They are concerned that the imminent arrival of quantum computing will leave data and traffic vulnerable unless all parts of the supply chain are protected.
“We want to get a requirement for post-quantum cryptography into the specifications for 6G,” said Luke Ibbetson, Vodafone’s head of group research and development.
But it’s not just the sixth generation of mobile telecoms he’s worried about: quantum security is also a concern for fixed services to enterprises, including data centres.
“We’re concerned about VPNs, SD WANs and other services, initially for the public sector,” Ibbetson told Capacity.
Lory Thorpe, IBM’s director for global solutions and offerings in telecommunications, added: “Governments are looking at the impact of this, some more aggressively than others, and they are updating cyber security guidance for critical national infrastructure.”
The US is the only government so far to have set public standards, she said. Last November the Office of Management and Budget (OMB), part of President Joe Biden’s executive office at the White House, told federal agencies to “prepare now to implement post-quantum cryptography”, and “to submit a prioritized inventory of information systems and assets”, itemising quantum-vulnerable cryptographic systems, by April 2023.
Thorpe and Ibbetson are both involved in the GSMA’s Post Quantum Telco Networks (PQTN) taskforce – Thorpe is chair – which last month produced a white paper on how the mobile industry should prepare for the post-quantum world.
IBM is already making quantum computers, and has one at its innovation studio in central London.
“We’re looking at the positive benefits [of quantum technology],” said Ibbetson, who is vice chair of the GSMA taskforce. They include making data quantum safe. “But the inconvenient truth is that quantum will also be able to break encrypted data. People are harvesting data for when that’s possible.”
The GSMA taskforce includes 45 member companies, including a number of significant operators from around the world, said Thorpe.
Ibbetson likened the quantum task to the Y2K challenge of 25 years ago, when IT companies around the world struggled with a deadline of 1 January 2000 to ensure their programs and data were compatible with 21st century dates – until the 1990s, many years were shown just as two digits, rendering them liable to misinterpretation.
“But there isn’t a one-time fix,” he said. “It’s like Y2K but this is an evolving threat” as quantum technology continues to develop.
The telecoms industry “is hugely dependent on standardisation”, said Thorpe, who worked with Ibbetson at Vodafone until 2019, when she moved first to Nokia and then to IBM.
“We’re looking at standards in the wider ecosystem, so companies can enable their post-quantum journey. This needs to be done at an industry level,” she said.
Vodafone is tackling the challenge at a number of levels. First, it is identifying systems that are likely to be refreshed over the next five years, for which replacing now with post-quantum solutions is less urgent. Some boxes are going to be retired in 18 months, said Ibbetson.
“But customer data is more vulnerable,” he said, pointing out the need for all telcos and other networks to tackle the challenge. “Companies need to own their own plan.”
And in Vodafone, “we need to make sure the equipment we aspire to buy” is suitable for a post-quantum world. That means ensuring new services are on quantum-secure systems. “We want to understand the impact on enterprise, and recognise the opportunity for operators to offer quantum-safe services.”
Thorpe added: “Telcos have a lot of security risks. Cryptography is everywhere.” The industry needs to create an inventory of its vulnerable systems, she said. “They need to quantify the risk.”
Ibbetson told Capacity: “Start planning. Be aware of the risk.”