“You should be very worried,” warned Elshan Kashefi, Chief Scientist at the UK’s National Quantum Computing Centre. Assuming the role of the mythical Greek priestess Cassandra, Kashefi warned the Sifted Summit about the severe threat quantum computers pose – before they’re even functioning.
Today, malicious actors are stealing confidential, encrypted data en-masse to decrypt it later, with a functioning quantum device. These harvest now, decrypt later (HNDL) attacks mean that sensitive information with a ‘shelf-life’ – or information that will continue to be sensitive and require being secure between five to 10 years – is at high risk of being stolen.
Given the amount and type of information they hold, financial institutions are high on the list of nefarious actors looking to carry out these attacks. Easily mistaken for a Nolan plotline, quantum computers pose the most significant cyber threat to banking and financial infrastructures before they even exist.
What, then, should banks be doing about it?
Why Banks Are Acutely Vulnerable
Banks are acutely vulnerable because their large, sprawling infrastructures make them uniquely challenging to protect. The success of modern banks is intrinsically bound to their interconnectivity, which determines their ability to facilitate the movement of money, trade and business. However, interconnectivity also increases exposure to risks and makes it harder to insulate against threats.
If a chain is only as strong as its weakest link, the banking system (read, world) is only as secure as the weakest bank. Hackers can exploit encryption ‘backdoors’ and weak points to access sensitive information into the broader network, transforming a bank's interconnectivity from strength to crippling weakness.
Alarmingly, The Federal Reserve Bank of New York published research demonstrating how an attack on a vulnerable mid-size bank, defined as less than $10bn in assets, could bring down the entire US banking system. For reference, a bank smaller than 5% of Goldman Sachs could inadvertently wring irrevocable financial damages and loss of trust in banks.
Secure and reliable cryptography is key to the stability of our financial system and society – a cryptographically relevant quantum threat can undermine this and eclipse the damages of the 2008 global financial crisis and the Great Depression.
The risk models above still underestimate the quantum impact. If a bank falls victim to a ransomware attack today, as bad as it may sound, there is an absolute remedial action. If the bank is willing to pay, it can restore its systems, and this ransomware incident will not permanently impact all the other peer banks, suppliers and customers.
The relatedness risk is relatively low and non-contagious. A quantum attack will be much more systemic, affecting the entire industry(ies), and remedial actions will take much longer – if even possible – unless you start the migration much sooner. A better risk profile is COVID lockdowns several years ago when there was neither a cure nor a way of knowing who had been infected. The only difference here is that if you have not completed the quantum migration to make yourself self-sufficient, there is no cure, as no one can trust your information anymore.
What’s Being Done So Far?
For now, at least, solutions exist that preempt the threat. Post-quantum cryptography can be leveraged to secure against quantum computers, similar to how public key encryption protects against classical computers. Over the past 12 months, Google Chrome, Signal, and Apple have announced post-quantum integrations within their platforms to secure their users.
Leading the charge in the financial sector, The Bank for International Settlements (BIS) announced Project Leap, a quantum-resistant secure communication channel between the Banque de France and Deutsche Bank, and outlined six more projects earlier this year.
Encouragingly, we’ve also seen the quantum threat come into focus for legislators in the US, with the Quantum Computing Cybersecurity Preparedness Act passing with bilateral Congressional support.
However, with the risks being so total, encouraging isn’t enough. Besides, the projects are insufficient, exposing last-mile vulnerabilities and little scope for interoperability. For instance, Project Leap secures communications from perimeter to perimeter rather than between the end users, presenting a last-mile vulnerability and an obvious target for hackers.
How Banks Should Build Quantum-Secure Infrastructure
Hopefully, I have impressed the importance of a quantum-proof banking infrastructure, so what should banks do?
While we have seen some regulatory top-down movement, banks cannot afford to wait. Financial quantum security regulations have not been mentioned in the US or the UK's national budgets. I recommend that financial institutions create their own end-to-end secure infrastructures.
This starts with evaluating your IT systems and infrastructures to identify vulnerabilities and prioritizing securing sensitive long-life information vulnerable to HNDL attacks first. Work out from there, securing communications – perhaps with an end-to-end quantum-safe messenger – to your entire infrastructure.
To avoid the issues associated with interoperability, look to the Internet Engineering Task Force (IETF), which recently ratified a VPN protocol that enables multiple post-quantum and classical encryption algorithms to be incorporated into VPNs, ensuring no disruption to the functioning of existing IT systems.
Due to the nature of interconnectivity in the banking sector, there will always be counterparties which will fall victim and not be able to remedy the problem. At a minimum, you must regularly archive the most critical information in your own ring-fenced, out-of-band secure data repository.
In case of a claim, you can then prove their accuracy, validity and completeness to the regulators and underwriters. Therefore, in the event of a breach, you will be best positioned to convince the regulators, make insurance claims and, importantly, onboard new customers from failing banks. It may sound extreme, but I believe it will be a winner-takes-all future.
Within the last 20 years, the advent of a quantum computer has gone from theoretical to absolute. Momentum is building in quantum computing research, and everyday time-to-quantum is reduced. The importance of staying ahead and acting decisively cannot be overemphasized. If we continue on the current track, even the most advanced quantum migrations will not be completed in time.
So, I agree with Kashefi: unless we act – you should all be very worried.