The development of quantum computing may feel like a distant concern. However, experts are warning of the extreme danger posed to cybersecurity if action is not taken to address the quantum risks soon.
The issue is particularly pertinent in the financial sector, which holds sensitive banking details and processes many billions of transactions every year globally. In November 2023, UK Finance, the UK banking association, warned that quantum computing could unravel the security used to protect the country’s entire payment system.
The problem comes down to when ‘Q Day’ occurs – the moment when quantum computers are able to break existing cryptographic algorithms – meaning all data held online will be vulnerable. Q Day is predicted to occur in the next five to 10 years, but the timeline could be even sooner.
Efforts are taking place at government level, particularly in the US, to develop new quantum-resistant encryption standards that will ultimately enable organizations to prepare for Q Day.
As one of the sectors likely to be most targeted by quantum-enabled attacks, finance is at the forefront of implementing quantum-secure solutions today in anticipation of this future threat.
Infosecurity spoke to Philip Intallura, Global Head of Quantum Technologies at UK-headquartered bank HSBC, about this topic. Intallura shared initiatives the firm is taking internally and in collaboration with partners to future-proof banking customers’ information.
Infosecurity Magazine: How much of a cybersecurity concern is the development of quantum computing in the financial sector?
Philip Intallura: Quantum computing is an interesting field because on one hand it offers tremendous commercial opportunity, particularly for financial services. That’s because the problems that a quantum computer can solve are very well matched to approaches we use in banks and financial services, whether that’s machine learning optimization or financial simulation.
On the other hand, it brings a lot of risk when it comes to the potential to break public key cryptography (PKC). That is a serious concern for us because HSBC serves 41 million customers, and processes around 4.5 billion transactions a year.
This threat to cryptography is going to impact every industry. Given the criticality of services that financial organizations provide and the fact that financial services are always a target for cybercriminals, this sector does need to take the emerging threat of vulnerable computers very seriously.
This is one of the reasons we’ve started our quantum program and we’ve been running it for a couple of years now. It’s already looking at how these new technologies pose a threat and what we need to do to mitigate against these emerging threats.
IM: What is the difference between post-quantum cryptography and quantum communications?
PI: Post-quantum cryptography (PQC) and quantum communications are the two key approaches to protect against the potential threats of quantum computing to our current cryptographic standards.
PQC is maths-based. These are new mathematically based algorithms that will be resistant to quantum attacks and, notably, they do not rely on factoring, which is the key vulnerability in protocols like RSA [a public-key cryptosystem] when it comes to quantum computers.
Organizations like the National Institute of Standards and Technology (NIST) are spearheading efforts to develop and standardize PQC algorithms. These new cryptographic systems effectively aim to secure digital communications against these future threats posed by quantum computing.
The key strength of PQC is it’s scalable. For a bank like HSBC that operates across many markets, PQC is likely to be the main solution for most of our applications.
The alternative way to defend against quantum attacks is physics-based, through quantum communication or, more precisely, quantum key distribution (QKD). QKD leverages the principles of quantum mechanics to enable two parties to exchange cryptographic keys in a manner that’s inherently secure against eavesdropping.
The beauty of this approach lies in the quantum principle that if you observe a quantum state, you inevitably alter it. If an eavesdropper attempts to intercept the key, their interference can be detected, allowing the authorized users to discard that compromised key and start afresh.
QKD is fascinating because it uses the randomness inherent in quantum mechanics to provide a foundation for generating cryptographic keys that are theoretically impossible to predict or replicate. That randomness is crucial for creating secure encryption that can withstand attempts from quantum attacks.
The strength of QKD is that it isn’t based on maths, it’s what we call information theoretic secure. That means it can’t be broken with any type of powerful machine today or in the future, because it isn’t dependent on cracking some kind of algorithm.
That makes it particularly useful for strategic sites or large locations where there’s big data transfers. We are looking at both QKD and PQC to provide a complete solution in our journey towards becoming quantum safe.
IM: In 2023, HSBC announced it was joining BT and Toshiba’s quantum-secured metro network, and would trial multiple scenarios on its network. How does this initiative work and what progress has there been so far?
PI: We have deployed quantum key distribution links in our headquarters in Canary Wharf and a data center in Berkshire via the BT and Toshiba commercial quantum metro network. This allows us to exchange quantum keys between the two sites to test the stability of the system and apply those quantum keys to applications like audio, video and data files. Therefore, it’s a way of encrypting data with this kind of quantum resistant future technology.
The key experiment we ran at the end of 2023 was using that system to connect to our AI Markets platform and simulate a 30m euro to dollar foreign exchange trade.
The front end connected out of Canary Wharf headquarters and the information was retrieved from the back end in Berkshire through this quantum network. Effectively, the information exchange and the simulated trade were encrypted with quantum keys and sent between the two sites.
It was a demonstration of the world’s first FX trade on a commercial QKD network and gives you a flavor of the sorts of things we’re doing to test how this technology may apply to our critical applications and what impact it has on performance and anything else that may aid our learning as we transition to being quantum safe.
IM: What other approaches are being taken in the financial sector to mitigate quantum threats? How important is collaboration in these efforts?
PI: We’re seeing two key initiatives – one is more guidance and advisories being issued by organizations and governments, which at this stage are designed to educate industry on the guiding principles and roadmaps to becoming quantum safe.
We’re also starting to see advisory notes come out of regulators. For example, in February 2024, the Monetary Authority of Singapore published an advisory telling financial institutions to develop strategies and build capabilities to address cybersecurity risks associated with quantum.
We are also seeing more consortiums involving academia, government, technology players and financial services institutions, that are designed to share best practices and problem solve some of the threats relating to quantum computing.
The more best practices you can pick up when it comes to cybersecurity, the better. That’s partly because we’re all working against a common threat but also any one weak link in the chain of a payment system is going to be a problem. The whole industry needs to move forwards together.
There are a couple of really good examples of consortiums, for example we’re involved in the World Economic Forum (WEF) and Financial Conduct Authority (FCA), which are looking to bring regulators together to talk about some of these issues and what different organizations are doing.
Another example of really good collaboration we’re seeing is through initiatives designed to test some of these technologies. This includes Project Leap, which is testing quantum secure exchanges between the central banks in Europe. It’s putting into practice some of these early implementations to understand what impact it has and what learnings can be made when deploying new types of technology.
IM: What can financial services organizations start doing today to prepare their systems for being quantum-secure in the future?
PI: The single most important step is to make sure your board are having conversations about quantum computing and the emerging threats that they pose.
The reason for that is transforming cybersecurity in a financial services organization is going to be long, complex and expensive. It’s important not to be fooled into thinking that because cryptographically relevant quantum computers are still some years away, you should take a wait and see approach.
We were involved in discussions last year with the FCA and the WEF, which identified four broad steps to follow when it comes to being quantum secure.
- Step one is around preparing and raising awareness. Understanding the current state of cryptographic infrastructure and building internal capabilities, including having the right technical skills, is vital for laying the groundwork for any transition.
- Step two is about clarifying what you are going to do. It’s about gathering the evidence and identifying the gaps in your network, mapping different regulations across different regions that your organization operates in, and getting a good understanding of what a transition will mean. This should include things like inventory management – you have to understand the different applications you’re using and the different cryptographic protocols that they are operating under today, as well as the type of data going through them and the sensitivity and longevity of that data.
- Step three is creating a solid transition strategy; it’s moving beyond preparation and clarification to shaping and guiding what a transition will look like. Which applications are you going to prioritize first? How are you going to ensure that you are developing protocols that meet industry and regulatory best practices? This is the point where you need to start working with vendors to understand and implement these new standards.
- Step four is your transition and monitoring. This is about deploying PQC and potentially QKD, and effectively modernizing your cryptographic ecosystem. You’re deploying PQC, QKD and enabling crypto agility. This concept of crypto agility is becoming more important because we don’t ever want to be back in the same situation we are now where we have mathematical algorithms that are being compromised. If someone works out how to break a new algorithm, you don’t want to re-engineer your ecosystem. Therefore, you have to make your new software platforms crypto agile so you can rotate between different algorithms.
IM: What is the best versus worst case scenario for a quantum future?
PI: The best-case scenario is that organizations have modernized their cryptography ecosystem to become quantum safe, and they’ve validated the performance and implications well in advance of the point in time where a cryptographically relevant quantum computer is available. In other words, the impact is nil, applications and systems continue performing and our customers don’t notice any difference.
The worst-case scenario is the opposite. This is the situation where a cryptographically relevant quantum computer becomes available before organizations have been able to migrate to quantum-resistant cryptography.
There are two scenarios where this might happen. One is if quantum computers capable of breaking cryptography develop faster than we anticipate, because we’re seeing lots of technological progress happening.
The second reason is if transforming cybersecurity to become quantum safe becomes much longer than organizations realize. That’s why we think it’s important to start this journey sooner rather than later.