Quantum technologies have already had a major impact on the global banking system, from creating new applications for financial models to breakthrough strategies for trading or risk profiling. However, when fault-tolerant quantum computers become available, they will also be able to break existing public-key encryption (PKE) and compromise financial information, transactions and customer data on an unprecedented scale.
This, and other factors, prompted the White House to issue a National Security Memorandum (NSM 10) mandating that federal agencies comply with quantum-resistant encryption algorithms approved by the National Institute of Standards and Technology (NIST).
The memorandum applies to critical infrastructure “so vital to the United States that their incapacitation or destruction would have a debilitating effect on the Nation’s security, economy, public health and safety, or any combination thereof.” Although banks themselves are not “federal agencies,” the Cybersecurity and Infrastructure Security Agency considers them to be a vital part of our national infrastructure, thus warranting the same security countermeasures.
Although no one knows when quantum computers will be powerful enough to break PKE (the Dept. of Homeland Security predicts it could be as soon as 2030), adversaries have already initiated Store Now, Decrypt Later (SNDL) attacks, which could have devastating consequences for banks and their customers. As the name implies, SNDL attacks harvest and store encrypted data until working quantum computers become available to unlock that data. Financial data, in particular, is very attractive to adversaries as it tends to have a very long “shelf life” and will most likely remain relevant and/or viable over time.
To protect their organization and customers against SNDL, banks must identify and inventory every instance of vulnerable public-key cryptography throughout their entire IT infrastructure so that both hardware and software systems can be upgraded with quantum-resistant protocols, known as Post-Quantum Cryptography (PQC).
PQC represents the next evolution in cryptography. For the past six years, the National Institute of Standards and Technology (NIST) has been working with a consortium of cryptologists and mathematicians from 25 countries to develop new quantum-resistant algorithms that will become the new global encryption standard. This July, NIST unveiled four PQC candidate algorithms and several alternates that are still being evaluated for standardization. This was the sign that banks, corporations and government agencies had been waiting for to begin migrating to PQC.
After an initial discovery process, which could take several months or more, depending on network size and complexity, CIOs and CISOs will have a better understanding of their cybersecurity posture and can decide what areas to prioritize for PQC migration – starting with the most vulnerable data and critical systems. The key is to begin the discovery process immediately. Once encrypted data has been stolen, it can no longer be protected.
The discovery phase also represents a great opportunity for CIOs and CISOs to update or rearchitect their IT infrastructure. The typical bank IT architecture is an amalgam of modern and legacy systems, oftentimes the by-product of numerous M&A events. The hardware and software upgrades needed to make their systems quantum-resistant could also make them more modern and responsive to their customers’ needs.
Once critical systems and data have been upgraded, banks can transition other systems to PQC on a timetable that fits their budget or other obligations. But in order to maintain the highest level of cyber protection, banks will also need to implement solutions that bestow “crypto-agility” – the ability to seamlessly switch between a variety of algorithms in real time depending on the nature of the threat. In addition, banks will likely need to create a hybrid cybersecurity architecture – a mix of existing and new technologies – to maintain regulatory compliance and to protect against both classical and quantum-related threats. Crypto-agility is essential in this regard.
Without a doubt, migrating to PQC will be complex, time-consuming and costly – relative to the size of the bank. Larger institutions have already begun the discovery phase – through partners like SandboxAQ and/or Global System Integrators (GSIs) like Deloitte or EY, who have the domain expertise, scale and knowledge of their clients’ IT architecture.
Even without such GSI relationships, smaller institutions should still begin the discovery phase and then work with technology providers to develop migration strategies. A great resource for information is NIST’s National Cybersecurity Center of Excellence (NCCoE), where organizations can find and share business insights, technical expertise, and challenges via a variety of Communities of Interest. Selected by NIST as one of only 17 technology collaborators for the NCCoE, SandboxAQ is helping the government to initiate the development of practices to ease migration from current public-key cryptography algorithms to replacement algorithms that are resistant to quantum computer-based attacks.
For organizations that are still researching their options, several of SandboxAQ’s cryptography and cybersecurity experts wrote an insightful white paper titled “Transitioning Organizations to Post-Quantum Cryptography,” which was published in Nature, the world’s foremost international scientific journal. The paper outlines current and future quantum-related threats, steps organizations need to take to become quantum-resistant and crypto-agile, and other helpful information. We encourage you to read this and contact us with any questions you may have.
Regardless of which vendor, partner or technology approach banks choose, one thing is certain: the longer they wait, the greater the risk to their organization, investors and customers. It is imperative that banks begin the process of migrating to PQC as soon as possible.