BankThink

Quantum computing poses an existential threat to banks' security

Quantum computing is rapidly moving from sci-fi tech to the real world, and regulators and financial institutions must both have a plan in place to address soon-to-be-obsolete cybersecurity. Left unchecked, the risk is beyond systemic. For some institutions, it is existential.

For the uninitiated, quantum computers are an emerging technology that applies quantum mechanics to computation. For certain classes of problems the result is a speedup so large that tasks that would take classical computers hundreds if not thousands of years can be finished quickly. That could enable game-changing applications like the rapid analysis and simulation of potential drugs.


The cost is cryptography. The public-key cryptography that protects data in transit and authenticates the parties to a transaction fundamentally depends on hiding data behind math that takes lifetimes to unravel, such as factoring large numbers or computing discrete logarithms, rendering attempts to breach security unreasonably time intensive. A sufficiently large quantum computer running Shor's algorithm solves those problems efficiently. Symmetric encryption such as AES is only weakened, with Grover's algorithm roughly halving its effective key length, so the acute problem is the key exchanges, digital signatures and certificates that public-key systems provide. As quantum computer processing accelerates, however, so too grows the specter of a cybersecurity meltdown.

In finance, all client data, balance sheets, asset purchases and money transfers could be left defenseless. Averaging expert predictions puts the arrival of a cryptographically relevant quantum computer at perhaps 2033, though the threat could take longer than that to materialize. In one respect it arrives earlier: encrypted traffic recorded today can be stored and decrypted once the capability exists, so long-lived secrets are already at risk. Either way, that's not a lot of time for a huge undertaking.

Thankfully, some initial steps are being taken. In May, the Biden administration issued an action-oriented national security memorandum directing several agencies to begin the ambitious process of transitioning the economy to quantum-secure cryptography by 2035. In July, the National Institute of Standards and Technology provided the needed tools, selecting four quantum-secure algorithms (CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium, Falcon and SPHINCS+ for digital signatures) that will form the basis of future standards.

For the financial sector, however, the clock is running out. Even with NIST's tools, securing the financial system from quantum computers will require heavy lifting. Every key exchange, digital signature and certificate that rests on RSA or elliptic-curve cryptography must be replaced. Databases whose encryption keys those systems protect, re-keyed. Routers, replaced. Apps, recoded. Websites, edited. Standards, rewritten. Networks, fortified.

Having led security-critical hospital IT software transitions, I can attest that quantum security cannot be activated with the press of a button. Specialists will need to discover and map physical devices, often on foot, and record which algorithms, key sizes and certificates each one uses, to ensure all are secured. Then, firms must consult with numerous vendors to ensure the coding, testing and updating of these systems. Finally, they must verify that all other institutions they interface with have done the same. In sum, this process will take time and money.
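The "discover and map" step yields a list of what each system actually negotiates; the next question is which entries are urgent. The triage script below is an added example written for this column, not code from the article or from any regulator or vendor. It parses constructed inventory records (the hostnames, cipher-suite assignments and the kex=/sig= annotations are all made up) and applies the distinction between public-key schemes that Shor's algorithm breaks outright and symmetric ciphers that Grover's algorithm only weakens, ranking a broken key exchange above a broken signature because recorded traffic can be decrypted retroactively while signatures cannot be forged retroactively.

```python
"""Quantum-exposure triage of a cryptographic inventory.

Added example for this column, not code from the original article.
Given inventory records naming the TLS cipher suite each service
negotiates, sort every record by what a cryptographically relevant
quantum computer would do to it:

  * RSA, (EC)DH(E) and ECDSA rest on factoring or discrete logarithms,
    which Shor's algorithm solves efficiently: they must be replaced.
    A broken key exchange is the urgent case, because sessions recorded
    today can be decrypted once the machine exists; a broken signature
    only matters from the day the machine exists.
  * AES and other symmetric ciphers are only weakened: Grover's
    algorithm roughly halves the effective key length, so AES-128 keeps
    about 64 bits of margin and AES-256 about 128.
  * ML-KEM / ML-DSA (the NIST selections) and hybrids that include one
    are treated as quantum-secure.

Hostnames, suite assignments and the kex=/sig= annotations below are
constructed for the example; they describe no real system.
"""
from dataclasses import dataclass

INVENTORY = """\
core-ledger.internal   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
wire-gateway.internal  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
atm-router-07.branch   TLS_RSA_WITH_AES_128_CBC_SHA
legacy-batch.internal  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
mobile-api.internal    TLS_AES_256_GCM_SHA384 kex=X25519MLKEM768 sig=ECDSA
intranet.internal      TLS_AES_128_GCM_SHA256 kex=X25519MLKEM768 sig=MLDSA44
statements.internal    TLS_AES_256_GCM_SHA384 kex=X25519MLKEM768 sig=MLDSA65
"""

# Classical key length (bits) of the symmetric ciphers that appear in suite names.
SYMMETRIC_BITS = {"AES_128": 128, "AES_256": 256, "3DES_EDE": 112, "CHACHA20": 256}


@dataclass
class Finding:
    host: str
    kex: str
    sig: str
    cipher: str
    quantum_bits: int   # post-Grover margin of the symmetric cipher; 0 if the key exchange is broken
    verdict: str        # REPLACE_URGENT | REPLACE | WEAKENED | OK


def pq_safe(name: str) -> bool:
    """True for the NIST lattice selections and for hybrids that include one.
    Anything else (RSA, ECDHE, ECDSA, X25519 alone, UNKNOWN) is treated as Shor-broken."""
    upper = name.upper()
    return "MLKEM" in upper or "KYBER" in upper or upper.startswith(("MLDSA", "SLHDSA", "FALCON"))


def parse_record(line: str):
    """Split 'host SUITE [kex=..] [sig=..]' into host, key exchange, signature, symmetric cipher."""
    fields = line.split()
    host, suite = fields[0], fields[1]
    extras = dict(f.split("=", 1) for f in fields[2:])
    body = suite[4:] if suite.startswith("TLS_") else suite
    if "_WITH_" in body:                        # TLS 1.2 style: kex and auth are in the name
        kexauth, rest = body.split("_WITH_", 1)
        parts = kexauth.split("_")
        kex, sig = parts[0], parts[-1]          # TLS_RSA_WITH_...: RSA is both kex and auth
    else:                                       # TLS 1.3 style: kex/sig negotiated separately
        rest = body
        kex, sig = extras.get("kex", "UNKNOWN"), extras.get("sig", "UNKNOWN")
    cipher = next((c for c in SYMMETRIC_BITS if rest.startswith(c)), "UNKNOWN")
    return host, kex, sig, cipher


def triage(line: str) -> Finding:
    host, kex, sig, cipher = parse_record(line)
    sym_bits = SYMMETRIC_BITS.get(cipher, 0) // 2   # Grover: roughly half the classical key length
    if not pq_safe(kex):
        verdict, margin = "REPLACE_URGENT", 0       # recorded sessions become decryptable later
    elif not pq_safe(sig):
        verdict, margin = "REPLACE", sym_bits       # forgeable once a QC exists, not retroactively
    elif sym_bits < 128:
        verdict, margin = "WEAKENED", sym_bits      # e.g. AES-128: ~64-bit margin; budget for AES-256
    else:
        verdict, margin = "OK", sym_bits
    return Finding(host, kex, sig, cipher, margin, verdict)


def triage_inventory(text: str = INVENTORY) -> list:
    return [triage(line) for line in text.splitlines() if line.strip()]


def verdict_counts(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    findings = triage_inventory()
    for f in findings:
        print(f"{f.verdict:15} {f.host:24} kex={f.kex} sig={f.sig} {f.cipher} margin={f.quantum_bits}b")
    print(verdict_counts(findings))
```

Note the mobile-api record: a hybrid X25519MLKEM768 key exchange already protects confidentiality against a future quantum computer, yet the ECDSA certificate still lands it in REPLACE, because authentication has to migrate too before the machine exists. The script is deliberately strict about anything it does not recognise (UNKNOWN is treated as broken), which is the right default for an inventory that will be incomplete on the first pass.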

In the United States, there are around 4,000 banks and thousands more nonbanking financial institutions. Large institutions have the bandwidth to finance, prepare and act. Some may have already begun. I worry about the rest. The George Baileys of the world likely haven't even heard of quantum computers. It is unreasonable to expect small businesses to follow and plan for exotic computing developments, and they don't necessarily have the funds for a sudden IT overhaul. Further, it's unlikely that the QC-transition industry will suddenly ramp up capacity enough to service every business by 2033. Many financial institutions are going to be left behind.

Sadly, no one is rushing to their aid. From financial regulators, it's radio silence. The Cybersecurity and Infrastructure Security Agency — tasked by Biden to solve the quantum problem — delegated authority over the financial sector response to the Treasury Department. Treasury's 2023 budget contains no explicit mention of quantum computing nor appropriations to plan, prepare and respond. An analysis of posted Federal Deposit Insurance Corp., Federal Reserve, Office of the Comptroller of the Currency and Financial Stability Oversight Council reports finds similar results.

Regulators seem to understand this threat on some level, but precious few treat it with appropriate urgency and gravity. One is former FDIC innovation chief Sultan Meghji, who noted serious concerns during an official meeting. Mr. Meghji has since resigned, citing "technophobia" and people in leadership who "don't know — and worse, don't want to know" about quantum computing.

Given this regulatory vacuum, how do we proceed?

While we should assume the worst case, our runway may be somewhat longer than 2033. With whatever time we have, it's incumbent on financial institutions to quickly educate themselves, begin preparations and make use of NIST's defensive tools. Financial institutions must also push for change. The Financial Industry Regulatory Authority and other self-regulatory bodies should lobby agencies and begin messaging.

Most important, the federal government must fully play its role. Regulators should begin immediate and active collaboration and build on their already successful efforts to harmonize cybersecurity requirements through joint alerts and rules. That said, these things carry significant overhead, and building momentum and consensus takes time.

Regulators' most important and easiest task is messaging. They can raise the alarm while counseling constituents on the financial and logistical resources needed to respond. While rules take time, simple messaging can go a long way.

The timeline is increasingly tight, but not all is lost. In 2000, the financial industry remained stable in the face of the very real Y2K bug. Institutional rigor alongside regulatory messaging, reporting and inspections were so thorough that many now falsely believe the bug was a hoax. The quantum computing threat, while more serious and wider in scope, isn't substantially different in terms of required effort. If regulators can manage to adapt this road map and act decisively today, we'll stand a chance of turning a potential catastrophe into a Y2K-esque nonevent.
