Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

The Financial Services Industry has long been a lucrative playground for cyber thieves. These days, the push toward a digital banking economy has opened financial institutions to an overwhelming number of new and sophisticated cyberattacks. The list of cyberattacks on banks just in 2021 is long, including Flagstar Bank, the European Banking Authority, New Zealand’s central bank, and more. According to a Trend Micro report, banks experienced a 1,318 percent year-on-year increase in ransomware attacks in the first half of 2021.

To make things worse, quantum computers will be used to disrupt service to critical financial cyber-systems, which could have devasting effects on the American economy. A study conducted by Arthur Herman at the Hudson Institute revealed that an attack from a quantum computer that disrupts any of the five largest financial institutions’ access to the Fedwire Funds Service could cost up to nearly $2 Trillion. It is imperative that banks and financial services institutions take measures to protect themselves and the American economy from these future cyberattacks.

The issue has become so pervasive that during a congressional hearing last year, CEOs from six of the largest U.S. banks testified that cybersecurity is the most significant risk for their industry. The dramatic increase in cyberattacks over the past few years has prompted President Biden, NIST, and the FBI to address growing concerns over our nation’s cybersecurity. In addition, in January the White House issued a Memorandum on Improving the Cybersecurity of National Security, which outlines near term standards (including Post-Quantum Cybersecurity (PQC mandates) for National Security Systems (NSS) that are equivalent to or exceed existing cybersecurity requirements.

The challenge of modernizing cybersecurity is exacerbated by the rapid development of quantum computers and the threat of Cryptographically Relevant Quantum Computers (CRQC) which will be capable of breaking public-key encryption.

Public key encryption secures 90 percent of all global encrypted data. It is used by nearly every U.S. financial institution to secure transactions, client data, online payments, highly valuable information, and IP. Using a quantum algorithm, known as Shor’s algorithm, CRQCs will be able to easily factor large prime numbers which form the basis of public-key encryption. Shor’s algorithm will be used via a quantum computer to break public-key encryption and access the contents of the encrypted data at financial institutions in the coming years.

In addition to the future CRQC threat directly aimed at financial services organizations, hackers today are harvesting encrypted data with the intention of retroactively decrypting the data using a quantum computer, a process known as “steal now decrypt later.” It is rumored that one nation state has already harvested 25 percent of the world’s encrypted data, including sensitive information belonging to U.S financial institutions.

It is commonly accepted that the length of time sensitive banking data requires secure protection is at least 25 years. As a result, banks must update their cybersecurity standards now to prevent further loss and liability. Some large financial institutions such as J.P. Morgan, Visa and Barclays are closely monitoring quantum technologies and investing in post-quantum encryption methods to combat classical and quantum attacks. The National Institute of Standards and Technology (NIST) is currently developing standards for post-quantum cryptography, but the implementation of NIST-approved post-quantum algorithms may take decades due to the scale and complexity of today’s security networks. NIST is urging enterprises to begin the transition to a new approach called post-quantum cryptography now to protect their data from future attacks.

Post-quantum cryptography (PQC) uses cryptographic systems for classical computers that can protect against quantum computing attacks. Since PQC is software-based, it can be deployed quickly across networks and data. PQC algorithms such as those studied by NIST use complex mathematics such as 400-hundred-dimensional lattice infrastructures to hide a cryptographic key. Studies so far have determined that these chosen algorithms are highly resistant to quantum attacks.

A successful migration to post-quantum cryptography will be judged, in part, by the ease or difficulty of replacing existing systems. Since NIST has not yet finalized its PQC algorithm choices, it is particularly important that financial services organizations remain crypto-agile as part of their overall PQC transition. Crypto-agility means that a bank can start the transition to post-quantum cryptography without making a final choice on NIST approved algorithms. If a financial organization develops the right crypto-agile architecture, it can use any/all of the final NIST approved algorithms. This allows banks to begin testing PQC now, with little or no risk. Financial services organizations can migrate their cybersecurity systems to PQC as NIST continues to finalize post-quantum cryptography standards.

It is also recommended that banks immediately assess their existing systems to determine which components are most vulnerable to quantum attacks and thus need to be prioritized for future updates. Financial institutions can conduct low-cost experiments with hybrid post-quantum and public key solutions, accelerating the transition toward quantum resiliency. Additionally, they can prioritize extremely sensitive data to mitigate risk as the process progresses. Financial institutions must take it upon themselves to conduct these risk analyses now to prepare for the implementation of future NIST post-quantum standards.

To accelerate the transition into the post-quantum era it is critical that financial institutions begin testing practical PQC solutions that minimize disruption to existing systems. These practices and new approaches will play a pivotal role in securing the future of our financial institutions. Banks should look to PQC solutions that offer quantum resilience, crypto-agility and backwards compatibility.

Featured

  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • Today's Enterprise

    Protecting servers and data has evolved rapidly over the past 15-plus years. Early on, concerns centered around the environmental conditions of where servers were housed within a building and the effects of humidity, temperature and air quality on their performance. This led to a better understanding of the need for a controlled environment to maximize equipment lifespan and capacity. It was also a driving force behind consolidating servers in a common space, i.e., the data center. Read Now

  • Study Proves It: Security Awareness Training Reduces Phishing Attacks

    Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to insider systems and data – any threat actor can easily phish users, steal their credentials and secure keys to the kingdom without having to fight advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches.  Read Now

  • Security Questions Persist After Attempted Assassination Attempt of Donald Trump

Featured Cybersecurity

Webinars

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3