
The time when banks and other financial service providers could view the threat of quantum computing as a future scenario is over. Although there are currently no quantum computers that can break classical encryption in real time, the risk of a criminal “harvest now, decrypt later” strategy is growing.
Attackers collect already encrypted financial data to later decrypt it using more powerful machines. For an industry whose business model is based on trust and data security, this creates an immediate need to take action.
Most cryptographic methods currently in use – such as RSA and elliptic curves – are not secure against a sufficiently powerful quantum computer. But Europol emphasized that financial institutions must not wait to react until quantum attacks are possible in practice. The main concern is master data that can remain current for an entire generation and in several contexts at the same time.

The transition to post-quantum cryptography (PQC) is complex, primarily affects mid-range systems and requires long lead times. In addition, companies must ensure that their data remains protected retroactively. The threat situation is worsening because criminals, but also state actors, are already accessing encrypted data on a large scale: data whose cryptography is still secure today but which will be decrypted tomorrow or the day after.
The financial industry must therefore develop strategies at an early stage to ensure the integrity, confidentiality and availability of its systems in the long term.
Financial service providers can take steps now to be prepared against future quantum attacks. This initially includes a comprehensive inventory of all cryptographic processes in the company.
Only those who know which algorithms are used where can realistically assess future risks. Institutions should test hybrid encryption models that combine classical and post-quantum methods. Such interim solutions allow the systems to be gradually modernized without endangering operational stability. Equally important is the introduction of a “crypto-agility” approach.
This means that security architectures must be designed in such a way that algorithms can be flexibly replaced as soon as new standards are established. In addition, close cooperation with regulatory authorities, technology providers and industry initiatives is recommended in order to benefit from best practices and certification processes at an early stage.
And finally, companies should start training their staff immediately, because the transition to the post-quantum era must begin now, and it is not only a technical but also an organizational change that must take place simultaneously and while operations continue.
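As an added illustration (not part of the original article), the Python sketch below shows how a hybrid model and crypto-agility fit together: one session key is derived from both a classical and a post-quantum shared secret, so it stays unpredictable as long as either input remains secret, and the algorithm suite is looked up by ID so it can be replaced later. The suite IDs and names, the `hybrid-kdf-v1` label and the sample secrets are assumptions constructed for the example; a real deployment would take the two secrets from an actual key exchange and KEM implementation.

```python
import hashlib
import hmac

# Hypothetical suite registry. Crypto-agility: adopting a new standard means
# adding an entry here, not rewriting every caller.
SUITES = {
    1: ("ECDH-P256+ML-KEM-768", hashlib.sha256),
    2: ("ECDH-P384+ML-KEM-1024", hashlib.sha384),
}

def hkdf(hash_fn, salt, ikm, info, length):
    """HKDF as specified in RFC 5869: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * hash_fn().digest_size, ikm, hash_fn).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(value):
    """Length-prefix a field so concatenated fields cannot be confused."""
    return len(value).to_bytes(2, "big") + value

def hybrid_key(suite_id, classical_ss, pq_ss, context, length=32):
    """Derive one session key from a classical and a post-quantum shared secret."""
    if suite_id not in SUITES:
        raise ValueError(f"unknown suite id {suite_id}")
    if not classical_ss or not pq_ss:
        raise ValueError("both shared secrets are required")
    label, hash_fn = SUITES[suite_id]
    ikm = _lp(classical_ss) + _lp(pq_ss)
    # Binding the suite and context into the KDF input keeps a key derived
    # under one suite or session from being accepted under another.
    info = (b"hybrid-kdf-v1" + suite_id.to_bytes(2, "big")
            + _lp(label.encode()) + _lp(context))
    return hkdf(hash_fn, None, ikm, info, length)

if __name__ == "__main__":
    # Constructed sample values standing in for real key-exchange outputs.
    ecdh_secret = bytes.fromhex("11" * 32)
    kem_secret = bytes.fromhex("22" * 32)
    key = hybrid_key(1, ecdh_secret, kem_secret, b"payments-session-0001")
    print(SUITES[1][0], key.hex())
```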