On this episode of The Six Five – CXO, hosts Daniel Newman and Patrick Moorhead welcome Lory Thorpe, Partner, IBM Consulting, and Luke Ibbetson, Head of Group R&D, Vodafone.
Their discussion covers:
- The current state of quantum and its role in telco
- What quantum-safe cryptography is and how organizations should start to implement it
- How future, cryptographically relevant quantum computers affect the security of the telecom industry
- The opportunities and risks involved
- The purpose and objectives of the Post Quantum Telco Network Taskforce
It’s a stimulating conversation, and one you won’t want to miss.
Learn more about IBM Quantum Safe here.
Be sure to subscribe to The Six Five Webcast so you never miss an episode.
You can watch the full video here:
You can listen to the conversation here:
Disclaimer: The Six Five CXO is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded, and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors, and we do not ask that you treat us as such.
Patrick Moorhead: Hi. This is Pat Moorhead and The Six Five is live here in the IBM booth at Mobile World Congress. I can feel the excitement. Hopefully, you can hear the excitement. I have to tell you what, 2023 MWC is a big year, a lot bigger than ’22 and a lot bigger than ’21 because it didn’t even happen. So here we are.
Daniel Newman: It’s got the energy of 2019, but four years of innovation packed in, which is great to see. I hope people can hear, but I hope they don’t hear too much because-
Patrick Moorhead: Exactly.
Daniel Newman: …in the end, I hope our guests can hear us and we can hear us.
Patrick Moorhead: Exactly.
Daniel Newman: But yeah, it is great to be here, Pat. It’s been a great day so far, a lot of really interesting interviews. We got one more here. By the way, it’s been a lot of fun having interviews where we had customers with the vendors.
Patrick Moorhead: Exactly.
Daniel Newman: It really helps tell another level of insight and truth about what’s going on. Because of course, the vendors are going to say everything they’re doing is terrific, but when the customers come on and say it, it tends to be more believable and it tends to be built with a lot of proof and experience.
Patrick Moorhead: Yeah. Well, with that said, introduce our guests, Luke from Vodafone, Lory from IBM Consulting. How are you doing?
Lory Thorpe: Very good, thank you.
Luke Ibbetson: Been a long day so far, but all good stuff.
Patrick Moorhead: Luke, you are the grand purifier here, right? It’s like Daniel said, the difference between pundits, we think we know what we’re talking about, vendors make claims, but you’re here to be the truth teller of the whole thing. So thank you for coming on the show.
Luke Ibbetson: Yeah, very welcome. I appreciate it.
Daniel Newman: Pressure is on. Pressure is on.
Luke Ibbetson: No pressure.
Daniel Newman: Why don’t you both do quick introductions and give us just a little bit about your background and your role? Lory, ladies first.
Lory Thorpe: Thank you. So Lory Thorpe. I am part of IBM Consulting and I lead the portfolio for telco transformation.
Luke Ibbetson: I’m Luke Ibbetson. I lead the group research and development team worldwide for Vodafone, which is a fantastic job that I’m very pleased to be left alone to do, basically.
Patrick Moorhead: No, that’s great. What we are here to talk about, hopefully it’s not a surprise to you, is quantum-safe for telco. Both of our respective companies have quantum computing practices, but we want to take a more definitive slice of that for creating a quantum-safe telco. First off, what is the state of the industry right now? Lory, I’ll kick it off with you.
Lory Thorpe: NIST has been very busy over the last few years in selecting algorithms. We can look at that as a little bit of a starting point in terms of the standardization. Last year, they selected the initial four algorithms that we’ll be going to to standardization. I think one interesting thing you mentioned is quantum-safe for telco. There’s a quantum-safe piece, which is obviously not specific to telco. The work that we are doing is, how do we then apply it to telco and, in particular, what is it that the operators are going to need, what do we need from the supply chain, and how does that work its way throughout the wider ecosystem? That basically is the work that we’re doing from a quantum-safe for telco perspective.
Daniel Newman: Excellent. Give a little background on what that actually is. What is quantum-safe cryptography?
Luke Ibbetson: I guess we could start with saying what is a quantum computer today? We don’t have quantum computers that can currently crack the ciphers and the codes and the securities they put around customer data and how we operate networks. However, quantum computers are expected to be able to crack the security that we use today in a few years’ time. Don’t ask me when it’s going to be because nobody knows. I just do know that there are a heap load of bright people working on this. Good companies like IBM hitting-
Daniel Newman: That’s right.
Luke Ibbetson: …the roadmap in terms of the machinery. What we need to start doing though is adopting a new way of protecting the data that we believe is going to be resistant to quantum attack in the future. The reason why we need to do it now is because people are already harvesting data in anticipation in being able to decrypt it. It doesn’t matter if they’re not actually here yet. The data could be stored and decrypted later. We want to get ahead of that.
Patrick Moorhead: Well, the good news is, and this doesn’t always happen, is you have the industry getting ahead of what it knows what would and could likely be a very big issue. But I’m curious though, what is the overall impact of these quantum computers to the security of telcos? I’ll start with you.
Lory Thorpe: Mm-hmm. Well, cryptography as we know it is compromised, so public key cryptography that is compromised. If you start looking at where that is used in telco systems, you can see that it impacts all different levels of the stack. This is really part of the work that we’re doing, which is really understanding what is going to be vulnerable, what needs to be fixed, in what order, how do you prioritize. The inventory piece becomes very critical because even though we may not need to fix it today, what we want to do is we want to prepare. We want to make sure that we are as prepared as we can be. To Luke’s point around the standards, obviously from a telco, the way that the telco industry works, we have standards that need to be defined, that need to be implemented in the products. Those timelines there, it doesn’t happen overnight, so that preparation piece is really critical.
Luke Ibbetson: Mm-hmm. Maybe I can just build on that very quickly.
Patrick Moorhead: Please.
Luke Ibbetson: Taking it back to the telco piece, and Lory mentioned they need to build a crypto inventory, so understanding where vulnerable forms of cryptography are used in the myriad of IT business systems and the systems you use to protect customer data. We need to understand where that cryptography is being used. We need to do a risk assessment so that we can plan to switch out those algorithms the ones that have been developed as Lory mentioned in the beginning by NIST that are thought to be quantum-safe.
Patrick Moorhead: Now is this status quo for telco has been getting ahead of something before it hits, or is this something that’s new and a little bit unprecedented? I’ve been, I guess in the industry a long time, I haven’t seen this much getting ahead of it. Maybe five, 12, 256-bit encryption when we had the ability to crack 8-bit, but the question, is this something new?
Lory Thorpe: It’s not new. Versions of this have happened in the past.
Patrick Moorhead: Right.
Lory Thorpe: Often, there’s a comparison with Y2K and I’ve heard it called Q2K except we don’t know when the 2K date is going to hit. So no, I don’t think it’s necessarily anything new, but I think one thing that I believe is improving from a telco perspective is maybe a better appreciation of the need for preparation.
Patrick Moorhead: Right.
Lory Thorpe: Obviously, security is really high on everybody’s agenda so this isn’t something that we want to leave until it is too late. The other thing, to your point, we’re not just looking at post-quantum. It’s about crypto agility. Actually, there is an intermediate step where we create the environment where post-quantum cryptography can be implemented in an easier way than maybe is possible today. So a lot of the work that we are looking at, it’s a journey towards post-quantum, but along the way, you’ve got the crypto agility piece, which is really what’s going to enable that going forward.
Patrick Moorhead: Yeah.
Daniel Newman: It sounds like a lot of the risks are shared with some of the other regulated industries that are going to be facing similar issues as quantum cryptography continues to move forward and security analysts and CISOs have a new set of challenges in front of them. It’d be interesting though, getting ahead sounds really positive. Of course, there’s a lot of expense. Not knowing when it’s going to come to fruition means you’re spending in advance of maybe getting benefit. Can you give me a little bit of a risk-reward of taking this action and being so out in front of you?
Luke Ibbetson: I’m going to tell you, because it actually is not spending more, it’s actually spending correctly, spending wisely. We’re trying to future-proof investments and making sure that the equipment we procure, which quite often can be there’s natural refresh cycle. We want to make sure that that security gateway, for example, or EM beam, which is the thing that powers a radio tower, we want that equipment to have the capability to be using quantum-safe cryptographers. It’s all about planning, to be honest, knowing what to do first so that you’re ready to-
Daniel Newman: By the way, because when I said expense, obviously, security’s always been one of those things that’s been a bit of a balance for companies, where they’re like spend now because you know you’re going to get hacked at some point or wait, where even at the board level, it’s been like, should we spend more? Then until you get hacked and you see all the value that your company can lose through having an incident and then you go, we literally should have spent more sooner. So it makes a lot of sense, but at the same time, that balance has always been out there where security’s one of those things people-.
Luke Ibbetson: It’s no different whether the business when they decide to place your bets. Protecting customer data, continuing to protect customer data is fundamental to our existence as a mobile network operator. Likewise, making sure that our network infrastructure can’t be hacked and be switched off or operated by the wrong people is fundamental to our future.
Lory Thorpe: And it is about taking a measured approach. This isn’t about creating unnecessary panic or going too early. It is about creating a measured approach. This is something that we’re highlighting because it is risk-based and we want things to be done at the right times. For example, one of the things that has been discussed at length is around whether the standards are coming too late or whether we should be looking at pre-standards. I would say there isn’t necessarily a case for looking at pre-standards, but there is a case for preparing.
Luke Ibbetson: We should also say something about the fact that there is a good side to this as well. The quantum computers do bring a lot of opportunities, not discoveries. It’s just inconvenient that they happen to be able to solve the mathematical problems that underpin a lot of cryptography.
Patrick Moorhead: And they’re very good at that.
Luke Ibbetson: They’re very good at that.
Patrick Moorhead: Actually, some of the-
Luke Ibbetson: There are other things as well.
Patrick Moorhead: Right.
Luke Ibbetson: We’re looking at the plus sides within the telco industry as well as the need to protect against the risk.
Patrick Moorhead: Yeah. I’d love to wrap up this segment talking about a special quantum telecom security task force that both companies are on. Can you share what the goal of the task force is and what individual roles your two companies play?
Lory Thorpe: The Post-Quantum Telco Network Taskforce, it was established back in September last year. It was initiated by IBM and Vodafone.
Patrick Moorhead: Okay.
Lory Thorpe: We have been working with the GSMA because we felt there was a need for an industry-level initiative. Since then, we have been working with the wider ecosystem. We’ve had huge traction with the task force. We have over 35 members of which I think 13 or 14 are large global operators including Vodafone, obviously. The task force has started with an impact assessment. Last week, we published a white paper, an impact assessment white paper. This was work that we did in collaboration within the task force. IBM and Vodafone have been leading this. I’m the chair. Luke is the vice-chair of the task force.
Patrick Moorhead: Wonderful.
Lory Thorpe: However, there’s been huge collaboration and active participation from the other members of the task force.
Luke Ibbetson: Yeah. I think we’ve built a really good level of consensus so that we’ve able to raise awareness of the risk, not cause panic, but at the same time, set out some very practical steps as to what we should be doing as an industry more globally and also as individual operators. We’re very pleased actually. Just early this weekend, we’ve got the mandate to continue with this group for GSMA. So we’re going to be rolling out the next phase of this task force and we welcome everybody to join with us.
Patrick Moorhead: Well, the industry appreciates your leadership. Somebody has to go first and put resources in and quite frankly, I couldn’t think of two amazing companies to do it. I know everything what IBM is doing on the quantum side and it is one of the leaders, I can make the argument, the leader right now with what it’s doing. And Vodafone, with its leadership opportunities, you guys are out ahead of a lot of folks as well. Sounds like a marriage made in heaven and here we go. I want to thank you both for coming on the show and we’d love to do a follow-up with you maybe next year to hear more as it becomes more a reality and into fruition. Thank you so much.
Lory Thorpe: Absolutely. Thank you.
Luke Ibbetson: Really a pleasure.
Daniel Newman: Thank you so much. All right, everybody, there you have it. We are here in the booth at IBM at Mobile World Congress 2023. Thanks for signing in. We will be back with more videos, so hit that subscribe button. We always love our fans. For Patrick, for myself, for this episode, it’s time to say goodbye. See you all later.