It’s a high-tech, high-stakes waiting game.
As Jack Hidary, CEO of Sandbox AQ, told PYMNTS’ Karen Webster, financial institutions (FIs) and all manner of firms are still reliant on RSA, a public-key cryptosystem that is the cornerstone of secure data exchange, underpinning the transmission of everything from payments to healthcare information.
However, that algorithm stretches back to the late 1970s, and it represents a key point of vulnerability, one that can ultimately be defeated by hackers.
That’s especially true if those hackers are armed with turbocharged quantum computing power — and backed by nation-states that have unlimited resources at the ready.
As to the grand strategy, Hidary said, “They grab the data, they exfiltrate it, they store it, and then they read it when they have more and better computing capabilities.”
Smash. Grab. Wait. They wait for the quantum computing power to become available, even if it takes years. It’s a store-now, decrypt-later approach that can unleash havoc down the line, and no one knows just when.
Banks are vulnerable, Hidary told Webster, because the “secret ways” in which they have set up payment infrastructure — the internal checks and controls, the risk management and proprietary trading models — are all valuable. There have been any number of existential threats at banks and at payment firms over the years, and now the threats are increasingly digital, especially as touch points proliferate.
“These threats all come from misjudging risk,” he said.
We might be years away from seeing quantum computers that are lightning fast and powerful enough to break the lines of defense that are in place via key encryption, but the threat looms.
The threat is broad enough that the White House has announced proposals that aim to keep the U.S. at the forefront of the quantum race and mitigate risk in the years ahead.
Explaining It to Mom
To boil down why the here and now is most urgent when it comes to the most exotic, complex processes within computing — specifically quantum computing — start with the “mom approach.”
In other words, how would you explain it to dear old Mom — she who might have a bit of trouble logging onto Zoom calls?
Hidary likened the bifurcation in computing and data defense to the changes taking shape in transportation. There are combustion vehicles that burn gas to get the wheels turning, and there are electric vehicles.
“They’re both vehicles that move people — but they do so in very different ways,” Hidary said.
To that end, there are all sorts of computers out there today, he said. There are different CPUs and GPUs that are on offer from companies as diverse as Intel and Nvidia, Google and AMD and a slew of others. As Hidary noted, those offerings operate on the traditional principles of computing, powering the CPUs we have on phones and in servers.
But as he said, “Quantum computing will never ‘take over’ from classical computers. They are not here to replace classical computers. They are here to sit side by side, where we process information on multiple types of computing simultaneously.”
The Consortium Approach
The advantage of these quantum computers and the power they wield is not just that they can be leveraged by the bad guys — the good guys can harness all that power, too. They can also band together to protect data, and financial security, in a standards-based approach that fosters quantum-resistant cryptography.
Hidary noted that through the past few years, a broad range of countries throughout North America and Europe (tied, in turn, to the National Institute of Standards and Technology) have worked together to bring new protocols into the field.
But the fraudsters, he said, are watching — and they’ve got a short window of time, which means they may amp up their attacks. To speed up the defenses, White House National Security Memorandums have instructed the National Security Agency to help chief information officers (CIOs) with efforts to develop quantum-resistant protocols.
Sandbox and the Quantum Alliance Initiative, a consortium of companies and universities, are working with regulatory agencies to help address the vulnerabilities of today’s situation and chart a roadmap to better protection.
At a high level, as payments become more distributed — and as all devices connect to the internet and could conceivably transact (and apps mushroom) — the cloud can help improve those lines of defense. As Hidary said, transitions via the cloud need no hardware in place, and thus only upgrades would be necessary.
For the banks, he said, “The first step in this transition is an inventory and assessment process,” where banks would create transition plans to migrate from RSA to quantum-safe protocols.
The migration might take years, he said, but it can be triaged along the way, as critical data can be stored and protected with new encryption first.
Beyond banking, all manner of data will have to be migrated, including the billions of healthcare records generated and stored in the U.S. that make their way across providers and the healthcare system at large.
“The very definition of HIPAA will now have to be updated to include the migration to these protocols,” Hidary said.
Looking ahead, he said that the move to quantum-safe initiatives means that banking (and other) executives have the opportunity to rethink their cyber architecture in general. Best practices involve creating task forces within the firm, bringing different departments and functions together to address cyber risk and protect assets, consumers and confidentiality.
“Within the bank infrastructure and the payment companies, this is not just an issue for the CSO, the chief information science officer and the CTO,” he said. “It’s being driven at the CEO and board level.”
For the banks and payments firms, harnessing quantum computing power, even if it’s a ways off, can generate myriad benefits.
Quantum computing can offer a much more sophisticated, more networked way of looking at risk and loan books, pinpointing the issues a number of customers (or even a single one) can present.
Even blockchain (which can foster financial inclusion) is based on vulnerable protocols, he said, as they are based on RSA.
Hidary told Webster that we may be only weeks away from seeing the first standards and specs on these protocols — and a tailwind for the payments community to come together and start the discovery process. By 2025, he said, banks and other financial service providers will have migrated to quantum-safe systems.
“It’s important that we move with great agility,” Hidary said. “The RSA has been the standard that has been with us since 1978 — it’s had a good run, but we need to move to the post-RSA world.”