Quantum technologies will have a profound impact on the telecommunications industry, from improving the speed, fidelity and integrity of wired or satellite communications to creating the next generation of Quantum Internet and more.

In the meantime, telecommunications providers are both a prime target for and a critical first line of defense against emerging quantum threats. That’s because when fault-tolerant quantum computers are finally available they are expected to break the existing Public-Key Encryption (PKE) standards that have been in place for nearly 50 years, exposing sensitive government, business and personal data, communications and transactions on an unprecedented scale. The key to overcoming these challenges will require implementing new quantum-safe encryption standards as part of a larger effort to achieve cryptographic agility.

Kelly Richdale is an independent board director and senior advisor on quantum-safe security at SandboxAQ, an enterprise SaaS company providing solutions at the nexus of AI and Quantum technology (AQ) to address some of the world's most challenging problems. She was a panelist for the “A Quantum Leap Into The Future” session at Mobile World Congress 2023 that took place in Barcelona earlier this week. Here Richdale sets out the scale of the quantum threat to telecommunications, the security measures needed to counter them and why they must be implemented sooner rather than later.

The Rising Cyberthreat to Telecommunications

Due to the volume of sensitive data that travels across their networks, cyberattacks on telecom providers are increasing. For example, a Q3 2022 report from security provider Lumen indicated that telecommunications is the top industry targeted in the largest 500 cyberattacks. They also reported a 21% increase in attacks over the prior quarter.

In 2021, a report from the U.S. National Security Telecommunications Advisory Committee noted that replacing dedicated routers and switches with SDN, APIs and NFVs has contributed to greater network resiliency, but certain aspects of these improvements make networks more vulnerable to new quantum threats – some of which are happening right now.

Although quantum computers are still many years away from commercial use, adversaries have already initiated Store Now, Decrypt Later (SNDL) attacks, acquiring and storing encrypted data until quantum computers become available to decrypt it. This can be done via direct network penetration (via hacking, social engineering, etc.) or by siphoning data in transit via a compromised node or vulnerable VPN, SD-WAN or SDN. Once encrypted data has been stolen, it can no longer be protected and could negatively impact customers for many years to come.

A New Era in Cybersecurity

To protect against SNDL, telecommunications companies need to inventory their entire IT infrastructure, including hardware, firmware, and software, to identify where quantum-vulnerable protocols are used and upgrade them to quantum-resistant protocols.

For more than six years, the National Institute of Standards and Technology (NIST) has been working with a consortium of cryptologists and mathematicians from 25 countries to develop new quantum-resistant algorithms that will become the new global encryption standard. Last July, NIST unveiled four potential candidate algorithms and several alternates for standardization by 2024. These algorithms are already being integrated into new quantum-safe solutions that are starting to hit the market.

Getting Started

After an initial discovery process, which could take months or years, depending on network size and complexity, CIOs and CISOs will have a better understanding of their cybersecurity posture and can decide what areas to prioritize for migration – starting with the most vulnerable data and critical systems. The key is to begin the discovery process as soon as possible.

Finding a balance between network security and performance is a major concern for telecom providers. The next step would be to evaluate the impact that these new algorithms will have on network performance by running benchmarks on all relevant channels (e.g. Wi-Fi, 5G, etc.) using a variety of web traffic patterns and scenarios (e.g. gaming, content streaming, webpage loading, etc.).

Another major concern is regulatory compliance. Completely replacing existing cyber architecture with new protocols could result in non-compliance. As such, many providers will opt for a hybrid cybersecurity architecture – combining newer quantum-resistant algorithms with traditional RSA/ECC protocols.This will ensure continued compliance with existing government regulations and protection against both classical and quantum-related threats.

Maintaining the highest level of threat protection in a hybrid cybersecurity architecture will require cryptographic agility — the ability to encapsulate cryptographic primitives or algorithms, making it easy to switch and replace these primitives as new standards or threats emerge. Achieving crypto agility will take many years and significant resources, but afterward, providers will have greater control and sovereignty over their cybersecurity architecture.

Time is Essential for Protecting Against Future Threats

According to the Department of Homeland Security transition roadmap, harvested data could be decrypted as early as 2030. If so, any encrypted data acquired today will have a maximum confidentiality period of seven years. In other words, if an organization doesn’t complete its cryptographic transition until 2026, the confidentiality period of all data acquired before the transition will be just four years.

Because of the enormous implications of threats like SNDL, providers must begin planning migration strategies now to protect customer data, intellectual property, and other valuable assets, while reducing regulatory risk and exposure. Some forward-looking providers have already begun the migration process and they stand to reap enormous benefits such as being first to market with value-added services or differentiating themselves by touting their quantum-resistant networks featuring the latest cryptographic protocols.

Implementing cryptographic agility will entail an unprecedented, generational change in global cybersecurity architecture. Ultimately, every major enterprise and government agency will have to switch to these new quantum-safe protocols. Because telecom networks play such a pivotal role throughout our society, the industry must take a proactive approach to protecting those entities. Otherwise, a critical component of the world’s cybersecurity apparatus will be unprotected and vulnerable. For smaller businesses that are not equipped for full-scale crypto agility implementations, their telecommunications provider might be their only line of defense against quantum threats.

Available Resources

Providers looking for resources on best practices and how to get started should check out NIST’s National Cybersecurity Center of Excellence (NCCoE). There, organizations of all types can find and share business insights, technical expertise, and challenges organized into Communities of Interest. It is also developing best practices to ease the migration from current PKC algorithms to quantum-resistant ones.

Another resource worth exploring is an insightful white paper titled, “Transitioning Organizations to Post-Quantum Cryptography,” which was published in Nature, the world’s foremost international scientific journal. The paper outlines current and future quantum-related threats, steps organizations need to take to become quantum-resistant and crypto-agile, and other helpful information.

Regardless of which vendor, partner or technology approach telecom providers choose, one thing is certain: the longer they wait, the greater the risk to their organization and customers. That’s why telecommunication providers must begin the process of migrating to cryptographic agility as soon as possible.

This article first appeared in IoT World Today's sister publication Enter Quantum.