At MWC Las Vegas, the GSMA Post Quantum Telco Networks task force released new guidance for telcos to manage post-quantum risks
At last year’s MWC Las Vegas conference, the GSMA established the Post Quantum Telco Network task force, with the goal of coalescing the ecosystem to prepare telcos for the quantum era. The task force has gained significant momentum and now includes more than 50 companies and over 20 major operators, including SandboxAQ. Now, at the MWC Las Vegas 2023 conference, the task force released its “Guidelines for Quantum Risk Management for Telco” whitepaper. This paper is intended to support telcos in their risk assessment process and provides an analysis of how some commonly used risk assessment frameworks may be adapted specifically for the telecommunications industry, using relevant use cases as examples.
The telecommunications industry is vital to how the world connects, from how we work and play, to emergency response and critical national infrastructure. Companies work continuously to ensure these networks are secure and new challenges need to be addressed in a timely way. Quantum computers will be able to solve mathematical challenges beyond the reach of classical techniques, and a thriving research community is exploring how their capabilities may be applied for positive benefit across multiple industry sectors – and society at large. While precise timelines are uncertain, it is also accepted that quantum computers powerful enough to break the most common encryption standards used today will become available in the future. That means the encryption we currently use to protect telco systems, particularly public-key encryption, will be vulnerable once these cryptographically relevant quantum computers reach sufficient maturity.
Even before such systems arrive, threats already exist today. With “store now, decrypt later” attacks – where bad actors harvest and store encrypted data for later decryption — any encrypted data stolen today could become vulnerable should a bad actor gain access to a cryptographically-relevant quantum computer in the future. The telco industry needs to adopt new cryptography algorithms and cybersecurity practices that provide resistance to future attack by quantum computers.
Breaking down the guidelines
In its new guidelines, the GSMA task force recommends several steps for telcos to manage and remediate risks in the quantum era. Some of its recommendations include:
- Establish a cryptographic inventory to understand where cryptographic algorithms are used in systems and third-party products
- Plan a cryptography risk assessment to identify the most at-risk data and systems
- Appoint a team of quantum experts to stay apprised of quantum developments and risks
- Develop a quantum-safe cryptography transition plan
The first step for telcos to take today is also the most critical. Establishing a cryptographic inventory – sometimes called a cryptography bill of materials or CBOM – allows businesses to understand where cryptographic algorithms are currently used in their systems and networks, as well as any third-party systems they use. Additionally, telcos should perform a risk assessment to identify the most at-risk assets protected by today’s cryptography standards. Together, these steps can help to inform which cryptographic data should be prioritized in the transition to post-quantum cryptography.
As organizations like the U.S. National Institute of Standards and Technology (NIST) release post-quantum cryptography standards in the coming years, it will also be important to transition any public-key encryption to new post-quantum cryptography algorithms so that data remains protected now, and in the quantum era.
Ultimately, the transition to new post-quantum cybersecurity standards and practices will be a multi years process, and it will require continued industry cooperation through groups like the GSMA Post-Quantum Telco Network task force to provide guidance and support. While every organization will approach the quantum risk assessment process in its own way, starting now to build and educate the right teams who understand the quantum threats, impacts, and responses as well as formulating future-looking mitigation plans is key to preparing for the quantum future.