The government has a message for bankers worried about cybersecurity: incorporate new quantum-encryption standards right now.
In its announcement last week that it had finalized a standard for encryption that can resist decryption by quantum computers, the National Institute of Standards and Technology (NIST) implored all interested parties — companies, government agencies, military, and others — to start adopting the standards "immediately."
For the uninitiated — and even for those familiar with quantum computing — it might seem unnecessary to rush the adoption of so-called post-quantum cryptography (PQC). No quantum computer in existence today can break classical encryption, and the expert consensus is that it will take
Yet the banking industry has been preparing for more than a year for the moment that NIST finalized the post-quantum cryptography standards. There are two main reasons for this: the first is that it will take a long time for the world to transition to post-quantum encryption standards, and the second is that any data stolen today can be decrypted later.
In a March 2023 report, the Financial Services Information Sharing and Analysis Center recommended that banks, credit unions and other financial services companies start preparing "immediately" for post-quantum cryptography standards.
"Regardless of our ability to predict the exact arrival of the quantum computing era, we must immediately begin preparing our information security systems to resist quantum computing capabilities that fall into the wrong hands," the FS-ISAC report reads. "There is no urgent cause for alarm. However, financial services organizations should be aware of quantum cryptography's potential impacts."
Many experts agree, to varying degrees. On the side of great urgency is Karl Holmqvist, founder and CEO of identity management company Lastwall. According to Holmqvist, "time is not on our side" in the effort to adopt the new standards.
"We need to address this now," Holmqvist said. "It's time to get to work and eliminate outdated cryptography."
The new standards mark "the start of a new era for CISOs and their security teams," according to Duncan Jones, head of cybersecurity for quantum computing company Quantinuum. CISOs need to respond to the threat that data stolen today could be decrypted at any time in the future, he said, a threat that FS-ISAC's report also discusses.
"Every CISO now has a mandate to urgently adopt these new standards alongside other methods for hardening their cybersecurity systems," Jones said.
There's no reason for banks to wait on adopting post-quantum cryptography, according to Kevin Bocek, chief innovation officer at identity management company Venafi.
"The most work will come in knowing where machine identities like TLS certificates and code signing certificates are being used," Bocek said. "There are thousands or even hundreds of thousands of certificates in use. Once applications are updated, new certificates using new standards can be replaced."
Bocek pointed out that, last year,
The proposal does not directly relate to the new post-quantum encryption standards, and it does not mean banks need to try to implement post-quantum cryptography within the next 90 days. Rather, the proposal relates to what Google sees as the need for websites to adopt a greater level of security.
Google proposed the change with an eye toward quantum computing. In
Bocek compared these proposed changes to a "dry run" for institutions becoming quantum-proof.
"If we can't be prepared for 90-day certificates, then we'll be really challenged when it comes to post-quantum readiness," Bocek said.