By Cam Sivesind
Wed | Sep 25, 2024 | 10:37 AM PDT

Today, the G7 Cyber Expert Group (CEG), chaired by the U.S. Department of the Treasury and the Bank of England, issued a statement addressing the cybersecurity risks posed by quantum computing. While quantum advancements promise groundbreaking changes, they also threaten the security of current encryption standards widely used in financial systems.

The CEG recommends that financial authorities and institutions take immediate action to evaluate their cryptographic methods and plan for a transition to quantum-safe encryption.

"The G7 CEG looks to help support the responsible use of emerging technologies like Cloud, AI, and Quantum in the financial sector while balancing the risks to the global economy," said Todd Conklin, Treasury Deputy Assistant Secretary for Cybersecurity and Critical Infrastructure Protection, Co-Chair to the G7 CEG, in a press release. "Cyber experts across the financial sector have developed internal plans related to quantum innovation and resilience, and it is critical that they obtain the support needed for their successful implementation. The G7 CEG believes that planning for the quantum transition is important to economic security and prosperity, and strongly encourages financial institutions to provide funding and other resources needed to support it."

For businesses and organizations, this announcement signals an urgent need to assess their vulnerability to future quantum-based threats. Financial institutions must start adopting post-quantum cryptography to safeguard sensitive data against potential exploitation.


For cybersecurity professionals and vendors, this is an opportunity to lead the transition by offering quantum-resilient solutions, upgrading existing systems, and raising awareness of the need for quantum-safe strategies. Organizations will increasingly rely on these experts to guide them through adopting new standards and technologies to stay secure.

"Financial institutions must prepare for post-quantum cryptography now for several pressing reasons. The imminent threat posed by quantum computers to current encryption methods is critical," said Jason Soroko, Senior Fellow at Sectigo. "Quantum computers are advancing toward solving complex mathematical problems that underlie today's public-key cryptography. Once operational, they could render current encryption obsolete, exposing sensitive financial data to breaches."

"This is not a future problem, but an immediate problem. Malicious actors may already be employing 'harvest now, decrypt later' strategies, intercepting and storing encrypted data to decrypt once quantum computing becomes viable," Soroko added. "This puts even currently secured data at future risk, compromising customer information and organizational integrity. Secrets that are encrypted in-transit today with at-risk cryptographic algorithms need to be evaluated. Every organization needs to determine which secrets are most at risk if they were decrypted by 2030."

The public will indirectly benefit from these proactive measures, as the secure handling of their personal and financial data will be more robust in the face of quantum threats. On the flip side, nefarious actors will likely attempt to exploit current cryptographic weaknesses before quantum-safe encryption becomes standard, putting organizations at greater risk in the interim.

In its statement, the G7 CEG recommends financial entities consider taking the following steps to address this emerging risk:

  1. Developing a better understanding of quantum computing, the risks involved, and strategies for mitigating those risks. Financial entities may consider outreach to vendors, third parties, and other subject matter experts to better understand the risks of quantum computing and potential technology solutions, with a particular focus on cryptographic risks. Issues they may want to focus on include the timelines for quantum technology development, the evolution of the threat landscape, and existing and emerging quantum resilience technologies and approaches. Financial entities should consider processes to track developments in these areas as they change over time.
  2. Assessing quantum computing risks in their areas of responsibility. Financial entities should develop a sound understanding of quantum computing risks to their particular areas of responsibility, whether that is an individual company or a jurisdiction. The goal of this is to identify the level of effort the entity should dedicate toward the issue and the specific area(s) where it should focus. For entities that are ready to do so, this may involve beginning to inventory critical data and current cryptographic technologies in use within their organizations and key third parties on which they are dependent in order to identify and prioritize areas for mitigation. For others, a starting point may be discussions with the entity's information technology leadership and key service providers prior to conducting a more in-depth analysis. They may also wish to discuss their risk tolerance for protecting critical data before quantum technologies become more mature.
  3. Developing a plan for mitigating quantum technology risks. Financial entities should consider establishing governance processes, identifying key stakeholders and their roles and responsibilities, and establishing milestones for key actions based on the anticipated deployment of a cryptographically relevant quantum computer. As noted above, such future actions may include creation of an inventory of cryptography use within the entity and its third parties. It may also include planning for the orderly replacement of vulnerable technologies with those that are quantum resistant. The Canadian Government has developed a Quantum Readiness Guide that can help entities prepare for the quantum threat.
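The inventory-and-prioritize step above is where most teams stall, so here is an added example (not from the G7 statement, the article, or any quoted vendor) that triages a constructed cryptographic inventory: it marks RSA/ECC/DH uses as quantum-vulnerable, ranks encryption of long-lived data first because of the harvest-now-decrypt-later exposure, and treats the 2030 horizon and the sample systems as assumptions.

```python
# Added example (not from the G7 statement or the article): triage a
# cryptographic inventory for quantum exposure. The inventory rows and the
# 2030 horizon are constructed assumptions.
import csv
import io

CRQC_HORIZON_YEAR = 2030   # assumed planning horizon (the "decrypted by 2030" question)
INVENTORY_YEAR = 2024

# Public-key families a cryptographically relevant quantum computer breaks.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH"}
# NIST-finalized replacements (ML-KEM in FIPS 203, ML-DSA in FIPS 204).
QUANTUM_RESISTANT = {"ML-KEM", "ML-DSA"}

def classify(row: dict) -> dict:
    """Return the row with status, harvest-now-decrypt-later flag and priority (1 = first)."""
    alg = row["algorithm"].upper()
    # Data encrypted today stays exposed until its confidentiality need expires.
    exposed_until = INVENTORY_YEAR + int(row["retention_years"])
    hndl = row["purpose"] == "encryption" and exposed_until >= CRQC_HORIZON_YEAR
    if alg in QUANTUM_VULNERABLE:
        # Confidentiality leaks retroactively; signatures only fail once a CRQC exists.
        status, priority = "vulnerable", (1 if hndl else 2)
    elif alg in QUANTUM_RESISTANT:
        status, priority, hndl = "resistant", 4, False
    elif alg == "AES" and int(row["key_bits"]) < 256:
        # Grover halves effective symmetric strength; AES-256 is the conservative target.
        status, priority = "symmetric-weak", 3
    else:
        status, priority, hndl = "ok", 4, False
    return {"system": row["system"], "algorithm": alg, "status": status,
            "hndl_risk": hndl, "priority": priority}

def triage(inventory_csv: str) -> list:
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted((classify(r) for r in rows), key=lambda f: f["priority"])

# Constructed sample inventory; the systems are not real.
SAMPLE_INVENTORY = """system,algorithm,key_bits,purpose,retention_years
payments-tls,RSA,2048,encryption,10
code-signing,ECDSA,256,signature,1
archive-kms,AES,128,encryption,20
pilot-vpn,ML-KEM,768,encryption,10
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f['priority']} {f['system']:13} {f['algorithm']:7} {f['status']:15} HNDL={f['hndl_risk']}")
```

In a real programme the CSV would come from certificate, TLS and KMS scans of the entity and its key third parties, and the retention figures from the data-classification owners.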

"The challenges for IT and security teams are significant, from ensuring compatibility with existing systems to managing the transition of cryptographic keys," said Adam Everspaugh, Cryptography Expert at Keeper Security. "However, the urgency of this shift cannot be overstated. The potential for quantum computers to break widely used encryption algorithms like RSA and elliptic curve cryptography is a very real threat that could compromise the security of sensitive data worldwide."

"To prepare for the transition to Quantum-Resistant Cryptography (QRC), security teams should first talk to IT and software engineering teams to understand how and where public key cryptography is currently used within their organization," Everspaugh continued. "Next, they should engage with their vendors—especially those providing security products—to understand their plans for supporting QRC. The next big development I foresee on the horizon is the widespread adoption and integration of QRC into existing security frameworks. Now that NIST has finalized their QRC algorithm specifications, and production libraries and implementations are starting to become available, the focus will shift toward implementing these new cryptographic standards across networks."

"An initial set of quantum-resilient encryption standards was released by the National Institute of Standards and Technology (NIST) last month. Additional standards from NIST and other standard-setting bodies are expected in the future. It is important for financial entities to maintain the agility required to incorporate new encryption standards in a timely and appropriate manner as they become available.

With the availability of NIST's standards, some financial entities may be in a position now to start making the needed changes to implement quantum resilient technologies within their systems. Others may be dependent on vendors and other third parties to develop implementations of the new standards that can be incorporated once they become available. No matter where entities are in their adoption timelines, the G7 CEG strongly encourages financial authorities and institutions to begin taking the following steps to build resilience against quantum computing risks:

  1. Develop a better understanding of the issue, the risks involved, and strategies for mitigating those risks.
  2. Assess quantum computing risks in their areas of responsibility.
  3. Develop a plan for mitigating quantum computing risks."

"When true Quantum Information Science and Technology (QIST) capabilities become commercially available, the impact across the technology environment will be profound," said Philip George, Executive Technical Strategist at Merlin Cyber. "Some aspects of computing, communication, measurement, and sensing will change substantially as the method for execution could look dramatically different, while other technology processes may remain similar to their classical applications but become exponentially more precise from a timing and accuracy perspective. Either way, our method of conducting IT and cyber business today will have to evolve to account for any changes from today's classical computing operational paradigm."

"In the meantime, Post-Quantum Cryptography (PQC) presents us with an opportunity to introduce quantum resistant cryptography and system level agility into our IAM and zero-trust protection strategies," George continued. "Which will ultimately grant industry more time to explore QIST based enhancements to the digital identity and access management ecosystem as well as the greater technology landscape. Whether leveraging classical, PQC, or QIST based computing, data and human/machine based identities will remain high value targets, especially in a potentially quantum connected world."

The G7 CEG's membership includes representatives of financial authorities across all G7 countries as well as the European Union. It was founded in 2015 to serve as a multi-year working group that coordinates cybersecurity policy and strategy across the member jurisdictions. In addition to policy coordination, the G7 CEG also acts as a vehicle for information sharing, cooperation, and incident response.
