Why Banks Need to Heed the Quantum Threat to Cybersecurity
(GlobalBanking&Finance) JP Morgan, Barclays, Visa, BBVA and similar banking organizations are monitoring advances in quantum computing from leading players like Google, IBM and IonQ, as well as the global encryption standardisation projects trying to mitigate the risks. However, the path to a quantum-secure future is by no means clear: precise timelines for the development of quantum computing technology are uncertain, which adds to the risk, so the need to prepare for it today is crystal clear.
NOTE: This article is by Dr Ali El Kaafarani, CEO and founder of PQShield, and is summarized here by IQT-News.
The need to prepare for quantum security is especially pressing for banks and other highly regulated businesses, which must demonstrate to regulators that their systems meet the highest standards of security, trustworthiness, reliability and interoperability, to safeguard the valuable financial data that they collect and store.
For banks, which hold highly valuable information and IP on behalf of some of the world’s leading corporations and individuals, the need for information integrity and security is particularly acute.
A single powerful quantum computer will be able to break the current public key encryption algorithms (cryptography) used by virtually every financial institution today, threatening to compromise everything from client data, to the secure websites and software they use to interact with customers, to the hardware used to authenticate, encrypt and decrypt payments.
Adding to this problem is the fact that quantum decryption can be applied retrospectively. The groundwork for a ‘harvest now, decrypt later’ attack could be laid today, with encrypted data collected and stored for future decryption when quantum computers become available.
NIST’s post-quantum cryptography standardisation project has been working to establish a clear roadmap to guide us toward a quantum-secure future, with the new algorithms replacing the current classical-security standards in applications. With over 80 submissions from over six different continents, it has truly been a global effort followed closely by academia, industry and government.
Last year, the initiative entered its third and final stage, selecting seven finalist algorithms (two of which were co-authored by members of the PQShield team). NIST recently confirmed that it would select its ‘winners’ towards the end of this year; these will be standardised by NIST around 2024, following an additional phase of consultation and evaluation. Looking forward, NIST says that companies can and should start preparing for the transition NOW: “It is critical to begin planning for the replacement of hardware, software, and services that use public-key algorithms now so that the information is protected from future attacks”.
The ease or difficulty with which certain cryptographic algorithms can be switched out of embedded hardware and software in a bank’s existing security infrastructure – which, as we have discussed, is extensive – will be a key determinant of success. For banks, this audit could revolve around looking at the list of components provided in Section 3 of the NIST whitepaper on “Migration to Post-Quantum Cryptography”.