Financial services businesses have been warned to prepare themselves for the emergence of quantum machines that will soon be capable of cracking – “in a matter of seconds” – today’s most reliably secure cryptographic codes.
Global financial services intelligence consortium, the FS-ISAC, called on financial institutions to move towards achieving a state of “post-quantum cryptography (PQC)” – that is, to develop cryptography that is “quantum-proof, quantum-safe, or quantum-resistant”.
This would mean creating cryptographic algorithms that can resist cryptanalytic attack by a quantum computer.
While public-key encryption protocols – one of the most common methods used today to protect data in transit – remain “satisfactory for securing data against most code-breaking tools” utilised by modern threat actors, the FS-ISAC said, the emergence of “large-scale quantum computers… capable of breaking many of the current public-key cryptography systems” could upend this tried-and-true data security method.
“When large-scale quantum computers are built, they will be capable of breaking many of the current public-key cryptography systems,” the FS-ISAC wrote in its recent report, adding that it will “gradually erode the security of our public-key systems”.
“Without significant preparation for moving to post-quantum cryptography, quantum computers in the wrong hands would significantly compromise the privacy and security of the digital communications on which the world, and the financial system, increasingly rely.”
Global funding for quantum computing startups increased by 13.5 per cent last year, to $1.1 billion. According to research by McKinsey, China plans to invest $15.3 billion in the industry, with the European Union setting aside $7.2 billion for investment in the technology.
Roadmap for PQC
The FS-ISAC report provided a roadmap to help prepare FSIs for a post-quantum world.
- Develop an inventory of existing encryption assets: creating a clear inventory of cryptographic assets ensures organisations can “proactively identify risks and challenges being introduced by advances in PQC”, and enables them to be “crypto agile in planning for future changes in cryptographic requirements”. The information, such as understanding which in-house and vendor apps are using cryptographic algorithms, as well as regulatory and data provenance concerns, is necessary for developing risk models.
- Assess risk: effectively identify assets, threats, vulnerabilities, and the potential impacts of a security incident or data breach.
- Assess vendors: While acknowledging the process may be “premature”, with industry standards still “in their infancy”, the FS-ISAC urged FSIs to “begin thinking about vendor PQC requirements, updating existing risk assessment processes, and updating legal/contract requirements to include PQC provisions”.
- Create a risk assessment framework: Understand and evaluate threats quantum computing may pose to an organisation’s information security. These frameworks provide an initial point of reference for risk assessments, allowing processes to develop over time.
- Apply a risk model: With the timeline for the emergence of quantum threats still unknown, the FS-ISAC noted that immediate best practice suggests creating several scenarios on risks a quantum threat may pose to a specific asset.
- Remediation: Remediation will require companies to migrate to PQC algorithms once they become available. Throughout this process, organisations should consider increasing their crypto agility so they can keep up with cryptographic technologies and protocols that will keep changing and evolving in response to quantum computers.
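The inventory and risk-model steps above can be mechanised as a first pass over a cryptographic asset register. The following is an added example, not code from the FS-ISAC report; it assumes algorithms are recorded as “FAMILY-BITS” strings, uses the NIST SP 800-57 public-key strength equivalences, and treats 128 post-quantum bits as the “ok” threshold (an assumed policy choice):

```python
"""Classify a cryptographic-asset inventory by quantum exposure (added example)."""
from dataclasses import dataclass

# Public-key families whose underlying problems (factoring, discrete log) Shor's algorithm solves.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}
# Symmetric ciphers and hashes: Grover's search roughly halves effective key/preimage bits.
GROVER_HALVED = {"AES", "CHACHA20", "SHA", "SHA3"}
# Classical strength of public-key sizes per NIST SP 800-57 equivalences.
RSA_DH_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
ECC_STRENGTH = {256: 128, 384: 192, 512: 256, 521: 256}


@dataclass
class Asset:
    name: str       # application or service using the algorithm
    owner: str      # "in-house" or the vendor supplying it
    algorithm: str  # "FAMILY-BITS", e.g. "RSA-2048", "AES-128", "SHA-256" (assumed convention)


def strength_bits(algorithm: str) -> tuple[int, int]:
    """Return (classical_bits, post_quantum_bits) for one algorithm string."""
    family, _, size = algorithm.upper().rpartition("-")
    bits = int(size)
    if family in SHOR_BROKEN:
        table = RSA_DH_STRENGTH if family in {"RSA", "DSA", "DH"} else ECC_STRENGTH
        return table.get(bits, 0), 0  # broken outright by a large-scale quantum computer
    if family in GROVER_HALVED:
        return bits, bits // 2
    raise ValueError(f"unknown algorithm family: {family}")


def assess(assets: list[Asset]) -> list[dict]:
    """Rank inventory entries by post-quantum exposure, most urgent first."""
    report = []
    for a in assets:
        classical, quantum = strength_bits(a.algorithm)
        action = "migrate" if quantum == 0 else "strengthen" if quantum < 128 else "ok"
        report.append({"name": a.name, "owner": a.owner, "algorithm": a.algorithm,
                       "classical_bits": classical, "post_quantum_bits": quantum, "action": action})
    return sorted(report, key=lambda r: (r["post_quantum_bits"], r["name"]))


# Constructed sample inventory (hypothetical systems and vendor, not real data).
INVENTORY = [
    Asset("payments-api", "in-house", "RSA-2048"),
    Asset("swift-gateway", "VendorCo", "ECDSA-256"),
    Asset("archive-store", "in-house", "AES-128"),
    Asset("ledger-db", "in-house", "AES-256"),
    Asset("audit-log", "in-house", "SHA-256"),
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f"{row['action']:<10} {row['name']:<14} {row['owner']:<9} {row['algorithm']:<10} "
              f"classical={row['classical_bits']} post-quantum={row['post_quantum_bits']}")
```

The report groups every public-key dependency as a migration item, so the same register can later be re-run with PQC algorithm names added to the tables once standards are available.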
This year, the FS-ISAC said its Post-Quantum Cryptography Working Group will work with member institutions to: complete infrastructure, current state, and risk assessments; identify common gaps or needs across the industry for remediation; and work with NIST on standards applicability to financial services use cases, among other priorities.
“Regardless of our ability to predict the exact arrival of the quantum computing era, we must immediately begin preparing our information security systems to resist quantum computing capabilities that fall into the wrong hands.
“There is no urgent cause for alarm,” the FS-ISAC added. “However, financial services organisations should be aware of quantum cryptography’s potential impacts.”