Guidelines for Quantum Risk Management for Telco

Cryptographically Relevant Quantum Computers (CRQC) pose new threats to telecommunication systems and significant new cybersecurity challenges, because they disrupt widely used encryption algorithms and protocols.

The overall objective is to ensure that key stakeholders and business owners have the information required to make proportionate decisions in Quantum Risk Management (QRM) in the right timeframes. We believe that a Quantum Cryptanalytic Risk Assessment (QCRA) for Telco is a critical methodology that supports Telecommunication Service Providers and the extended Telecommunication supply chain in building a multi-year plan to address quantum risk.

Given the complexity and breadth of the impacts on current cryptography related to both legacy and future cybersecurity capabilities used in Telecommunication environments, an important element of proactive threat management is the ability to identify, evaluate and prioritise risks on an ongoing basis.

Improving education and awareness about Quantum Computing, and building skills and knowledge, are important for all organisations in creating an effective Quantum Risk Management (QRM) capability.

This document provides an analysis of how some common risk assessment frameworks can be adapted specifically for a Cryptanalytic Risk Assessment for Telco, using telco relevant use cases as examples.

The recommendation is to consider relevant risk assessment methodologies as part of the overall risk framework.

“A Methodology for Quantum Risk Assessment” and “Crypto Agility Risk Assessment Framework (CARAF)” are two examples of Quantum Cryptanalytic Risk Assessment (QCRA), while the NIST Risk Management Framework [2] and ISO/IEC 27000 [1] can be adapted to address quantum risk.

Common considerations across risk assessment frameworks and a QCRA include: definition of roles and responsibilities, threat identification, asset and cryptographic inventory, impact calculation, and control selection.

Two attacks should be considered for threat identification:

  • the immediate threat from “Store now, decrypt later”, where a Quantum Capable Threat Actor (QCTA) gains access to sensitive data with a long shelf life that can be decrypted once a CRQC is available; and
  • future threats that originate from Quantum Capable Threat Actors (QCTA) that will have access to a CRQC.

The result of the impact assessment aids the analysis and prioritisation for identified threats.

The QCRA informs a holistic, balanced and full lifecycle risk management program that drives significant change to the cryptographic mechanisms used by Telecommunication Service Providers. It guides the Telecommunication supply chain management to address the Quantum threat.

While the focus of the document is specifically on Quantum related security aspects in Telco, we fully recognise that CRQC is one of the many threats that Telco organisations face going forward. The document also highlights the rapidly and continuously evolving compliance and regulation landscape for Quantum security.
