Why it’s time to wake up to the quantum threat – Finextra – Finextra – Finextra

Quantum computing is proving to be enormously exciting for financial institutions. Already,Goldman Sachs and Deutsche Brse are exploring quantum algorithms to calculate risk model simulations 1,000 times faster than currently possible, whileBBVA is looking to quantum to optimise investment portfolio management.

But a more sinister aspect to the technology also lurks just around the corner. Because of their computing power, quantum machines will be able to smash through the mathematical algorithms underpinning all modern encryption - posing an unparalleled cybersecurity risk.

It would take a traditional computer years to break the public-key encryption relied on today by just about every financial services company, but a fully-scalable quantum computer could achieve the same in a matter of hours.

According to roadmaps laid out by major players in the field, we will have a quantum computer capable of doing this within the next decade.

Mapping the vulnerabilities

Banks and financial institutions use a range of cryptographic algorithms to ensure the security of transactions, including symmetric key cryptography (e.g. 3DES) and public key cryptography. Although public key cryptography is most exposed to the quantum threat, some types of symmetric key cryptography are also vulnerable to attack.

Core to these operations are hardware security modules (HSMs). These form a key part of the physical infrastructure that stores and generates secure keys using cryptographic asymmetric algorithms to authenticate and validate transaction information.

A chain is only as strong as its weakest link, so unless up-to-date, quantum-secure HSMs are in place, theres a risk of quantum attackers exploiting a single vulnerability to expose all data within the payments ecosystem.

What complicates the issue is that quantum decryption can be applied retrospectively.

Bad actors could begin collecting encrypted data from institutions today, with the intent to harvest now, decrypt later. Financial services companies could unknowingly be victim to an attack today, and only suffer the consequences in the future when quantum computers become available.

Thankfully, some institutions are already paying attention, with early movers likeScotiabank,JP Morgan and Visaall taking the threat seriously.

Beginning the fight back

The world began to take note of the quantum threat when, in 2016, the US National Security Agency issued an officialwarning to industry. Shortly thereafter, the US National Institute of Standards and Technology (NIST) launched a post-quantum cryptography standardisation project to lay out the path to a quantum-secure future.

NIST is running the process as a competition. The project is now in its final stages, with seven finalist algorithms left after 80 submissions from six continents. The final algorithms will be chosen in 2021, with draft standards to be published thereafter.

Its anticipated that the US government will require contractors to incorporate the new NIST standards in order to conduct business with its agencies. As critical infrastructure, financial institutions are also likely to find that quantum-secure cryptography soon becomes a technical necessity.

The path to quantum security

The migration to new cryptography standards will be a massive undertaking - one of the biggest cybersecurity shifts in decades.

The transition will be complicated for banks, too. Each institution will be starting from its own unique position, with its own legacy systems and infrastructure, and each will be vulnerable to the quantum threat in a different way.

Financial institutions can save time in the long-run by taking steps to plan their own transition before NISTs new standards are even announced.

The first step is to conduct an audit, pinpointing each and every place where encryption is being used within the organisation. This will help to identify weak spots, find areas in need of rationalisation, and so on.

NISTagrees that companies should start preparing for the transition today: 'Itis critical to begin planning for the replacement of hardware, software, and services that use public-key algorithmsnow, so the information is protected from future attacks'.

Looking ahead

Institutions have invested huge amounts of time and effort building customer trust in digital banking, and cryptography was the main mathematical tool that allowed this to happen.

Now that quantum computers threaten to break it, its time for the sector to fight back.

The security of all sensitive data, past and present, relies on it.

View original post here:

Why it's time to wake up to the quantum threat - Finextra - Finextra - Finextra