DTCC warns on quantum security risks as financial industry grapples with threat planning

Quantum-based computers will one day have the power to break the industry’s existing cryptography codes in seconds. In a recent white paper, post-trade market infrastructure Depository Trust & Clearing Corporation (DTCC) explained the risks and identified protective steps.

“We recognize that the quantum technology threat is coming. With some experts estimating that the industry’s protected data could become vulnerable within the next decade, the time to act is now,” said Ajoy Kumar, DTCC managing director and chief information security officer, in a statement, adding that the post-trade market infrastructure is already taking steps to protect its data.

“Here at DTCC, we are well aware of the quantum threat. We wanted to be ready for that day, as well as for the day PQC [post quantum cryptography] standards became available. We knew if we made every preparatory step that’s possible now, we might avoid an urgent scenario that recalled the rush of Y2K, where teams had to rush to prepare,” Kumar said. “We knew that enhancing our crypto-agility now – even as we await more guidance from experts and authorities – could only reduce disruption and potential vulnerability later.”

The steps that DTCC recommends in the white paper include:

  • sizing up the effort by identifying systems and encryption mechanisms in scope for remediation
  • strengthening cryptography practices by centralizing the management of keys and certificates, instilling standards for encryption mechanisms, and implementing change management for new encryption solutions
  • developing and exercising a playbook that details the steps needed to replace an encryption platform while ensuring the plan can be executed on time
  • modifying and separating systems, as needed, to facilitate work to come
  • beginning organizational change management efforts to build a strong risk culture and risk-based mindset within organizations.

The firm also suggests closely monitoring activities taking place within the regulatory community that address topics like standardization, including NIST’s focus on post-quantum cryptography (PQC) standards.

At Quantum.Tech Europe in London this week, financial services firms like Barclays, HSBC, ING, Moody’s, Santander, Standard Chartered, and European insurance firm Generali detailed some of their moves that tap quantum computing and associated technologies. These initiatives are generally presented in a “threats and opportunities” framework.

For banks, cybersecurity threats are top of the agenda, said one expert from a major global bank, speaking on a panel: “A lot of our cybersecurity (team) are involved in looking on how we will deploy some of these security algorithms, understanding these new NISQ [Noisy Intermediate-Scale Quantum] standards that are coming out, getting them deployed, testing them out — before they are in the wild and we are depending on them.”

A development engineer from a European bank described how his team implemented an open source C library for quantum-safe cryptographic algorithms, called liboqs, into its Corda-based enterprise DLT infrastructure. One of the lessons learned is that it’s necessary to “easily and quickly adapt with newer, updated or safe algorithms” when using an open source approach. However, how that translates to cybersecurity within the rest of the bank was unclear, and the developer noted that there was still a lot of work to do.

Ilyas Khan, CEO of Quantinuum, presented the firm’s cyber application, a platform that generates “quantum-enhanced cryptographic keys” for communications security. The product targets financial services and vendors as clients. Users announced so far are Japan’s ICT firm Fujitsu and a company working with the International Space Station. More users are expected to be announced over the coming months.

“This is real. It is not something which is aesthetically pleasing from an intellectual standpoint. It is not something that people are writing papers about or doing proof of concepts. It is an actual key that works in today’s environment,” he said.
