An international and intergovernmental group this week called on the financial sector to prepare for “impending threats” brought by developments in quantum computing.
The G7 Cyber Expert Group (CEG), which is chaired by the US Treasury Department and the Bank of England and advises G7 finance ministers and central bank governors on cyber issues, issued a statement recommending that financial authorities and institutions assess quantum computing risks and develop plans to mitigate them.
The statement notes that quantum computers are being developed that could solve computational problems that are currently deemed impossible for conventional computers to solve within a reasonable amount of time.
Financial institutions are likely to benefit from the technology through services such as more efficient payments processing, but quantum computing also poses cybersecurity risks, the CEG pointed out. “In anticipation of large-scale quantum computing becoming prevalent, threat actors may be implementing a ‘harvest now, decrypt later’ scheme to intercept confidential data now with the intent of decrypting it once quantum computers become more capable and widely available,” stated CEG.
“[these steps] are important to economic security and prosperity, and strongly encourages financial institutions to provide the funding and other resources needed to support it.”
Todd Conklin, Deputy Assistant Treasury Secretary for Cybersecurity and Critical Infrastructure Protection
This is particularly true with regard to the potential of the technology to thwart encryption used to protect digital communications and IT systems.
CEG recommendations
The CEG made three recommendations for financial institutions to address the potential cybersecurity risks posed by quantum computing:
- Develop a better understanding of the technology and its risks.
- Build a sound understanding of quantum computing risks to the business’s particular areas of responsibility, whether that is an individual company or a jurisdiction.
- Develop a plan for mitigating quantum technology risks. That plan should identify key stakeholders and their roles and responsibilities; so as to identify the level of effort the entity should dedicate toward the issue and the specific area(s) where it should focus.
- Establish milestones for key actions based on the anticipated deployment of a quantum computer able to defeat modern-day encryption. This may include planning for the orderly replacement of vulnerable technologies with those that are quantum resistant.
Alluding to these plans for the quantum transition, Todd Conklin, Deputy Assistant Treasury Secretary for Cybersecurity and Critical Infrastructure Protection, said in a press release that the CEG believes these steps “are important to economic security and prosperity, and strongly encourages financial institutions to provide the funding and other resources needed to support it.”
Use trusted standards
In August, the National Institute of Standards and Technology (NIST) announced a principal set of encryption algorithms designed to withstand cyberattacks from a quantum computer.
The three standards unveiled by NIST contain the encryption algorithms’ computer code, instructions for how to implement them and their intended uses. The CEG encourages firms to consult it, along with resources from the UK’s National Cyber Security Centre and ENISA.