FS-ISAC unveils ‘seminal’ framework to combat quantum threats

Cryptographic Security

FS-ISAC, the global cyber intelligence sharing network for financial services organisations, has outlined its framework for maximising cryptographic security and building a crypto agile ecosystem for financial services businesses in the face of a looming quantum threatscape.

By improving cryptographic (or ‘crypto’) agility, the FS-ISAC argued, businesses and cyber defenders can maximise their chances of business continuity if or when existing cryptography is compromised or weakened in an attack.

For the cyber intelligence sharing forum, the ability to engender ‘crypto agility’ within an organisation will prove critical as quantum computing threats emerge. Quantum computing will likely render a widely used class of cryptographic algorithms – including the RSA, ECC and DSA methods – insecure in the coming years.

With these common encryption methods embedded “deep in software applications and… in hardware devices”, the emergence of quantum computing, and use by bad actors, will inevitably increase the risk of exposed transmission or storage of sensitive data.

Even in a post-quantum cryptography (PQC) world, where quantum computing operates on a practical scale, new cryptographic architectures are expected to have much shorter operational lives than current encryption methods, necessitating more regular replacement and updating. Moreover, the FS-ISAC notes, some existing infrastructure may not even be able to make the jump to newer cryptographic algorithms.

Cryptographic agility is defined by the FS-ISAC as a measure of an organisation’s ability to adapt cryptographic solutions or algorithms (including their parameters and keys) quickly and efficiently in response to developments in cryptanalysis, emerging threats, technological advances, and/or vulnerabilities.

“By becoming crypto agile, practitioners will be able to quickly replace cryptographic algorithms using a repeatable process with minimal impact or downtime and provide sufficient confidentiality, integrity, and/or non-repudiation guarantees. Importantly, firms will avoid the vulnerabilities of insecure algorithms.”

The paper, Building Cryptographic Agility in the Financial Sector, which the FS-ISAC boasts is the first to define crypto agility holistically for both business and technical audiences, provides a step-by-step guide for stakeholders in building crypto agility within their organisations.

The paper provides an eight-phase framework with a detailed roadmap for replacing algorithms and building crypto agility, including guidance for assessing algorithmic inventory, building a transition and integration plan, testing algorithm performance, as well as implementation, verification and ongoing maintenance.
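To make the definition of crypto agility above and the framework's inventory and implementation phases concrete, here is an added Python sketch (not code from the FS-ISAC paper; the registry, algorithm names, lifecycle statuses and sample records are constructed assumptions). Each protected record carries its algorithm identifier, a registry decides which algorithms may create new tags, which may only still be verified, and which are refused outright, and the inventory and migration helpers show the repeatable replacement process the paper calls for.

```python
import hmac
from dataclasses import dataclass

# Assumed algorithm registry with lifecycle status. Swapping the active algorithm
# is a registry change, not a code change in protect()/verify(): that is the agility.
REGISTRY = {
    "hmac-sha1":     {"digest": "sha1",     "status": "forbidden"},   # weakened by cryptanalysis
    "hmac-sha256":   {"digest": "sha256",   "status": "deprecated"},  # verify-only, no new tags
    "hmac-sha3-256": {"digest": "sha3_256", "status": "active"},
}
CURRENT = "hmac-sha3-256"

@dataclass
class Record:
    payload: bytes
    alg: str    # algorithm identifier travels with the tag, so the verifier never guesses
    tag: bytes

def _tag(key: bytes, payload: bytes, alg: str) -> bytes:
    return hmac.new(key, payload, REGISTRY[alg]["digest"]).digest()

def protect(key: bytes, payload: bytes, alg: str = CURRENT) -> Record:
    """Create a new tag; only an 'active' algorithm may be used for new data."""
    status = REGISTRY[alg]["status"]
    if status != "active":
        raise ValueError(f"{alg} is {status}; refusing to create new tags with it")
    return Record(payload, alg, _tag(key, payload, alg))

def verify(key: bytes, rec: Record) -> bool:
    """Accept 'active' and 'deprecated' tags; reject unknown or 'forbidden' algorithms."""
    entry = REGISTRY.get(rec.alg)
    if entry is None or entry["status"] == "forbidden":
        return False   # never downgrade to an insecure algorithm just because data asks for it
    return hmac.compare_digest(_tag(key, rec.payload, rec.alg), rec.tag)

def inventory(records):
    """Assessment phase: how many records use each algorithm, and that algorithm's status."""
    counts = {}
    for r in records:
        counts[r.alg] = counts.get(r.alg, 0) + 1
    return {alg: (n, REGISTRY.get(alg, {}).get("status", "unknown")) for alg, n in counts.items()}

def migrate(key: bytes, records):
    """Implementation phase: re-protect every verifiable record under CURRENT; report the rest."""
    migrated, rejected = [], []
    for r in records:
        if not verify(key, r):
            rejected.append(r)                         # forbidden or tampered: needs manual handling
        else:
            migrated.append(r if r.alg == CURRENT else protect(key, r.payload))
    return migrated, rejected

def sample_records(key: bytes):
    """Constructed legacy data: tags made before the registry was tightened (bypasses protect())."""
    legacy = [(b"tx:1", "hmac-sha1"), (b"tx:2", "hmac-sha256"), (b"tx:3", "hmac-sha3-256")]
    return [Record(p, a, _tag(key, p, a)) for p, a in legacy]
```

Running `migrate` over `sample_records` leaves only `hmac-sha3-256` tags in the migrated set and isolates the `hmac-sha1` record for manual remediation.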

The paper also outlines the challenges of achieving cryptographic migration, benchmarks for a successful transition, and a dedicated section for technologists and practitioners advising on the architectural changes necessary to reach this agile state.

FS-ISAC chief strategy and innovation officer Michael Silverman urged the financial services sector to take on a “leadership position in cryptographic agility, ensuring the sanctity and safety of data and storage as threats continue to evolve”.

He added: “The goal of crypto agility is simple: to enable business continuity when existing cryptography is compromised or weakened.

“The transition to crypto agility is vital in maintaining the trust upon which the financial services sector is built and ensuring the safety of business operations in today’s complex, ever-evolving computing environment.”