From ATMs to high-frequency trading and the current fintech wave, technological innovation in the financial services industry has always had to balance risks like fraud and theft against the new opportunities it brings like access to capital, greater margins and new customers. The coming wave of quantum computers promises more of the same, though on an even greater scale. Worryingly there is a widespread lack of awareness in financial services of the cybersecurity risks posed by quantum technologies.
Quantum computers pose an existential threat to banks’ cybersecurity infrastructure and the sensitive data they hold. This was the agreed view among attendees at a recent workshop hosted by the FCA with the UK Quantum Computing & Simulation Hub, with 25 stakeholders including the Bank of England.
The FCA recently organized a virtual workshop with the UK Quantum Computing & Simulation Hub (QCS), attended by 25 stakeholders including the Bank of England to explore the ways in which organisations can take advantage of quantum computers but also prepare to meet the threats that arise from them.
Modern cryptography works because classical computers cannot factor large numbers into their underlying prime factors. When it comes to many of the most popular cryptographic protocols used today, quantum computers have no such limitation.
Using methods such as Shor’s algorithms, they will be able to deliver an exponential increase in speed of prime factorization, crack the prime factors and solve the discrete logarithm problem used in current public-key cryptography protocols like RSA and Elliptic Curve Cryptography.
Given the current uptick in innovation from tech companies like IBM, Google and IonQ, it is not unfeasible that a quantum computer capable of breaking current encryption standards could emerge by the end of this decade.
- Check out the best antivirus solutions on the market today
Where are banks most vulnerable?
Given the glut of sensitive (therefore valuable) data that financial institutions hold, it should not be surprising that they heavily rely on cryptography at all levels of their businesses from bank cards and ATMs to mobile apps and online payments.
Banks rely on a wide range of different cryptography protocols including public-key cryptography (which, as we have established above, is vulnerable to quantum computers) but they also use symmetric key cryptography, eg. 3DES, which can also be broken by quantum computers. The arrival of quantum computers threatens to undermine this critical foundation.
Complicating matters is the fact that a quantum hack can be done retrospectively. This means that an institution can be targeted today with what is known as a ‘harvest now and decrypt later’ attack. A financial institution and its customers may already be victims of an attack and not learn of the breach for years, if ever.
This is particularly concerning for banks that hold highly valuable information and IP on behalf of some of the world's leading corporations and high net worth individuals. The need for enduring information integrity and security is therefore particularly acute.
- These are the best Windows 10 antivirus software right now
Looking ahead to new quantum-secure standards
Both the US National Security Agency and UK National Cyber Security Centre have issued warnings imploring organizations to prepare for the quantum threat immediately.
Another key topic of conversation at the FCA workshop mentioned earlier was exploring the ways in which organizations can take advantage of quantum computers but also prepare to meet the threats that arise from them. One of the outputs was a call for regulators and industry to join the debate around international efforts to develop quantum-secure standards.
Chief among these is the US National Institute of Standards and Technology’s (NIST) post-quantum cryptography standardization project. Since 2016, NIST has been in the process of identifying and standardizing post-quantum algorithms to establish a clear roadmap to guide us toward a quantum-secure future, with the new algorithms replacing the current classical-security standards. With over 80 submissions from over six different continents, it has truly been a global effort followed closely by academia, industry and government.
At the moment, we are in a transition phase; the ‘winners’ will be selected by the end of this year, but that doesn’t mean we should be waiting until the results to begin preparations. NIST itself says that companies should start preparing now: “It is critical to begin planning for the replacement of hardware, software, and services that use public-key algorithms now so that the information is protected from future attacks.”
The changes necessitated by the quantum threat will fundamentally alter how banks and other institutions use cryptography. It is no exaggeration to say this will be one of the biggest cryptographic transitions in generations.
Financial institutions cannot approach this period of radical change with the same piecemeal approach used in the (almost) 20-year process for the adoption of current standards. It must be a more systematic, deliberate and comprehensive approach.
Why? Because it almost definitely won’t be a simple drop‐in task, particularly for some financial institutions which are already a generation behind requiring a double leapfrog (e.g. to replace algorithms such as 3DES which will be disallowed after 2023 according to FIPS 140-3) to get up to speed with the upcoming NIST-mandated standard. Another factor to consider: as heavily regulated businesses, banks are also subject to the oversight of dozens of regulators around the world on issues around data security.
Laying the groundwork now means there won’t be a scramble to rip and replace cryptosystems when new standards do eventually arrive. This process is driven by a concept called ‘Crypto-Agility’ which refers to the mechanism by which companies can upgrade to quantum-secure cryptography safely and securely over time.
An audit of security architecture and system design is something that financial institutions can - and should - be doing now. At a basic level, this analysis should account for hurdles like backward compatibility and interoperability with legacy systems and infrastructures.
At the end of this process, an organization should have a list of systems that can or can’t be upgraded easily, allowing it to identify key areas of concern. Once the analysis phase is done, an organization can then look towards providing cryptographic implementations to support changes as needed and with minimal disruption to core business activities. NIST has even suggested certain solutions to be used in the transition phase which combine one or more post-quantum candidates to get the best of both worlds.
To ensure a smooth and timely transition to the upcoming NIST standards, the prudent way forward for all companies in the financial services sector is to start preparing for the worst now; the question of when the quantum threat will be realized is a matter of when, not if.
- Keep your organization safe with the best business antivirus solutions right now
Dr Ali El Kaafarani, founder and CEO, PQShield