
Telecom Quantum Readiness: Why the Urgency and Where to Start

Introduction

An increasing number of telecom leaders have been pinging me lately about quantum readiness. And frankly, that’s exactly what they should be doing. New regulations and mandates are emerging left and right (in various jurisdictions and across the industry) requiring critical infrastructure to become quantum-safe in the coming years.

As someone who used to run global telecom cybersecurity practices – and served as interim CISO for several telcos – I can attest that preparing a large telecom for the post-quantum era is far from a trivial “patch update.” In fact, transitioning a telco to post-quantum cryptography (PQC) is an enormous, multi-year effort – likely “the largest and most complex digital transformation [an] organization has ever undertaken”.

Telcos are critical national infrastructure (arguably the most critical) and also among the most complex IT/network environments out there. Every element of modern telecom networks – from the 5G radio access and core, to IMS systems, to countless OSS/BSS applications – is woven with cryptography. Replacing or upgrading all those algorithms is a marathon, not a sprint. By now every telco should be well underway with a quantum readiness program. If you haven’t started, the second-best time is now.

The quantum threat isn’t science fiction or “next generation” hype; it’s a tangible risk within the strategic planning horizon (many experts project powerful quantum computers by the 2030s). The good news is that readiness is still achievable on time if you approach it in a disciplined and comprehensive way.

The Challenge: Quantum Proofing a Telco Is Harder Than It Looks

Why is quantum readiness particularly challenging for telcos? To put it bluntly, adopting PQC at telecom scale entails far more than swapping algorithms. Telecom networks have so many moving parts, legacy systems, and vendor-dependent components that the transition requires strategic foresight and technical rigor at an unprecedented scale. This isn’t just a software upgrade – it’s a strategic initiative touching every layer of the network and ecosystem, from standards bodies defining new protocols, to vendors delivering compliant gear, to operators coordinating upgrades across global footprints. As an anecdote, one telecommunications provider I worked with has been grappling with quantum readiness for over 10 years, and they’re still not close to completing their PQC migration. That’s how sprawling and multi-faceted this effort can be.

The complexity for telcos comes from a perfect storm of factors: massive device and software diversity, long equipment lifecycles (telco gear can stay in networks for decades), strict uptime requirements (you can’t just take the network down for a crypto upgrade), and heavy reliance on third-party vendors who control much of the tech stack. A mobile operator’s network involves everything from SIM cards and RAN base stations to cloud orchestrators and customer handsets – and every piece uses cryptography. Hence, achieving quantum readiness means systematically hunting down and fixing every instance of vulnerable crypto, often in equipment you don’t fully control. It’s like changing the engines on a jetliner while it’s in flight. Yet despite these challenges, it can be done – with careful planning, phased execution, and industry collaboration.

Key Resources for Kicking Off a Telecom Quantum Readiness Program

To help telco CISOs and security teams get started (or refine their plans), I’ve compiled a list of in-depth articles I’ve written over the years on various aspects of telecom security and quantum readiness. Each of these posts dives into a different piece of the puzzle – together, they form a toolkit of insights for building your own quantum-safe telecom roadmap. Below I summarize each resource and why it matters:

  • Telecom’s Quantum‑Safe Imperative: Challenges in Adopting Post‑Quantum Cryptography – This article (Feb 2024) explains why migrating a telco to PQC is so daunting, laying out the unique hurdles operators face. It covers how 5G/6G mobile networks and IMS cores will need upgrades to support quantum-resistant algorithms, and how a quantum adversary could roll back 5G security gains (for example, by breaking 5G’s SUPI encryption and exposing IMSIs). It discusses the industry’s dependency on vendors – noting that until 3GPP standards include PQC, operators must work with interim solutions and pressure their suppliers for updates. The post also delves into backward compatibility (e.g. using hybrid crypto so 5G devices that aren’t PQC-capable can still connect) and thorny issues like lawful intercept implications. A key takeaway is that PQC migration touches every part of the telecom ecosystem and will be a gradual, multi-phase effort. Executive leadership must treat it not as a routine tech upgrade but as a strategic resilience project, investing accordingly.
  • Quantum-Readiness / PQC Full Program Description (Telecom Example) – In September 2025 I published a comprehensive, 10+ year roadmap for quantum enabling a large telco’s entire estate. If you need a holistic view of what a quantum readiness program looks like, this is it. The article breaks down the journey into four major phases: Discovery (asset and cryptography inventory), Assessment & Planning (risk prioritization, strategy design), Implementation (deploying PQC and crypto-agility), and Operations (long-term maintenance of crypto-agile systems). It dispels the myth of any “silver bullet” solution – there is no one-click fix in a telco environment. One striking point: Phase 1 (Discovery) alone can take a year or more, because you have to find all the places where encryption is used. This involves building a detailed Cryptographic Bill of Materials (CBOM) for your network and IT systems – essentially a living inventory of all cryptographic algorithms, libraries, certificates, and keys in use. (For a large operator, that inventory effort can cost millions and require scanning thousands of systems!) The output of Phase 1 – a full cryptographic asset list – then feeds a risk analysis to prioritize which vulnerabilities to tackle first, and a strategic plan approved by management. The post goes on to estimate timelines and costs: for example, a full telco PQC migration might cost on the order of hundreds of millions of dollars spread over a decade, factoring in new hardware, software updates, testing labs, vendor coordination, and so on. It’s a sobering read, but also an optimistic one – it shows that with structure and executive buy-in, a telco can navigate this marathon and come out quantum-safe. If you need to educate your board or leadership on why “quantum-proofing” is not just another 6-month IT project, this detailed program outline is a great reference.
  • Cryptography in a Modern 5G Call: A Step-by-Step Breakdown – One big reason telco PQC migration is challenging is simply the sheer scale of cryptography in telecom networks. This March 2022 post is a technical deep-dive that walks through every cryptographic step in a typical 5G voice call (with roaming) – from the SIM authentication and AKA handshake, to radio link encryption, core network TLS/IPSec tunnels, all the way to billing systems. The goal was to make the invisible visible. Many telecom executives vastly underestimate how many different crypto mechanisms are running behind the scenes of even a single call. In the article, I note that some of my advanced telecom clients only began grasping this when they kicked off PQC programs. Indeed, from the moment a user’s device attaches to the network, through the call setup and into every backend system, there are hundreds of cryptographic operations at work. The step-by-step breakdown in this post highlights where those algorithms are (e.g., the SUPI concealment using ECIES, the IPsec tunnels between network functions, the HTTPS APIs in the 5G core, etc.) and discusses which are vulnerable to quantum attacks. For a CISO, this is a great explainer to share with your team or stakeholders – it vividly illustrates why a thorough cryptographic inventory (CBOM) is necessary, and why quantum-proofing telecom isn’t just a matter of patching a few SSL libraries. It’s an eye-opener that underscores the importance of crypto agility: after reading, you’ll appreciate that securing a 5G network means addressing a lot of crypto touchpoints.
  • Quantum Computing – Looming Threat to Telecom Security – In 2021, I published this piece to paint a picture of what’s at stake if telcos don’t get quantum-ready in time. It uses a fictional scenario (“Zenith Telecom”) to imagine the “day-before-launch nightmare”: a future quantum-enabled attacker wreaks havoc on a 5G network. In the scenario, encrypted data flows that were assumed secure suddenly become readable in plain text, VPN tunnels are silently compromised, authentication tokens get forged allowing intruders in, and even 5G SIM-based authentication (5G-AKA) is broken, exposing millions of subscribers’ credentials. The fallout? Massive outages, failures of emergency calls, critical IoT systems going haywire, financial fraud – in essence, a nation-scale cyber catastrophe. Now, to be clear, this scenario is not reality today – as the article notes, such an attack “is not immediately plausible” with current technology. But it’s a thought exercise illustrating how deeply entwined our telecom networks are with cryptography, and how a quantum breach could have cascading real-world consequences (from public safety to national security). The post then explains the basics of quantum computing and why it breaks current crypto, reinforcing that it’s a matter of when, not if, these threats materialize. For telecom security leaders, this is a good article to sensitize non-technical stakeholders. It answers the “so what?” question around quantum risk with a vivid example, and then brings the reader back to the present: we still have time to prepare, but the window for proactive action is finite.
  • Quantum Readiness for Mission-Critical Communications (MCC) – Telecommunications isn’t only about public networks; many countries and enterprises run mission-critical comms networks (for police, emergency services, military, utilities, etc.) These systems (often land-mobile radio or dedicated LTE/5G networks for public safety) have extremely high resilience requirements and sometimes operate for decades once deployed. I used to lead end-to-end MCC implementations, so this is close to me. I included this 2023 post because it provides a slightly different angle on quantum readiness, one that telecom folks can appreciate especially if you interface with government or critical infrastructure clients. MCC networks might be separate from commercial telcos, but the technologies and challenges overlap – and in many cases, MCC environments are even less flexible in terms of upgrades. The post points out that MCC projects often cost tens of billions and are built for 20-30 year lifespans, so they absolutely need to worry about the quantum threat in their long-term planning. It reiterates the core quantum threat (Shor’s and Grover’s algorithms threatening RSA/ECC and weakening symmetric crypto) and the “harvest now, decrypt later” risk – adversaries could be eavesdropping on critical communications today, planning to decrypt them in a few years when quantum computers are ready. One highlight from this article is its discussion of cryptographic inventory challenges in specialized networks. MCC systems often involve thousands of devices from multiple vendors (radios, base stations, dispatch consoles, etc.), and crypto is deeply embedded in firmware and hardware. The post describes how cryptography can be “invisible” to the operator – for example, a radio might have an outdated RSA key baked in, or a satellite link uses hard-coded algorithms that aren’t obvious. 
    This makes creating a CBOM for MCC gear a bit like peeling an onion; you often have to engage vendors or use specialized tools to identify all the crypto. The takeaway for telcos is similar: don’t assume you know where all your crypto lives – you must discover it methodically, and expect surprises. Even in highly controlled MCC networks, that proved challenging, which is all the more reason for large telcos to start early on inventory and vendor engagement. Overall, this resource reinforces general lessons (inventory, risk prioritization, vendor management) in a high-stakes context that might resonate if you handle any critical communications infrastructure.
  • Cryptographic Bill of Materials (CBOM) and Open RAN Security – I’m combining two related topics here. As you embark on quantum readiness, one of your best allies is the CBOM concept mentioned earlier. I’ve written a deep-dive on CBOMs (Apr 2023) explaining how a Cryptographic Bill of Materials is an evolution of the SBOM (Software BOM) idea, focused specifically on cryptography. A CBOM is essentially a structured inventory of all crypto components in a system – algorithms, key lengths, protocols, certificates, etc. It’s incredibly useful for quantum readiness because it lets you pinpoint where you’re using vulnerable algorithms and will need upgrades. The article “Bills of Materials for Quantum Readiness: SBOM, CBOM, and Beyond” goes through not only CBOM but also data BOMs and hardware BOMs – reflecting that a full inventory spans software, cryptography, sensitive data, and hardware devices. The key point is that visibility is everything: you can’t secure or upgrade what you don’t know you have. Leading telcos are already creating CBOMs for their network equipment and software, and industry groups are pushing this forward. (Notably, ATIS in North America released a report on telecom CBOM standards, and GSMA has included cryptographic inventory in its post-quantum security guidelines.) On the flip side, as we modernize networks we’re also adopting new architectures like Open RAN – which come with their own security considerations. Open RAN (O-RAN) disaggregates the traditional RAN into interoperable components (RUs, DUs, CUs from different vendors). It’s great for flexibility and avoiding vendor lock-in, but it increases the attack surface and complexity of the network. In an Open RAN security post (Nov 2022), I argued that while Open RAN can improve security in some ways (more transparency, competition on security features), it also “invites greater complexity in supplier management” and many more interfaces that need securing. 
    With a plethora of new vendors providing software, the burden is on the operator to vet each one’s security rigor – and to ensure that open interfaces (like the fronthaul) are properly hardened. The article notes that if security doesn’t receive the same attention as the commercial and political push behind O-RAN, we risk security gaps in these new deployments. So why do I pair Open RAN with CBOMs in a quantum readiness discussion? Because if you’re going to embrace Open RAN’s modular approach, you should also adopt CBOM practices to manage the complexity. Each O-RAN software component or network function you deploy should come with a cryptographic inventory from the vendor. This way, as you integrate multi-vendor 5G networks, you maintain an up-to-date map of all cryptography across the whole system – making your future PQC migration (and ongoing crypto-agility) much more feasible. In summary: Open RAN is an exciting evolution in telecom, but it doesn’t eliminate the need for strong security fundamentals – if anything, it amplifies the need for supply chain security and cryptographic transparency (CBOM) from all those diverse components.
  • 5G Security Architecture and Privacy Primer – Finally, I’ll mention a couple of broader 5G security resources I’ve published that, while not explicitly about quantum, are very relevant to any telco security leader’s knowledge base. One is an Introduction to 5G Core Architecture (Service-Based Architecture) – essentially a breakdown of the 5G Core’s key components, interfaces, and how things like the AMF, SMF, UPF, etc., all fit together. Understanding the SBA and the 5G core’s modular design is important when planning crypto upgrades, because it shows you where encryption and authentication occur in the network. (For example, the SBI interfaces between core NFs use TLS, which will need PQC versions; the control-plane vs user-plane separation means different considerations for securing each, etc.) The primer highlights that the 5G core is built of many interdependent functions “knit together” as network slices and services – in other words, complexity abounds, and security must be layered throughout. I also wrote about 5G network slicing and its use cases, and about the privacy challenges in a 5G-enabled smart world. As 5G enables massive IoT and smart cities, it dramatically expands the threat surface (billions of connected devices, many lacking robust security). One article from 2018 notes the explosion of IoT devices – tens of billions – and how regulations and security standards for those lag behind, creating an “exponentially expanding ‘attack surface’” in the 5G era. This context is useful when making the case that quantum security is part of a bigger picture: telecom networks are evolving (virtualization, cloud, IoT, edge computing, etc.), and with each innovation comes new vulnerabilities. Quantum attacks are one looming category of threat, but 5G networks already face cyber-physical risks, privacy issues, and more. 
    The bottom line is that telco CISOs need a holistic security strategy for 5G and beyond – and quantum readiness should be seen as an integral part of that, not an isolated project. The more you understand your network’s architecture and current security posture, the better you can execute a quantum-safe transition with minimal disruption.
  • Getting Started With Quantum Readiness and PQC Migration – Finally, if you are embarking on a quantum readiness program, this list might help as well: a curated, non‑industry‑specific hub that organizes my quantum‑readiness content into a practical end‑to‑end program flow, from executive briefings & budget justification, to crypto discovery/CBOM, risk scoring, roadmap & governance, PQC/hybrid pilots, and ongoing operations.
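
To make the CBOM idea from the list above concrete, here is an added example (not code from any of the linked articles) that triages a small, constructed cryptographic inventory for quantum exposure. The component names, vendors, field names and the priority order are assumptions chosen for illustration; the ranking puts Shor-breakable key establishment first because of the "harvest now, decrypt later" risk, and treats undisclosed vendor crypto as the next most urgent item.

```python
from dataclasses import dataclass
from typing import Optional

# Public-key families broken by Shor's algorithm (the page's "RSA/ECC").
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "ECIES"}
SYMMETRIC = {"AES"}
PQC = {"ML-KEM", "ML-DSA"}  # NIST-standardised post-quantum algorithms


@dataclass
class CbomEntry:
    component: str            # network function or device (hypothetical names)
    vendor: str               # placeholder vendor label
    algorithm: Optional[str]  # None = vendor has not disclosed the algorithm
    key_bits: int
    purpose: str              # "key-establishment", "signature" or "encryption"
    secrecy_years: int        # how long the protected data must stay confidential


def classify(e):
    """Return 'replace', 'review', 'ok' or 'unknown' for one inventory entry."""
    if e.algorithm is None:
        return "unknown"
    alg = e.algorithm.upper()
    if alg in SHOR_BROKEN:
        return "replace"
    if alg in PQC:
        return "ok"
    if alg in SYMMETRIC:
        # Grover weakens symmetric keys; flagging keys under 256 bits for
        # review is a policy choice assumed for this example.
        return "ok" if e.key_bits >= 256 else "review"
    return "unknown"


def priority(e):
    """Lower number = migrate sooner (ordering is an illustrative assumption)."""
    status = classify(e)
    if status == "replace" and e.purpose == "key-establishment":
        return 1  # traffic recorded today can be decrypted later
    if status == "unknown":
        return 2  # cannot assess what is not visible: ask the vendor
    if status == "replace":
        return 3  # signatures are not retroactively exposed
    if status == "review":
        return 4
    return 5


def triage(cbom):
    """Sort by priority, then by how long the data must remain secret."""
    ordered = sorted(cbom, key=lambda e: (priority(e), -e.secrecy_years))
    return [(e.component, classify(e), priority(e)) for e in ordered]


# Constructed sample inventory; not taken from any real network.
SAMPLE_CBOM = [
    CbomEntry("Billing DB at rest", "VendorC", "AES", 256, "encryption", 10),
    CbomEntry("gNB firmware signing", "VendorB", "RSA", 2048, "signature", 0),
    CbomEntry("NRF SBI TLS", "VendorA", "ECDH", 256, "key-establishment", 5),
    CbomEntry("O-DU fronthaul", "VendorD", None, 0, "encryption", 5),
    CbomEntry("N3 IPsec tunnel", "VendorA", "AES", 128, "encryption", 5),
    CbomEntry("UDM SUPI concealment", "VendorA", "ECIES", 256, "key-establishment", 10),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CBOM):
        print(row)
```
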

Final Thoughts

The telecom industry is on the clock to become quantum-ready. This isn’t just coming from government edicts – it’s driven by a real technological shift that will upend the security of the systems we rely on every day. The good news is that we aren’t flying blind: tools, guidelines, and success stories are emerging (as the resources above illustrate) to help operators navigate this journey. From my perspective, having been in the trenches of telecom security for decades, quantum readiness is a challenge we can meet – but only if we treat it with the urgency and gravity it deserves. That means starting now, if you haven’t already, and mobilizing a cross-functional effort (network engineers, IT, vendor management, legal/compliance, etc. all have a role to play).

I hope the articles and posts linked here serve as a helpful starting point. They dive into the specifics – from technical pilot results to program management tips – that can inform your strategy. Feel free to explore them in depth, share them with your team, and extract any insights relevant to your organization. Each telco will have its own roadmap, but we can also learn from each other as an industry. The next decade will likely bring the first real quantum attacks; when that moment comes, the goal is to have every operator prepared and resilient, so that our global communications infrastructure remains secure.

On a personal note, this is an area I’m deeply passionate about. I’ve dedicated a lot of writing (and work) to it because quantum risk in telecom sits at the intersection of my two loves: advanced tech and securing critical infrastructure. If you’re a telecom security leader grappling with these questions, you’re not alone – and the conversations happening now are the right ones.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.


Marin

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.