Once considered too futuristic to pose a real risk, quantum computers will soon become a reality – and financial institutions (FIs) are not yet prepared to deal with potential threats to cybersecurity. The industry remains split on how soon the day will come when the vision of the next high-tech assaults becomes a reality.
Financial service firms are being warned to start preparing for the quantum threat now.
“The future threat from quantum computers to all widely-used public-key cryptographic algorithms means financial services companies need to start preparing today for the transition to quantum-safe cryptography,” said Brian LaMacchia, distinguished engineer and head of the security and cryptography group at Microsoft Research, in an email.
On October 23 Google announced it had reached “quantum supremacy”, referring to the ability of a quantum computer to perform tasks that classical computers cannot. The group working on the project claimed their quantum processor Sycamore had performed in 200 seconds a task that would have taken the world’s best supercomputer 10,000 years to complete. While Google’s claim has not faced universal acceptance (quantum rival IBM almost immediately countered it), it has nonetheless brought the possibilities of quantum – both positive and negative – back into the market’s imagination.
The pace of technological advance over the past few years has been startling, with new market phenomena – like cryptography – gathering pace and widespread adoption. Andersen Cheng, CEO of cyber security company Post-Quantum, suggests the same pattern could see quantum computer applications take off just as quickly.
“A few years ago when we were trying to sell cryptos, it was difficult because people said, ‘Oh, does it work?’ or ‘Let's wait until these computers arrive – why should I worry about it?’ However, migrating across is not an overnight job.
“It's a bit like if the UK government decides to go left-hand drive in five years’ time – it doesn't mean you can start building the cars and the roads in five years. You have to do it now. You have to start training now. So that's the same analogy, that you have to start future proofing what you have today.”
Several market participants from Microsoft to JPMorgan believe that a commercial quantum computer will be available within a decade – perhaps in as little as three years. JPMorgan has been working with IBM since 2017 to explore quantum computing’s potential in risk analysis and trading strategies. The bank declined to comment on whether it is preparing for quantum cyber threats; IBM did not respond by time of publication.
Microsoft is building post-quantum cryptography, collaborating with four separate cryptographers for the National Institute of Standards and Technology (NIST) Post-Quantum Project, a competition aiming to develop a new global encryption standard.
“We are actively developing quantum-safe cryptographic algorithms and demonstrating how they can be integrated with commonly used security protocols and solutions. Financial services enterprises can use our work to test both the cryptographic agility of their own systems and their operations with post-quantum cryptography,” said LaMacchia.
“The best way to start preparing is to ensure that all current and future systems have cryptographic agility, the ability to be easily reconfigured to add quantum-resistant algorithms.”
However, the US Securities Industry and Financial Markets Association (SIFMA) does not consider quantum an imminent threat to financial services, considering it a problem to be dealt with when quantum computers become a viable reality.
“Nobody's really broken through yet,” says Thomas Wagner, SIFMA’s managing director, financial services operations.
“Google recently claimed that they got it, but it’s probably another five years before it becomes practice.”
However, Post-Quantum’s Cheng discourages a focus on commercial quantum computers.
“To crack encryption, you do not need a commercial quantum computer – you just need a working one,” he says.
“As long as the engine works, we’re not talking about building a car to get all the emissions and all the safety regulations done … All we need to crack encryption is to have an engine that is working. Whoever’s been able to do that quickly, I can almost guarantee will not make any announcements. Because they’ve become the master of the universe – why would they tell the world that they’ve got something working?”
A number of studies show that while awareness of a quantum threat is growing, most organisations are ill-equipped to confront it. A recent report by cybersecurity provider DigiCert found that 71 percent of enterprises surveyed consider quantum computing a somewhat to extremely large threat in the future. Of these enterprises, only 35 percent have a post-quantum cryptography budget in place.
“It’s not yet here,” says Daniel Cukier, CTO at the Bank of France.
“It’s not yet foreseeable for an attack to use this kind of technology, but it will be in a few years, or if you ask some suppliers they’ll say maybe in five to 10 years. We are monitoring this point currently, but are not yet at the point where we have to make changes to some of those technologies. But we know there are cryptographic algorithms much less vulnerable to quantum computing.”
The Advanced Encryption Standard (AES) – the encryption standard approved by the US government in 2001 – was established to make systems less susceptible to quantum attacks. AES has been utilised in everything from payment security providers such as Bluefin, to messaging services such as WhatsApp. Ruston Miles, chief strategy officer at Bluefin, believes that unlike public key algorithms such as RSA and elliptic-curve cryptography (ECC), AES is future-proofed.
“[Public key infrastructure] is actually quite susceptible to quantum computing. In a way that quantum computing works with cascading and looking at cascading information, it renders that pretty vulnerable,” says Miles.
“AES is not asymmetric but symmetric encryption, and is much harder to break. Quantum computing has less of an effect.
“Now these hackers have to get a quantum computer, which they won’t be able to get for another decade maybe, and all they’re able to do is shave off two and a half years to crack one credit card number. The tech is future-proofed against at least what everyone is saying is the largest new leap for computing power.”
Currently, a variety of public, private, and combination key algorithms are utilised within financial services. Asymmetric cryptography such as RSA and ECC can easily be cracked by a quantum processor using Shor’s algorithm, a quantum algorithm for integer factorisation invented in 1994. Symmetric cryptography such as AES is more protected, but could still be broken by Grover’s algorithm, a quantum algorithm devised in 1996.
According to Cheng, not even the best encryption is sufficient for protecting against quantum threats. He refers to a “master key” problem that lies in multi-signature protocols, an integral part of the security of a blockchain. Custodians of multi-signature protocols possess the ability to access an entire blockchain, a feature that renders the entire transaction vulnerable.
“If your interface has not been signed properly, then someone internally will have access to look at the entire database, look at the entire transaction, look at those keys. And all they have to do – and I'm even assuming the custodian is honest – is just take a copy and then they have all of the key. That is another area of concern – You need to break up that master key or golden key into different bits,” says Cheng.
Post-quantum cryptography (PQC) typically falls into code-based or lattice-based categories. A prominent PQC example is McEliece’s code-based encryption system, which is considered immune to attacks featuring Shor’s algorithm.
The original McEliece cryptosystem dates back to the late 1970s, around the same time that RSA originated.
“[The McEliece algorithm] was never adopted because at the time, no one would have thought there would be a quantum computer available and everyone thought RSA would be secure forever,” says Cheng. Today, the McEliece system has matured and is being considered in NIST’s PQC competition. The competition started in 2017 and set out to create a new global encryption standard.
“Some people will still argue: ‘why don’t we just wait until NIST has come up with its final choice on what to use?’ In the last two to three years I’ve been promoting a different concept of hybridisation,” says Cheng. IBM, Cisco, and Google are also trying this approach.
He recommends that firms “wrap” their current RSA protocols with a post-quantum adapter, saying that this method removes the need to wait for a new encryption standard to be announced.
According to figures from DigiCert, 59 percent of enterprises claimed to be employing hybrid protocols made up of both RSA/ECC and PQC – a nearly impossible figure considering that PQC solutions are currently limited to early testing. These findings suggest confusion surrounding PQC, but the general indication is that market participants are aware of the quantum threat.
“The level of [cyber] attacks are increasing, both with frequency and sophistication. The different types of organisations thinking about it and needing to prepare is increasing, and organisations seeking advice in order to be prepared is increasing,” says Nicola Fulford, privacy and cybersecurity partner at law firm Hogan Lovells.
“At the moment encryption is still a good and sensible thing to do, but I would imagine that would change over time.”
Held to ransom
The financial sector remains focussed on malware and ransomware attacks. SIFMA has been conducting cyberattack tests since 2011 when it launched the first of its Quantum Dawn series. The exercise was targeted at preparing participants for a systemic cyberattack on market infrastructure and has been conducted every other year since. The latest exercise, Quantum Dawn V, was a targeted ransomware attack that involved participants from over 200 institutions across 19 countries.
“We wanted to make something that was extreme, and relevant to the current threat environment because we're seeing those types of attacks in municipalities and elsewhere in the US,” says Thomas Price, SIFMA’s managing director, technology, operations, and business continuity.
An organisation suffers a ransomware attack every 14 seconds, a rate that will rise to one every 11 seconds by 2021, according to research by Cybersecurity Ventures.
Regarding future attacks, SIFMA’s Wagner does not consider quantum computing a significant concern.
“I’m not sure that that’s a big threat at this point,” he says.
Price shares Wagner’s sentiments.
“Technology is still evolving. And then as that technology evolves, certainly the defence of that technology will continue to evolve, too ... There are different points of view on that. And I don't think we're in a position to really speculate.”
IBM reported that financial institutions experienced 64 percent more cyberattacks than other organisations in 2016.
“One of the threats the financial industry should be most worried about is man-in-the-middle attacks – whereby an attacker inserts themselves between a two-party transaction to filter and steal valuable data,” said Darren James, head of internal IT at cybersecurity provider Specops Software, in an email.
“To protect themselves and their customers/clients from man-in-the-middle attacks, financial firms should take steps such as strong WEP/WAP encryption on all access points, not have HTTPS alternatives and make sure router/Wi-Fi login credentials are very difficult to guess.”
James declined to comment on the quantum threat to encryption in financial services.
While some firms are hesitant to comment on quantum threats, Cheng believes the shift towards a post-quantum mentality has already occurred.
“I know a lot of the banks will be studying this in much more detail because it is kind of like common logic, isn't it? Now that billions of dollars have gone into building a quantum computer. And all the banks have been investing hundreds of millions into all the quantum simulation, all the calculations and so on.
“So you're already working on the basis that it will happen.”