The Board of Governors of the Federal Reserve System sees a range of emerging technological threats to the financial system, and quantum computing's ability to crack current cybersecurity programs is one of them.
In a report to Congress in August 2023, the Federal Reserve expressed concern about the potential risks that quantum computing poses to the security of the financial industry. The report emphasized that quantum computing has the potential to make current encryption standards obsolete, putting sensitive financial data at risk.
The report is divided into three main sections, including policies and procedures related to cybersecurity risk management, oversight and supervision of financial institutions, management of their internal information security programs, and the Reserve Banks' information security programs.
According to the report, quantum computing, with its unprecedented processing power, has the potential to break the encryption methods currently used to protect sensitive information used by financial institutions. The introduction of quantum cryptography is seen as a promising solution to address these vulnerabilities. It offers new ways to secure data at rest and in transit, promising to improve data integrity and confidentiality. However, the same advances could also be exploited by malicious actors to evade detection and facilitate data leakage, raising concerns about the double-edged nature of this technology.
"Quantum computing is another emerging area of risk, as quantum computing capabilities could render encryption standards currently used by financial institutions obsolete. The introduction of quantum cryptography will provide new solutions for protecting the integrity and confidentiality of data at rest and in transit, but will also provide threat actors with new capabilities to avoid detection and allow data exfiltration. Hardware requirements and other factors may make quantum cryptography difficult to implement widely at this time, especially in legacy systems."
One of the report's insights is that there are barriers to implementing quantum cryptography on a wider scale, especially when it comes to integrating with existing legacy systems. Substantial hardware requirements and other logistical challenges pose significant barriers to the rapid adoption of quantum cryptography. Despite its potential benefits, the transition to quantum cryptography will require careful planning and significant investment: an indication of the complexity of the road ahead for financial institutions.
The Fed's report emphasizes the need for collaboration and the importance of collective action to understand, assess and mitigate the risks associated with quantum computing.
Threats such as these underscore the importance of collective action by governments and strong collaboration with the private sector to advance measures to understand and mitigate risks, the report states.
Cybersecurity is a growing and evolving threat to the financial system. As a result, the regulation of financial institutions includes reviewing and monitoring an institution's cybersecurity risk management and information technology (IT) programs. As part of its safety and soundness oversight, the Commission issues cybersecurity-related regulations and guidance, reviews and monitors the cybersecurity risk management posture of regulated institutions, and collects data on cyber incidents (in conjunction with other federal financial regulators) to monitor trends in the financial services sector.
In addition, the Federal Reserve and Reserve Banks ensure the security of their internal information and information systems through robust cybersecurity risk management programs. The Board of Governors follows the requirements of the Federal Information Security Modernization Act (FISMA), and the Reserve Banks have adopted a framework based on National Institute of Standards and Technology (NIST) standards and guidance.
The Board of Governors and other regulators also issue interagency guidance on various aspects of information security risk in the financial services sector, and these guidelines require banks to establish internal controls and information systems commensurate with cyber risk. For example, the Interagency Guidelines for Establishing Information Security Standards require banking organizations to develop and implement administrative, technical, and physical safeguards to promote the security, confidentiality, and integrity of customer information.
Recent U.S. Bills Promoting Cybersecurity
The risk of incidents involving financial institution personnel and contractors has been increasing since 2020, when financial institutions began allowing remote access to core banking services and operational support systems over the Internet and allowing expanded access to permit remote work.
The Federal Reserve also warned Congress about the threat posed by artificial intelligence.
According to the report, the integration and advancement of machine learning tools in cybersecurity has the potential to lead to significant improvements, but it can also create new challenges. These tools could revolutionize the automation of security controls and simplify tasks such as intrusion detection and data loss prevention, thereby enhancing the protection of sensitive information.
However, the positive potential of machine learning may overshadow the threat it poses to financial systems. Threat actors may use these capabilities to their advantage.
The report notes that "recently deployed machine learning tools, including artificial intelligence generation techniques, may also provide threat actors with better ways to execute social engineering, email phishing, and SMS phishing attacks that disrupt access to corporate systems, emails, databases, and technology services."
"The adoption and development of machine learning tools will also present potential new risks. Machine learning capabilities can drive improvements in the automation of information security controls, such as intrusion detection and data loss prevention. However, threat actors can also leverage machine learning capabilities to automate cyber reconnaissance and attacks, further increasing the likelihood and impact of cyber incidents. Recently deployed machine learning tools, including generative AI techniques, may also provide threat actors with better ways to execute social engineering, email phishing, and text phishing attacks that disrupt access to corporate systems, email, databases, and technology services."
Through a combination of policy development, rigorous oversight of financial institutions and implementation of internal cybersecurity policies, the Fed aims to build a strong resilience posture. By increasing resilience across the financial sector, the Fed seeks to safeguard its own operations and the broader stability of the financial environment.