In recent times, we’ve seen widespread damage caused by cybersecurity events impacting the telecommunications industry. Unfortunately, we’re rapidly approaching another monumental cliff for security of telecommunications (and all the industries that rely on electronic communications). The same cliff is something the OSS/BSS industry also needs to be patently aware of.
Traditional cryptographic algorithms, which underpin the security in the telecommunications sector, communications over the Internet and even data exchanges between OSS/BSS systems, are vulnerable to quantum computing attacks. Current encryption techniques are predicated on mathematical problems that are challenging for classical computers but potentially trivial for quantum computers.
The threat is not hypothetical; quantum computers are rapidly advancing and could soon undermine today’s commonly-used encryption methods like RSA and ECC. These techniques also safeguard data transmission and storage in OSS/BSS systems. Other than the SolarWinds hack, I’m not aware of any other significant breaches within the OSS industry yet. However, a breach in any of our OSS/BSS could lead to unauthorised network access, sensitive data exposure, service disruption and significant financial / reputational damages for telecom providers.
How likely is this? There have been billions of dollars of investments already made by various nation-states in quantum computing. In part, this reflects the global race to develop technologies that could potentially break widely used data protection mechanisms. We mentioned earlier that the public-key cryptographic cliff is rapidly approaching, but it’s possible that nation-states have already produced deciphering tools and haven’t alerted the global community (for obvious reasons). [For comparison: The Enigma Machine is a well-known story about how Alan Turing cracked the ciphers of Nazi Germany without their knowledge in the early 1940s and arguably changed the outcome of World War II. What’s less widely known is that Polish mathematicians had deciphered earlier versions of The Enigma Machine as early as 1932]
Today’s article delves into the significance of post-quantum cryptography (PQC) for use in telco and OSS/BSS, the available PQC algorithms, and the potential consequences of us not transitioning to quantum-resistant cryptographic methods.
Recognising this imminent threat, the U.S. National Institute of Standards and Technology (NIST) has been proactive in developing quantum-resistant cryptographic standards. NIST’s recent selection of four quantum-resistant algorithms, after a comprehensive six-year vetting process, marks a significant milestone in PQC.
For securing data at rest, CRYSTALS-Kyber emerges as a strong candidate, offering small encryption keys and efficient operation – ideal for the vast data repositories typical in OSS/BSS systems. For data in motion, such as management network communications, CRYSTALS-Dilithium and FALCON stand out for their digital signature capabilities. They offer high efficiency and smaller signatures crucial for ensuring data authenticity and integrity during transmission. These algorithms are currently in a developmental phase, available for exploration but not yet finalised for integration into existing systems.
The transition to PQC is not merely a technical upgrade but a strategic necessity for telecom operators. It involves significant infrastructure and software modifications, implying a need for long-term planning and investment. The longevity of data held in OSS/BSS systems and/or carried by telco networks makes early adoption of PQC critical to mitigate retrospective security risks.
Data longevity is an important factor that might not be fully comprehended by many in the telco industry yet. It’s already surmised that nefarious actors are siphoning large volumes of encrypted data. They may not be able to decrypt this data today, but are assuming that quantum computing will be realised imminently, allowing vast amounts of historical data to be decrypted in the near future. Data that can’t be retroactively encrypted with PQC. Data that could include national secrets, intellectual property, private / personal information and much more.
Moreover, regulatory compliance is likely to evolve quickly alongside these technological advancements. Telcos will need to anticipate and adapt to these changes to avoid potential legal and financial repercussions. Maintaining customer trust and ensuring business continuity are likely to hinge on the proactive adoption of PQC.
The transition to PQC is likely to involve significant changes in infrastructure and software. Early adoption, or pre-planning at minimum, should facilitate a smoother transition. This will reduce the risk of sudden changes being forced upon telcos and OSS/BSS suppliers as a result of future quantum advancements.
I should highlight that I’m no expert at quantum technologies, just an avid onlooker. If you have more accurate, pertinent information to share about PQC, I’d love to hear from you in the comments section below.