Why the Financial Sector Is Embracing a Dual Quantum-Safe Strategy
December 12, 2024 -- With national security authorities and experts underlining the immediate risk from “Harvest Now, Decrypt later” (HNDL) attacks, the financial sector must begin mitigating the associated security risks to financial assets. Major institutions like JPMorgan Chase are already leading the way with a dual quantum-safe strategy that combines post-quantum cryptography (PQC) and quantum key distribution (QKD).
The urgency of Quantum-Safe migration
The urgency of moving towards quantum-safe infrastructures stems from the advent of quantum computing which, once cryptographically relevant in a not so distant future, renders our current public-key cryptography obsolete. On top of that, experts warn that the combination of Machine Learning and Quantum Computing could pose unforeseen new threats to the freshly released PQC standards. Unsurprisingly, NIST has already called the PQC migration a “dynamic” ordeal, while announcing that more PQC standards are on the way. With past “mini” migrations of deprecated standards such as SHA-1 already proving to be lengthy and hard to manage, IT decision makers are not looking forward to the uncertainty, complexity, and spiraling costs of lengthy and disruptive overhauls.
Governments and regulatory bodies are also becoming aware of the scale of the Quantum threat, especially as it affects the security of the financial ecosystem. A U.S. Department of the Treasury’s G7 Cyber Expert Group report, for example, has emphasized the importance of preparing financial institutions for the challenges and opportunities of quantum computing. The report underscores the need for immediate action to ensure continued trust in the global financial system, a sentiment echoed by QED-C’s 2024 report on Quantum Safe in Finance.
However, the path to quantum safe infrastructure is not as simple as an automated software patch. It requires a complex and phased migration of various components, systems, applications, and layers of infrastructure.
The dual strategy: PQC and QKD
JPMorgan Chase, a pioneer in quantum research in the financial space, has adopted a dual strategy, combining PQC with QKD. This approach – which is also promoted by the Monetary Authority of Singapore (MAS) in its Quantum Technology Advisory – is a pragmatic way to achieve both the defense-in-depth and cryptographic agility required for the coming decades of digital transformation.
Post-quantum cryptography (PQC) is a set of encryption algorithms resistant to quantum computing attacks. NIST has been instrumental in the development of PQC standards that could replace our existing cryptography without lowering the security bar. Moody’s recently noted that the shift towards PQC is essential for maintaining the trust and security that underpin the global financial system, while underlining that “ideally the standards of the future will be based in QKD methods”.
Although PQC is supposed to offer a robust defense against future quantum attacks, it still operates within the classical computational framework and relies on the assumption that new cryptographic vulnerabilities will not be discovered in the future. In contrast, Quantum Key Distribution (QKD) is a quantum-native, physics-based, technology that leverages quantum mechanics for key exchange between distant endpoints. QKD provides for provable long-term security of key exchange, as it ensures that any attempt to intercept or tamper with the key will be immediately detected. In the eyes of the experts, QKD is a complementary solution to PQC, providing for a greater level of security on critical parts of the network as well as for a more agile strategy in PQC migration.
JPMorgan Chase has been proactive in researching the benefits of combining QKD in lower layers of the network stack, and PQC for the application layer in their strategy. In a recent trial, they successfully demonstrated a high-speed quantum-safe and crypto-agile network in Singapore. Their forward-thinking investment is already setting the path for the sector and other financial institutions are jumping on board with a multi-layered defense strategy.
The need for unified action
The financial sector is not moving uniformly towards quantum-safe solutions. While major players like JPMorgan Chase and Wells Fargo have made significant strides towards quantum-secure strategies, other institutions could be lagging. This discrepancy poses a systemic risk to regional and global financial ecosystem. Without coordinated action, the sector risks fragmentation and exposure to related cyber risks.
Importantly, working towards quantum-safe security is not about the future – it’s about protecting today’s data. There is a broad consensus that bad actors can tap or harvest data now with relative ease, store it and decrypt later once they gain access to a cryptographically relevant quantum computer. If financial institutions do not begin their quantum-safe migration today, they may be inadvertently exposing their customers’ sensitive data to future breaches.
How to get started
Cryptographic migration is not an option – it is a necessity that will become pricier and more stressful the more we wait. Most organizations will benefit from combining PQC and QKD technologies on their path to quantum safety. Global financials – who are well-known for being at the forefront of innovation – provide a model both for the entire sector and for other industries. Yet, widespread collaboration and a top-down drive for swift action are essential.