Financial Institutions & Quantum Computing: A Cybersecurity Compliance Timeline

"Quantum computing" started as a theory decades ago. Today it is becoming a reality with companies like IBM launching powerful quantum computers and the United States federal government issuing laws and guidelines on the topic. 

So, let's look at why quantum computing is a cybersecurity risk, what requirements have been released so far, and what steps need to be taken to ensure compliance. Bookmark this blog and be sure to come back to see updates as the topic continues to evolve. 

Why is Quantum Computing a Cybersecurity Risk? 

Quantum computing is a cybersecurity risk because it has the potential to make today's encryption capabilities ineffective. 

For example, let's say we encrypt our data today using strong encryption, like RSA 2048-bit encryption or AES 256-bit encryption. It is presumed that quantum computing will be able to break the encryption due to quantum's advanced computing power. This is a concern, in general, but it is especially concerning when it comes to data breaches. While breached data might be protected today due to its encrypted state, this may not always be the case. 

It is only a matter of time before these supercomputers can perform mathematical calculations at such a level and speed that our present encryption is no longer sufficient to protect our systems and data. 

Quantum Computing Timeline 

The following is a timeline of key events related to quantum computing cybersecurity compliance. This is not intended to be a comprehensive list, but instead to provide an overview of the changing laws, regulations, and guidance on the topic. 

Download the timeline infographic in PDF format. 

April 2016: NIST Report on Post-Quantum Cryptography 

NIST has been researching, publishing, and presenting on post-quantum cryptography (PQC) with public materials as far back as 2011. NIST hosted a workshop on the topic in 2015. Then, in April 2016, things began to change. NIST published their Report on Post-Quantum Cryptography (NISTIR 8105). The findings were quite clear: 

"Sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. It has taken almost 20 years to deploy our modern public key cryptography infrastructure. It will take significant effort to ensure a smooth and secure migration from the current widely used cryptosystems to their quantum computing resistant counterparts." 

Later that same year, NIST published two documents in the Federal Register: 

• A Request for Comments on Post-Quantum Cryptography Requirements and Evaluation Criteria 
• A Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms 

The latter of these two documents was a request for help from the general public. The nominations NIST received from this request came to be significant in the development of PQC standards, as will be discussed later. 

January 2017: American Innovation and Competitiveness Act 

On January 6, 2017, the American Innovation and Competitiveness Act (S. 3084) was signed into law. This was the first bill signed into law that addressed the topic of PQC. Among other things, this law directed NIST to: 

"Develop a process to research and identify, or if necessary, develop cryptography standards and guidelines for future cybersecurity needs, including quantum-resistant cryptography standards." 

December 2018: National Quantum Initiative Act 

On December 12, 2018, the National Quantum Initiative Act (H.R. 6227) was signed into law. This law was designed to "establish the goals and priorities for a 10-year plan to accelerate the development of quantum information science and technology applications." 

This law expanded on the one from the previous year, giving NIST the legal directive to proceed with what they needed to develop PQC standards. It required NIST to: 

"Carry out specified quantum science activities and convene a consortium to identify the future measurement, standards, cybersecurity, and other needs to support the development of a quantum information science and technology industry." 

October 2020: Quantum.Gov and the Quantum Frontiers Report 

On October 7, 2020, a press release was published that announced the launch of Quantum.Gov, a "new digital hub for the growing quantum community to connect with wide-ranging activities underway across the federal government." Along with the launch of the website, a Quantum Frontiers Report was published which was designed to ask questions and serve as a roadmap for quantum researchers. 

May 2022: White House Memo on Quantum Computing 

On May 4, 2022, the White House published a National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. 

"[The memorandum] identifies key steps needed to maintain the Nation's competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation's cyber, economic, and national security. It directs specific actions for agencies to take as the United States begins the multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography." 

This memo explicitly mentions the impact quantum computing could have on the financial industry: 

"When it becomes available, a [cryptanalytically relevant quantum computer] CRQC could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most internet-based financial transactions." 

The memo goes on to say that the United States must prioritize transitioning to quantum-resistant cryptography as much as is feasible by 2035, and that the first set of NIST's PQC standards are expected to be released by 2024. 

July 2022: NIST Announces Quantum-Resistant Cryptographic Algorithms 

On July 5, 2022, NIST published a press release. The article announced that NIST had chosen: 

"The first group of encryption tools that are designed to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day – such as online banking and email software." 

These selected algorithms were announced following a six-year process, dating back to NIST's 2016 Federal Register publications. The algorithms are expected to be included as part of NIST's PQC standards. 

August 2022: CISA Insights on Post-Quantum Cryptography 

On August 24, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published guidance on Preparing Critical Infrastructure for Post-Quantum Cryptography. This resource provides an overview of the risks associated with PQC and introduces the Post-Quantum Cryptography Roadmap, developed by the Department of Homeland Security (DHS) and NIST. 

December 2022: OCC Semiannual Risk Perspective for Fall 2022 

On December 8, 2022, the Office of the Comptroller of the Currency (OCC) became the first federal banking agency to issue guidance on the topic of PQC to its supervised entities. The guidance was included in the Semiannual Risk Perspective for Fall 2022. The guidance reads: 

"It is important for banks and their service providers to monitor how technological innovation may affect security controls. An example of emerging technology with security implications is quantum computing, which has the potential to render current encryption technology ineffective. While broad implementation of this technology will likely not be available in the near term, banks and service providers should be aware of the potential risk implications. The National Institute of Standards and Technology (NIST) has identified the first group of encryption tools that are designed to safeguard for risks posed by advances in quantum computing. Banks and service providers should consider how to effectively monitor these developments as they manage future infrastructure investments." 

December 2022: RSA Podcast on A Quantum-Ready Board 

On December 13, 2022, RSA Conference published a podcast interview on A Quantum-Ready Board: Governance and Cyber Risk Oversight. The podcast interviewed Maëva Ghonda and Dr. Lily Chen, the Head of Cryptographic Technology Group, Computer Security Division at NIST. (Dr. Chen was also one of the authors of the report published in 2016.) 

Following a question that begins around the 18:00 minute mark, Dr. Chen said she anticipates the publication of NIST's PQC standards in 2023 for public comment and she expects finalization in 2024. 

December 2022: Quantum Computing Cybersecurity Preparedness Act 

On December 21, 2022, the Quantum Computing Cybersecurity Preparedness Act (H.R. 7535) was signed into law. The law requires each of the government executive agencies to create and maintain an inventory of all technology that may be vulnerable to decryption by PQC. 

March 2023: National Cybersecurity Strategy 

On March 2, 2023, the White House released the National Cybersecurity Strategy. Strategic Objective 4.3 is titled "Prepare for Our Post-Quantum Future." This objective identifies the nation's need to "prioritize and accelerate investments in widespread replacement of hardware, software, and services that can be easily compromised by quantum computers." It also references the May 2022 White House Memo for details on what this process will look like.

March 2023: FS-ISAC PQC Report

In March 2023, the Financial Services Information Sharing and Analysis Center (FS-ISAC) published a report titled Preparing for a Post Quantum World by Managing Cryptographic Risk. The document provides an overview of PQC, makes a business case for investing now, and offers a roadmap for PQC preparedness.

What's Next? 

Three words: Start preparing now. Here are three recommendations to help get you started. 

1. Educate. We need to educate ourselves. We also need to educate the decision-makers at our organizations, including senior management and Boards of Directors. Keep an eye on this blog for future regulatory updates. For some extra resources on how to stay on top of this topic, check out the "Additional Resources" section below. 
    
2. Inventory. We need to identify our most critical systems and data and determine what risk of PQC compromise they face. Prioritize the inventory based on things like the criticality of the system and its data, any interdependencies, or what functions the system fulfills. 
    
3. Discuss. We need to start a conversation about what it may look like to upgrade or replace those systems with modern, quantum-resistant technology. If these infrastructure investments are not on your 10-year plan, it would be good to start including those in future strategic conversations. 

Quantum computing technology is evolving. We need to do what we can now to make sure we keep up. 

As quantum computing regulations and guidance continue to evolve for financial institutions, Tandem will help create resources to support you and your business. Learn more about how Tandem can help with your cybersecurity governance, risk management, and compliance (GRC) practices today at Tandem.App. 

Additional Resources 

For additional information about PQC, check out the following resources: 

• DHS Post-Quantum Cryptography Roadmap 
• CISA Post-Quantum Cryptography Initiative
• NIST Computer Security Resource Center: Post-Quantum Cryptography
• National Quantum Initiative
• Quantum Computing: A Cybersecurity Compliance Timeline (PDF)
• FS-ISAC Preparing for a Post-Quantum World by Managing Cryptographic Risk Report