The Monetary Authority of Singapore has issued an advisory on the cybersecurity risks associated with quantum computing. Quantum computers, which operate on the principles of quantum mechanics, have the potential to solve complex mathematical problems faster than traditional computers. However, they also pose a significant cybersecurity threat as they can break commonly used encryption and digital signature algorithms. The advisory urges financial institutions to prepare for these risks by migrating to quantum-resistant encryption and key distribution systems, and by implementing other quantum security solutions such as Quantum Key Distribution technology.
Quantum Computing and Cybersecurity Risks
Quantum computers, which utilize the principles of quantum mechanics, have the potential to revolutionize various industries by solving complex mathematical problems at a speed exponentially faster than traditional computers. However, this potential also brings with it significant cybersecurity concerns. The ability of quantum computers to break commonly used encryption and digital signature algorithms poses a significant threat to the security of financial transactions and sensitive data processed by financial institutions. This risk is particularly relevant with the emergence of cryptographically relevant quantum computers (CRQCs).
Experts predict that the cybersecurity risks associated with quantum computing will become a reality within the next decade. CRQCs could potentially break commonly used asymmetric cryptography, while symmetric cryptography may require larger key sizes to remain secure. In response to this, the National Institute of Standards and Technology (NIST) has initiated a global standardization process for post-quantum cryptography (PQC). This process involves shortlisting quantum-resistant public-key cryptographic algorithms that can operate with existing networking and communication protocols and protect sensitive information against CRQCs.
Quantum Key Distribution and Quantum Security Solutions
Research initiatives are also underway to develop Quantum Key Distribution (QKD) technology, which aims to establish secure communication channels for distributing encryption keys. To mitigate the cybersecurity risks associated with quantum computing, financial institutions need to achieve crypto-agility. This means they must be able to efficiently transition from vulnerable cryptographic algorithms to PQC without significantly impacting their information technology (IT) systems and infrastructure.
Financial institutions could also implement other quantum security solutions, such as QKD, as part of their risk mitigation strategies. This advisory highlights some of the measures that financial institutions should consider as part of their quantum transition efforts, including keeping abreast of the latest developments in quantum computing and raising awareness of the associated cybersecurity risks.
Quantum Transition Efforts and Risk Mitigation
Financial institutions should monitor ongoing quantum computing developments for cybersecurity threats and risks that may impact financial services. They should also consider possible mitigation strategies using quantum security solutions such as PQC and QKD. It is crucial for senior management and relevant third-party vendors to understand the potential threats of quantum technology and the importance of supporting efforts on transitioning to quantum security solutions.
Working closely with third-party IT vendors to assess the institution’s IT supply chain risks arising from quantum threats is also recommended. Vendors should be requested to provide quantum-resistant solutions when they become commercially available. Financial institutions should also connect with relevant industry groups, research bodies, or Information Sharing and Analysis Centres (ISACs) to exchange information and collectively mitigate systemic quantum risks.
Inventory of Cryptographic Assets and Quantum-Resistant Encryption
Maintaining an inventory of cryptographic assets and identifying critical assets to be prioritized for migration to quantum-resistant encryption and key distribution is another important step. Financial institutions should identify and maintain an inventory of cryptographic solutions used in the institution, and determine those which are potentially vulnerable and need to be replaced with quantum-resistant alternatives when the solutions become commercially available.
This inventory should include information about the cryptographic algorithm and key length used, the ownership and parties responsible for maintaining cryptographic assets, and the specific system or application where the cryptographic algorithm is embedded or used. IT and data assets that are dependent on the potentially vulnerable cryptographic solutions should be classified, so as to prioritize the risk mitigation efforts.
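As an added example (not part of the MAS advisory), the Python sketch below triages an inventory holding the fields listed above, splitting assets into asymmetric algorithms to replace with PQC, symmetric ones to review for key size, and entries needing manual review. The CSV layout, the algorithm name lists, the 256-bit symmetric threshold and the data-class labels are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Families follow the advisory's split: asymmetric algorithms are breakable by a
# CRQC, symmetric ones may need larger keys. The name lists are assumptions.
ASYMMETRIC = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
SYMMETRIC = {"AES", "3DES", "CHACHA20"}
MIN_SYMMETRIC_BITS = 256  # assumed policy threshold, not a figure from the advisory
CRITICALITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # hypothetical labels
FINDING_RANK = {"replace-with-pqc": 0, "increase-key-size": 1, "manual-review": 2}

# Constructed sample inventory; systems and owners are invented for illustration.
SAMPLE_INVENTORY = """system,owner,algorithm,key_bits,data_class
hr-portal,Corporate IT,ECDSA,256,low
archive-store,Data Platform,AES,256,medium
core-db-backup,Data Platform,AES,128,high
legacy-hsm,Treasury Ops,PROPRIETARY-X,,critical
payments-gateway,Payments IT,RSA,2048,critical
branch-vpn,Network Ops,DH,2048,high
"""


def classify(algorithm, key_bits):
    """Return the finding for one asset; key_bits is None when unrecorded."""
    name = algorithm.strip().upper()
    if name in ASYMMETRIC:
        return "replace-with-pqc"  # key length does not help against a CRQC
    if name in SYMMETRIC and key_bits is not None:
        return "ok" if key_bits >= MIN_SYMMETRIC_BITS else "increase-key-size"
    return "manual-review"  # unknown algorithm or missing key length


def triage(csv_text):
    """Return assets needing action, most critical data first."""
    flagged = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        bits = int(rec["key_bits"]) if rec["key_bits"].strip().isdigit() else None
        rec["finding"] = classify(rec["algorithm"], bits)
        if rec["finding"] != "ok":
            flagged.append(rec)
    # Unlisted data classes sort first so they are not silently deprioritised.
    flagged.sort(key=lambda r: (CRITICALITY.get(r["data_class"].strip().lower(), -1),
                                FINDING_RANK[r["finding"]]))
    return flagged


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f'{r["data_class"]:<9}{r["system"]:<17}{r["algorithm"]:<14}'
              f'{r["finding"]:<18}{r["owner"]}')
```

Entries with an unrecognised algorithm or a missing key length are surfaced for manual review rather than dropped, since gaps in the inventory are themselves a finding.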
Developing Strategies and Building Capabilities for Quantum Security
Financial institutions should develop strategies and build capabilities to address cybersecurity risks associated with quantum computing. This includes uplifting the technical competencies of relevant staff to equip them with the requisite skillsets for supporting the transition to quantum security solutions.
The institution’s internal policies, standards, and procedures should be reviewed to ensure that they remain relevant as the institution transitions to quantum security solutions. Risk mitigation strategies for assets which cannot be migrated to PQC should be developed, and plans should be made for contingency scenarios where cybersecurity risks associated with quantum computing materialize substantially ahead of the predicted timeline.
Where resources permit, financial institutions should consider proof-of-concept trials with quantum security solutions to sensitize the institution to their potential impact on operations and to implementation challenges. Early experimentation would help the institution to make informed decisions on solutions that become commercially available as the nascent market matures.
