0

Harvest now, decrypt later makes quantum-safe security a present-tense infrastructure risk for CSPs

For communications service providers (CSPs), the quantum-safe security question isn’t a future hypothetical that hinges on when a cryptographically relevant quantum computer comes into play. The more urgent question is whether the encrypted data, credentials, signaling information and network traffic moving through telecom infrastructure today will still be secure when quantum computing becomes capable of breaking widely used public-key cryptography.

That is the central issue explored in RCR Tech’s new report, “Securing telecom infrastructure for the quantum era.” The report examines why quantum-safe migration has to begin now, how prepared CSPs are for the transition, and what operators can learn from early work by organizations including GSMA, VIAVI Solutions, Singtel, BT and AT&T. Download the full report here.

The immediate threat model is known as harvest now, decrypt later. In this scenario, adversaries capture encrypted data today and store it until future quantum capabilities make decryption possible. For CSPs and enterprises that handle long-lived sensitive data, that turns quantum security from a future-state technology discussion into an active infrastructure-planning problem.

The transition will not be simple. Telecom networks depend on asymmetric cryptography across a wide range of systems and processes, including TLS, eSIM, roaming, authentication, transport security, control-plane security and vendor-to-vendor interfaces. Updating that cryptographic foundation will require more than adopting new algorithms. It will require crypto inventories, vendor coordination, interoperability testing, standards alignment, procurement discipline and long-term crypto agility.

As GSMA Senior Director Yolanda Sanz told us, “You may think that 2030 is still far away, but for a crypto migration, that is nothing.” Her point is that operators cannot wait for Q-Day to begin preparing for Q-Day. The timelines now taking shape across standards bodies and national security authorities point toward major migration milestones in the 2030–2035 window, while the operational work required to get there will take years.

RCRTech/VIAVI research included in the report shows that CSP awareness is growing, but readiness remains uneven. Most respondents recognize Q-Day and understand harvest now, decrypt later as a real concern. But many organizations are still in the awareness, research or early validation phases. The gap between recognizing the risk and executing a practical migration strategy is where the industry now has to focus.

The report also examines the role of post-quantum cryptography and quantum key distribution. PQC is likely to become the broad migration path because it can be implemented through software and integrated into existing protocols, network functions and services. QKD, by contrast, offers high-assurance protection for select links but depends on specialized optical infrastructure and is better suited to targeted use cases, such as inter-data center connectivity, government networks, critical infrastructure and regulated enterprise services.

The most advanced deployments point toward hybrid architectures. Singtel and BT are using combinations of PQC, QKD, managed services and national readiness programs to bring quantum-safe networking closer to commercial use. AT&T’s PQC-enabled SD-WAN strategy is focused on embedding quantum-safe capabilities into enterprise networking services customers already use, rather than forcing wholesale infrastructure replacement.

But technology selection is only one part of the migration. Quantum-safe networks have to be tested before they can be trusted. CSPs need to understand how PQC affects latency, throughput and connection rates at scale; how QKD performs under optical impairments or attack conditions; how key management systems interoperate; and how hybrid fallback behavior works when systems degrade or fail.

The conclusion is that quantum-safe migration is not a future compliance checkbox. It is a present-tense infrastructure program. Operators that begin now will have more time to inventory risk, validate implementations, coordinate vendors, sequence deployments and build crypto-agile networks that can evolve as algorithms, standards and threats change.

For CSPs, the quantum era is not waiting at the edge of the network. It is already shaping security decisions inside the network.

For additional content, check out:

• Webinar: Securing telecom infrastructure for quantum era
• Research: Preparing for Q-Day and the path to quantum-safe networks