NCSA warns state websites at risk, urges urgent upgrade to new standards

The National Cyber Security Agency (NCSA) presented an overview of Thailand’s cyber threat landscape and key response strategies at the “Building the Digital Future” seminar on September 19, 2025. 

The agency stressed the urgent need for government bodies to upgrade their defences in line with new national security standards published in the Royal Gazette, while also unveiling long-term plans to prepare for the risks posed by quantum computers capable of breaking current encryption systems.

Air Vice Marshal Chalermchai Wonggate, Director of the NCSA Cybersecurity Research Centre, reported that Thailand recorded more than 3,172 cyber incidents. Government agencies were the most targeted, accounting for 32% of attacks, followed by the education sector at 23%. The most common attack types were fake websites and credential leaks.

To address these threats, the NCSA has issued the 2025 Website Security Standard, now mandatory for all government agencies and operators of critical national infrastructure. 

Chalermchai stressed that “no government agency is exempt” and must conduct annual self-assessments, while for private organisations the standard remains advisory, reflecting the need for each to manage its own risk exposure.

He also underscored the importance of multi-factor authentication (MFA), describing it as “a basic necessity, like essential medicine,” that provides fundamental protection. 

In assessing website risk, the agency will apply the “High Water Mark” principle: if a site is deemed “high risk” in any of four area, financial assets, operations, public safety, or national security, its overall risk level will automatically be considered high.

Future challenge: the quantum threat of ‘Harvest Now, Decrypt Later’

Addressing the risks of next-generation threats, Suchittra Pongpisutsopa, Director of Data Analytics and Processing at the NCSA, explained the disruptive potential of quantum computing, which can solve mathematical problems that are intractable for today’s machines. 

Among the most concerning risks, she highlighted the “Harvest Now, Decrypt Later” (HNDL) scenario, where malicious actors store encrypted data now with the aim of decrypting it in the future once quantum computers become powerful enough.

Impact on encryption systems

The implications vary depending on the cryptographic method:

• Asymmetric/Public-Key Cryptography (RSA, DH, ECC): These are the most vulnerable, as Shor’s Algorithm could break them, undermining key exchange and digital signatures. A 2021 report by Gutsan estimated that 2048-bit RSA encryption could be cracked within 177 days on a sufficiently advanced quantum computer.
• Symmetric Cryptography (e.g., AES): Less exposed, but still at risk from Grover’s Algorithm. Increasing key length can mitigate the threat, though it comes at the cost of reduced efficiency.

Thailand’s quantum-readiness roadmap

The NCSA has outlined a national action plan, first published in 2023, to guide the country’s transition into the quantum era. The plan sets out seven key measures:

1. Developing a clear national roadmap
2. Raising public and institutional awareness
3. Defining roles and responsibilities
4. Conducting a cryptographic inventory of critical assets
5. Assessing the suitability of emerging technologies
6. Running pilot projects and testing solutions
7. Ensuring continuity and long-term monitoring

NCSA warns government websites at risk, urges urgent upgrade to new standards

As part of its quantum-readiness efforts, the NCSA has launched a pilot project funded by the Digital Economy and Society Development Fund (DEF) to survey the digital assets of seven lead agencies. 

These organisations received on-site visits in 2024 to assess requirements and develop migration plans, before sharing their lessons with 93 other agencies nationwide, serving as mentors in the transition.

The NCSA has set out key national targets:

• By 2025: Raise awareness of post-quantum cryptography (PQC) and establish working groups.
• By 2030: Require all new projects involving sensitive data to adopt PQC or hybrid encryption.
• By 2035: Achieve full national migration to PQC.

This roadmap mirrors international timelines, with both the United States and the United Kingdom aiming for full PQC adoption by 2035. Other countries are also advancing rapidly—China is prioritising quantum communication satellites, while South Korea has built an 800-kilometre quantum key distribution (QKD) network.

To support the transition, the NCSA is developing a self-assessment platform, expected to go live in November, enabling agencies to evaluate their own readiness. Large-scale training programmes and international collaborations with leading quantum technology developers are also planned, ensuring Thailand can strengthen its cybersecurity posture in the quantum era.