Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today.
New requirements for financial entities in the EU.
DORA, the EU's Digital Operational Resilience Act, lays out a set of requirements across ICT risk management, incident reporting, operational resilience testing, cyber threat and vulnerability information sharing, and third-party risk management.
Below, we elaborate on the 'cryptographic threats' these requirements refer to and the implications they could have for financial institutions in the context of quantum computing.
In 1994, the physicist Peter Shor introduced an algorithm that, when run on a large-scale quantum computer, could break public-key cryptography algorithms such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman and Elliptic Curve Cryptography.
The financial sector relies on these algorithms to ensure the confidentiality and integrity of bank transactions, the authenticity of its customers, the validity of digitally signed documents and the confidentiality of customer financial data.
If the supporting cryptography can no longer be trusted, the entire financial sector is at risk.
To break today's cryptography, a so-called Cryptographically Relevant Quantum Computer (CRQC) would need to be realized.
In 2016, NIST launched a competition, which attracted more than 80 submissions, to standardize a new form of cryptography that runs on ordinary systems but resists a quantum attacker because it relies on mathematical problems that are hard for a quantum computer to solve.
[Figure: NIST standardization timeline for quantum-safe cryptography.]
Why quantum has an impact on DORA.
Quantum threats, when they materialize, have the potential to drastically impact the operational resilience of financial entities and could disrupt the economy globally.
New quantum-safe cryptography algorithms are available, which will be needed to mitigate those threats.
This implies the need to adopt upcoming, quantum-safe data-in-transit protocols such as quantum-safe transport layer security or quantum-safe virtual private networks, as well as quantum-safe mechanisms for signing documents or bank transactions.
As a result, financial entities will need to implement supporting infrastructure such as quantum-safe public key infrastructure and key management systems.
Given the current draft requirements in JC 2023 86, one can anticipate that soon after quantum-safe cryptography is standardized, it will be considered a leading practice.
Regardless of when quantum threats might materialize, regulatory requirements such as DORA will soon implicitly mandate the adoption of quantum-safe cryptography in the financial industry.
At the same time, organizations should seize the opportunity to improve their overall cryptographic agility by modernizing the way cryptography is implemented today, making future changes far more timely and cost-efficient.
It is clear that implementing quantum-safe cryptography will not be an easy endeavor.
Assess and review your enterprise cryptographic posture and identify elements potentially impacted by quantum threats.
Ensure that current change processes and strategic projects take the impact of cryptography into consideration and that provisions are made to implement remediation in the least disruptive way.
We strongly recommend that organizations define a quantum-safe migration program today.
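As an added illustration of the "assess and review your cryptographic posture" step (example code written for this summary, not part of the original article or of any vendor tool), a small Python triage that reads a constructed cryptographic inventory, flags the Shor-breakable public-key algorithms the article names, recognises the NIST post-quantum standards, and ranks what to migrate first; the inventory format, the use categories and the priority order are assumptions.

```python
from dataclasses import dataclass
# Public-key families the article names as Shor-breakable (RSA, DH, elliptic curves); spellings assumed.
SHOR_VULNERABLE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519"}
# NIST post-quantum standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA).
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Assumed triage order: long-lived PKI and signing uses outrank data-in-transit (TLS, VPN).
LONG_LIVED_USES = {"pki", "signing"}

@dataclass(frozen=True)
class Finding:
    system: str
    use: str         # tls | vpn | signing | pki (constructed categories)
    algorithms: str  # raw inventory value, e.g. "X25519+ML-KEM" for a hybrid
    verdict: str     # migrate | hybrid | safe | review
    priority: int    # 1 = act first

def classify(system: str, use: str, algorithms: str) -> Finding:
    """Decide whether one public-key use is quantum-vulnerable and how urgent it is."""
    algs = {a.strip().upper() for a in algorithms.split("+") if a.strip()}
    vulnerable, safe = bool(algs & SHOR_VULNERABLE), bool(algs & QUANTUM_SAFE)
    if safe and not vulnerable:
        verdict, priority = "safe", 4
    elif safe and vulnerable:  # protected today, but still carries a Shor-breakable leg
        verdict, priority = "hybrid", 3
    elif vulnerable:
        verdict, priority = "migrate", 1 if use in LONG_LIVED_USES else 2
    else:  # unrecognised algorithm is an inventory gap, not a pass
        verdict, priority = "review", 2
    return Finding(system, use, algorithms, verdict, priority)

def triage(inventory: str) -> list[Finding]:
    """Parse 'system;use;algorithms' lines ('#' starts a comment), sort by urgency."""
    findings = []
    for raw in inventory.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            system, use, algorithms = (f.strip() for f in line.split(";", 2))
            findings.append(classify(system, use.lower(), algorithms))
    return sorted(findings, key=lambda f: (f.priority, f.system))

# Constructed sample inventory; systems and algorithms are illustrative only.
SAMPLE_INVENTORY = """
payments-gateway;tls;ECDHE+RSA      # classic TLS key exchange and server auth
branch-vpn;vpn;X25519+ML-KEM        # hybrid key exchange
doc-signing-service;signing;RSA
internal-ca;pki;ECDSA
ledger-archive;signing;ML-DSA
legacy-hsm;signing;PROPRIETARY-V1   # in neither list
"""
if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.verdict:8} {f.system:20} {f.use:8} {f.algorithms}")
```

The "review" verdict is deliberate: an algorithm the inventory cannot name is a gap in the posture assessment, not evidence that the system is safe.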
This Cyber News was published on securityintelligence.com. Publication date: Fri, 26 Jan 2024 18:13:09 +0000