The Monetary Authority of Singapore has issued an advisory to financial institutions about the cybersecurity risks associated with quantum computing. Quantum computers, which operate on the principles of quantum mechanics, have the potential to solve complex mathematical problems faster than traditional computers. However, they also pose a threat to encryption and digital signature algorithms, potentially compromising the security of financial transactions. Experts predict these risks will materialize in the next decade. The advisory recommends financial institutions prepare for these risks by adopting quantum-resistant cryptographic algorithms and other quantum security solutions.
Quantum Computing and Cybersecurity Risks
Quantum computers, which utilize the principles of quantum mechanics, have the potential to solve complex mathematical problems at a speed exponentially faster than traditional computers. This capability could bring significant transformations across various industries. However, the potential of these computers to break commonly used encryption and digital signature algorithms presents a significant cybersecurity concern. The security of financial transactions and sensitive data processed by financial institutions could be at risk with the advent of cryptographically relevant quantum computers (CRQCs).
Experts predict that cybersecurity risks associated with quantum computing will become a reality in the coming decade. CRQCs could break commonly-used asymmetric cryptography, while symmetric cryptography might require larger key sizes to remain secure. In response, the National Institute of Standards and Technology (NIST) has initiated a global standardization process for post-quantum cryptography (PQC). This process involves shortlisting quantum-resistant public-key cryptographic algorithms that can operate with existing networking and communication protocols and protect sensitive information against CRQCs.
Quantum Key Distribution and Quantum Security Solutions
Research initiatives involving Quantum Key Distribution (QKD) technology are underway to establish secure communication channels for distributing encryption keys. To address the cybersecurity risks associated with quantum computing, financial institutions need to achieve crypto-agility. This means they must be able to efficiently transition from vulnerable cryptographic algorithms to PQC without significantly impacting their information technology (IT) systems and infrastructure.
Financial institutions could also implement other quantum security solutions, such as QKD, as part of their risk mitigation strategies. This advisory highlights some measures that financial institutions should consider as part of their quantum transition efforts, including keeping abreast of the latest developments in quantum computing and raising awareness of the associated cybersecurity risks.
Quantum Transition Efforts and Risk Mitigation
Financial institutions should monitor ongoing quantum computing developments for cybersecurity threats and risks that may impact financial services. They should also consider possible mitigation strategies using quantum security solutions such as PQC and QKD. It is crucial for senior management and relevant third-party vendors to understand the potential threats of quantum technology and the importance of supporting efforts on transitioning to quantum security solutions.
Financial institutions should work closely with third-party IT vendors to assess the institution’s IT supply chain risks arising from quantum threats. They should request that vendors provide quantum-resistant solutions when they become commercially available. Connecting with relevant industry groups, research bodies, or Information Sharing and Analysis Centres (ISACs) can also help to exchange information and collectively mitigate systemic quantum risks.
Inventory of Cryptographic Assets and Quantum-Resistant Encryption
Maintaining an inventory of cryptographic assets and identifying critical assets to be prioritized for migration to quantum-resistant encryption and key distribution is another important step. Financial institutions should identify and maintain an inventory of cryptographic solutions used in the institution, and determine those which are potentially vulnerable and need to be replaced with quantum-resistant alternatives when the solutions become commercially available.
The classification of IT and data assets that are dependent on potentially vulnerable cryptographic solutions should be based on the sensitivity, criticality, and risk exposure of the IT and data assets, and the period for which they are deemed sensitive. Financial institutions should assess whether existing system infrastructures can support crypto-agility, and consider upgrading them over time if there are limitations that may hinder the transition to quantum security solutions.
Developing Strategies and Building Capabilities for Quantum Security
Financial institutions should uplift the technical competencies of relevant staff to equip them with the requisite skillsets for supporting the transition to quantum security solutions. They should review the institution’s internal policies, standards, and procedures, to ensure that they remain relevant as the institution transitions to quantum security solutions.
Developing risk mitigation strategies for assets which cannot be migrated to PQC, and planning for contingency scenarios where cybersecurity risks associated with quantum materialize substantially ahead of the predicted timeline is also crucial. Where resources permit, financial institutions should consider proof-of-concept trials with quantum security solutions to sensitize the institution on their potential impact to operations and implementation challenges. Early experimentation would help the institution to make informed decisions on solutions that become commercially available as the nascent market matures.