Natalie Gapp June 16, 2020

Preparing financial firms for the post-quantum era


The internet, email, and most firms depend on encryption to keep data secure. Even when a nefarious actor gains access to private data, strong encryption methods can keep the information safe. However, quantum computers - powerful computers that can perform extremely fast calculations - pose a future yet very significant threat to standard encryption techniques. In this article, we explain the threat quantum computing poses to encryption and provide a five-step plan for firms to prepare for the post-quantum era.

What risk does quantum computing pose to encryption?

Encryption involves turning information into a secret code using keys. If you know the keys for a piece of encrypted data, you can use them to decrypt the data (turn the secret code back into information). The safety of our information depends on the strength of these keys - how difficult they are to guess. Generally, the longer the key, the harder it is to guess. There are multiple means of 'breaking' these codes - either by trying to guess all possible keys until one works or by using public keys to calculate the private key (for encryption known as public key encryption, PKI). In either of these scenarios, making keys sufficiently long and complex means even the world's most powerful computers would need to work for thousands of years to break them. However, quantum computers may be able to speed up this process.

Standard computers, even the most powerful ones in use today, process information in sizes known as bits - where data are represented by combinations of zeros and ones. Quantum computers process information using qubits (quantum bits) where data can be represented by any value between zero and one. For example, if a classical computer solves a maze, it will try each path, one at a time. If a quantum computer solves a maze, it will try each path simultaneously. This parallel computing ability allows for greatly increased computing speed - this means increased ability to compute keys and decode encryption.

While quantum computing remains a future risk, great strides are being made in the field. Last year, Google became the first to achieve quantum supremacy - the ability of a quantum computer to outperform a standard computer - paving the way for future quantum computing developments. With their computer they were able to perform in three minutes computations that would take the world's most powerful computer 10,000 years.

How can firms prepare for the post-quantum era?

Quantum computing, as a major risk to encryption, is not here yet. However, due to its serious potential to disrupt our current systems, we need to understand and prepare for it sooner rather than later. This is especially true in financial firms, where legacy systems may slow down the network updating process.

When analysing the impact of potential quantum threats and the cost of building defences, financial services firms should follow a five-step plan:

  1. Assess their firm’s potential risk
    • Due to the high cost of quantum computing, nation-states will be the first to have access to such technology. If nation-states are a potential adversary to their industry or firm, post-quantum capabilities should be prioritised.
    • Firms at high risk may benefit from hiring encryption risk specialists to help assess
  2. Identify critical and vulnerable systems
    • Assess the level of encryption required in different areas of the firm in order to handle current and future threats. Specifically, anywhere encryption is used, firms should be able to answer:
      • What type of encryption is used? How vulnerable is this encryption?
      • Is there external access to this system?
      • How valuable are the information/systems/devices that can be accessed?
    • Perform a focused examination of the firm’s current encryption procedure for highly valuable information and systems.
  3. Create a timeline for updating their system
    • Firms with a high potential risk should create a clearly defined timeline for implementing post-quantum encryption with a focus on the most valuable and vulnerable systems.
    • Firms need a thorough understanding of the current network. This means understanding the potential costs in terms of finances and time required for creating a post-quantum system.
    • Legacy systems can be an obstacle when updating networks and must be accounted for when considering future encryption risks.
    • For third-party managed systems, contact providers to review their current encryption systems and updating timelines. If they are unable to provide either of these, firms should begin to consider alternative providers.
  4. Focus on crypto-agility
    • When updating and building encryption systems, firms need to focus on crypto-agility. Crypto-agile systems are those capable of adopting an alternate encryption method without substantial infrastructure change.
  5. Keep relevant employees up-to-date on post-quantum encryption developments
    • Firms should ensure that those working on building post-quantum systems are aware of the most recent research in post-quantum algorithms.
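
The three questions in the "identify critical and vulnerable systems" step can be turned into a simple ranking of an encryption inventory. The sketch below is an added example, not part of the original article: the system names, the 1 to 3 value ratings and the scoring weights are assumptions, while the exposure classes rest on two known results (Shor's algorithm breaks RSA and elliptic-curve schemes, Grover's algorithm roughly halves symmetric key strength).

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}
# Symmetric ciphers: Grover's algorithm roughly halves the effective key length.
GROVER_HALVED = {"AES", "CHACHA20", "3DES"}
# Assumed weights; unknown algorithms rank above "medium" because they
# still need to be investigated.
WEIGHT = {"high": 3, "unknown": 2, "medium": 1, "low": 0}

@dataclass
class Asset:
    name: str
    algorithm: str   # "<FAMILY>-<size>", e.g. "RSA-2048" or "AES-128"
    external: bool   # is there external access to this system?
    value: int       # 1 (low) to 3 (high): value of what can be accessed

def quantum_exposure(algorithm: str) -> str:
    """What type of encryption is used, and how vulnerable is it?"""
    family, _, size = algorithm.upper().partition("-")
    if family in SHOR_BROKEN:
        return "high"  # realistic key sizes do not help against Shor
    if family in GROVER_HALVED and size.isdigit():
        return "low" if int(size) // 2 >= 128 else "medium"
    return "unknown"

def score(asset: Asset) -> int:
    """Combine exposure, value and external access (assumed formula)."""
    reach = 2 if asset.external else 1
    return WEIGHT[quantum_exposure(asset.algorithm)] * asset.value * reach

def rank(inventory):
    """Return (name, exposure, score) rows, highest migration priority first."""
    rows = [(a.name, quantum_exposure(a.algorithm), score(a)) for a in inventory]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample inventory; names, algorithms and ratings are hypothetical.
INVENTORY = [
    Asset("db-at-rest", "AES-256", False, 3),
    Asset("archive-backups", "AES-128", False, 3),
    Asset("client-portal-tls", "RSA-2048", True, 3),
    Asset("legacy-vendor-link", "VENDORX-PROPRIETARY", False, 2),
    Asset("interbank-vpn", "ECDH-P256", True, 2),
    Asset("code-signing", "ECDSA-P256", False, 3),
]

if __name__ == "__main__":
    for name, exposure, points in rank(INVENTORY):
        print(f"{points:>3}  {exposure:<8} {name}")
```

Systems at the top of the ranking are the natural starting point for the migration timeline in step 3, and an "unknown" result marks an entry whose algorithm has to be identified before it can be assessed.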

