Quantum computing may seem like a distant concern for bankers more focused on lending margins and economic conditions, but in the not-too-distant future it could fundamentally transform bank security.
The concept of quantum computing goes back decades. The basic idea is that every computer and every application is built out of “bits” — tiny pieces of information — that can be either “on” or “off” (hence “1” and “0” in computer code). Quantum computing, by contrast, includes the possibility of a bit being both on and off at the same time, which is essentially a third state of existence. And the computational possibilities grow exponentially as you add more of these quantum bits, or qubits.
A quantum computer, then, is not an app or a program, but a way of computing information that is fundamentally different from that of every computer that has ever existed — from the ENIAC to the phone in your pocket. Quantum computing has certain advantages over so-called “classical” computing, and one of them is the ability to factor large numbers.
To understand why that is important, one has to appreciate that the only thing that keeps online information secure and private is encryption — turning private information into indecipherable mush unless you possess a “key.” And much of what keeps the key safe is that computers today are really bad at guessing what it is.
Quantum computers could change that dynamic dramatically. Whereas a classical computer might take years to guess an encryption key through a brute force attack (that is, just repeatedly guessing wrong answers until it hits on the right one), a quantum computer could guess correctly with great speed, because it could comprehend the entire universe of possibilities at once. Virtually everything that is inaccessible online could be accessible instantly to whoever possesses a quantum computer.
If that is worrisome, the good news is that quantum computers don’t exist — experts suggest that the technology will probably be realized in the next decade, though others say it could be sooner.
But banks — as well as governments, the military and anyone else with a stake in cybersecurity — are increasingly devoting resources to quantum computing. JPMorgan Chase said recently that a significant portion of its technology budget in the coming year is going to be dedicated to quantum computing applications, and Barclays and Morgan Stanley have announced investments in quantum computers as well.
The Bank Policy Institute recently launched a Quantum Risk Calculator for its members to assess their potential vulnerability to a quantum cyberattack.
Andrew Kennedy, BPI’s vice president of cybersecurity and risk strategy, said the challenge for banks is to get ahead of the changes that quantum computing will bring rather than falling behind — and in many ways the first step in that preparation is being aware of the problem.
“The thing I compare it to is Y2K,” Kennedy said, referring to the preparation to ensure computers could handle the switch from the year 1999 to 2000. “The difference is, we had a date for Y2K. There’s no date for quantum computing. But it took 10 years for the air traffic controllers to be fully comfortable that Y2K wasn’t going to be a problem. If it takes 10 years, we should be prioritizing it and we are.”
Quantum computing isn’t entirely a cybersecurity issue, either — the technology also has potential applications for helping banks complete transactions and find promising investments.
But in many ways staying ahead of the game in quantum computing is about being able to continue to provide the same core banking service to your customers — keeping their money safe — that banks have been performing since the Middle Ages.
Only instead of protecting their money with a stronger vault or an armed guard, tomorrow’s banks will have to protect themselves against quantum computers.
That could pose an existential threat for smaller banks for which an outlay of millions — or even billions — of dollars is not a realistic option. They could be the easiest targets once quantum computers become more of a reality.
And a former top cybersecurity official with the Department of Homeland Security said there is no way for banks to even be sure that those security threats necessarily lie off in the future. Maybe they’re lurking in the shadows even now.
“I always assume that, if you have a good idea and you’re working on something, someone is already ahead of you,” the official said.
“So what would it be like to assume that somewhere, someone in the world has one of these versions of a quantum computer that works, and they’re benefiting from it right now?”