3 Ways Banks Can Prep for Quantum Computing Threats to Cybersecurity
The full potential of quantum computing is still several years away, but banks need to start countering the “existential” security threat right now.
Quantum computing is on the way, and it could end up breaking the bank—literally.
The revolutionary technology will achieve exponentially faster processing speeds than current computers by using qubits to run multidimensional quantum algorithms.
Qubits? We’ll get to that in a moment. The key here is that today’s primitive quantum computers are thought to make use of about 100 logical qubits. But when they advance to the point of being able to process 3,000 to 4,000 of these digital units of information, something many believe could happen within a decade or so, it could usher in a golden age of discovery for medicine, materials science, defense, urban planning, high tech, and other disciplines. Yet, as with most amazing innovations, there’s a flipside: The technology could also be co-opted by cybercriminals, and banks will be a prime target.
In banking, for example, future quantum computers are expected to become so formidable that they will be able to defeat most of the cryptographic algorithms financial institutions currently use to guard private and sensitive customer data, online transactions, and accounts.
That’s not to say your average Joe Hacker will be able to easily weaponize quantum computers to target the likes of BofA or Citigroup. Quantum systems will be far too expensive for most cybercriminals. No, the worry is that hostile nation-states or well-funded hacking gangs could steal, purchase, or develop quantum computers and launch attacks on financial institutions and markets before anyone is the wiser.
What is quantum computing and why must banks take action now?
If you’re unfamiliar with the term, qubit (pronounced “KYOO-bit,” short for quantum bit) refers to a basic unit of information in quantum computing, similar to a bit or binary digit in classical computing, that allows for the processing of information in a fraction of the time required in traditional computing. It’s often depicted as a spinning sphere, in contrast to traditional computing’s binary ones and zeroes. You’ll be hearing more about qubits in coming years, as quantum tech develops and cybercriminals harness its power to attack the financial services sector and other targets.
That threat led President Biden to issue an executive order last year setting requirements for federal agencies to make their cryptographic systems quantum-resistant (post-quantum). The mandate was then formalized in the Quantum Computing Cybersecurity Preparedness Act, signed last December.
For their part, banks have known for a while that they’re vulnerable, and they expect to spend billions of dollars to counter the threat. But observers fear that because quantum computing’s full potential is still at least seven to 10 years away, many banks will put off doing much until closer to that time. After all, they’re focused on pressing matters like the economy, mounting losses, and shrinking depositor confidence.
Nonetheless, delaying action on the quantum threat would be a serious mistake, industry watchers say.
For one thing, today’s data may already be vulnerable to quantum computing decryption—just not how you think. Because data remains useful for a while, nation-states could collect encrypted information from adversaries now in hopes of using quantum technology to crack it when that becomes possible. This time-capsule approach is known as a “harvest now, decrypt later (HNDL) attack,” and more than half (50.2%) of quantum-aware organizations believe they are “at risk” from it, according to a Deloitte survey.
Heading off quantum computing’s “existential threat”
Given all of this, Matthew Mittelsteadt, a research fellow at Mercatus Center, a Virginia-based think tank, calls quantum computing “an existential threat to bank security” and warns against underestimating the time and money it will take to adequately address this threat.
“Even if this doesn’t happen for another decade, planning for the changes that will be needed to head off potential threats needs to start now, because those changes are going to be rather significant,” says Mittelsteadt. “If you look at what’s going to be touched by this problem, it’s basically everything. It’s going to be our mobile technology, our databases… Literally, anything that’s digitally communicating and using encryption could be affected and rendered insecure.”
To be fair to bankers, their preparation work will depend on government initiatives to agree on solid, quantum-resistant replacements for common public-key cryptography (PKC) systems, such as RSA, Diffie-Hellman, and elliptic curve cryptography (ECC). Those efforts, led by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), have been underway since 2015 and are ongoing.
Slow but steady progress in quantum cybersecurity
In fact, NIST only last year released, and began seeking public comment on, a list of four encryption algorithm “finalists”—CRYSTALS-Kyber for general encryption and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures—that would presumably become part of its post-quantum cryptographic (PQC) standard around 2024.
But the path for approving those standards is uncertain as security researchers poke and prod at the algorithms. Earlier this year, for instance, Swedish researchers managed to break an implementation of CRYSTALS-Kyber using an artificial intelligence (AI)–assisted side-channel attack. Side-channel attacks gather sensitive information like cryptographic keys by measuring coincidental hardware emissions rather than directly targeting code.
Such hurdles were expected, though, given the complexity of quantum algorithms, says Dustin Moody, a mathematician in the computer security division at NIST.
“It’s a very complicated area,” says Moody. “RSA, for example, is an algorithm you could explain to most high schoolers in math class. But the math we use for these new post-quantum algorithms is much more complex, and it’s going to take a lot of knowledge and training to understand it. So, there will be challenges. And vulnerabilities could be introduced if we don’t implement all of this very carefully.”
Moody advises banks to wait until standards come out in 2024 before putting post-quantum algorithms into production, but other experts still emphasize the importance of taking a few steps to get ready for them.
To start, they recommend:
1. Inventory your cryptography
Graham Steel, head of product in the quantum security group at SandboxAQ, a startup spinoff from Google parent Alphabet Inc., tells Focal Point you need to conduct a thorough inventory to know where you are using quantum-vulnerable cryptography across your organization.
Then you need to consider risk assessment, determining where there is data that will need to remain confidential in five to 10 years. This can help head off HNDL attacks down the road.
You can also experiment with the draft NIST quantum algorithms in your environment to see how they might impact your most important applications, he adds.
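A first-pass triage of such an inventory, as an added example that is not from the article or from SandboxAQ: it flags harvest-now-decrypt-later exposure only where a quantum-vulnerable key exchange protects data that must stay confidential past the planning horizon, because a quantum-vulnerable signature is a future forgery risk rather than something recorded traffic exposes. The CSV layout, system names, labels and the five-year horizon are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Public-key families the article names as quantum-vulnerable (RSA, Diffie-Hellman, ECC).
VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA"}
# NIST finalists named in the article, upper-cased for matching.
PQC_FINALISTS = {"CRYSTALS-KYBER", "CRYSTALS-DILITHIUM", "FALCON", "SPHINCS+"}
# Assumed planning horizon, taken from the low end of "five to 10 years".
HORIZON_YEARS = 5

# Constructed sample inventory (hypothetical systems and column names).
SAMPLE_INVENTORY = """\
system,key_exchange,signature,confidential_years
mortgage-archive,RSA,RSA,25
mobile-api,ECDH,ECDSA,1
atm-telemetry,DH,RSA,7
pilot-gateway,CRYSTALS-Kyber,ECDSA,10
branch-legacy-hsm,,,
"""


def assess(row, horizon=HORIZON_YEARS):
    """Return a triage label for one inventory row."""
    kex = row["key_exchange"].strip().upper()
    sig = row["signature"].strip().upper()
    years = row["confidential_years"].strip()
    known = VULNERABLE | PQC_FINALISTS
    # Undocumented or unrecognised entries cannot be cleared; send them to a human.
    if kex not in known or sig not in known or not years.isdigit():
        return "needs-review"
    # Recorded ciphertext is only worth decrypting later if the data is still sensitive.
    if kex in VULNERABLE and int(years) >= horizon:
        return "harvest-now-exposed"
    if kex in VULNERABLE:
        return "vulnerable-key-exchange"
    if sig in VULNERABLE:
        return "vulnerable-signature-only"
    return "no-known-quantum-exposure"


def triage(inventory_csv, horizon=HORIZON_YEARS):
    """Map each system in the CSV text to its triage label."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["system"]: assess(row, horizon) for row in rows}


if __name__ == "__main__":
    for system, label in triage(SAMPLE_INVENTORY).items():
        print(f"{system:20} {label}")
```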
2. Commit financial resources to quantum cybersecurity
Mittelsteadt says few banks realize how time-consuming and costly it will be to rip and replace all the cryptography underlying their digital systems.
“You have to start thinking about what infrastructure might be affected,” he says. “This is a very complex task. There are going to be a lot of systems you don’t realize are insecure.”
Many systems, he warns, are not properly documented.
“You are probably going to have to pay somebody to walk through all your entities and branches and, on foot, discover which systems exist, record whether they might be impacted, and create a plan for changing your software to better defend against quantum attacks,” he says. “It won’t be easy.”
3. Redesign your software
Mittelsteadt notes there could be a long runway to the NIST algorithms becoming standardized. Ahead of that, he advises banks to start redesigning their “monolithic” software to accommodate change more readily.
“You want to implement methodologies for cyber agility,” he says. “What this means is designing systems to be modular so you can easily swap components in and out, especially security components. If you design systems like that today, you’ll be ready when these NIST standards are formalized.”
Nobody knows when the quantum threat will hit the fan and become a more serious problem for the banking industry, but experts advise against waiting to find out. By taking baby steps now, banks can spread out the necessary cost and effort over a long period of time, lessening any pain from it.
“It need not be too costly if it’s considered strategically as part of the overall modernization of your IT,” says Steel. “The risk of not doing this is falling behind your competitors, who will soon be communicating on their progress, and also becoming subject to regulatory pressures to migrate in timeframes that might not be achievable (because you didn’t start soon enough), risking compliance fines.”