The telecom industry now needs to mobilise to define guidelines and processes for the Post-Quantum Cryptography (PQC) transition
The transition to Post-Quantum Cryptography has started…
Quantum Computing has great potential, but also brings business risk with far reaching consequences on telco networks and customers. Governments have begun planning and issuing guidance to mitigate these risks.
Business Risks |
Store Now, Decrypt Later
Store sensitive data with the goal to decrypt when quantum computers are available |
Code-signing and Digital signatures
Compromise service authentication leading to vulnerabilities in software updates |
Rewriting history
Compromise the integrity of digitally signed data e.g. contracts. |
Key Management Attacks
Long-term data storage can be vulnerable by attacking key management |
How can the Industry prepare?
- GSMA Members have defined impact assessment (1) for the transition to Post-Quantum Cryptography in telecom networks
- Refresh of existing security architecture is required as existing algorithms become vulnerable
- Engage with industry groups, government, and vendors on the roadmaps to implement Post-Quantum Cryptography
- Understand how to treat legacy systems, services and products that may not be updated
- Reduce the creation of cryptographic debt
- Consider impacts to key management systems
How can Operators prepare?
- Establish a cryptographic inventory: understand where cryptographic algorithms are used in systems or vendor products
- Plan a cryptography risk assessment
- Develop expertise in Post-Quantum Cryptography and security
- Support standardisation & open-source
- Support related research.
- Engage with customers and vendors for requirements
- Develop a Post-Quantum Cryptography transition plan
Potential New Services
- Quantum-Safe VPN
- Quantum-Safe SD-WAN
- Quantum-Safe connection between enterprise customers and hybrid cloud
- Quantum-Safe IoT connectivity
- Quantum-Safe satellite communications links
- Quantum-Safe data archive
Government Response
Governments are aware of the risks and recommend industry to begin planning.
Country | PQC Standards | Published Guidance |
Australia | NIST | CTPCO (2021) – early implementation from 2025 |
Canada | NIST | Cyber Centre (2021) – implementation from 2025 |
China | China Specific | CACR (2020) – start planning |
EC | NIST | ENISA (2022) – start planning |
France | NIST (non-exclusive) | ANSSI (2022) – transition from 2025 |
Germany | NIST (non-exclusive) | BSI (2022) – start planning |
Japan | Monitoring NIST | CRYPTREC – start planning |
New Zealand | NIST | NZISM (2022) – start planning |
Singapore | Monitoring NIST | MCI (2022) |
South Korea | KpqC | MSIT (2022) – competition started 2022 |
UK | NIST | NCSC (2020) – start planning |
USA | NIST | NSA (2022) – implementation from 2023 |
In summary, Operators and Industry Partners are advised to…
- Plan for future implementation to the transition to Post-Quantum Cryptography.
- Begin deploying Post-Quantum Cryptographic algorithms as they are standardised.
- Take advantage of cross- industry and Government moment.
Post Quantum Telco Network – Impact Assesment – Whitepaper
You can find further detail information on the published Post Quantum Telco Network Impact Assesment Whitepaper here.