  • Patrick Shore

The Transition to Post-Quantum: Why Banks Need to Act Now

Updated: Sep 17


Financial institutions have become key targets for cyberattacks. The push toward a digital banking economy has exposed financial institutions to an overwhelming number of different cyber-attacks. According to a report from VMware Carbon Black, financial institutions experienced a 238% increase in cyber-attacks during 2020 [1]. The issue has become so pervasive that, during a congressional hearing in May 2021, CEOs from six of the largest banks in the U.S. testified that cybersecurity is the most significant risk for the financial industry [2]. The dramatic increase in cyber-attacks over the last few years has prompted President Biden, NIST, and the FBI to address growing concerns over our nation’s cybersecurity. “The scale of this [cyber-criminal attacks] is something that I don't think this country has ever really seen anything quite like it and it's going to get much worse,” said FBI Director Christopher Wray during an interview. The challenge of modernizing cybersecurity is exacerbated by the rapid development of quantum computers and the threat of Cryptographically Relevant Quantum Computers (CRQCs), which will be capable of breaking public-key encryption.

Public-key encryption secures 90% of all global encrypted data. It is used by nearly every financial institution in the U.S. to secure client data, transactions, online payments, highly valuable information, and IP. Using a quantum algorithm known as Shor’s algorithm, CRQCs will be able to easily factor the products of large prime numbers, which form the basis of public-key encryption. Shor’s algorithm will be used to break public-key encryption and access the contents of the encrypted data.

Hackers are currently harvesting encrypted data with the intention of retroactively decrypting the data using a quantum computer, a process known as “steal now, decrypt later”. It is rumored that one nation-state has already harvested 25% of global encrypted data, including sensitive information belonging to U.S. financial institutions. Additionally, quantum computers will be used to disrupt service to critical financial cyber-systems, which could have devastating effects on the American economy. A study conducted by Arthur Herman at the Hudson Institute indicates that an attack from a quantum computer that disrupts access to the Fedwire Funds Service for any of the five largest financial institutions could cost up to $2 trillion [3]. It is imperative that banks and financial institutions take measures to protect themselves and the American economy from future cyberattacks.

Sensitive banking data requires secure protection for at least 25 years; therefore, banks must update their cybersecurity standards now to prevent further loss and liability. Some large financial institutions such as JPMorgan, Visa, and Barclays are closely monitoring quantum technologies and investing in post-quantum encryption methods to combat classical and quantum attacks. The National Institute of Standards and Technology (NIST) is currently developing standards for post-quantum cryptography, but the implementation of NIST-approved post-quantum algorithms may take decades due to the scale and complexity of today’s security networks. NIST is urging enterprises to begin the transition to post-quantum cryptography now to protect their data from future attacks.

Successful migration to post-quantum cryptography will be determined, in part, by the ease or difficulty of replacing existing systems. Crypto-agility will allow the financial sector to more easily update its cybersecurity systems as NIST continues to finalize post-quantum cryptography standards. Assessing crypto-agility will require banks to conduct audits of their existing systems and determine which components of their systems are not crypto-agile and need to be prioritized for future updates. Establishing crypto-agility will allow institutions to experiment with hybrid post-quantum and public key solutions, accelerating the transition toward quantum resiliency. Additionally, banks must prioritize highly sensitive data to mitigate risk as the process progresses. Financial institutions must take it upon themselves to conduct these risk analyses now to prepare for the implementation of future NIST post-quantum standards.

To accelerate the transition into the post-quantum era, it is critical that financial institutions utilize practical post-quantum cryptography solutions that minimize disruption to existing systems. Post-quantum cryptography companies, such as QuSecure, will play a pivotal role in securing the future of our financial institutions.

References:

[1] Murphy, Ryan. “Modern Bank Heists’ Threat Report from VMware Carbon Black Finds Dramatic Increase in Cyberattacks Against Financial Institutions Amid COVID-19.” VMware, Inc., 14 May 2020, https://www.vmware.com/company/news/releases/vmw-newsfeed.Modern-Bank-Heists-Threat-Report-from-VMware-Carbon-Black-Finds-Dramatic-Increase-in-Cyberattacks-Against-Financial-Institutions-Amid-COVID-19.0ccd81eb-8142-40a2-9ce9-d77307f15961.html

[2] Berry, Kate. “Cyber security is a top issue for bankers, but not for lawmakers.” American Banker, 11 June 2021, https://www.americanbanker.com/news/cybersecurity-is-top-issue-for-bankers-but-not-for-lawmakers

[3] Herman, Arthur. “Getting the Big Banks to Confront the Quantum Challenge.” Forbes, 26 May 2021, https://www.forbes.com/sites/arthurherman/2021/05/26/getting-the-big-banks-to-confront-the-quantum-challenge/?sh=5ce5d3b73854
