Your Encrypted Data is Already Being Stolen: The Alarming Reality of Cybersecurity Threats
Financial Institutions Face Imminent Quantum Threats to Encrypted Data
The notion that quantum computing poses a distant threat to financial institutions is a misconception, according to Ronit Ghose, Global Head of the Future of Finance at Citi Institute.
The “Harvest-Now, Decrypt-Later” Activity
Ghose argues that adversaries can record encrypted traffic and stored ciphertext today and decrypt it once a sufficiently capable quantum computer exists, creating long-term exposure for banks handling sensitive identity and transaction data.
This "harvest-now, decrypt-later" activity means the exposure begins the moment the data is captured, not on a future "Q-day" when quantum machines can break today's public-key cryptography: any record whose confidentiality must outlast that day is already at risk, despite the common assumption that quantum threats only materialize later.
The Misconception About Quantum Risk
The misconception about quantum risk persists for several reasons:
- The concept of Q-day oversimplifies the continuous nature of the risk and the complexity of migration programs.
- Cybersecurity teams are accustomed to responding to immediate, observable threats, whereas quantum risk requires institutions to act on probability distributions and systemic consequences.
- Organizations often conflate the existence of standards (such as the NIST post-quantum standards finalized in 2024) with the ease of implementation, when in reality deploying post-quantum cryptography at scale is a significant challenge.
Quantum Risk as a Near-Term Cyber Risk and Balance Sheet Risk
Ghose views quantum risk as both a near-term cyber risk and a strategic “balance sheet risk” that firms are failing to quantify properly.
Consequences of Quantum Risk
The first place where quantum breaks the financial system is likely to be high-value payment settlement and the trust fabric surrounding it, with potential downstream effects propagating quickly across markets and the real economy.
However, the initial breach may not be dramatic; instead, it may manifest as compromised authenticity, such as forged digital signatures, impersonated privileged identities, or software updates that appear legitimate.
Mitigating Quantum Risk
To mitigate this risk, institutions must prioritize identity, public key infrastructure (PKI), and signature integrity as foundational elements, while also addressing payment infrastructure and external-facing secure communications.
CISOs and boards should plan around two clocks at once: the threat clock, which Ghose frames as the probability that public-key encryption is broken at scale by 2034, and the program clock for migration, which requires multi-year change cycles and therefore has to start well before the threat materializes.
A Phased Migration Approach
The most realistic path forward is a phased migration using hybrid approaches, anchored by crypto-agility as an architectural goal.
This involves:
- identifying where public-key cryptography is used across the estate;
- prioritizing critical systems and long-lived data;
- enabling crypto-agility and hybrid approaches;
- migrating via a phased plan; and
- sustaining continuous key management and rotation.
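The first two steps of that plan, inventory and prioritization, are where the "harvest-now, decrypt-later" exposure becomes measurable. The following example, added here and not code from the article or from Citi, triages a cryptographic inventory with Mosca's inequality: a system is already exposed when the years its data must stay protected (X) plus the years needed to migrate it (Y) exceed the years until a cryptographically relevant quantum computer (Z). The 2034 horizon comes from the article; the asset records, their shelf-life and migration estimates, and the classification labels are constructed assumptions for illustration.

```python
"""Cryptographic inventory triage using Mosca's inequality (X + Y > Z).

Added example, not the article's or Citi's tooling. Asset records are
constructed; a real inventory would come from certificate/key scans, TLS
observatories, or code scanning.
"""
from dataclasses import dataclass

# Assumption: the article's horizon for widespread breaking of public-key
# cryptography. Adjust as estimates change.
CRQC_YEAR = 2034

# Families whose security rests on factoring / discrete log: broken by Shor.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "X25519", "Ed25519", "DH", "DSA"}
# Post-quantum (NIST FIPS 203/204/205) and symmetric families, where Grover
# only halves effective strength and 256-bit keys remain adequate.
SAFE_FAMILIES = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES", "HMAC"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str          # e.g. "RSA-2048", "ML-KEM-768", "AES-256"
    use: str                # "key_exchange" | "signature" | "symmetric"
    shelf_life_years: float  # X: how long the data or trust must hold
    migration_years: float   # Y: estimated time to migrate this system
    harvestable: bool        # ciphertext observable by outsiders (HNDL exposure)


def family(algorithm: str) -> str:
    """Map 'RSA-2048' -> 'RSA', 'ML-KEM-768' -> 'ML-KEM', 'AES-256' -> 'AES'."""
    parts = algorithm.split("-")
    return "-".join(parts[:2]) if parts[0] in ("ML", "SLH") else parts[0]


def mosca_margin(asset: Asset, now_year: int) -> float:
    """Z - (X + Y). Negative means protection is needed past the CRQC horizon."""
    z = CRQC_YEAR - now_year
    return z - (asset.shelf_life_years + asset.migration_years)


def classify(asset: Asset, now_year: int) -> str:
    """Bucket an asset by how urgently it needs migration."""
    fam = family(asset.algorithm)
    if fam in SAFE_FAMILIES:
        return "ok"
    if fam not in QUANTUM_VULNERABLE:
        return "unknown"  # unrecognized algorithm: manual review, never a silent pass
    if mosca_margin(asset, now_year) >= 0:
        return "in-margin"
    # Key exchange whose ciphertext can be recorded: confidentiality is lost
    # retroactively (harvest-now, decrypt-later), so the exposure is today.
    if asset.use == "key_exchange" and asset.harvestable:
        return "exposed-now"
    # Signatures and non-harvestable exchanges: forgery only becomes possible
    # after Q-day, but long-lived trust anchors must be replaced before it.
    return "migrate-before-qday"


def prioritize(assets, now_year: int):
    """Order assets by urgency bucket, then by how negative the margin is."""
    rank = {"exposed-now": 0, "migrate-before-qday": 1, "unknown": 2,
            "in-margin": 3, "ok": 4}
    return sorted(assets, key=lambda a: (rank[classify(a, now_year)],
                                         mosca_margin(a, now_year)))


# Constructed sample inventory (names and numbers are illustrative only).
SAMPLE_INVENTORY = [
    Asset("payment gateway TLS", "X25519", "key_exchange", 10, 3, True),
    Asset("internal root CA", "RSA-4096", "signature", 15, 4, False),
    Asset("nightly batch link", "ECDH-P256", "key_exchange", 1, 2, False),
    Asset("archive at rest", "AES-256", "symmetric", 20, 1, False),
    Asset("HSM firmware signing", "ECDSA-P256", "signature", 10, 5, False),
    Asset("pilot PQ gateway", "ML-KEM-768", "key_exchange", 10, 2, True),
]


def report(assets, now_year: int):
    """Human-readable triage lines, most urgent first."""
    return [f"{classify(a, now_year):<20} margin={mosca_margin(a, now_year):+5.1f}y  "
            f"{a.name} ({a.algorithm})" for a in prioritize(assets, now_year)]


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY, 2025):
        print(line)
```

With `now_year=2025` the gateway's X25519 exchange lands in `exposed-now` even though nothing is "broken" yet: ten years of confidentiality plus three years of migration overrun the nine years to the horizon, so traffic recorded today is inside the attacker's window. The root CA and firmware-signing keys rank next, which matches the article's point that the first failures are likely to be forged signatures and impersonated trust, not decrypted traffic.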
Conclusion
Ultimately, financial institutions must recognize that quantum risk is not a future problem, but a present reality that demands immediate attention and action.
