Quantum-Safety making waves at MWC 2024
Surfing above the AI tsunami, a wave of quantum news surged last week at the MWC in Barcelona. Here's a summary with my views.
Artificial Intelligence (AI), especially the generative kind, was all over the place at last week’s Mobile World Congress 2024 (MWC) in Barcelona, which makes it the technology buzzword of the day. But there was also a growing number of exhibitors and, especially, sessions around quantum technologies, with a particular focus on Post-Quantum Cryptography (PQC) and the transition of cryptography to quantum-safe solutions.
Given the key role of encryption to secure our electronic communications, this surge is unsurprising, and the telecommunications sector finds itself at the forefront of change, demanding swift adaptation and strategic planning. Evidence of the broad interest on the topic comes in the form of over 700 registrations for the 3rd Post Quantum Network Seminar, hosted by GSMA and with a range of high-level speakers and stakeholders. In a more modest setting, the European Quantum Space attracted over 30 industry experts and journalists to a panel covering the activities of deep-tech quantum-comms start-ups, the role of governmental cybersecurity agencies, and the needs of non-IT corporations to surf towards quantum-safety.
How telcos will look like in a quantum-safe world: A call to action, and a set of guidelines
The 3rd PQC Seminar at MWC was a focal point, drawing attention to the profound impact of PQC on the telecom sector. Industry experts emphasized the need for swift action, shedding light on potential costs of infrastructure upgrades and the necessity for regulatory frameworks and standards.
Key speakers, including Taylor Hartley from Ericsson, underlined that migration to quantum-safe practices transcends the role of a Chief Information Security Officer (CISO) and necessitates top-level sponsorship for alignment of planning and resources. Keundae Kim (Director General, South Korea Institute of Information and Communications Technology Planning & Evaluation) shared their national strategy extending to 2035, a timeline akin to that outlined in the U.S. National Security Memorandum-10 (significantly, KT Corp. had fiber and over-air QKD devices on display at their stand).
Lory Thorpe (IBM), Luke Ibbetson (Vodafone), and Yolanda Sanz (GSMA) summarized key messages from the 100-page Guidelines for Telco published during MWC by the GSMA Post Quantum Telco Network Task Force. Hybrid cryptographic approaches emerged as a cornerstone for bolstering industry defenses, with a focus on overhauling public key infrastructure to adapt for the quantum age.
Insights from a multi-stakeholder panel: The diversity of tech solutions calls for a holistic approach
The European Quantum Space sponsored by the EU Quantum Flagship featured a number of strong European quantum start-ups. Among them, leading QRNG provider Quside organized a panel on post-quantum cryptography whose panelists underscored the importance of a holistic, long-term strategy spanning a decade or more (disclaimer: I was one of the panelists).
The discussion involving Monica Espinosa Garcés from Agencia de Ciberseguretat de Catalunya, Vanesa Diaz from Luxquanta and yours truly, highlighted that different technologies will play distinct roles at different stages, pointing to the need for partnerships and long-term collaborations. Espinosa noted the availability of public funding to support the transition in the EU, pointing to the European Cybersecurity Competence Centre's recent EUR 24 million funding call to support PQC standardization and deployment activities by European public and private organizations.
As a rough timeline, following the expected approval of PQC algorithms by NIST in the coming months, PQC —including hybrid solutions— is seen as the technology to adopt in near- and mid-term (0-5 years), with Quantum Key Distribution (QKD) available for specific use cases now, and set to play a key role from 2030, especially in the EU through its Quantum Internet Alliance and QSNP initiatives.
Throughout the transition, Quantum Random Number Generators (QRNGs) appear as a key enabling technology (I bet that soon enough, organizations will be asking for and paying for guaranteed service levels of good-quality "noise" — and governments collecting taxes for it!).
Standardization emerged as critical for future interoperability between telco operators as well as across technology verticals. End-user organizations are requesting network service providers transparency on their roadmaps, and coordination between standard-setting organizations, to ease adoption with as few bumps and back-steps as possible.
My take-home messages: Build crypto-agility and prepare for hybrid solutions
Making transition roadmaps visible:
In the telco industry, major players seem to have taken steps to prepare internally towards the transition, but a crucial gap exists in sharing their migration roadmaps publicly or broadly with downstream customers. Governments and businesses, essential downstream players, would benefit from transparent communication to formulate their own migration strategies and minimize disruption. Without this, bilateral communication with a multitude of customers will become an imperative.
Correspondingly, it would be beneficial if governments and standard-setting organizations engaged openly in collaboration to define oncoming technical standards and regulatory requirements, to minimize as much as possible the splintering of cryptographic solutions that can only be disruptive to organizations and to innovation, e.g., using the language of security levels rather than enforcing this or that cryptographic algorithm. Within the EU in particular, an EU-wide regulation should be enacted to which national regulations should refer and align so that, even if there are national differences, there are automatic recognition mechanisms.
From the strategic viewpoint, organizations should start by conducting a comprehensive inventory of cryptographic solutions and assess true cryptographic needs (what level of protection is required by each data/communications channel, and for how long). This identification process should be followed by the developing a roadmap for a robust crypto-agility framework involving procedures and controls. Ideally, this roadmap will be developed and continuously updated in conversation with telco providers, operators, and system integrators to understand their own migration timelines and minimize disruption to operations.
Regarding tactical steps, organizations should prepare for a short-term adoption of hybrid cryptographic solutions, those combining traditional algorithms with PQC algorithms, in lockstep with commercial deployments by their providers. Those organizations with sufficient resources, are encourgaged to engage in early-testing, e.g., through joint proof-of-concept projects with their providers, which will allow them to spot future impact on network performance and prepare mitigation strategies as needed.
In summary, the range of presentations and one-on-one discussions at MWC 2024 has shown that the migration to quantum-safe communications will be a long process that organizations must start to walk as soon as possible — but there is a lot of partners out there with the knowledge and expertise to support you, so don’t be afraid to take the first steps!