Experts in bank cybersecurity are encouraging financial institutions to start planning now to implement quantum-proof encryption technology, which will ensure any encrypted data that cybercriminals harvest today cannot be decrypted in the coming decades.
Although there is no urgent cause for alarm, sophisticated actors with the ability to harvest encrypted data will eventually (nobody knows exactly when) be able to decrypt that information with quantum computers. As such, industry experts are promoting a proactive approach to quantum-proof encryption to protect any data that might still be useful to hackers years after they collect it.
The top recommendations on post-quantum cryptography come from a report released this March by the nonprofit Financial Services Information Sharing and Analysis Center (FS-ISAC), which calls for banks to catalog all instances where they are using classical encryption today so they can identify their greatest opportunities for mitigating quantum decryption risk.
“Regardless of our ability to predict the exact arrival of the quantum computing era, we must immediately begin preparing our information security systems to resist quantum computing capabilities that fall into the wrong hands,” The FS-ISAC report reads. “There is no urgent cause for alarm. However, financial services organizations should be aware of quantum cryptography’s potential impacts.”
Most dastardly among those impacts is the ability for cybercriminals to decrypt any data that is protected only by classical cryptography, which includes any data they collect before achieving that capability. FS-ISAC described this strategy, dubbed “harvest now, decrypt later,” as threat actors hoarding encrypted data intercepted today as they wait to decrypt it with quantum computers.
Quantum computers work thanks to the quirky behavior of particles like photons and electrons. Although they are often discussed and thought of as vanishingly small ping pong or billiard balls, these particles also have properties of waves.
Quantum computers exploit this so-called wave-particle duality to work with imaginary and complex numbers, which you might recall from precalculus or calculus classes. This type of mathematics differs from the type that classical computers (everything from laptops to alarm systems) do well.
Classical computers can work with complex numbers, but quantum computers solve problems involving complex numbers much faster than classical computers can. As such, quantum computers have numerous applications besides the disruptive task of breaking classical encryption.
Classical encryption effectively protects all financial information that banks and credit unions use and exchange. Banks protect their transactions, trade secrets and every other piece of their business with classical encryption, though that is not the only layer of protection they use. They also hide this data behind layers of authentication technology, data fragmentation and other strategies that make it hard to access.
But once this valuable data leaves the data center where it lives, it runs the risk of interception as it travels across the internet. When hackers grab data in transit, they are then liable to hoard it while they await large-scale quantum computing to decrypt it.
The Government Accountability Office this March said it could take 10 to 20 years for quantum computers to gain the ability to break classical encryption, but estimates vary widely. Regardless, the timeline financial institutions should follow to prepare for large-scale quantum computing is much shorter because of the harvest now, decrypt later strategy.
As part of its efforts to establish post-quantum cryptography standards, the National Institute of Standards and Technology (NIST) announced a candidate for the new standard in encryption last year that banks can start using to protect their data today. The algorithm, known as Crystals-Kyber, is secure against decryption by either classical or quantum computers, as far as anyone can tell so far.
While no definitive proof exists that Crystals-Kyber is unbreakable, the same goes for the classical encryption algorithms (like RSA and ECDSA) that are widely used today. Soft proof comes instead from the numerous attempts at breaking the encryption algorithm that scientists have made over the years and the fact that none of them have fully succeeded.
NIST therefore promotes the use of certain classical encryption algorithms that have stood up to this heavy scrutiny, and in 2024, it is expected to weigh in on whether Crystals-Kyber meets the same standard. In the meantime, banks can use a two-layered encryption approach involving both this novel algorithm and whatever tried-and-true classical algorithm they use today.
That recommendation comes from Konstantinos Karagiannis, director of quantum computing services at consulting firm Protiviti. According to Karagiannis, using a two-layered encryption algorithm ensures that, even if advanced hackers secretly discover a way to reverse Crystals-Kyber encryption with a classical computer, they would still be left trying to also break classical encryption.
“There are ways to add these extra layers now, and it’s okay to do that stuff, but I wouldn’t [use Crystals-Kyber] in production as the only defense,” Karagiannis said.
An even more fundamental planning step that financial institutions can take is cataloging every instance of encryption they use today. FS-ISAC recommended this step in its March report. Ray Harishankar, a fellow in IBM’s Quantum Safe initiative, says doing so will help make financial institutions “quantum-agile.”
“If there is one step financial institutions should take today, it’s beginning to identify their cryptography usage,” Harishankar said. Ahead of NIST publishing its post-quantum encryption standards, generating this so-called “Cryptography Bill of Materials” will help financial institutions ensure they make a smooth transition to new standards, he added.
The need to migrate to post-quantum cryptography is not urgent for most institutions, according to Clement Jeanjean, the head of the commercial team for the cybersecurity division of SandboxAQ, an Alphabet spinoff focused on artificial intelligence and quantum computing. Rather, financial institutions need to start preparing to transition.
“The urgency today is not to deploy quantum-resistant cryptography this year or next year,” Jeanjean said. “Where there is more urgency is in building internally this capability to inventory cryptography, to change cryptography, to become agile with cryptography, because the day you need to migrate to quantum-resistant cryptography, if you don’t have that capability, you will not be able to do it.”