Quantum Technology for Securing Financial Messaging
Executive Summary
The financial industry depends on secure messaging in transactions sent between banks, merchants, customers, and government agencies; credit card authorizations; wire transfers; account information; and other types of communications. The monetary and systemic value of financial messaging makes it especially vulnerable to cybersecurity attacks. Cryptography is therefore central to trust in the financial system and critical to the financial industry and to the economies that rely on it.
The advent of quantum computing creates a new cybersecurity challenge for financial institutions, as quantum computers will one day become powerful enough to break many of the cryptographic algorithms currently used to protect data and communications. Most notable is the ability of quantum computers to run Shor’s algorithm, which threatens many of the commonly deployed encryption methods used to protect messaging. Running Shor’s algorithm requires a cryptographically relevant quantum computer (CRQC), which is likely still years in the future. However, under the “harvest now, decrypt later” model, encrypted data captured today can be stored and decrypted once a CRQC exists, which compounds the overall risk. Furthermore, the technology upgrade path to post-quantum security readiness will take many years. Financial institutions need to take steps today to mitigate future risks.
There are two technologies that provide different forms of security against a CRQC: post-quantum cryptography (PQC) and quantum key distribution (QKD); we describe each. They offer different benefits and, if combined, may provide increased protection.
The two technologies have potential applications in the following high-feasibility, high-impact use cases identified by stakeholders in quantum security and financial services:
- More secure cross-border transactions
- Security-enabling physical infrastructure
- Third-party validation of financial institutions’ quantum security posture
- Post-quantum transport layer security
- Quantum communications service providers
Three important themes emerged during this study:
- The threat posed by a future CRQC requires immediate evaluation of exposure to a cybersecurity breach, because of “harvest now, decrypt later”.
- Combined approaches that employ multiple technologies may increase security.
- Third-party service providers can help ensure timely risk mitigation by smaller institutions.
In addition, three recommendations are suggested for advancing security in the financial industry:
- Support the financial industry in the implementation of PQC standards: Federal agencies should support migration to PQC algorithms by sharing information and resources with financial institutions and by providing grants to help institutions implement the new algorithms. Grants to state and local government entities that handle sensitive financial information should also be considered. While large financial institutions will have the financial and technological resources to swiftly implement the change, small, community-based banks and credit unions (of which there are thousands in the United States) are more vulnerable, as they have fewer resources and thus will be less prepared. Federal grants or loans to small and medium-sized financial institutions to support PQC technology adoption could be vital to maintaining a robust, quantum-resistant financial industry.
- Increase quantum expertise at financial institutions: The financial industry should grow in-house quantum expertise to raise awareness of the implications of quantum technologies in terms of both benefits and risks. Financial institutions should hire quantum networking and security experts to assist with conducting an inventory of quantum-vulnerable cryptographic assets and implementing PQC standards. Financial institutions can also partner with companies developing QKD to trial this technology as it grows in its capabilities. Investment banks can further stay at the forefront of quantum technology by investing in companies that offer quantum communications and security as a service.
- Explore QKD + PQC combined approaches: While QKD and PQC each have advantages and limitations, using both technologies in a combined approach could lead to higher levels of security than either approach on its own. The United States government has prioritized deploying PQC but should also fund R&D in QKD-related technologies to ensure that the nation stays competitive and protected. Federal agencies should invest today in research that aims to make QKD more scalable and certifiable. Investments in R&D on approaches that combine QKD, PQC, and classical cryptography will drive innovation in ways that support cryptographic defense-in-depth. The financial services sector stands ready to collaborate with telecommunications companies, researchers, and government to help assess and advance combined approaches for possible implementation before a CRQC becomes available.