Quantum-Equipped Financial Services Council Proposal:

Quantum-Equipped Financial Services Council Proposal:

In the realm of regulated industries and highly confidential systems, "quantum computing" has undeniably become a common term. As the Chief Risk Officer of a major digital banking company, I manage the protection of millions of consumers' sensitive financial data. I devote a significant portion of my time to forecasting future threats and the challenges that will arise in the coming years. In this post, I will share insights on post-quantum cryptography (PQC), which is rapidly becoming an essential component of future-proofing financial services, and why you should start considering it now.

The Inevitable Quantum Catastrophe

There exists an ominous truth that whatever data you safeguard with currently used encryption technologies may become vulnerable to attackers gaining uninhibited access in the near future. With their colossal computational power, quantum computers will soon effortlessly breach legacy cryptographic schemes, such as RSA and ECC (Elliptic Curve Cryptography). Traditional encryption hinges on mathematical problems that are challenging for classical computers to solve. Even in theory, even the largest supercomputers would require trillions of years to compute the secret key protecting sensitive data with RSA or ECC. However, with a quantum computer? This task could be accomplished in merely 10 seconds.

The quantum computers capable of performing this feat are yet to become widely available to jeopardize global financial services. Recently, researchers employed such a device to crack a smaller version of RSA (14 bits versus 2048 bits used in standard implementations). Nevertheless, these devices are rapidly growing in power, and the principles behind them are well understood; the only thing missing now is time before legacy encryption algorithms offer no protection. This concern has reached a fever pitch as organizations like FS-ISAC and the G7 are warning about "Y2Q," the date beyond which any encrypted data will be exposed without PQC.

Securing the Future of Digital Financial Services

A term heavily steeped in sci-fi jargon, PQC refers to the set of future technologies that will replace the classical algorithms widely used today. With time, all cryptography technologies succumb to innovation and research, rendering the previously assumed-safe approaches of yesterday inadequate in the present. Regrettably or not, we are entering an era dominated by relatively safe RSA and ECC, the compatibility and support for which are now widespread and even rigidly imposed.

Replacing these algorithms is a daunting task, considering they are present in various applications, from TLS encryption over the internet to encryption integrated into solid-state drives to mutual authentication deep within complex enterprise applications and even within email. Many tech stacks powering financial services and healthcare do not possess "crypto agility," or the ability to swap out or upgrade our current encryption methods. Consequently, adopting PQC will be costly for internal use cases where teams have the necessary control to upgrade, test, and embrace newer algorithms. However, addressing all the intermediaries in our digitally connected ecosystems will be far more intricate, time-consuming, and expensive.

FS-ISAC is a neutral consortium of respected financial services entities that collaborate to adapt and protect against security threats, including those posed by quantum computers to legacy cryptography. Recently, they published a whitepaper outlining a thorough readiness and transition plan, which I have summarized into four key phases:

1. Inventory and assess uses of legacy cryptography to gain an overall understanding of the areas internal teams must address and the external parties with which your organization must collaborate to affect change.
2. Assemble the oversight, project management, and technical talent required to evaluate, select, and implement post-quantum cryptography practices.
3. Utilize or develop flexibility to swap out legacy algorithms with PQC upgrades.
4. Coordinate with stakeholders to schedule, test, deploy, and monitor PQC replacements. Even mid-sized financial services organizations may require several months to address potentially hundreds of touchpoints within an enterprise and across a broader ecosystem.

Conclusion

The threat of quantum computers is not a new one, but its presence is becoming increasingly urgent for every organization responsible for preserving data security and confidentiality. Delivering quantum-ready digital services will be difficult for numerous institutions, given the pervasive use of susceptible legacy encryption technology and the intricate interdependencies each organization must navigate to effect change. Strategies to tackle this challenge exist, and firms of all sizes should inquire about their vendors' preparations for the post-quantum leap.

Our Technology Council is an exclusive community for elite CIOs, CTOs, and technology executives. Do I qualify?

In the context of the text, Sean McElroy could potentially be the author of the whitepaper outlining a readiness and transition plan for post-quantum cryptography, published by FS-ISAC. Another sentence could be: Sean McElroy, as a member of the Technology Council, is leading discussions on how organizations can prepare for the transition to quantum-resistant cryptography.

Read also: