Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

Page 2 of 2

Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

The Financial Services Industry has long been a lucrative playground for cyber thieves. These days, the push toward a digital banking economy has opened financial institutions to an overwhelming number of new and sophisticated cyberattacks. The list of cyberattacks on banks just in 2021 is long, including Flagstar Bank, the European Banking Authority, New Zealand’s central bank, and more. According to a Trend Micro report, banks experienced a 1,318 percent year-on-year increase in ransomware attacks in the first half of 2021.

To make things worse, quantum computers will be used to disrupt service to critical financial cyber-systems, which could have devasting effects on the American economy. A study conducted by Arthur Herman at the Hudson Institute revealed that an attack from a quantum computer that disrupts any of the five largest financial institutions’ access to the Fedwire Funds Service could cost up to nearly $2 Trillion. It is imperative that banks and financial services institutions take measures to protect themselves and the American economy from these future cyberattacks.

The issue has become so pervasive that during a congressional hearing last year, CEOs from six of the largest U.S. banks testified that cybersecurity is the most significant risk for their industry. The dramatic increase in cyberattacks over the past few years has prompted President Biden, NIST, and the FBI to address growing concerns over our nation’s cybersecurity. In addition, in January the White House issued a Memorandum on Improving the Cybersecurity of National Security, which outlines near term standards (including Post-Quantum Cybersecurity (PQC mandates) for National Security Systems (NSS) that are equivalent to or exceed existing cybersecurity requirements.

The challenge of modernizing cybersecurity is exacerbated by the rapid development of quantum computers and the threat of Cryptographically Relevant Quantum Computers (CRQC) which will be capable of breaking public-key encryption.

Public key encryption secures 90 percent of all global encrypted data. It is used by nearly every U.S. financial institution to secure transactions, client data, online payments, highly valuable information, and IP. Using a quantum algorithm, known as Shor’s algorithm, CRQCs will be able to easily factor large prime numbers which form the basis of public-key encryption. Shor’s algorithm will be used via a quantum computer to break public-key encryption and access the contents of the encrypted data at financial institutions in the coming years.

In addition to the future CRQC threat directly aimed at financial services organizations, hackers today are harvesting encrypted data with the intention of retroactively decrypting the data using a quantum computer, a process known as “steal now decrypt later.” It is rumored that one nation state has already harvested 25 percent of the world’s encrypted data, including sensitive information belonging to U.S financial institutions.

It is commonly accepted that the length of time sensitive banking data requires secure protection is at least 25 years. As a result, banks must update their cybersecurity standards now to prevent further loss and liability. Some large financial institutions such as J.P. Morgan, Visa and Barclays are closely monitoring quantum technologies and investing in post-quantum encryption methods to combat classical and quantum attacks. The National Institute of Standards and Technology (NIST) is currently developing standards for post-quantum cryptography, but the implementation of NIST-approved post-quantum algorithms may take decades due to the scale and complexity of today’s security networks. NIST is urging enterprises to begin the transition to a new approach called post-quantum cryptography now to protect their data from future attacks.

Post-quantum cryptography (PQC) uses cryptographic systems for classical computers that can protect against quantum computing attacks. Since PQC is software-based, it can be deployed quickly across networks and data. PQC algorithms such as those studied by NIST use complex mathematics such as 400-hundred-dimensional lattice infrastructures to hide a cryptographic key. Studies so far have determined that these chosen algorithms are highly resistant to quantum attacks.

A successful migration to post-quantum cryptography will be judged, in part, by the ease or difficulty of replacing existing systems. Since NIST has not yet finalized its PQC algorithm choices, it is particularly important that financial services organizations remain crypto-agile as part of their overall PQC transition. Crypto-agility means that a bank can start the transition to post-quantum cryptography without making a final choice on NIST approved algorithms. If a financial organization develops the right crypto-agile architecture, it can use any/all of the final NIST approved algorithms. This allows banks to begin testing PQC now, with little or no risk. Financial services organizations can migrate their cybersecurity systems to PQC as NIST continues to finalize post-quantum cryptography standards.

It is also recommended that banks immediately assess their existing systems to determine which components are most vulnerable to quantum attacks and thus need to be prioritized for future updates. Financial institutions can conduct low-cost experiments with hybrid post-quantum and public key solutions, accelerating the transition toward quantum resiliency. Additionally, they can prioritize extremely sensitive data to mitigate risk as the process progresses. Financial institutions must take it upon themselves to conduct these risk analyses now to prepare for the implementation of future NIST post-quantum standards.

To accelerate the transition into the post-quantum era it is critical that financial institutions begin testing practical PQC solutions that minimize disruption to existing systems. These practices and new approaches will play a pivotal role in securing the future of our financial institutions. Banks should look to PQC solutions that offer quantum resilience, crypto-agility and backwards compatibility.

About the Author

Skip Sanzeri is Founder and COO of QuSecure, Inc.

Featured

  • Video Surveillance Trends to Watch

    With more organizations adding newer capabilities to their surveillance systems, it’s always important to remember the “basics” of system configuration and deployment, as well as the topline benefits of continually emerging technologies like AI and the cloud. Read Now

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.