As part of the Post-Quantum Telco Network Taskforce, GSMA, an industry organization, has published the ‘Post Quantum Telco Network Impact Assessment’. With contributions from members IBM, Vodafone, and others, this provides an in-depth analysis of the quantum security threats facing the telecommunications industry and a detailed, step by step list of potential solutions to prepare for these threats.
GSMA says that the report maps out a clear path for telco organizations to work across their ecosystems to protect data from cybercriminals acting today to tap into the potential power of future quantum computers.
- A telco-specific assessment of the business risk of quantum cyber threats, including four of the highest impact attack types: store now, decrypt later; code signing and digital signatures; rewriting history; and key management attacks.
- Discussion of standardization for hardware and software changes, such as SIM cards, public key infrastructure, digital certificates, and CPE devices.
- Specific approaches to quantum-safe algorithms and risk assessment frameworks, including code-based, lattice-based, hash-based, multivariate-based, and hybrid approaches.
- Timelines of several government plans that have been launched to implement quantum-safe encryption (Australia, Canada, China, France, Germany, Japan, New Zealand, Singapore, South Korea, the UK and the US).
- Examples of quantum-safe applications for several telco domains, including devices, 5G networks, SIMs, Operating systems, ERP, infrastructure, and the cloud.
According to the report, it is widely considered that by 2032 there will be completion of a large fault-tolerant quantum computer capable of running crypto-analytic algorithms that could threaten current cryptographic approaches. This requires immediate preparation, as some forms of attack may be retrospective (e.g. ‘store now, decrypt later’). Motivated bad actors may be harvesting and storing data now in order to decrypt it once certain quantum computing capabilities become available. As stated in the report, such actors may do this to “undermine the security of data with long-lived confidentiality needs, such as corporate IP, state secrets or individual bio-data.”