Telecom’s Quantum‑Safe Imperative: Challenges in Adopting Post‑Quantum Cryptography
The race is on to quantum‑proof the world’s telecom networks. With cryptographically relevant quantum computers (CRQC) projected to arrive by the 2030s, global communications providers face an urgent mandate to upgrade their security foundations. Today’s mobile and fixed‑line networks rely on public-key cryptography that quantum algorithms could eventually break. In response, the telecom industry is turning to post-quantum cryptography (PQC) as the primary defense. Yet adopting PQC at telecom scale is a complex journey, entailing far more than a simple swap of algorithms. It demands strategic foresight and technical rigor to overcome unique architectural and operational hurdles. As an anecdotal example, my team has been working with one telecommunications provider on quantum readiness for over 10 years, and the company is not even close to completing their PQC migration.
Executive leaders in telecom need to understand that preparing for quantum threats is not just a security upgrade—it’s a strategic resilience initiative. PQC migration will touch every layer of the network and ecosystem: standards bodies must define new protocols, vendors must deliver compliant hardware and software, and operators must coordinate upgrades across global footprints.
Upgrading 5G/6G and IMS Networks for Quantum Safety
Adopting PQC in modern telecom networks will require upgrades to core mobile systems (5G today, 6G tomorrow) as well as IMS voice/data platforms. 5G networks, with their service-based architecture and extensive use of encryption, illustrate the scope of change. For example, 5G introduced subscriber identity encryption (SUPI concealment) using classical public-key ciphers to thwart IMSI catchers. A sufficiently advanced quantum computer could break this encryption, re-exposing IMSIs and undoing 5G’s privacy gains. In effect, a cryptographically capable quantum adversary would reinstate vulnerabilities that 5G was designed to eliminate, akin to bringing 5G security back to 4G-era risks. While 6G standards are expected to bake in quantum-resistant algorithms from the start, current 5G systems may require interim fixes or risk acceptance until upgrades can be rolled out.
Core network protocols will need quantum-safe alternatives. In 5G, all network functions communicate over mutually authenticated TLS/IPsec channels. Migrating those interfaces to PQC (e.g. using hybrid TLS handshakes or PQC-based IPsec/IKEv2) is non-trivial. Larger key sizes and cipher suites must be supported by every element in the chain, from baseband units to core servers. Even the IMS that supports voice (VoLTE/VoNR) and messaging will need its SIP signaling and media security mechanisms upgraded to quantum-safe algorithms. As many IMS nodes run on vendor-specific appliances, operators depend on those vendors for PQC-ready software updates across Session Border Controllers, call servers, and media gateways.
Crucially, industry standards are only just catching up. The 3GPP has begun studying how to introduce PQC in mobile network specs. But until formal 3GPP specifications (for 5G-Advanced or 6G) adopt PQC, any deployment in live networks will use interim solutions. Early movers are already experimenting: in South Korea, SK Telecom and Thales demonstrated post-quantum protection of 5G subscriber identities by using quantum-resistant SIM cards (CRYSTALS-Kyber) to encrypt the SUPI in a live standalone 5G network. This trial showed that quantum-safe algorithms can be implemented in standard 5G frameworks to enhance privacy today, protecting against “harvest now, decrypt later” threats. Similarly, Japan’s SoftBank has piloted a hybrid PQC encryption approach on live 4G/5G traffic, combining classical elliptic-curve and lattice-based algorithms. The result was a working quantum-safe VPN with only marginal added latency, proving that careful integration can secure data streams without degrading performance.
These examples highlight both progress and complexity. Upgrading nationwide mobile infrastructure to PQC will be a gradual, multi-phase effort. Telecom operators must map out which network interfaces and components are most critical to secure first (for instance, inter-carrier roaming links, core control-plane traffic, or subscriber databases), and coordinate with equipment vendors on software releases or hardware replacements. 6G development offers a strategic opportunity: as 6G standards take shape, there is a window to embed quantum-resistant cryptography by design. In the meantime, 5G networks may need stop-gap measures (like hybrid cryptographic modes) to ensure security for the next 5–10 years. The challenge is to implement PQC upgrades in 5G/IMS cores without disrupting service—a task that demands extensive testing, given the mission-critical nature of telecom services.
Dependency on Vendors and Supply Chain Readiness
Telecom operators cannot go it alone in the quantum-safe journey: they are heavily reliant on their hardware and software vendors to implement PQC capabilities. From radio access gear and transport routers to core network software and SIM cards, much of the telco environment is vendor-supplied and often proprietary. This dependency poses a fundamental challenge: if vendors are slow to adopt PQC, operators will be stuck with quantum-vulnerable gear longer than they’d like. Many network elements use embedded cryptography (e.g. in base station chipsets or SIM/UICC secure elements) that can only be changed via vendor-issued firmware or hardware refresh. For instance, PQC-protecting the link between a 5G base station and core (N2/N3 interfaces) would require the base station’s IPsec module to support new algorithms – something an operator can’t do until the base station vendor provides an update.
A coordinated supply chain strategy is therefore essential. According to GSMA’s post-quantum guidelines, early preparation and definition of requirements by operators helps ensure critical PQC capabilities will be available from vendors in time and aligned to the operator’s deployment plans. In practice, this means updating RFPs and procurement contracts to mandate support for NIST-approved PQC algorithms and crypto-agility in new equipment. Some telecom groups and governments may even move toward certification mandates, for example, requiring that MPLS routers or 5G core software be certified quantum-safe by a certain date, which could pressure vendors but also risk slowing deliveries if certification processes lag.
There is evidence the vendor ecosystem is waking up to the challenge. Leading mobile suppliers like Ericsson and Nokia have begun publishing quantum-security roadmaps and prototypes, and network equipment makers such as Cisco are adding support for hybrid key exchange in protocols like IPsec and TLS. Specialized vendors are also emerging with bolt-on solutions (for example, startups offering quantum-safe VPN software to retrofit existing routers). However, widespread readiness will take time. Many suppliers are waiting for finalized standards and proven demand before integrating PQC, meaning full vendor support may lag behind the urgency felt by operators. This lag is a serious constraint: without compatible SIM cards, base stations or CPE (customer-premises equipment), an operator cannot unilaterally switch to quantum-safe mode.
Finally, telecom executives must consider broader supply chain risks and constraints. Hardware replacements (e.g. new cryptographic accelerators or secure modules) could be slowed by semiconductor supply issues or export controls. There’s also security-of-supply to think about: relying on a single vendor for PQC technology could be risky if that vendor experiences delays or if geopolitical factors intervene (as seen with 5G equipment bans). To mitigate this, operators can pursue multi-vendor strategies and participate in industry groups to synchronize timelines. In summary, navigating the PQC transition will require close collaboration with the supply chain—demand signals to vendors, joint testing, and perhaps even co-development efforts—to ensure the needed solutions arrive on schedule and interoperate across a heterogeneous network.
Integration Across Hybrid Cloud and Edge Environments
Modern telecom networks are highly distributed systems, spanning centralized clouds, regional data centers, and edge sites (like base station hubs or MEC nodes). This heterogeneity makes the integration of post-quantum cryptography across the network fabric particularly challenging. Telecom workloads now run on various platforms – virtual machines, containers, bare-metal appliances – often in a hybrid cloud setup. Ensuring that PQC is consistently implemented across all these environments is a non-trivial task.
One complexity is performance and resource constraints at the network edge. PQC algorithms generally have larger key sizes and heavier computation than legacy crypto. Studies show that many post-quantum schemes are slower or produce much larger ciphertexts than RSA/ECC, which can strain network devices and low-power edge hardware. For example, just an extra 1 kilobyte in a TLS handshake (due to a PQC key) can increase response times by ~1.5%. In latency-sensitive applications like voice, video, or real-time IoT control, such overhead can degrade quality of service. Baseband units, IoT gateways, and customer devices with limited CPUs or memory may struggle with the computational load and bigger certificates, making PQC deployment at the edge a significant performance engineering problem. Operators will need to assess whether their current servers, routers, and even HSMs can handle PQC algorithms; in many cases, hardware upgrades or offload engines (e.g. FPGA or ASIC accelerators for lattice math) might be required.
Another issue is the complex web of software components and middleware in telecom clouds. Networks rely on numerous supporting services (orchestration platforms, load balancers, databases, API gateways, etc.). Many of these use TLS/IPsec for internal communication or data encryption. All such middleware must be made quantum-aware. Early experiments by Google and others have found that some middleware or middleboxes break when faced with unexpectedly large keys or novel cryptographic parameters. For instance, a firewall or proxy that hasn’t been updated might reject a longer TLS certificate chain or an unknown cipher suite, causing traffic to fail. Telecom operators need to thoroughly audit and test their cloud and IT systems for PQC compatibility, ensuring that container platforms (Docker/Kubernetes), service meshes, message buses, etc., can support new algorithms or at least pass them through unimpeded. As the GSMA guidance notes, even ostensibly simple upgrades can be derailed by “non-compliant middleware” in the environment; identifying and fixing such issues early is key to a smooth migration.
The hybrid cloud context also raises the challenge of coordinating PQC across multiple domains. Many telcos use a mix of private telco cloud and public cloud services. If parts of a network’s functions run in public cloud, the operator must work closely with the cloud provider to ensure support for PQC libraries and hardware in those environments. Data that travels between cloud and edge (over VPNs or SD-WAN) will need quantum-safe encryption on those links as well, again with both sides upgraded. Multi-access edge computing (MEC) nodes, which often handle sensitive data caching or local breakout, should ideally be secured with PQC to prevent any local tapping from yielding long-term secrets. In short, the entire chain from central cloud to far edge must be quantum-safe, which means upgrading a vast array of systems consistently.
One approach to ease integration is adopting a crypto-agile architecture. This involves abstracting cryptographic functions so they can be updated centrally and uniformly. For example, using software-defined networking and centralized key management can help deploy new PQC algorithms quickly across distributed sites. Several open-source projects and libraries (OpenSSL, TLS stacks, etc.) are already adding PQC support. Telecom operators can leverage these in their private cloud platforms and push vendors to use them, which would create a more uniform, interoperable PQC implementation across the network. Nonetheless, building quantum-safe telecom clouds and edges will require meticulous planning, performance tuning, and likely an iterative rollout (starting with non-critical links or dual-stack crypto modes) to ensure that customer experience remains unaffected while quantum security is introduced.
Key Management and PKI Complexities in Distributed Infrastructure
Telecommunications networks depend on extensive public key infrastructure (PKI) for identity management, authentication, and encryption services. From SIM provisioning and network element authentication to VPN tunnels and software signing, PKI is everywhere in a telco environment. Transitioning this vast PKI ecosystem to post-quantum cryptography presents unique challenges in terms of key management, certificate formats, and overall lifecycle.
Firstly, existing certificate standards and protocols need updates. The X.509 certificates and certificate management protocols used today were not designed with PQC in mind. For instance, Certificate Management Protocol (CMPv2), commonly used for managing certificates in carrier networks, lacks the needed crypto-agility and extension support for PQC keys. Similarly, standard X.509 certificate fields will have to accommodate much larger PQC public keys (which can be several kilobytes) and potentially multiple keys or signatures (for hybrid schemes). Telecom CAs may need to issue hybrid certificates containing both a classical and a post-quantum public key/signature. There is ongoing work in standards bodies like ITU-T and IETF on defining such formats, but no universal solution has been settled as of 2024. The lack of an agreed approach means early adopters might have to use interim or proprietary certificate solutions, and then later realign once standards mature.
Managing key sizes and lifetimes will also become more complex. PQC algorithms (particularly some code-based or hash-based ones) may have significantly larger keys and different trust properties. Telecom operators must ensure their HSMs and key stores (which secure root keys for authentication servers, subscriber databases, etc.) can handle keys that might be much larger than RSA keys. GSMA notes that server-grade systems can handle PQC algorithm computations relatively well, but the bigger storage and bandwidth overhead is a concern. For example, distributing a post-quantum certificate chain to thousands of base stations or millions of SIM profiles could tax databases and increase update times. It’s essential to verify that key distribution channels (like OTA SIM provisioning systems, network configuration management, etc.) can support these larger cryptographic objects without failure. In one positive sign, NIST’s chosen PQC algorithms (like Kyber for KEM and Dilithium for signatures) are designed to be quite efficient; early tests show their computation speed is comparable to or even faster than RSA/ECDSA at equivalent security levels. However, the supporting infrastructure around them (certificate chains, CRLs, authentication protocols) will need optimizations to deal with size and bandwidth impacts.
Another critical aspect is distributed key management. Telecom networks consist of many distributed nodes (e.g. base stations, edge servers, user devices), which means keys and certificates are deployed widely and need periodic rotation. Introducing PQC will require a sweeping update of these credentials: every network element certificate, every device authentication token, every internal service key may need a PQC or hybrid replacement. This has to be done in a coordinated fashion to avoid service disruption. During migration, systems might need to maintain dual key pairs (classical and PQC) to communicate with different counterparts. Keeping track of multiple keys per entity and ensuring they are rotated and revoked properly adds to administrative complexity. Key lifecycle management tools will need enhancements to handle new key types and possibly shorter validity periods if recommended. There is also the case of certain PQC signature schemes (like stateful hash-based signatures) that require careful management of one-time keys to avoid reuse – a nuance that typical telco PKI operators have not had to consider before. Mistakes in these processes could undermine security; thus, robust governance and inventory of cryptographic assets are necessary.
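The one-time-key bookkeeping that stateful hash-based signatures require, as an added sketch (not code from the original article or from any PKI product): an index is persisted as spent before it is released to the signer, so a crash wastes indices but never reuses one, and a restored backup is caught by comparing against an independent record of issued signatures. The class, file name and batch size are hypothetical, and the signing operation itself is out of scope.

```python
import json
import os
import tempfile


class IndexExhausted(Exception):
    """Every one-time key under this public key has been handed out."""


class StateRollback(Exception):
    """The state file is older than signatures that were already issued."""


class OneTimeIndexStore:
    """Durable counter for the leaf index of one stateful signing key."""

    def __init__(self, path, total_leaves, batch=8):
        self.path, self.total, self.batch = path, total_leaves, batch
        if os.path.exists(path):
            with open(path) as fh:
                # Everything a previous run reserved counts as spent, whether
                # or not it was actually used before the process stopped.
                self._next = self._reserved = json.load(fh)["reserved_upto"]
        else:
            self._next = 0
            self._persist(0)

    def _persist(self, reserved_upto):
        # Write to a temp file, fsync, then rename: the state file is never
        # half-written and the reservation survives a power loss.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as fh:
            json.dump({"reserved_upto": reserved_upto}, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.path)
        dir_fd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)
        self._reserved = reserved_upto

    def check_against_audit(self, highest_index_seen):
        """Refuse to continue if an independent record shows a newer index
        than this state file knows about (restored backup or VM snapshot)."""
        if highest_index_seen >= self._reserved:
            raise StateRollback(
                f"index {highest_index_seen} already issued, "
                f"state only reserves up to {self._reserved}")

    def next_index(self):
        """Return an index that has never been returned before."""
        if self._next >= self.total:
            raise IndexExhausted("key is used up; rotate to a new key pair")
        if self._next >= self._reserved:
            # Reserve a batch on disk BEFORE releasing any index from it.
            self._persist(min(self._next + self.batch, self.total))
        index = self._next
        self._next += 1
        return index


def demo_crash_and_rollback():
    """Constructed scenario: sign, back up, crash, sign, restore the backup."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "signing-key.state")  # constructed name
        first = OneTimeIndexStore(path, total_leaves=20, batch=8)
        used = [first.next_index() for _ in range(3)]
        with open(path) as fh:
            backup = fh.read()                  # backup taken at this point
        second = OneTimeIndexStore(path, total_leaves=20, batch=8)  # restart
        used += [second.next_index(), second.next_index()]
        with open(path, "w") as fh:
            fh.write(backup)                    # operator restores the backup
        restored = OneTimeIndexStore(path, total_leaves=20, batch=8)
        try:
            restored.check_against_audit(max(used))
            rollback_detected = False
        except StateRollback:
            rollback_detected = True
        return used, rollback_detected


if __name__ == "__main__":
    print(demo_crash_and_rollback())
```

The indices skipped after the restart are the price of crash safety; the batch size trades wasted one-time keys against the number of synchronous disk writes.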
In summary, telecom operators must renovate their PKI and key management practices for the quantum era. Efforts should include upgrading certificate infrastructures for crypto-agility, testing PQC-capable versions of protocols like TLS, IKE, and OAuth that are used internally, and possibly standing up new PKI hierarchies dedicated to PQC credentials. According to GSMA’s guidelines, a sensible approach is to perform a comprehensive cryptographic inventory and impact assessment on all use cases, then prioritize which PKI components to upgrade first. By investing early in quantum-safe PKI solutions, telecom providers can ensure that when the switch is flipped to PQC, their authentication and trust mechanisms will continue to run smoothly across their distributed infrastructure.
Backward Compatibility and Multi-Algorithm Transitions
The transition to quantum-safe cryptography in telecom will span many years, during which not all systems and devices will be upgraded in sync. This raises a fundamental challenge: backward compatibility. Telecom networks thrive on interoperability – from global roaming between operators to handovers between 4G, 5G, and Wi-Fi. Introducing PQC into this mix must be done in a way that doesn’t fracture connectivity or exclude legacy equipment.
One risk is that a network element upgraded to use PQC may find that its peers are not yet upgraded, potentially breaking communication. Many telecom protocols follow a “fail secure” principle, meaning if two nodes can’t agree on a common cipher, the connection is not established to avoid downgrade attacks. In a scenario where, say, a core network node only offers a post-quantum TLS cipher suite but a neighboring node only knows classical ciphers, they won’t be able to set up a secure channel. A PQC-enabled node could even be isolated or “cut off” from the network if surrounding systems don’t recognize the new algorithms. For a telecom operator, such incompatibilities are unacceptable, as they could lead to dropped traffic or an inability to manage network elements remotely. Therefore, careful planning is needed so that critical pairs or groups of systems are upgraded in tandem, or that nodes support dual modes (both classical and PQ) during the transition.
The current best practice to address this is implementing multi-algorithm (hybrid) approaches. In a hybrid cryptographic mode, connections are established using both a traditional algorithm and a post-quantum algorithm. For example, the IETF has proposed extensions for TLS 1.3 that perform a dual key exchange – combining an ECDH exchange with a Kyber KEM exchange, so that the session key is secure as long as at least one of the two algorithms remains secure. This allows a gradual migration: even if a client or server doesn’t understand the PQC part, it can fall back to the classical part, and if both understand PQC, they get quantum-resistant security. Similarly, hybrid IPsec/IKE modes are being standardized to mix Diffie-Hellman and PQC exchanges. Many telcos see hybrid modes as a pragmatic strategy for the 2020s. However, hybrids come with their own costs: they increase computational overhead (doing two handshakes instead of one) and add protocol complexity, which can introduce new interoperability issues if not carefully tested. Moreover, managing hybrid certificates (with two sets of signatures/keys) complicates the certificate validation process and bloats message sizes.
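A pre-rollout check for the two paragraphs above, as an added sketch (not from the original article or any vendor tool): it models fail-secure key-exchange negotiation on every link, reports which links would fail or stay classical, and shows what a proposed configuration change would break. Node names, topology and the rule that the server's preference order decides are assumptions; the group names are used only as labels.

```python
from dataclasses import dataclass

CLASSICAL = {"x25519", "secp256r1"}
HYBRID = {"X25519MLKEM768"}
PURE_PQC = {"MLKEM768"}
RANK = {"FAIL": 0, "CLASSICAL": 1, "HYBRID": 2, "PQC": 2}


@dataclass(frozen=True)
class Node:
    name: str
    groups: tuple  # key-exchange groups this node accepts, most preferred first


def negotiate(client, server):
    """Return the agreed group, or None when there is no overlap.

    Assumption: the server picks the first entry of its own preference list
    that the client also offers. None means fail secure: no channel at all.
    """
    offered = set(client.groups)
    for group in server.groups:
        if group in offered:
            return group
    return None


def classify(group):
    if group is None:
        return "FAIL"
    if group in HYBRID:
        return "HYBRID"
    if group in PURE_PQC:
        return "PQC"
    if group in CLASSICAL:
        return "CLASSICAL"
    raise ValueError(f"unknown group label: {group}")


def audit(nodes, links):
    """Classify every link; either end may initiate, so keep the weaker result."""
    by_name = {n.name: n for n in nodes}
    report = {}
    for a, b in links:
        forward = classify(negotiate(by_name[a], by_name[b]))
        reverse = classify(negotiate(by_name[b], by_name[a]))
        report[(a, b)] = min((forward, reverse), key=RANK.get)
    return report


def isolated(nodes, report):
    """Nodes whose every link fails: the 'cut off' case."""
    cut_off = []
    for node in nodes:
        mine = [r for (a, b), r in report.items() if node.name in (a, b)]
        if mine and all(r == "FAIL" for r in mine):
            cut_off.append(node.name)
    return cut_off


def what_if(nodes, links, name, new_groups):
    """Effect of reconfiguring one node: changed links and newly cut-off nodes."""
    changed = [Node(n.name, tuple(new_groups)) if n.name == name else n
               for n in nodes]
    before, after = audit(nodes, links), audit(changed, links)
    diff = {link: (before[link], after[link])
            for link in links if before[link] != after[link]}
    return diff, isolated(changed, after)


# Constructed inventory; names and settings are hypothetical.
NODES = [
    Node("amf", ("X25519MLKEM768", "x25519")),
    Node("smf", ("X25519MLKEM768", "x25519")),
    Node("udm", ("x25519", "X25519MLKEM768")),   # hybrid on, classical preferred
    Node("gnb-legacy", ("secp256r1", "x25519")),
    Node("li-mediation", ("x25519",)),
]
LINKS = [("amf", "smf"), ("amf", "udm"), ("amf", "gnb-legacy"),
         ("smf", "li-mediation")]

if __name__ == "__main__":
    for link, result in audit(NODES, LINKS).items():
        print(link, result)
    print(what_if(NODES, LINKS, "amf", ("X25519MLKEM768",)))
```

The "udm" entry shows a case a plain capability inventory misses: both ends support the hybrid group, yet the link runs classical whenever the node that prefers classical acts as server.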
Legacy compatibility also extends to end-user devices. Mobile handsets, IoT sensors, customer routers—these might not be replaced or updated as quickly as network infrastructure. Telecom operators may find themselves supporting classical algorithms for older devices well into the future. A concrete example is 4G/LTE networks: as 5G adoption grows, 4G use declines, but completely phasing out 4G will take time. Operators must judge if it’s worth retrofitting quantum-safe algorithms into 4G systems or simply accept that 4G communications will remain quantum-vulnerable until they’re retired. Most indications are that focus will be on forward-looking technology (5G, 5G-Advanced, 6G) for PQC upgrades, while older networks operate in a risk-accepted state until decommissioned.
It’s also important to note that regulatory and national differences can influence multi-algorithm environments. Some national security agencies mandate, or will soon mandate, hybrid use – requiring that post-quantum crypto be deployed alongside classical crypto until PQC’s strength is proven over time. Others, like NIST in the US, allow pure post-quantum usage at certain security levels. A global operator must often comply with the strictest common denominator to be safe in all jurisdictions. GSMA highlights this “misalignment between governmental recommendations” as a key issue and urges identifying a set of crypto parameters that can satisfy all countries of operation. This often means supporting multiple algorithm suites in parallel to meet different market requirements.
In summary, backward compatibility will be an ongoing concern throughout the PQC migration. Multi-algorithm (hybrid) operations are a necessary bridge – they ensure security while the old and new coexist, but they demand robust implementation and governance. Operators should prepare to run hybrid cryptographic environments for an extended period, with comprehensive testing to ensure that devices and network elements negotiate algorithms correctly. The goal is a graceful transition, where customers and services see no disruption or degradation whether sessions are secured by classical RSA today or by lattice-based cryptography tomorrow. Achieving that goal will require discipline: maintaining support for legacy crypto until it’s safe to turn it off, and keeping the network flexible enough to introduce or remove algorithms as needed (the essence of crypto-agility).
Lawful Interception and Regulatory Compliance Implications
Telecom operators have legal obligations to support lawful interception (LI), enabling law enforcement agencies (LEAs) to access communications or metadata under proper authority. Any major change in network cryptography inevitably raises questions about LI capabilities and compliance. Adopting post-quantum cryptography is no exception: operators must ensure that their move to quantum-safe encryption does not inadvertently thwart lawful intercept or make it less secure.
It’s important to clarify that in telecom networks, lawful interception typically occurs at a point of trust (within the operator’s network) rather than by breaking encryption. Even so, the systems that enable LI are themselves secured by cryptography. For example, the interface between an operator’s LI management system and an LEA’s monitoring facility is usually protected by strong encryption and authentication, to prevent any unauthorized access or tampering with intercepted data. These handover interfaces and warrant delivery mechanisms will need to be upgraded to PQC just like any other secure link. GSMA’s guidance on LI explicitly notes that the first step to make LI systems quantum-safe is updating the confidentiality and integrity protection of LI requests and data as they transit between the operator and law enforcement. In practice, this might mean deploying quantum-resistant VPNs or tunnels for LI data delivery and using PQC-based digital signatures on warrant orders to ensure they cannot be forged by a quantum-capable adversary in the future.
Another consideration is the upgrade of the LI platforms themselves. LI systems (often comprised of a mediation device within the network and a monitoring facility outside) are supplied by specialist vendors and integrate with various network functions (mobile core, IMS, etc.). These systems use embedded cryptography for access control and secure storage of intercepted content. Operators will need to work with LI solution providers to implement post-quantum algorithms in these products. For instance, the database storing retained data or call content might encrypt entries with classical AES or RSA-based keys today; moving forward, it may require quantum-safe symmetric encryption (with longer keys or new modes) and PQC for key wrapping or data encryption keys. Ensuring data confidentiality over long retention periods is crucial, since intercepted data could be kept for years and thus must remain secure against future quantum decryption attempts. The GSMA document underscores that LI data is exceptionally sensitive and must never be altered, so any cryptographic transition has to be done without risking data integrity.
From a lawful access standpoint, PQC might prompt discussions between operators and regulators to reaffirm interception capabilities. Because PQC will strengthen encryption, one might ask: does it make it harder for authorities to intercept? The answer, in the telecom context, is generally no: since intercept is executed by the operator within the network, stronger encryption on the radio or transport links doesn’t prevent the operator from capturing communications in clear (after decryption at the core) and handing them to law enforcement. However, regulators will want assurance that new encryption measures won’t introduce blind spots. For example, if an operator uses end-to-end quantum-safe encryption in an application layer (beyond the standard 3GPP scope), LEAs might need new solutions or updated legal frameworks. Most telecom PQC efforts, though, are focused on securing network layers without impacting the operator’s own visibility (i.e., securing between nodes, not against the operator). As long as that remains the case, lawful interception should remain feasible.
One specific implication to manage is timing and coordination. If an operator upgrades parts of the network to PQC but the associated LI components are not upgraded concurrently, there’s a potential vulnerability: the LI system could become the weakest link. For instance, if core network interfaces use quantum-safe TLS but the LI handover link to the agency still uses RSA, an attacker with a quantum computer in the future might target that handover link to obtain intercept data. So, operators must include LI systems in their overall PQC migration plan, even though those systems might be out of the normal IT upgrade cycle and involve third-party government coordination. According to GSMA, all the internal X-interfaces defined by ETSI for LI (between network functions and the LI mediation system) will also need to be made quantum-safe to protect against any breach of the interception process. This likely means updating security on interfaces in mobile cores that feed intercept data.
In conclusion, while PQC implementation should not impair lawful interception in principle, it adds an extra layer of systems to be upgraded and vetted. Telecom executives must liaise with both LI vendors and government stakeholders to guarantee that quantum-resistant encryption is deployed hand-in-hand with lawful access mechanisms. By doing so, they ensure that improving customer security doesn’t inadvertently create gaps in lawfully authorized monitoring, and that intercept data itself remains secure from any quantum-enabled adversary.
Supply Chain Constraints and Lifecycle Complexity
Adopting post-quantum cryptography in telecom is not a one-time project, but rather a continuous journey that will span technology generations. Two overarching challenges frame this journey: supply chain constraints (delivering the necessary components and updates at scale) and lifecycle complexity (managing the transition and future updates over time).
From a supply chain perspective, timing is everything. The transition to PQC requires new or updated chips, devices, and software across potentially millions of network elements and end-user devices. If these arrive late or in insufficient quantity, operators could face security exposure or deployment delays. For example, consider the simple case of replacing customer home gateways (routers) with PQC-capable versions: manufacturing and distributing new hardware to customers worldwide is a massive logistical feat that could take years. Any hiccup—such as semiconductor shortages or slow certification—could constrain an operator’s ability to upgrade its base in time. Telecom equipment typically has long lead times, so orders for PQC-supporting hardware (like crypto accelerator cards for core routers, or new 6G base stations with built-in quantum-safe encryption) need to be placed well in advance. Operators who plan early and engage vendors now are at an advantage in the supply queue.
Global operators also have to juggle multi-national regulatory landscapes when it comes to cryptography imports/exports and standards. In some regions, certain PQC algorithms might not be approved (for example, a country could mandate a locally developed algorithm instead of NIST’s choices). This can fracture the supply chain if equipment vendors have to produce country-specific variants of software or hardware. The GSMA notes that divergent national approaches (US, EU, China, etc.) are already leading to inconsistent recommendations on algorithms and key sizes, complicating the job of telecom standards that aim for worldwide interoperability. One illustrative example: European agencies like ANSSI/BSI recommend very high security parameters (NIST Level 3 or above) for PQC, whereas some other guidelines might accept lower levels. Likewise, Germany’s BSI has shown favor to certain algorithms like Classic McEliece or FrodoKEM which NIST did not select, meaning vendors might need to support multiple algorithm options to satisfy different markets. All this diversity means operators and their suppliers must carefully navigate requirements to ensure a product is compliant everywhere it is deployed. Building consensus via bodies like ETSI, ITU, and the GSMA Task Force will be critical to streamline the supply side.
Turning to lifecycle complexity, we must recognize that PQC migration is not an event but an ongoing process. Cryptographic algorithms can have unforeseen weaknesses – already during the NIST PQC competition, some candidates got cracked or significantly attacked, and alternative algorithms had to be considered. It is very possible that in 5–10 years, new PQC algorithms (or improved versions) will emerge that supersede the current choices. Telecom networks, due to their longevity, must be prepared for a “crypto agility” mindset: the ability to swap out algorithms or adjust key sizes with minimal disruption. As emphasized earlier, building crypto-agile frameworks into today’s upgrades will save pain later. This could mean deploying support for multiple PQC algorithms even if you standardize on one now, so that a patch or configuration change could move to another if needed.
The lifecycle challenge also involves phased execution and coexistence. A recommended approach (as per GSMA and NCSC guidance) is to break the migration into phases: discovery, planning, implementation, operation. During implementation, there will likely be a period of running dual infrastructures or at least dual configurations: one using classical crypto and one using PQC, to ensure everything works before fully cutting over. Operators will have to maintain these parallel systems, which is resource-intensive but necessary for risk mitigation. Continuous monitoring is needed as well—both for threat evolution (e.g., tracking quantum computing progress and updating risk assessments) and for new vulnerabilities in the post-quantum solutions themselves. The first few years of PQC deployment might reveal performance issues or bugs (like the middleware failures mentioned earlier, or perhaps a PQ algorithm not handling certain traffic patterns well). Operators must treat this as a living process, incorporating feedback and improving configurations.
Another facet of lifecycle management is customer and business processes. Telecom services often come with contracts and SLAs that span multiple years. Enterprises that buy VPN or leased-line services will need assurance that those services will be quantum-safe by the end of the decade. Operators will have to manage customer migrations, possibly offering quantum-safe options as premium or default features and handling the upgrades of CPE (Customer Premises Equipment) as part of service lifecycle. Similarly, internal systems like billing, provisioning, and OSS/BSS may contain cryptographic components (e.g., secure APIs, databases of credentials) that have long lifecycles and require updating. Each of these systems might follow a different release schedule, so aligning them in a coherent PQC transition program is a major program management exercise.
In summary, embracing PQC in telecom involves navigating the supply chain wisely and committing to a long-term evolution path. By influencing the supply chain early, operators can mitigate delays and ensure technology readiness. By acknowledging lifecycle complexity, they can allocate budgets and teams for an extended migration, rather than treating it as a one-off upgrade. The quantum threat will continue to evolve, and so must the telecom defenses against it—this is a new permanent facet of network planning going forward.
Coordination with Standards and Industry Bodies
No telecom transformation would be complete without alignment to standards and industry consortia, and the quantum-safe transition is no exception. Given the global interoperability requirements (especially in mobile networks), coordination with bodies like 3GPP, ETSI, GSMA, ITU, and national cybersecurity agencies is crucial to ensure a smooth and unified adoption of post-quantum cryptography.
3GPP (Third Generation Partnership Project) – which defines the standards for 5G, LTE, and 6G – plays a pivotal role. Security Working Groups in 3GPP (such as SA3) have started work to study and specify PQC transitions. We can expect that 3GPP Release 19 or 20 will include options or requirements for quantum-resistant algorithms in areas like AKA (Authentication and Key Agreement), encryption of subscriber identifiers (SUPI/SUCI), and inter-network security. Telecom operators should actively contribute to and follow these 3GPP efforts, because any solutions standardized there will form the baseline of future equipment and software. Aligning one’s internal roadmap with the 3GPP timeline (e.g., planning network upgrades to coincide with Release 19 features) can reduce duplication of effort and avoid proprietary approaches.
ETSI (European Telecommunications Standards Institute) is another key player, particularly through its Quantum-Safe Cryptography (QSC) working group. In fact, ETSI has been working on quantum-safe cryptographic standards for years, often in collaboration with academia and government agencies. The QSC group’s work, such as hybrid key exchanges and quantum-safe VPN profiles, is directly relevant to telecom networks (many of which use ETSI specs for lawful intercept, lawful disclosure, etc.). ETSI is urging organizations to begin using quantum-resistant encryption as soon as possible, even ahead of some standards, to safeguard data and be prepared for future requirements. For telecom operators, keeping track of ETSI releases (and participating if possible) ensures that their implementations will be compliant with emerging European and global norms.
The GSMA (GSM Association) has also taken a lead through its Post-Quantum Telecom Network Task Force. Founded in 2022, this task force has grown to include 50+ telcos and 20+ major operators collaborating on PQC readiness. The GSMA has already produced reference documents (like the PQ.01 Impact Assessment and PQ.03 Guidelines I’ve cited) that serve as playbooks for the industry. They cover use cases, technical challenges, and migration strategies specifically tailored to telecom. By following GSMA’s recommendations and participating in their working groups, operators can share knowledge and push for solutions to common problems (for example, agreeing on how to handle roaming with one network using PQC and another not yet, or defining best practices for hybrid certificate usage). GSMA also serves as a liaison to 3GPP and IETF, conveying operator requirements. Indeed, 3GPP SA3 has acknowledged and responded to GSMA’s liaison statements on PQC, indicating a healthy dialogue between standards makers and industry. The outcome of this coordination is likely to be more coherent guidance and possibly faster standardization.
On the global stage, bodies like the ITU-T (International Telecommunication Union – Standardization Sector) and national institutes such as NIST in the US and ENISA/NCSC in Europe provide overarching direction. NIST’s selection and standardization of PQC algorithms (to be finalized in 2024) is a cornerstone – telecom security will revolve around those algorithms (Kyber, Dilithium, Falcon, etc.) for the foreseeable future. Many operators and vendors have participated in NIST’s process or followed its outputs. The NSA in the US with CNSA 2.0 has mandated government systems to transition by 2035, which indirectly affects telecom suppliers who serve government contracts. These directives shape the environment in which telcos operate, essentially setting target dates and providing justification for investing in PQC now (which executives can use in business cases for funding these upgrades).
Finally, one should mention the role of the broader cryptographic community and open-source initiatives. The IETF has multiple draft standards for incorporating PQC into internet protocols (TLS, IPsec, SSH, etc.), and open-source cryptographic libraries are implementing those. Telecom operators rely on many of these protocols in their IT and cloud segments. Active engagement with these communities or at least monitoring their progress is vital to avoid diverging implementations. Embracing widely accepted standards (once finalized) also reduces the risk of vendor lock-in or incompatibility.
In essence, the telecom PQC transition must be a concerted, industry-wide effort. Through standards bodies and alliances, the industry can share the burden of development and ensure interoperability. Executives should encourage their teams to not only follow standards but to contribute requirements – for instance, highlighting the need for efficient PQC handshakes that work over satellite links, or stress-testing candidate algorithms under telecom workloads. A coordinated approach will help avoid fragmentation (which could be disastrous in a global network scenario) and will give equipment vendors clear targets to build towards. The good news is that such coordination is well underway: forums are established, and the telecom sector is recognized as a priority in the quantum-safe discourse. The task now is to translate these collaborative efforts into concrete standards and products, in time to outpace the adversaries who would exploit quantum computing against our networks.
Conclusion
Adopting post-quantum cryptography is one of the most significant security upgrades in telecom’s history, on par with the shifts from analog to digital or from circuit to packet networks. As I have detailed, the challenges are multifaceted – spanning technology, operations, vendor management, and regulatory spheres – but they are surmountable with proactive strategy and industry collaboration. In confronting the quantum threat, telecom operators have a duty to protect the global communications infrastructure that societies and economies rely on. The window to act is finite. On the other hand, the telecom industry has a strong track record of coming together to tackle security challenges, from establishing world-standard GSM encryption to collaborating on 5G security assurance.