Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

The Financial Services Industry has long been a lucrative playground for cyber thieves. These days, the push toward a digital banking economy has opened financial institutions to an overwhelming number of new and sophisticated cyberattacks. The list of cyberattacks on banks just in 2021 is long, including Flagstar Bank, the European Banking Authority, New Zealand’s central bank, and more. According to a Trend Micro report, banks experienced a 1,318 percent year-on-year increase in ransomware attacks in the first half of 2021.

To make things worse, quantum computers will be used to disrupt service to critical financial cyber-systems, which could have devasting effects on the American economy. A study conducted by Arthur Herman at the Hudson Institute revealed that an attack from a quantum computer that disrupts any of the five largest financial institutions’ access to the Fedwire Funds Service could cost up to nearly $2 Trillion. It is imperative that banks and financial services institutions take measures to protect themselves and the American economy from these future cyberattacks.

The issue has become so pervasive that during a congressional hearing last year, CEOs from six of the largest U.S. banks testified that cybersecurity is the most significant risk for their industry. The dramatic increase in cyberattacks over the past few years has prompted President Biden, NIST, and the FBI to address growing concerns over our nation’s cybersecurity. In addition, in January the White House issued a Memorandum on Improving the Cybersecurity of National Security, which outlines near term standards (including Post-Quantum Cybersecurity (PQC mandates) for National Security Systems (NSS) that are equivalent to or exceed existing cybersecurity requirements.

The challenge of modernizing cybersecurity is exacerbated by the rapid development of quantum computers and the threat of Cryptographically Relevant Quantum Computers (CRQC) which will be capable of breaking public-key encryption.

Public key encryption secures 90 percent of all global encrypted data. It is used by nearly every U.S. financial institution to secure transactions, client data, online payments, highly valuable information, and IP. Using a quantum algorithm, known as Shor’s algorithm, CRQCs will be able to easily factor large prime numbers which form the basis of public-key encryption. Shor’s algorithm will be used via a quantum computer to break public-key encryption and access the contents of the encrypted data at financial institutions in the coming years.

In addition to the future CRQC threat directly aimed at financial services organizations, hackers today are harvesting encrypted data with the intention of retroactively decrypting the data using a quantum computer, a process known as “steal now decrypt later.” It is rumored that one nation state has already harvested 25 percent of the world’s encrypted data, including sensitive information belonging to U.S financial institutions.

It is commonly accepted that the length of time sensitive banking data requires secure protection is at least 25 years. As a result, banks must update their cybersecurity standards now to prevent further loss and liability. Some large financial institutions such as J.P. Morgan, Visa and Barclays are closely monitoring quantum technologies and investing in post-quantum encryption methods to combat classical and quantum attacks. The National Institute of Standards and Technology (NIST) is currently developing standards for post-quantum cryptography, but the implementation of NIST-approved post-quantum algorithms may take decades due to the scale and complexity of today’s security networks. NIST is urging enterprises to begin the transition to a new approach called post-quantum cryptography now to protect their data from future attacks.

Post-quantum cryptography (PQC) uses cryptographic systems for classical computers that can protect against quantum computing attacks. Since PQC is software-based, it can be deployed quickly across networks and data. PQC algorithms such as those studied by NIST use complex mathematics such as 400-hundred-dimensional lattice infrastructures to hide a cryptographic key. Studies so far have determined that these chosen algorithms are highly resistant to quantum attacks.

A successful migration to post-quantum cryptography will be judged, in part, by the ease or difficulty of replacing existing systems. Since NIST has not yet finalized its PQC algorithm choices, it is particularly important that financial services organizations remain crypto-agile as part of their overall PQC transition. Crypto-agility means that a bank can start the transition to post-quantum cryptography without making a final choice on NIST approved algorithms. If a financial organization develops the right crypto-agile architecture, it can use any/all of the final NIST approved algorithms. This allows banks to begin testing PQC now, with little or no risk. Financial services organizations can migrate their cybersecurity systems to PQC as NIST continues to finalize post-quantum cryptography standards.

It is also recommended that banks immediately assess their existing systems to determine which components are most vulnerable to quantum attacks and thus need to be prioritized for future updates. Financial institutions can conduct low-cost experiments with hybrid post-quantum and public key solutions, accelerating the transition toward quantum resiliency. Additionally, they can prioritize extremely sensitive data to mitigate risk as the process progresses. Financial institutions must take it upon themselves to conduct these risk analyses now to prepare for the implementation of future NIST post-quantum standards.

To accelerate the transition into the post-quantum era it is critical that financial institutions begin testing practical PQC solutions that minimize disruption to existing systems. These practices and new approaches will play a pivotal role in securing the future of our financial institutions. Banks should look to PQC solutions that offer quantum resilience, crypto-agility and backwards compatibility.

Featured

  • 91 Percent of Security Leaders Believe AI Set to Outpace Security Teams

    Bugcrowd recently released its “Inside the Mind of a CISO” report, which surveyed hundreds of security leaders around the globe to uncover their perception on AI threats, their top priorities and evolving roles, and common myths directed towards the CISO. Among the findings, 1 in 3 respondents (33%) believed that at least half of companies are willing to sacrifice their customers’ long-term privacy or security to save money. Read Now

  • Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

    Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams. Read Now

  • Milestone Announces Merger With Arcules

    Global video technology company Milestone Systems is pleased to announce that effective July 1, 2024, it will merge with the cloud-based video surveillance solutions provider, Arcules. Read Now

  • Cloud Resources Have Become Biggest Targets for Cyberattacks According to New Research

    Thales recently announced the release of the 2024 Thales Cloud Security Study, its annual assessment on the latest cloud security threats, trends and emerging risks based on a survey of nearly 3000 IT and security professionals across 18 countries in 37 industries. As the use of the cloud continues to be strategically vital to many organizations, cloud resources have become the biggest targets for cyber-attacks, with SaaS applications (31%), Cloud Storage (30%) and Cloud Management Infrastructure (26%) cited as the leading categories of attack. As a result, protecting cloud environments has risen as the top security priority ahead of all other security disciplines. Read Now

Featured Cybersecurity

Webinars

Whitepapers

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3