Q: Why is digital trust such a pressing issue for the UK public sector right now?

Digital trust is the invisible glue that holds public services together. From digital ID cards to secure communications between government departments, it ensures that citizens can interact with the state safely and with confidence. But that trust is under strain. We’re seeing an unprecedented rise in cyberattacks, supply chain compromises, and geopolitical tensions that place critical systems at risk.
The lesson for the UK’s critical energy networks – increasingly digitalised, interdependent, and constantly targeted by state actors and criminals – is that resilience cannot be left to chance. The same principle applies across the public sector: if we neglect the foundations of digital trust, the very integrity of government services is at risk.
Q: Thales’ new whitepaper focuses on securing the UK’s energy backbone. What insights from that sector apply to public services more broadly?
Energy networks provide a vivid case study because they combine old infrastructure with cutting-edge technology, all under relentless attack. Operators there have learned three things that are relevant to every public body:
- Resilience must be designed in, not bolted on. You can’t retrofit secure systems effectively – principles like Secure by Design and Zero Trust have to be embedded from the start.
- Hidden dependencies are the real weak points. A single expired certificate or unpatched API can cause cascading failures across interdependent systems.
- Partnership is essential. Energy resilience now depends on a “whole-of-society” approach – government, regulators, and private operators working together. For digital government, that means treating suppliers and third-party service providers as part of the trust fabric, not bolt-ons.
Q: You mentioned Secure by Design. Why is that so critical for the public sector today?
Secure by Design is about constantly adapting your security to an ever-changing landscape and identifying weaknesses before they can be exploited. In energy, Digital Twin simulations are used to continually stress-test systems against both physical and cyber threats. The public sector can adopt the same mindset. Think of benefits systems, health records, or transport coordination – all are complex digital ecosystems with hidden interdependencies. If you only focus on perimeter defence, you miss the weak links. Designing resilience into the architecture, and regularly auditing it against evolving threats, is the only way to keep services available when they’re needed most.
Q: Where does crypto-agility fit into this conversation?
Crypto-agility – the ability to update algorithms and keys quickly without disrupting services – is going to be a survival skill in the next decade. Quantum computing is the obvious driver, but even today we see attackers exploiting outdated algorithms and mismanaged certificates. Too many organisations still treat Public Key Infrastructure (PKI) as “set and forget.” In reality, it’s the hidden plumbing of digital trust, and if it fails, the whole house collapses. Public bodies need to adopt automated certificate management, modernise cryptographic standards, and start planning now for post-quantum migration.
Q: The UK Cyber Security and Resilience Bill is expected to raise the bar. How should public bodies respond?
The bill is rightly pushing for a more comprehensive approach to resilience – extending protections to managed service providers, critical suppliers, and data centres. For the public sector, that means two things:
- Governance first. Get visibility of your trust assets, build clear lines of accountability, and don’t assume that outsourced PKI or identity services are problem-free.
- Invest in people as well as technology. The best cryptographic systems are useless if no-one in the organisation understands how to govern them. Building in-house expertise, even if supported by external partners, is essential.
- Don’t forget about insider threats. Threats don’t just come from outside your organisation but also from accidental and malicious acts by your team and contractors working in your organisation. Being able to ensure appropriate access control to systems and spotting anomalies is key to mitigating that threat.
Q: What happens if we neglect the “hidden plumbing” of trust?
The risks are very real. In energy, poor certificate governance has caused outages that disrupted services for thousands of households. In government, the same weaknesses could bring down essential services – benefits payments, health appointments, even election systems. Beyond disruption, attackers are increasingly targeting trust itself: stealing keys, manipulating certificate chains, or injecting rogue credentials. Once trust is broken, restoring public confidence is far harder than restoring systems. That’s why digital trust needs to be treated as critical infrastructure in its own right.
Q: Collaboration is another theme you emphasise. What does effective collaboration look like in practice?
It means moving beyond compliance checklists and information silos. In energy, operators now share threat intelligence across the sector and with government, enabling faster adaptation to new attack methods. The public sector needs the same openness. That means transparent incident reporting, joint exercises across departments, and closer integration with suppliers. It also means regulators playing an active role in setting standards for resilience and crypto-agility, not just reacting after the fact.
Q: Finally, what’s the single most important step public sector leaders can take now to strengthen digital trust?
Start by treating PKI and digital trust systems as strategic assets, not background utilities. Visibility, automation, and governance are the three foundations: know what assets you have, automate their management, and ensure you have the expertise to govern them effectively. From there, embed Secure by Design, plan for quantum-safe cryptography, and invest in collaboration. Rebuilding trust takes time, but the cost of inaction will be far higher. As we’ve seen in critical infrastructure, resilience isn’t a luxury – it’s the bedrock of national confidence.






