Securing Data in the Quantum Computing Era for the ICT Sector

Why Act Now?

Encryption is like a giant puzzle that would take classical computers thousands of years to solve. A sufficiently powerful quantum computer could break it in hours or days, making today’s digital locks unsafe.

Even before such machines arrive, the threat is real: attackers can copy encrypted data now and decrypt it later using future quantum power, a strategy known as Harvest Now, Decrypt Later. This drives the urgent need for Post-Quantum Cryptography (PQC) to protect sensitive data against future quantum attacks. PQC involves developing quantum-resistant encryption methods that remain secure even against quantum-powered attacks.

Similar weaknesses have had real-world impact:

● WEP Wi-Fi (2001–2007) Many ISP-supplied home routers shipped with WEP by default. WEP used RC4 (an old encryption algorithm, now considered weak and deprecated) plus a short, repeating setup code, so by capturing some traffic attackers could crack the Wi-Fi key in 5–10 minutes. A 2007 retail breach exploiting WEP exposed ~45M payment cards with >$250M in direct costs.

● RC4 in TLS (2013–2015) Still protected ~30–50% of web traffic, yet a 16-character HTTPS cookie could be recovered in ~52–75 hour, enabling account takeover; RC4 was deprecated in 2015.

Illustrative Example: How the Risk Plays Out

 
Today (Threat)
Near Future (Impact)
 
Quantum is Loading…
Attacker copies encrypted telco backup: subscriber IDs & numbers, billing records, and payment details.
Data Collecting
Quantum is Ready!
As quantum matures, current encryption can fail, exposing customer credentials and sensitive data.
Enables account takeover, bill/roaming fraud, and trust damage.

Real-World Cases

Web platform (browsers/CDNs)

According to Cloudflare Radar, hybrid post-quantum TLS now protects ~50% of HTTPS traffic globally.

Telecom (5G pilot)

A major telecom operator ran a pilot on a 5G network using post-quantum cryptography to protect customer data. The goal was to reduce “Harvest Now, Decrypt Later” risk and prepare to scale. Service worked as expected; errors were monitored. The side diagram outlines the journey of a 5G telecom operator pilot, from scoping to expansion.

A SUGGESTED COURSE OF ACTION

01
Identify Long-Term Exposure Areas
  • Sensitive data with a long retention period (10+ years).
  • Critical infrastructure systems and embedded devices.
  • Legacy systems that are difficult to update.
  • Cryptographic keys, credentials, and high-value internal assets.
02
Define Strategic Actions
  • Define internal capability needs for post-quantum cryptography (PQC) adoption.
  • Verify vendors’ ability to shift to post-quantum cryptography (PQC).
  • Monitor global guidance (NIST, ETSI, ENISA).
  • Integrate PQC into transformation plans.
  • Assign quantum risk to your enterprise risk register.
  • Map and inventory all cryptographic assets and dependencies.
  • Classify and prioritize data by longevity and sensitivity.
03
Drive Readiness Across the Organization
  • Ensure quantum risk is addressed through governance oversight and board-level visibility.
  • Build knowledge and capability through executive briefings, team training, and awareness sessions.
  • Execute pilot projects with post-quantum cryptography (PQC) technologies and evaluate system and vendor crypto-agility.
  • Leverage global resources such as the NIST PQC Migration Guide and ENISA briefings.