Post‑Quantum Cryptography (PQC) and What It Means for Mobile Network Operators—A Practical Readiness Path
- Gareth Price-Jones
- 6 days ago
- 4 min read
Mobile networks are entering a new cryptographic era. While large‑scale, fault‑tolerant quantum computers are not yet available, the security planning horizon for mobile network operators (MNOs) is long—and the risk window is already open. The shift to post‑quantum cryptography (PQC) is no longer theoretical: it’s becoming a program of work that touches network architecture, vendor ecosystems, device fleets, and operational processes.
This post outlines what PQC is, why it matters specifically to MNOs, and how a structured PQC readiness assessment can help operators move from awareness to an actionable roadmap.
What PQC is (and what it isn’t)
Post‑quantum cryptography refers to cryptographic algorithms designed to remain secure even if an attacker has access to a cryptographically relevant quantum computer. The key driver is that quantum algorithms (notably Shor’s algorithm) would break widely used public‑key cryptography such as RSA and elliptic‑curve cryptography (ECC)—foundational to authentication, key exchange, and digital signatures across telecom infrastructure.
PQC is not “quantum encryption.” It’s a new generation of classical algorithms intended to run on today’s hardware and software, but with different performance and implementation characteristics.
Why PQC is a telecom issue—now
MNOs face a combination of long asset lifecycles, complex supply chains, and high‑value data flows. That makes PQC a strategic risk management topic, not just a security upgrade.
1) “Harvest now, decrypt later” risk
Adversaries can capture encrypted traffic today and store it until quantum capabilities mature. For MNOs, this matters where confidentiality must hold for many years—examples include sensitive operational workflows, enterprise VPN services, roaming and interconnect data, and any long‑retention customer or operational data.
2) Cryptography is embedded everywhere in the network
In mobile networks, cryptography isn’t confined to a single “security layer.” It appears across:
Core network interfaces and service‑based architectures
Transport and IPsec/TLS tunnels
Network management planes and automation pipelines
Interconnect/roaming relationships and partner integrations
Private 5G / enterprise offerings and edge deployments
PKI, certificates, signing, and firmware/software update chains
This breadth makes “swap the algorithm” an oversimplification. PQC readiness is about crypto agility: the ability to change algorithms and parameters without redesigning the entire system.
3) Vendor and standards dependencies
MNOs operate in a multi‑vendor environment with strict interoperability requirements. PQC adoption will be paced by:
Vendor roadmaps (RAN, core, transport, security appliances, OSS/BSS)
Standards and profiles
Device ecosystem readiness (SIM/eSIM, handsets, IoT modules)
Certification and compliance expectations
Operators that start early can shape procurement requirements and avoid being locked into non‑agile designs.
4) Performance and operational impact
Some PQC algorithms have larger keys/signatures and different computational profiles. That can affect:
Handshake latency and CPU load
Certificate sizes and storage
Bandwidth overhead on constrained links
Hardware security module (HSM) compatibility
Logging, monitoring, and troubleshooting practices
For telecom environments where scale and reliability are paramount, these impacts must be assessed—not assumed.
What “PQC readiness” looks like for an MNO
A practical readiness program typically answers four questions:
Where are we using vulnerable cryptography today?Inventory and map RSA/ECC usage across network, IT, cloud, and product surfaces.
Which data and services have long confidentiality requirements?Prioritize based on “harvest now, decrypt later” exposure and business criticality.
How quickly can we change cryptography without major redesign?Evaluate crypto agility in architectures, vendor products, and operational processes.
What is our migration plan and timeline?Define target states (including hybrid approaches where appropriate), dependencies, and a phased roadmap aligned to refresh cycles.
How Price‑Jones Partners can help: PQC Readiness Assessment
At Price‑Jones Partners, we help mobile network operators translate PQC from a strategic concern into an executable plan. Our PQC Readiness Assessment is designed for CTO/CISO and network security leadership teams who need clarity, prioritization, and a roadmap that fits telecom realities.
What the assessment covers
Cryptographic discovery & mapping: Identify where RSA/ECC and related dependencies exist across network domains, management planes, and enterprise services.
Risk and exposure analysis: Focus on long‑lived confidentiality needs and “harvest now, decrypt later” scenarios relevant to operator environments.
Vendor and ecosystem readiness review: Assess supplier roadmaps, interoperability constraints, and procurement levers.
Crypto agility evaluation: Determine how easily algorithms can be swapped, where hard dependencies exist, and what architectural changes are required.
Migration strategy & roadmap: Define phased actions aligned to network refresh cycles, including quick wins and longer‑term transformations.
Executive‑ready outputs: Clear findings, prioritized recommendations, and a plan that supports board‑level risk discussions and budget planning.
Typical deliverables
PQC readiness scorecard and risk register
Crypto inventory and dependency map (by domain and criticality)
Prioritized remediation backlog (people/process/technology)
Vendor engagement and procurement requirements (PQC/crypto‑agility clauses)
12–36 month roadmap aligned to transformation programs
Next step
If you’re responsible for network security strategy, now is the time to establish your baseline: where quantum risk exists, what can be changed quickly, and what must be planned into future network evolution.
Price‑Jones Partners can run a focused PQC readiness assessment to help you move from uncertainty to a practical, operator‑grade migration plan.
Call to action: Reply or get in touch to discuss your target scope (core/transport/OSS‑BSS/private 5G) and we’ll propose an assessment approach and timeline.