Financial Services and the Post-quantum Migration – What You Need to Know

  • Andersen Cheng, CEO at Post-Quantum

  • 24.06.2022 02:15 pm
  • #cybersecurity

Applying emerging quantum technology to challenges across the financial services industry is viewed by many to be hugely advantageous for first movers. From being able to effectively analyse large or unstructured data sets, to having the technological power to react faster to market volatility, or being able to rapidly anticipate customer behaviours to deliver personalised products, tapping into the power of quantum technology is anticipated to be transformative.  

While some of these broad commercial applications are likely to remain several years away, quantum computers are widely expected to produce breakthrough products and services that could solve very specific problems in the industry within the next 3 to 5 years.

Yet, this is a rose-tinted view of the impact quantum machines will have on the industry. There is a darker, more threatening side of the technology, which will be far more impactful for the future direction of financial institutions if it isn’t confronted. And those that move first to address this side of the technology will lay the secure foundation that is needed to take advantage of the promise quantum computers clearly hold.

The Quantum Threat

Put simply, this more threatening aspect of quantum technology is the fact that public-key cryptography (PKC), which is widely relied upon today to protect information and data across the world, will become obsolete as the first functioning cryptographically relevant quantum computer (CRQC) emerges. This is because these machines are extremely good at performing vast amounts of computations in parallel whilst today’s computers have to solve problems one at a time. As such, quantum machines can derive knowledge from small datasets, which will allow them to break current encryption standards.

The problem is that PKC is used everywhere in our daily digital interactions, and nowhere more so than in financial institutions, as it has long been used to ensure the security of transactions, data transfers, bank cards, online payments and mobile apps. With the whole industry also having vast amounts of data that needs to remain secret or protected for a long period of time, it will likely become an immediate target of any criminal who gets their hands on a CRQC.

And the effects of any quantum attack on financial institutions could be catastrophic. Preliminary econometric research at the Hudson Institute’s Quantum Alliance Initiative estimates that a single quantum attack on one of the five largest financial institutions in the U.S. that disrupts access to the Fedwire Funds Service payment system would cause a cascading financial failure costing anywhere from $730 Billion to $1.95 Trillion.

Harvest now, decrypt later  

And, concerningly, this day is closer than many in the industry think. We’re not talking about the timescales needed for a commercial quantum computer that JP Morgan or Wells Fargo can use to do their own trading analysis – this could take 15+ years. We are talking about the pure power to do code-breaking under lab conditions, which the cybersecurity community estimates could be in as little as 5 years.

Adding to this urgency is the possibility that any data with a multi-year lifespan could be collected today and decrypted in the future. In other words, financial institutions with sensitive data that has a long shelf life, of which there is plenty, could see that data being harvested by criminals who intend to decrypt it once a sufficiently powerful quantum computer arrives. In the context of financial services, this means, for example, that long-lived encrypted data such as primary account numbers (PAN) could be being harvested en masse, with a view to decrypting it once a CRQC emerges.

This ‘Harvest Now, Decrypt Later’ risk is also why talk of the ‘quantum threat’ being futuristic hyperbole is simply untrue – the threat is already here today and we’re now playing catch-up.

Mapping a path to protection

To remedy this danger, the National Institute of Standards and Technology (NIST) has been running a competition since 2016 to identify new quantum-safe encryption algorithms (also known as Post-Quantum Cryptography, or PQC). Any day now, it will make its decision on which algorithms will become the new standard, which means that financial services firms that have been waiting for certainty on the new encryption to use can now begin the task of migrating their infrastructure to protect their data.

Adding to this have been recent developments coming out of the White House, with President Biden announcing two presidential directives that aim to mitigate the risks that quantum computers pose to America’s national and economic security. While government agencies are required to upgrade their infrastructure first, emphasis is also placed on the need for collaboration between the Federal Government and the private sector to ensure critical industries, such as financial services, are protected.

Some of the bigger financial institutions with more muscle have already started this process but, even for these industry leaders, it will be no easy task. With this in mind, here are a few things everyone in the sector should be considering today:

  1. If you haven’t done so already, set up your Y2Q crypto-migration project now, and give it significant backing and investment. Just as would be the case with any large IT programme or project, you will need to have a dedicated team that is responsible for the migration. 

  2. A key part of getting this project team functioning properly is ensuring that you have the right skills and talent on board. Although most of the PQC knowledge is pigeonholed in academia, normal engineers can grasp PQC quite quickly, making upskilling and reskilling existing team members a priority. External consultancies will also have a role to play here in terms of bringing in external talent to add vital resources.

  3. Once you have the talent in place, the initial goal of the project team should be to conduct a crypto audit. This means taking stock of where cryptography is deployed today across the organisation, making sure that you can map out a migration path that prioritises high-value assets, whilst identifying any expected impact on operational systems.

  4. One of the main considerations for your project team is adopting crypto-agility. This means choosing and deploying solutions that keep the tried and tested classical cryptography we use today, like RSA, alongside one or more post-quantum algorithms. Taking this approach offers greater assurance against both traditional attacks and future threats.
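
As an added illustration (not part of the original article), the crypto audit in step 3 can start as a simple triage over an inventory of where cryptography is deployed. The sketch below goes slightly beyond the text by applying the shelf-life-plus-migration-time test often called Mosca's inequality; the 5-year horizon is the article's estimate used as an assumption, and the inventory entries and field names are constructed for the example.

```python
from dataclasses import dataclass

# Public-key families a CRQC breaks via Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}
CRQC_HORIZON_YEARS = 5  # assumption: the article's "as little as 5 years"

@dataclass
class Asset:
    name: str
    algorithm: str          # e.g. "RSA-2048", "AES-256-GCM"
    protects_secrecy: bool  # True: encryption/key exchange; False: signatures
    shelf_life_years: int   # how long the protected data must stay secret
    migration_years: int    # estimated time to replace the cryptography

def triage(asset: Asset) -> tuple[int, str]:
    """Return (priority, reason); 1 is most urgent."""
    family = asset.algorithm.upper().split("-")[0]
    if family not in QUANTUM_VULNERABLE:
        return 3, "not in the quantum-vulnerable public-key set; review key sizes"
    if asset.protects_secrecy:
        # Data captured until migration completes must outlive the horizon.
        exposure = asset.shelf_life_years + asset.migration_years - CRQC_HORIZON_YEARS
        if exposure > 0:
            return 1, f"harvest-now-decrypt-later window of {exposure} years"
    elif asset.migration_years > CRQC_HORIZON_YEARS:
        return 1, "signature migration would finish after the horizon"
    return 2, "quantum-vulnerable; migrate before the horizon"

def rank(inventory: list[Asset]) -> list[tuple[int, str, str]]:
    """Sort assets by priority, returning (priority, name, reason) rows."""
    rows = [(*triage(a), a.name) for a in inventory]
    return sorted((p, name, why) for p, why, name in rows)

# Constructed sample inventory (hypothetical systems, not from the article).
INVENTORY = [
    Asset("database at rest", "AES-256-GCM", True, 10, 1),
    Asset("code signing", "ECDSA-P256", False, 0, 2),
    Asset("PAN transport to card vault", "RSA-2048", True, 10, 3),
    Asset("mobile app key exchange", "ECDH-P256", True, 1, 2),
]

if __name__ == "__main__":
    for priority, name, why in rank(INVENTORY):
        print(f"P{priority}  {name}: {why}")
```

Entries that land in priority 1 are the natural first candidates for the hybrid classical-plus-post-quantum deployments described in step 4.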
