The G7 Cyber Expert Group (CEG) released a public statement Sept. 25 highlighting the potential cybersecurity risks to the financial sector from the expected advancements in quantum computing.
Chaired by the U.S. Treasury Department and the Bank of England, the G7 CEG warned that cyber threat actors could use quantum computers to break existing cryptographic methods that secure communications and IT systems today, potentially exposing financial data and customer information.
G7 CEG's membership includes representatives of financial authorities across all G7 countries, as well as the European Union. The group was founded in 2015 to serve as a multi-year working group that coordinates cybersecurity policy and strategy across the member jurisdictions.
“The G7 CEG believes that planning for the quantum transition is important to economic security and prosperity, and strongly encourages financial institutions to provide funding and other resources needed to support it,” said Todd Conklin, deputy assistant secretary for cybersecurity and critical infrastructure, U.S. Treasury, and co-chair of the G7 CEG.
Quantum computers promise to process data exponentially faster, which will let automated systems react more quickly to new data or changes to data. Potential benefits include the ability to simulate matter, analyze compounds to make new drugs, optimize supply chains, and identify fraud and risk patterns in financial transactions.
While the exact timeline for quantum computers to enter the marketplace remains uncertain, there’s a real possibility that such capabilities could emerge within a decade. However, the G7 CEG said quantum computers would not just put future data at risk, but would also put at risk any previously transmitted data that cyber adversaries have intercepted and stored with the intent of decrypting it later with quantum computers.
That’s why security experts say teams should start planning now.
Harvest now, decrypt later
“This is not a future problem, but an immediate problem,” said Jason Soroko, senior fellow at Sectigo. “Malicious actors may already be employing ‘harvest now, decrypt later’ strategies, intercepting and storing encrypted data to decrypt once quantum computing becomes viable. This puts even currently secured data at future risk, compromising customer information and organizational integrity. Secrets that are encrypted in-transit today with at-risk cryptographic algorithms need to be evaluated. Every organization needs to determine which secrets are most at risk if they were decrypted by 2030.”
An initial set of quantum-resilient encryption standards was released by the National Institute of Standards and Technology (NIST) in August, and additional standards from NIST and other standard-setting bodies are expected in the future. To help organizations better prepare for the post-quantum encryption world, the G7 CEG offered the following advice:
- Develop a better understanding of the issue, the risks involved, and strategies for mitigating those risks.
- Assess quantum computing risks in their areas of responsibility.
- Develop a plan for mitigating quantum computing risks.
The challenges for IT and security teams are significant, from ensuring compatibility with existing systems to managing the transition of cryptographic keys, explained Adam Everspaugh, cryptography expert at Keeper Security. However, we cannot overstate the urgency of this shift.
“The potential for quantum computers to break widely used encryption algorithms like RSA and elliptic curve cryptography is a very real threat that could compromise the security of sensitive data worldwide,” said Everspaugh. “As quantum computing advances, the risk of current encryption methods being compromised grows. By understanding and planning for adoption now, practitioners can help their organizations stay ahead of emerging threats, ensuring that sensitive data remains secure.”
Jon France, chief information security officer at ISC2, added that the recommendations from the G7 CEG are a sound starting point: understand where cryptography is deployed, classify whether it’s quantum-vulnerable, plan for a change, and then execute that change.
“Crypto agility – the ability to change suites/algorithms – is useful, but not always possible in short timeframes,” said France. “Fortunately we have time until a commercial quantum-relevant computer becomes available, but we must start planning for the change now.”