The advent of quantum computing and generative artificial intelligence could potentially pose new risks to the US financial system, warned the Board of Governors of the Federal Reserve System in a report issued to Congress on August 1, 2023 (the Report). These threats and others warrant unspecified “collective actions across government and strong collaboration with the private sector in advancing measures to understand and mitigate risks,” says the Report.
According to the Report, “[q]uantum computing is [an] emerging risk area, as quantum computing capabilities could render current encryption standards used by financial institutions obsolete.” Likewise, the Fed also noted that “[t]he adoption of machine learning tools [including generative AI technologies] will also introduce new risks. … Threat actors [could] use machine learning capabilities to automate cyber reconnaissance and attacks, further increasing the likelihood and impact of cyber incidents.”
The Report noted that these risks are in addition to risks prompted by geopolitical tensions (including the Russian invasion of Ukraine) that “increase the likelihood of cyberattacks with the intent of disrupting critical infrastructure” and general cyber-criminal activity, including ransomware as a service and threats that aim to exploit weaknesses in authentication mechanisms.
Experts are divided as to when quantum supremacy may be realized (i.e. when a programmable quantum computer can reliably solve problems with at least the same accuracy and faster than a classical computer). Common estimates range from 3 – 10 years[1] to not until 2042 according to the median of predictions on Metaculus, a forecasting platform.[2] However, these predictions may not account for recent advances in “error mitigation” and other techniques that should enable quantum computers with fewer qubits to operate more efficiently and reliably. As a result, “we may see general-purpose quantum computers earlier than many would have anticipated just a few years ago...,” reports a recent article in MIT Technology Review.[3]
(Unlike today’s classical computers which rely on many transistors known as “bits” connected by circuits known as “gates” that operate logically based on the binary on or off status of their transistors – commonly represented as 0 or 1 – quantum computers rely on qubits which generally are sub-atomic particles that, through a characteristic termed “superposition,” can simultaneously exist in states of 0 and 1.)
In response to the potential threat of encryption compromise by bad actors, the National Institute of Standards and Technology (NIST) has already approved four quantum-resistant cryptographic algorithms that might be used to withstand an attack by a future quantum computer, and is also evaluating other possible algorithms.[4]
Therefore, unlike the challenges the financial services industry experienced in preparing for the Y2K bug in advance of the turn of the current century, there is no certain date by which the industry must prepare for the advent of reliable quantum computers. Moreover, it may be challenging today to prepare for the potential threats of quantum computing. According to the Report, “[h]ardware and other requirements and other factors may make the wide-spread implementation of quantum cryptography difficult currently, especially in legacy systems.”
Thus, it is likely important that financial services firms at least begin inventorying their systems and devices (including third-party provided services and devices) containing data that is potentially susceptible to compromise, and begin considering how to deploy upgraded encryption algorithms, if possible, or alternative solutions. Consideration should also be given to whether supplemental disclosure or other action should be taken in connection with previously compromised confidential data.
Additionally, the Report identified threats by bad actors using machine learning tools, including generative AI, to compromise firms’ systems and private data. “The recent deployment of machine learning tools … may also provide threat actors with improved methods for performing social engineering, email phishing, and text messaging attacks compromising access into firms’ systems, emails, databases and technology services,” said the Report. Financial services firms should likely also be reviewing the adequacy of their existing safeguards against these enhanced attacks.
[1] Pavle Avramovic, Sam Qayyum, Rupesh Srivastava, Evert Geurtsen, “A Quantum Leap for Financial Services” (Insight/FCA, July 4, 2021) (“FCA Article”), at pg. 2: https://www.fca.org.uk/insight/quantum-leap-financial-services.
[2] https://www.metaculus.com/questions/3684/when-will-a-quantum-computer-running-shors-algorithm-or-a-similar-one-be-used-to-factor-one-of-the-rsa-numbers-for-the-first-time/. (Thanks to Metaculus for providing updated information on August 11, 2023, to a prior citation that noted 2048 as being the relevant year, that appeared on an earlier version of this advisory.)
[3] Michael Brooks, “What’s next for quantum computing” (MIT Technology Review, January 6, 2023): https://www.technologyreview.com/2023/01/06/1066317/whats-next-for-quantum-computing/.
[4] “NIST Announces First Four Quantum-Resistant Cryptographic Algorithms” (NIST Press Release, July 5, 2022): https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms.
"The introduction of quantum cryptography will provide new solutions for protecting the integrity and confidentiality of data at rest and in transit but will also give threat actors new capabilities to avoid detection as well as permit data exfiltration." -- Board of Governors of the Federal Reserve System