Without quantum encryption, the financial sector will not be secure for long

Public Key Cryptography (PKC), which underpins today’s digital economy, has been successfully encrypting online communications since the seventies. It enables the transmission of secure keys between parties to allow them, and only them, to decrypt messages.

But soon, it will not be enough.

Developments in quantum technology mean that PKC can no longer guarantee that your data is secure. While the time required for a standard computer to crack PKC encryption makes it impractical for attackers to attempt, anyone with a quantum computer could do so many orders of magnitude faster – giving access to private financial information.

Additionally, ‘Harvest now, decrypt later’ attacks have emerged which threaten the security of data both today, and in the future. These attacks entail hackers mining encrypted data today, with the aim of saving it in an unreadable state, and decrypting it once a quantum capability becomes available.  

What is the quantum threat for financial institutions?

Quantum computers are not yet commercially available, but that doesn’t mean the threat should be ignored.

Financial institutions need to pay attention to this threat for a number of reasons. Of course, the sensitive information they are charged with protecting is not only incredibly valuable for an attacker – it also has a long lifespan. But, perhaps more importantly, they are often large organisations with a hugely complex technology stack that can’t afford to have much down-time. Any major technology overhaul takes time, and needs to be done carefully.

That’s why, for HSBC, it was important to act early. The bank recently joined BT and Toshiba’s quantum-secured metro network (QSMN) to trial the quantum secure transmission of data between its global Canary Wharf HQ and a data centre in Berkshire.

HSBC processed 4.5 billion customer payments last year, and each one relies on a secure encryption process. The trial was therefore not only a matter of ensuring financial security for the bank, but also one of reputation, explains Philip Intallura, Global Head of Quantum Technologies at HSBC:

“The impact that quantum computing can have in financial services from a malicious use case perspective is tremendous. Our whole business model is predicated on protecting customer data, processing billions of payments – and so the need to start exploring how and where we apply these new quantum resistant technologies is very, very important.

“That journey has to start now.”

Philip Intallura discusses HSBC’s plans for exploring applications for quantum-secure technologies

As part of the trial, HSBC was able to successfully protect a €30 million trading scenario from Euros to US dollars on its HSBC AI Markets trading platform, showing that quantum-secure technologies can be successfully deployed, today.

How to establish quantum security

What does that journey to quantum security look like? In the first instance, it’s implementing QKD – Quantum Key Distribution.

Like PKC, QKD involves the exchange of secure keys, which can be used to decrypt data passed between parties. However, unlike PKC, it uses the principles of quantum physics to make these keys secure even against the power of a quantum computer.

Undeniably, the transition to a post-quantum understanding of security processes will take time. For those sectors most affected, it’s vital to start the transition as soon as possible:

1. Identify biggest vulnerabilities – and mitigate them

The technology exists to begin protecting your most vulnerable data today. Quantum-secure technologies such as QKD are commercially available and able to mitigate the risk of harvest now, decrypt later attacks.

2. Become quantum-aware  

Despite significant progress being made in the quantum space, many organisations are not yet quantum-aware. Beginning to actively pursue education – especially throughout technology and management teams – will make all the difference in a quantum future.

3. Take the first steps

Any progress is better than none. “The way I look at this is: the cost of not doing anything, of not exploring this technology – particularly for an organisation like HSBC – is so much higher than the risk of investing,” said Philip Intallura.

“If quantum computers materialise in the way that we expect them to, then this could be one of the best investments we’ve ever made.”

Time is of the essence

The reality of quantum computing is no longer in the distant future. It is mere years away – in July of this year, Google announced a ‘significant step’ forwards, with a prototype quantum computer capable of solving equations 47 times faster than the current fastest supercomputer.

Customers depend upon financial institutions to keep their data secure in any eventuality. To fail to do so would damage an organisation’s reputation, while a successful cyber-attack could cause a huge amount of disruption on an unprecedented scale. Banks are likewise individually responsible for protecting customers against cyber-attack under FCA regulations, which means a data breach has severe legal implications, too.

“When you think about what is at stake – it’s basically our entire business model,” said Philip Intallura. “If the things we do are hackable by a quantum computer, then we’re in big trouble. Everyone is in big trouble. This isn’t unique to financial services, everyone needs to protect their data, but it’s particularly important for financial services because we’re vital to the economy.”

That’s why financial institutions like HSBC are acting early. It’s no longer a question of whether quantum computers will exist, but rather when they will. By securing transactions with QKD technology, the financial sector can ensure that their safeguarded data is not only secure today – but long into the future, too.