The Problem
Every day, millions of emails, phone calls, text messages, and other digital communications are exchanged worldwide, facilitated by the network connectivity services of telecommunications companies. These networks are of the highest interest to cyber criminals, who seek to obtain invaluable customer data that would allow them to access personal records, commit identity theft, and derail entire network infrastructures. Current security protocols to protect user data rely on public-key cryptography, which are composed of complex mathematical formulas which are at present very difficult to decrypt using traditional binary computers. However, the expected arrival of cryptographically relevant quantum computers within the 10-20 years will change the landscape of cybersecurity, enabling cyber criminals to decrypt once-uncrackable safeguards in a matter of minutes. Criminals have already begun collecting encrypted data with the intention to decrypt them as large error-corrected quantum computers become available, in a scheme known as store now, decrypt later (SNDL).
The Landscape
Quantum hacks may be a few years away, but building resilience must begin now to stay ahead of the curve. Regulatory bodies are already creating cryptographic standards for the post-quantum era. Not the least of them will be Post-Quantum Cryptography (PQC), as NIST (National Institute of Standards and Technology) completes the standardization of quantum-resilient algorithms in 2024. Whether it’s FIPS, PCI-DSS, PQC or internal security policies, regulated organizations do not have the adequate tooling today to fully automate and scale cryptography compliance processes. Failure to do so entails hefty fines and potentially compromised sensitive data information. Leading telecommunications companies are therefore already collaborating with third-party industry experts to secure their network, from endpoint to endpoint and everything in between. On the consumer side, there is increased pressure for telco service providers to develop and implement quantum-safe solutions, following the actions of early adopters.
The Solution
There are different ways in which telco providers can adopt and benefit from PQC, even today. These include the implementation of quantum-safe virtual private networks (VPN), wide area networks, connection of enterprise customers to telco cloud computing centers, public and private cloud linkage, IoT connectivity, satellite communication links for enterprises and governments, and cloud storage. A large communications company collaborated with SandboxAQ to perform extensive testing on the application of a quantum-safe VPN solution for standard smartphones using PQC algorithms, demonstrating the ability to safeguard network connection within a server and across sites without compromising the smartphone user experience.
The primary goal of the study was to determine if and how the provider could implement PQC cryptosystems without disrupting the user experience or network performance. A series of experiments were carried out to test both end-user-to-server configurations (e.g., mobile phone to server) and site-to-site VPN scenarios, such as in an enterprise setting. The experiments involved both real and synthetic network traffic to test PQC’s effect on common activities such as web browsing, social media/chat application usage, video and audio streaming, and mobile gaming. Assessments found that the best-fit PQC algorithms selected for standardization by NIST indeed perform well in a telecom setting. PQC algorithms showed relatively little impact on user experience for users of smartphones and fixed broadband services.
Beyond its ability to actively monitor and report expired and unsecure certificates and keys, the SandboxAQ Security Suite also facilitates remediation via cryptographic algorithms and/or protocol switching. Failure to comply with current cryptographic standards has measurable financial consequences and diverts manpower. Improperly encrypted customer data has resulted in multi-million dollar settlements for financial institutions, and application outages caused by expired certificates can cost $1 million USD per hour in lost revenue. To tackle cryptographic vulnerabilities effectively, the initial step involves prevention, achieved by rigorously enforcing compliance and policies.
