, from quantum decryption to increasingly sophisticated nation-state attacks on trust infrastructure.

Public bodies need to adopt crypto agility, follow guidance from NCSC and NIST, and begin planning for post-quantum migration today. They also need to modernise key management to eliminate fragmentation, and ensure new systems are “secure by design”, a principle that’s being embedded in the forthcoming UK Cyber Security and Resilience Bill. Trust is the next battlefield. PKI is how we defend it.