Over the past 25 years, financial institutions have used encryption to maintain the security and privacy of computer-based information. Most of today’s encryption methods use algorithms that might break only after thousands of years of nonstop processing by the world’s largest conventional computers. Now experts realize that quantum-based computers will have the power to break those codes in seconds. Some estimate that the majority of data protected with conventional encryption techniques could be vulnerable within the next decade.
In partnership with Protiviti, a global consulting firm, DTCC has taken early steps to educate itself on the risks, inventory the encryption methods in use, and determine if and where the organization carries post-quantum risk. Our new paper, Post-Quantum Security Considerations for the Financial Industry, brings this near-term risk into focus for the financial industry, identifies initial steps financial institutions can take, and aims to provoke a more intentional dialogue about how the industry can act now to ward off post-quantum risk.
Quantum Quandary
Quantum computing leverages the phenomena of quantum physics to perform certain types of calculations millions of times faster than conventional binary computing. While classical computing will still exist, quantum computers will soon outperform classical computers in certain contexts for governments and large institutions.
By delivering new ways to analyze and solve complex problems, quantum computing therefore carries the potential to disrupt industries. Unfortunately, as with any new technology, it also gives bad actors a realistic means of breaking today’s cryptography.
Mind Your PQCs
Since 2016, the National Institute of Standards and Technology (NIST) has worked to develop standard approaches for post-quantum cryptography (PQC). Even with broad adoption of quantum computing still quite far off, NIST has responded to an “unprecedented urgency” to develop quantum-resistant cryptography standards. This effort is known as PQC standardization.
Given the status of PQC standardization and other developments, business leaders are advised to watch for new information. While NIST has selected four algorithms to date, it has indicated that this selection is not final and that additional algorithms will be added to its standard.
Current State Assessment
Organizations just starting to consider post-quantum readiness should assess their current state as a basis for articulating a post-quantum risk strategy:
- Quantum-Awareness: Most organizations are quantum-unaware, meaning they haven’t thought about post-quantum threats. Quantum-aware organizations are taking steps to build familiarity with quantum computing developments and forecasts.
- Crypto-Readiness: Crypto-advancing organizations have begun identifying their critical data and use of cryptography, while crypto-agile organizations have already implemented processes and resources to replace their existing algorithms and protocols.
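The "crypto-advancing" step above, identifying where cryptography is in use and which of it is exposed to quantum attack, is the part that can be partly automated. The script below is an added example written for this page, not code from DTCC, Protiviti or the paper: it runs a small rule set over a constructed, hypothetical inventory (free-text lines of the form `<system>: <description>`) and classifies each algorithm found. The categories reflect the standard reasoning: public-key schemes based on factoring or discrete logarithms (RSA, ECDSA, Ed25519, ECDH) fall to Shor's algorithm and must be replaced; symmetric ciphers and hashes only lose roughly half their security bits to Grover's search, so AES-128 is flagged as reduced margin while AES-256 and SHA-256 are treated as adequate; ML-KEM and ML-DSA are NIST's standardized forms of Kyber and Dilithium. The system names, the inventory lines, the regexes and the adequate/reduced-margin thresholds are this example's assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample inventory (hypothetical systems, not real configuration).
# Format per line: "<system>: <free-text description of cryptography in use>".
SAMPLE_INVENTORY = [
    "web-tls: cert signature sha256WithRSAEncryption, key RSA-2048",
    "api-gateway: jwt alg=ES256 (ECDSA P-256)",
    "ssh-bastion: host key ssh-ed25519, kex curve25519-sha256",
    "backup-vault: data-at-rest AES-128-GCM, integrity HMAC-SHA256",
    "archive-vault: data-at-rest AES-256-GCM",
    "pilot-vpn: kex ML-KEM-768 hybrid, auth ML-DSA-65",
]

# Classification rules: (regex, canonical name, category, recommended action).
# Categories are this example's assumption:
#   quantum-broken  public-key schemes broken outright by Shor's algorithm
#   reduced-margin  symmetric primitives whose margin Grover search halves
#   adequate        symmetric/hash primitives with enough margin after Grover
#   pqc             NIST post-quantum algorithms (ML-KEM = Kyber, ML-DSA = Dilithium)
# Order matters: each matched rule consumes its text so that, for instance,
# "sha256WithRSAEncryption" is counted once as RSA and not again as SHA-256.
RULES = [
    (r"sha256WithRSAEncryption|RSA-\d+|\bRSA\b", "RSA", "quantum-broken", "replace with PQC or hybrid signature/KEM"),
    (r"\bECDSA\b|\bES256\b|\bP-256\b", "ECDSA", "quantum-broken", "replace with ML-DSA or hybrid signature"),
    (r"ssh-ed25519|\bEd25519\b", "Ed25519", "quantum-broken", "replace with PQC or hybrid signature"),
    (r"curve25519|\bX25519\b|\bECDH\b|\bDH\b", "ECDH", "quantum-broken", "replace with ML-KEM or hybrid key exchange"),
    (r"AES-128", "AES-128", "reduced-margin", "move to AES-256"),
    (r"AES-256", "AES-256", "adequate", "none"),
    (r"HMAC-SHA256|SHA-?256", "SHA-256", "adequate", "none"),
    (r"ML-KEM-\d+|\bKyber\b", "ML-KEM", "pqc", "none"),
    (r"ML-DSA-\d+|\bDilithium\b", "ML-DSA", "pqc", "none"),
]


@dataclass(frozen=True)
class Finding:
    system: str
    algorithm: str
    category: str
    action: str


def inventory(lines: List[str]) -> List[Finding]:
    """Return one Finding per (system, algorithm) present in the inventory lines."""
    findings: List[Finding] = []
    for raw in lines:
        system, _, rest = raw.partition(":")
        for pattern, name, category, action in RULES:
            regex = re.compile(pattern, re.IGNORECASE)
            if regex.search(rest):
                findings.append(Finding(system.strip(), name, category, action))
                # Consume the matched text so overlapping rules do not double count.
                rest = regex.sub(" ", rest)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per exposure category."""
    return dict(Counter(f.category for f in findings))


def systems_needing_migration(findings: List[Finding]) -> List[str]:
    """Systems that use at least one quantum-broken public-key algorithm."""
    return sorted({f.system for f in findings if f.category == "quantum-broken"})


if __name__ == "__main__":
    results = inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.system:14} {f.algorithm:9} {f.category:15} {f.action}")
    print(summarize(results))
    print("migrate first:", systems_needing_migration(results))
```

On the constructed inventory this flags three systems (`api-gateway`, `ssh-bastion`, `web-tls`) as depending on quantum-broken public-key algorithms, one as needing a larger symmetric key, and the hybrid VPN pilot as already using PQC. The regex rule table is deliberately the part an organization would extend, since the real inventory sources (certificate stores, TLS and SSH configuration, HSM key metadata) vary between institutions.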
Post-Quantum Leap
If the current expectations for quantum progress prove to be true, it is already time to be concerned about post-quantum risk. As Konstantinos Karagiannis, Protiviti Director of Quantum Computing bluntly stated, “The time to start looking at this was yesterday.”
Quantum computing will present more opportunities than today’s experts have predicted, but it also brings new risk by invalidating some existing data-protection methods.
“We recognize that the quantum technology threat is coming. With some experts estimating that much of the industry’s protected data could become vulnerable within the next decade, the time to act is now,” said Ajoy Kumar, DTCC Managing Director and Chief Information Security Officer. “DTCC is already taking proactive steps to ensure all of our data is resilient and secure.”
This paper is a call to action for financial industry leaders to begin the dialogue and to prepare for the emergence of PQC standards, so that the security, privacy, and integrity of the financial industry are sustained. We encourage you to read and share this paper to ensure your organization isn’t impacted by post-quantum vulnerabilities.