It is a high-tech and high-stakes waiting game.
As Jack Hidary, CEO of Sandbox AQ, told Karen Webster of PYMNTS, financial institutions (FIs) and all kinds of businesses still rely on RSA, a public-key cryptographic system that is the cornerstone of secure data exchange and supports the transfer of everything from payments to healthcare information.
However, this algorithm dates back to the late 1970s and is a major source of vulnerability, one that hackers can eventually defeat.
This is especially true if these hackers are armed with the power of turbocharged quantum computing — and backed by nation states with unlimited resources at the ready.
Regarding the grand strategy, Hidary said, “They take data, steal it, store it, and then read it when they have more and better computing capabilities.”
Hack. Steal. Wait. They wait for quantum computing power to become available, even if it takes years. This store-now, decrypt-later approach could unleash havoc down the line, and no one knows just when.
Banks are at risk, Hidary told Webster, because the “secret ways” in which they set up their payment infrastructure (checks and internal controls, risk management and proprietary trading models) are all valuable. Banks and payment companies have faced a number of existential threats over the years, and now the threats are increasingly digital, especially with the proliferation of touchpoints.
“All of these threats come from a miscalculation of risks,” he said.
We may be years away from seeing quantum computers that are fast and powerful enough to break the lines of defense that public-key cryptography puts in place, but the threat looms large.
The threat is broad enough that the White House has announced proposals aimed at keeping the United States at the forefront of the quantum race and mitigating risks in the coming years.
Explain it to my mom
To understand why the here and now is so pressing when it comes to one of the most esoteric and complex areas of computing, namely quantum computing, start with the “mom approach.”
In other words, how do you explain it to my dear mom – who might have some trouble logging into Zoom calls?
Hidary likened the bifurcation in computing and data defense to the changes taking shape in transportation. There are combustion vehicles that burn gas to spin the wheels, and there are electric cars.
“They are both vehicles that move people — but they do it in very different ways,” Hidary said.
To that end, he said, there are all kinds of computers available today. There are different CPUs and GPUs on offer from companies as diverse as Intel, Nvidia, Google, AMD, and a large number of others. As Hidary pointed out, these offerings operate according to traditional principles of computing, powering the central processing units (CPUs) found on phones and in servers.
But as he said, “Quantum computing will never ‘overcome’ classical computers. They are not here to replace classical computers. They are here to sit side by side, processing information about multiple types of computing simultaneously.”
The power these quantum computers wield is not available only to the bad guys: the good guys can harness all that power, too. They can also band together for data protection and financial security, in a standards-based approach that promotes quantum-resistant encryption.
Hidary noted that over the past few years, a wide range of countries across North America and Europe (linked in turn to the National Institute of Standards and Technology) have worked together to introduce new protocols in this area.
But he said the scammers are watching, and they have a short lead time, which means they may ramp up their attacks. To speed up defenses, White House national security memos instructed the National Security Agency to assist chief information officers (CIOs) in efforts to develop quantum-resistant protocols.
Sandbox AQ and the Quantum Alliance Initiative, a group of companies and universities, are working with regulators to help address weaknesses in the current situation and chart a roadmap for better protection.
At a high level, as payments become more distributed (with all devices connected to the Internet and conceivably able to conduct transactions, and with applications proliferating), the cloud can help improve these lines of defense. As Hidary said, cloud transitions don’t require hardware, so only upgrades will be necessary.
For banks, he said, “the first step in this transition is the inventory and appraisal process,” in which banks will create transition plans to move from RSA to quantum-secure protocols.
Migration could take years, he said, but it can be prioritized along the way, with important data stored and protected with the new encryption first.
Other than banking, all kinds of data must be migrated, including billions of healthcare records created and stored in the US that make their way through providers and the healthcare system in general.
“The definition of HIPAA itself must now be updated to include migration to these protocols,” Hidary said.
Looking ahead, he said, moving to quantum security initiatives means bank executives (and others) have the opportunity to rethink their cyber architecture in general. Best practices include creating teams within the company, bringing together different departments and functions to address cyber risks and protect assets, consumers and confidentiality.
“Within the infrastructure of the bank and payment companies, this is not just a problem for CSOs, CIOs, and CIOs,” he said. “It is paid at the CEO and board level.”
For banks and payment companies, harnessing the power of quantum computing, even if remote, can generate myriad benefits.
Quantum computing can provide a more complex way of looking at risk and loan ledgers, identifying problems that a number of clients (or even one client) can present.
Even blockchain (which can enhance financial inclusion) relies on weak protocols, he said, because they are based on RSA.
Hidary told Webster that the first standards and specifications for these protocols may be just weeks away, bringing a tailwind for the payments community to come together and begin the discovery process. By 2025, he said, banks and other financial service providers will have migrated to quantum security systems.
“It is important that we move very quickly,” Hidary said. “RSA has been the standard that’s been with us since 1978 – it’s been good, but we need to move to a post-RSA world.”