Adrian Fern, CTO, Prizsm Technologies
Banks hold a huge amount of personal and business data, from account and transaction details to personal and corporate security details, settings, and data obtained from devices used to access banking services.
It should come as no surprise then that, according to Statista, the financial services sector is the second most-targeted industry for cyber attacks. The rise of AI in banking and the growth in real-time payments is only set to increase this vulnerability.
As a result, digital security has moved up the banking agenda over recent years but, while existing threats are well known, awareness of a much greater security threat is far lower.
That threat? The arrival of quantum computing.
What is quantum computing and how does it work?
Quantum computing has been heralded as ‘the next big thing’ for several decades. Unlike classical computing that processes data as ‘bits’ – represented as ones or zeros – in the quantum realm of subatomic particles, things behave very strangely and can exist in more than one state at a time. This means ‘qubits’ – which are processed by quantum computers – can be both zeros and ones simultaneously.
These ‘qubits’ can be arranged in superpositions and entanglements to explore different paths through calculations, with incorrect paths cancelling each other out and correct answers emerging when the ‘qubits’ are revealed to be ones or zeros. ‘Qubits’ can therefore be processed in ways that have no equivalent in conventional computing, enabling problems to be solved far more quickly than in ‘classical computing’, probably thousands of times faster.
So what does this mean for data processing and security?
With this dramatically increased data processing power comes opportunities – like quicker Big Data analysis – but also threats.
Current data encryption has evolved to meet the challenges of the classical computing age but the arrival of quantum computing will throw existing encryption and storage techniques out of the window. There is a very real threat that bad actors – harnessing the increased processing power of quantum computers – could access sensitive data in a matter of hours and decrypt it for a variety of purposes, leaving businesses and individuals exposed.
Since the 1990s, we’ve known that quantum computers will devour the complex mathematics underpinning encryption. While the development of quantum cryptography may provide new and unbreakable forms of data confidentiality, current security methods will likely be rendered useless long before these new forms of quantum-enabled cryptographic systems arrive.
With classical encryption, information is secured alongside everything needed to decode it. This is not a big problem as the maths of decryption is much more difficult than that of encryption, meaning classical computing would take an age to decipher it. Quantum computing handles problems in a much more multi-dimensional way, equalising what has – until recently – been an asymmetrical challenge.
So what can banks do to protect sensitive data?
Quantum computing is already operating in laboratories around the world. Its wider-scale arrival is likely to be similar to the ‘rapid’ rise of Large Language Models: We all knew that intelligent writing assistants were coming, but their ‘sudden’ appearance left many shocked by the disruptive potential they pose.
Data storage systems typically last around 10 years so the time for action is now and, while quantum encryption solutions are not yet available, quantum-resistant, site- and public-cloud-based systems are.
Tested right up to Ministry of Defence requirements, these systems disaggregate and distribute data at bit level to multiple end points, effectively creating a series of sparsely-populated data boxes. No single ‘box’ contains all the bits needed to decrypt the information so even a quantum computer, working at speed, could not decrypt or rewrite the original information with only part of the story to work from.
These systems also tackle the risk of disruption while migrating data storage architecture head on. Banks can set up new regimes in parallel with existing architecture. Once a new, multi-cloud environment is created, they can rebalance what data is held where across multiple providers, moving the most-sensitive data first or creating schedules for different classifications of data.
What is most striking is that not only is the risk diluted by spreading storage across multiple endpoints, but the more data is managed in this way, the more obfuscated it becomes and, therefore, the more secure it is.
What’s more, in the event of loss of functionality or data corruption, the algorithm (accessed only by key holders) can recalculate missing digits stored in the corrupted endpoint, restoring the original information to data owners quickly and efficiently.
It is a secure and resilient solution that not only reduces security risks but also simplifies the storage regime while ensuring data continuity.
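The bit-level dispersal and recovery described above, sketched as an added example; it is not Prizsm's or any vendor's algorithm. It assumes a keyed HMAC-SHA256 mapping of bits to boxes and a single XOR parity box, and every name and sample value in it is constructed.

```python
import hashlib
import hmac
# Illustrative scheme only (assumption): keyed bit placement plus one XOR parity box.
SAMPLE, KEY = b"ACCT 0000-CONSTRUCTED", b"constructed-demo-key"  # constructed values

def to_bits(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[j:j + 8])), 2) for j in range(0, len(bits), 8))

def box_order(key: bytes, n_bits: int, n_boxes: int) -> list[int]:
    """Keyed map of bit position -> box index (HMAC-SHA256 in counter mode)."""
    order, counter = [], 0
    while len(order) < n_bits:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        order.extend(b % n_boxes for b in block)  # unbiased when n_boxes divides 256
        counter += 1
    return order[:n_bits]

def disperse(data: bytes, key: bytes, n_boxes: int = 4):
    """Scatter bits over n_boxes sparse boxes and build one XOR parity box."""
    bits = to_bits(data)
    boxes = [[] for _ in range(n_boxes)]
    for bit, box in zip(bits, box_order(key, len(bits), n_boxes)):
        boxes[box].append(bit)
    parity = [0] * max(len(b) for b in boxes)
    for b in boxes:
        for i, bit in enumerate(b):
            parity[i] ^= bit
    return boxes, parity

def reassemble(boxes, parity, key: bytes, n_bits: int) -> bytes:
    """Rebuild the data; one box may be None (lost or corrupted endpoint)."""
    order = box_order(key, n_bits, len(boxes))
    missing = [i for i, b in enumerate(boxes) if b is None]
    if len(missing) > 1:
        raise ValueError("single parity box can only repair one lost endpoint")
    if missing:
        rebuilt = list(parity)
        for b in boxes:
            for i, bit in enumerate(b or []):
                rebuilt[i] ^= bit
        boxes = list(boxes)
        boxes[missing[0]] = rebuilt[:order.count(missing[0])]
    cursors, out = [0] * len(boxes), []
    for box in order:
        out.append(boxes[box][cursors[box]])
        cursors[box] += 1
    return from_bits(out)
```

In this sketch each box still exposes the bits it holds, and the parity box exposes their XOR; the ordering needed to put them back together is derived from the key. Designs that require a single share to reveal nothing about the data use secret sharing rather than plain striping.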
But what about Post Quantum Cryptography?
Some banks have invested in protection technology such as ‘Post Quantum Cryptography’ (PQC). This is fundamentally a more-sophisticated version of existing encryption techniques that aims to develop secure, cryptographic systems for both quantum and classical computers that can interoperate with existing communications protocols and networks.
The fundamental problem is that these systems are still based on public-key cryptographic algorithms.
We already know that quantum computers get better at solving problems as those problems become more complicated, so it is inevitable that these ‘new’ PQC algorithms will also be broken very quickly.
Conclusions
The arrival of the quantum computing age is an opportunity to get security right from the outset, not to simply hope that relying on updated versions of old approaches will suffice.
A new computing era provides a unique opportunity to reimagine data security ‘as it should have been designed’ in the first place; an opportunity to build inherently secure data storage processes into banking systems that can protect critical data both now and into our quantum future.
Banks store petabytes of data in the cloud; some generated today, some dating as far back as the 1960s. And while it is impossible to predict the full impact of quantum computing, what is clear is that it will be transformative.
Just last month, the G7 Cyber Expert Group (CEG) – chaired by the U.S. Department of the Treasury and the Bank of England – released a public statement highlighting the potential cybersecurity risks associated with developments in quantum computing and recommending steps for financial authorities and institutions to take to address those risks. An initial set of quantum-resilient encryption standards was also released by the National Institute of Standards and Technology, with further updates expected.
Incorporating proven quantum-resistant data storage systems into data storage networks – alongside existing or PQC systems initially if required – is the only logical approach that will protect banking data when the ‘light-switch moment’ happens. It is also important that banks maintain the agility required to incorporate new encryption standards in a timely manner as they become available.
Chinese researchers have already claimed to exploit the power of a D-Wave quantum computer to crack commonly used encryption algorithms, jeopardising the security of critical sectors; while Google’s Sycamore quantum computer has also demonstrated its ability to outperform the world’s most powerful supercomputers in specific computational tasks.
Like it or not, quantum computing is coming. Can your organisation risk being under-prepared?