The BIS publishes quantum-readiness roadmap for the financial system

In a recent publication, the Bank for International Settlements (BIS) joined the surge of organizations and advisory bodies advocating migration by publishing a key roadmap for quantum-readiness.

It’s particularly interesting to see, given that the BIS operates at such a high profile. With its influence on global financial systems, policy guidance, oversight, and research and analysis (advice from the BIS is vital to central banks around the world), there’s little doubt that the paper, Quantum Readiness for Financial Systems: A Roadmap, will have an impact.

In essence, the roadmap points out the seriousness of the quantum threat, including the danger of Harvest Now, Decrypt Later attacks, signature forging, and compromised security protocols.

“The rapid advancement of quantum computing,” say the authors, “… poses a significant threat to the global financial system due to their expected ability to break some of the encryption methods that are widely used in today’s financial systems.”

It’s this threat, of course, that prompts action – and it’s clear that action needs to be taken in a detailed and collaborative way.

The BIS roadmap suggests a three-phase approach.

  1. Engagement. This involves broad collaboration among financial system participants, education and assessment, and setting priorities for cryptographic agility. Specifically, the guidance suggests defining what quantum-readiness looks like, forming dedicated teams with upskilling in place, and establishing budgets for research, training and consultation.
  2. Planning. This phase covers more detailed system-level migration timelines and common technical choices (algorithms, key sizes, hybrid, etc.), as well as milestone ‘cut-off’ dates for legacy protocols. There must also be alignment with domestic transition plans, particularly for cross-border systems. The planning phase involves identifying and prioritizing sensitive information and systems, developing a phased migration strategy, and ensuring interoperability.
  3. Execution. Under supervision at central bank level, this phase includes putting the transition plans into action, monitoring, regularly following up, and deploying system-level stress, performance, and penetration tests. The guidance recommends automation where possible, as well as thorough testing and ongoing validation.

In addition, the report focuses on some key principles for migration, such as:

  • Security by design
  • Cryptographic agility
  • Defense in depth

It’s good to see these foundational principles given profile, as they resonate clearly with PQShield’s own position. Whether in hardware or software, we provide IP that’s focused on security from a foundational layer – critical for components that are built today but need to be ready for the world of tomorrow.

For global financial systems, the stakes are high, and timely guidance from international bodies such as the BIS is critical for the mitigation of future threats. It’s clear that urgent, co-ordinated action from both public and private financial institutions is required, and this report lays out the steps ahead.