Adapting to the Quantum Shift: Cultivating Business Resilience

GUEST OPINION: The rapid growth of quantum computing technology may catch unprepared institutions off guard, with detrimental impacts on cybersecurity and business risk.

Many business leaders remain unprepared for quantum computing due to its relatively nascent stage of development. Differing from their conventional counterparts, quantum computers process information using quantum bits, commonly known as qubits, which possess very different qualities than conventional computer bits. Quantum computing presents a multitude of advantages to businesses by enhancing operational efficiency and facilitating advanced data analysis at speed and scale. However, among their many potential use cases is the ability to break current data encryption methods which form the foundation of digital data security.

Consequently, organisations – in particular financial institutions (FIs) – must take immediate action to fortify their information security systems by adopting Post-Quantum Cryptography (PQC). This proactive step is essential to establish resilience in the face of such emerging threats.

Firms Must Prepare Now

Estimates of when quantum computing will be able to break current encryption methods range from 5 to 30 years. While current quantum computers have considerable limitations, including hardware that is incredibly difficult to build and maintain, significant investments from powerful nations and tech giants could expedite progress, potentially creating quantum computers that might render current encryption methods obsolete very quickly. Back in 2019, Google claimed “quantum supremacy,” solving a problem in seconds that would take classical computers millennia. Such breakthroughs resemble the trajectory of artificial intelligence (AI) advancement and could experience rapid acceleration.

In addition, threat actors are already preparing for a post-quantum world, collecting encrypted data that can be decrypted in the future as part of a strategy dubbed “harvest now, decrypt later”. Employing this strategy, malicious actors extract large amounts of encrypted data and retain it until they can break the encryption using quantum computers. Such attacks enabled by quantum capabilities might substantially jeopardise the confidentiality and security of the global financial system, as well as that of its customers.

These accelerating developments mean that the private as well as public sectors must begin preparing for a post-quantum future. Australia has taken significant steps on this front, with the Australian federal government unveiling the National Quantum Strategy, a comprehensive roadmap that prioritises research, essential infrastructure access, a skilled workforce, robust standards, and ethical inclusivity to solidify Australia’s status as a frontrunner in the quantum technology landscape. Moreover, according to a CSIRO report, Australia’s quantum tech potential could reach $2.2 billion and generate 8,700 jobs by 2030, increasing to nearly $6 billion and 19,400 jobs by 2045. Australian quantum enterprises already draw noteworthy venture capital funding, claiming a 3.6% slice of global quantum venture capital between 2017 and 2021, surpassing international rivals.

Globally, a substantial increase is expected in the technology’s use within the next five years, requiring organisations to adapt even as they await regulatory guidelines. A recent report from EY Quantum Computing Lab, part of the Global Innovation team, underscores the importance of businesses preparing for action and highlights the potential for a competitive edge among early adopters. According to McKinsey, global funding for quantum computing startups increased by 13.5% last year to $1.1 billion, with China planning to invest $15.3 billion and the European Union $7.2 billion in the industry.

Meeting the Challenge – State of Play

In preparation for the post-quantum era, substantial efforts are underway to create robust tools, technologies, and algorithms to combat this emerging threat. This includes sophisticated post-quantum encryption algorithms, which are specifically designed to counter potential threats posed by quantum computers. Furthermore, quantum-safe blockchain technology bolsters cyberattack resilience in contrast to centralised systems, while quantum key distribution leverages principles from quantum mechanics to guarantee secure and tamper-proof communication.

Achieving Post-Quantum Preparedness

While the complete impact of quantum computing on cyber and business risk in financial services and other sectors is uncertain, it is important for organisations to understand their ability to react to and be ready for changes in the PQC landscape. This entails developing protocols that secure data against both quantum and classical computers and interoperate with existing practices. To help FIs and other organisations prepare for a post-quantum future, FS-ISAC – through its Post-Quantum Cryptography Working Group – has put together a framework for building post-quantum resilience.

  1. Create a comprehensive list of existing encryption resources: Establishing a complete catalogue of cryptographic assets and their respective purposes empowers an organisation to preemptively recognise the risks associated with advances in PQC, allowing the company to maintain agility in its cryptographic practices.

  2. Develop a risk assessment framework and assess all potential risks: Establish an organisation-wide framework to comprehend and evaluate potential threats arising from quantum computing. This facilitates clear risk communication among stakeholders and aligns security and operational goals. Then, enumerate all assets, threats, vulnerabilities, and the potential consequences of security breaches or data incidents. The outcome of this risk assessment should encompass a comprehensive inventory of risks, measures to counter these identified risks, and action plans for mitigation.

  3. Apply a risk model: Given the limited understanding of risks arising from cryptographically relevant quantum computers (CRQC), the advised approach is to promptly devise multiple risk scenarios tailored to particular assets, some of which are deemed “more probable” than others. After identifying and ranking these potential risk scenarios, take proactive steps to mitigate the highest-impact risks as a priority.

  4. Vendor evaluation: Incorporate preparations for Post-Quantum Cryptography (PQC) needs in vendor planning. Enhance existing risk assessment protocols and legal/contractual frameworks to encompass PQC specifications. Organisations should also actively educate vendors about PQC advancements.

Financial Institutions and Organisations Must Act Now

While there is no need for panic, rapid advancements in quantum research call for early adoption of quantum-resistant measures. Access to quantum technology is expected to become more widely available and less concentrated in the hands of government, academia and Big Tech in the near future, though how near we cannot know. In response, FS-ISAC’s Post-Quantum Cryptography Working Group has produced publicly available white papers, guiding FIs and other organisations to initiate their post-quantum strategies.

As technology continues to advance, institutions must not only keep pace but also fortify their quantum resilience strategies. This demands a comprehensive approach that encompasses intelligence sharing, knowledge dissemination, practising incident response scenarios, and a fundamental shift in mindset to give paramount importance to quantum-related risks. The journey to achieve resilience against these emerging threats begins now, with FIs laying the groundwork for quantum resilience to confidently navigate the intricate landscape of post-quantum threats that lie ahead.

About the author, Lachlan Pope:

Lachlan is an entrepreneur, having started a number of successful businesses, with a BSc in Applied Psychology and an MBA. In his 20+ year career, he has worked primarily in the FMCG, Finance, and Health Sectors. The common link has been fulfilling leadership roles that drive businesses forward by valuing each individual relationship and creating a culture of success.

