The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a global intelligence-sharing platform that works to protect the financial sector from cybersecurity threats. It plays a vital role in helping the financial sector stay ahead of threats by providing early warnings, promoting collaboration, and reducing the impact of attacks.
Recently, the community released key findings in a report entitled ‘Building Cryptographic Agility in the Financial Sector’. The report underscores the urgent need for the financial sector to transition to cryptographic agility, ahead of the quantum threat.
Crypto-agility is, of course, a measure of an organization’s ability to adapt its cryptographic solutions quickly and efficiently in response to emerging threats, and for the financial sector, it really matters.
In fact, FS-ISAC suggests that the transition requires a ‘paradigm shift’ for financial organizations, and the report goes on to outline the framework for the shift:
- Inventory – a comprehensive assessment of existing cryptography
- Planning – a clear transition plan, selecting appropriate algorithms and timelines
- Validation – testing of new quantum-resistant algorithms in an isolated environment
- Replacement – systematic replacement of vulnerable, outdated cryptographic components
- Maintenance – monitoring, training, risk assessments and updates
- Ongoing – an iterative process for revisiting and revising algorithms and performance
In addition, the report outlines core elements that are considered critical for a successful transition. These include evaluation of infrastructure and governance structures to establish policies for oversight and compliance. Collaboration with third-party vendors is also key to ensure their components align with crypto agility, alongside ongoing transparency with stakeholders.
The report also provides a useful model for measuring crypto agility, ranging from Level 0 (no progression) to Level 4 (sophisticated and responsive):
- Level 0: Initial/Not Possible: No progression towards crypto agility.
- Level 1: Possible: Basic recognition but minimal documentation and inconsistent practices.
- Level 2: Prepared: Policy development, crypto inventory management, and modular system design.
- Level 3: Practiced: Established management processes, regular training, and agility enforcement.
- Level 4: Sophisticated/Adaptive: Dynamic controls, automation, cross-system interoperability, and rapid responsiveness to threats.
FS-ISAC also acknowledges some of the challenges ahead and goes into detail about the topology and technical details for algorithm replacement.
There’s little doubt that the transition is likely to be a complex and potentially lengthy process, and it might require a number of considerations. For example, deeply embedded cryptography can be extremely hard to refactor and update, and the implementation of quantum-resistant cryptography is certainly a specialized skill that will require significant expertise. There can also be a performance overhead associated with resource-intensive cryptographic processes.
With the threat of ‘harvest-now-decrypt-later’ attacks, the report could hardly be more timely for financial organizations. Once again, it underlines the imminence of the quantum threat, and the urgency with which organizations need to consider their response.
Our goal at PQShield is to help organizations stay one step ahead of the attackers, and so for us crypto-agility is paramount. That’s why we’ve designed flexible solutions that can maximize security, while keeping a low footprint, as well as high-performance IP designed to process data at speed. In addition, our software solutions are easy to integrate and carry the very latest post-quantum cryptography algorithms.
It’s clear that the quantum threat is being taken seriously, and adoption of new quantum-resistant technology is now essential to protect our sensitive data, our critical infrastructures, and our most important assets.
As this report points out, the need is to help stakeholders across organizations “understand the problem-space, grasp the necessity of crypto agility, and define an approach that works”.
You can read the full FS-ISAC report here.