August 31, 2023 | The Messenger

Quantum Supremacy’s Cyber Challenge: Are You Up for It?

The Bank for International Settlements (BIS) is sounding an alarm, echoing through the corridors of global finance, on the imminent perils that quantum computing poses to the security of our most sensitive financial data. This wake-up call is not one to be taken lightly, for it unveils a chilling revelation: The encryption methods built over decades to protect the bedrock of our financial systems are on the verge of crumbling under the power of quantum computing’s decryption capabilities.

As an international financial institution owned by 63 central banks, the BIS calls on the financial industry to invest in and deploy technologies safe from quantum decryption methods before critical global financial data is made vulnerable.

In a report published by the BIS, author Raphael Auer lays out how quantum computers could undermine digital signatures that are used to verify access and data integrity in the financial sector and to ensure that sources or recipients of data are who they say they are. Hackers are dangerously close to breaking the encryption used in these signatures, as mathematical formulas are beginning to leverage quantum properties even before the scientific community achieves quantum computing at scale.

Once the world reaches that threshold, hackers may gain the ability to manipulate the core of global economic systems: communications between financial centers as well as financial data in transit. By cracking and imitating digital signatures, hackers could create chaos within the financial system, making seemingly authentic fund requests between banks and disrupting global money supplies. Even a smaller, isolated attack could undermine the integrity of the interlinked structure of the entire financial industry. 

According to a report by the Global Risk Institute, among 40 experts surveyed, nine of them expressed a belief that there is a 50% probability or higher of witnessing a quantum computer capable of challenging contemporary encryption techniques within a span of 10 years. Additionally, 23 out of the 40 experts foresee this possibility within 15 years, while a significant majority of 37 out of 40 anticipate such a development within a 20-year timeframe. Although pinpointing the exact emergence year of a decryption-capable quantum computer remains difficult, some of the experts surveyed are indicating the potential availability of this technology within the next five years.

Nation-state hackers have already begun taking steps in preparation for this technology by conducting “harvest now and decrypt later” attacks. This type of attack works by stealing information now and storing it with the expectation of decrypting it with quantum computers when they become available. After an attack like this has taken place, the stolen data is, for all intents and purposes, impossible to recover from the hacker, which means organizations have to wait and hope that any sensitive data is not cracked and distributed.

Furthermore, according to a Deloitte poll in late 2022, 284 of 566 surveyed cybersecurity professionals believe their organizations are at risk of these “harvest now and decrypt later” attacks. This reality — in tandem with another statistic that only 26.6% of all polled organizations have conducted a risk assessment for quantum computing technologies — demonstrates an identifiable danger that American organizations face from quantum threats. The failure of most polled organizations to conduct risk assessments means that their opportunity to make meaningful changes in time is dwindling.

The same Deloitte poll found that only 85 of the 411 cyber professionals believe that organizational change will come from within. Some of the most common reasons companies refuse to change likely stem from financial, technical, or regulatory barriers that delay decisive action. To quote Auer again, when preparing for quantum computing, central banks as well as other organizations “need to address this threat well in advance.”

In a May 2022 memorandum, the White House outlined several actions it plans to take to mitigate the risks of quantum computing to America’s security. One significant step highlighted is the release of guidance and standards for post-quantum cryptography, which is expected to be completed by the end of 2025. However, the commercial sector need not await the publication of NIST’s guidance before taking action.

Commercial industry has the opportunity to promptly initiate proactive measures, such as appointing a quantum expert well-versed in the subject, identifying all instances where cryptographic methods will require updates, identifying data classification requirements, formulating a roadmap for transitioning to post-quantum algorithms, factoring in equipment refresh rates in alignment with cryptographic updates, procuring crypto-agile equipment, educating and training the workforce on forthcoming changes, and exploring solutions that are information-theoretically secure. Information-theoretic security refers to a level of cryptographic security that ensures that encrypted data remains secure regardless of the computational power of an adversary. In short, organizations need to develop a quantum transition roadmap.

For a successful transition to post-quantum cryptography, it is crucial to foster collaboration between the government and the private sector. The U.S. government should actively promote partnerships, facilitate the sharing of information, and drive research initiatives that engage academia, industry, and independent experts. One effective approach could involve organizing conferences in which private partners educate Chief Information Security Officers (CISOs) about the intricacies of quantum computing, its associated risks, and strategies to effectively counter potential threats. These proactive measures are essential for addressing the diverse array of challenges posed by quantum computers to our most sensitive data.

Jordan Bass, an intern at the Foundation for Defense of Democracies, contributed to this op-ed. Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.