The Federal Reserve faces many distractions right now, from curbing inflation to keeping a vulnerable mid-size banking sector from roiling the financial system. But there’s one threat on the horizon that dwarfs them all. That’s the threat of a future quantum computer attack on our financial sector.
It’s a threat the White House and federal government is finally taking seriously, thanks to a series of executive orders released last year that tied the White House’s Zero-Trust Cybersecurity strategy to deadlines for federal agencies to plan for migrating to quantum-secure cyber solutions.
It’s time our financial industry brought the same mindset to the quantum threat, starting with the Federal Reserve.
Our latest Quantum Alliance Initiative study shows that despite the many benefits that quantum computing will eventually bring to our economy and the financial sector in particular, the numbers show that the impact of a cascading quantum attack on major banks, the Federal Reserve, and/or on stock exchanges and derivative exchanges, could be calamitous for the U.S. and the global economy—comparable or even worse than the Great Depression.
As we’ve explained in this column many times before, instead of digital bits quantum computers employ “qubits” which can represent any combination of 0 and 1 simultaneously, to encode and process data. This allows computing power grow exponentially as the number of qubits expands. A 2,000- to 4,000-qubit quantum computer, for example, would quickly decrypt almost all public-key encryption architectures—the ones used for everything from banking and credit cards to the power grid. Those architectures rely on numbers too big for conventional computers to factorize, but which a quantum computer could.
In November 2021 we warned Fed Chairman Powell that the threat to financial infrastructure could be as grave as any the country has faced. We knew from conversations with Treasury Department officials that banks and the Fed work closely with the federal government and Treasury on cybersecurity issues. But despite warnings from the 2020 Office of Financial Research report on the quantum risk to financial stability, there’s still a big hole when it came to confronting the quantum threat.
Those discussions, including with Fed officials, always came back to the same question: how serious could the threat be? What that in mind, we decided launch an econometric study of an attack on one of the most vulnerable aspects of the interbank payment system the Federal Reserve oversees, namely the Fedwire Fund Service that the Fed provides real-time-gross settlement (RTGS) for interbank payments.
Our preliminary study had indicated that a future quantum attack would be far worse than comparable conventional computer hacks, because it would be undetectable (all transactions or access by nefarious actors would appear as authentic) and as such could continue for days or weeks. Indeed, a quantum computer attack could impair nearly 60% of total assets in the banking system due to bank runs and endogenous liquidity traps. We estimated that a single quantum attack on one of the five largest U.S. financial institutions (by assets) aimed at the Fedwire Funds Service payment system could trigger a cascading financial failure costing anywhere from $730 Billion to $1.95 Trillion.
The final report we have just released, “Prosperity at Risk,” provides a more exact picture of the overall potential costs. Our analysis found that a quantum hack and its cascading impact across the financial sector would result in declines in annual real GDP ranging from 10 in the baseline scenario to 17 percent in the maximum impact attack scenario. Ultimately, such an event would spread throughout the US economy and thrust the nation into a six-month long recession.
Our study concludes that the decline in aggregate output would result in a loss of between $2 and $3.3 trillion in indirect losses, as measured by GDP-at-risk: a much larger loss than our initial estimates indicated.
Critics may try to dismiss these numbers by insisting that quantum computers capable of this kind of assault are—according to the experts—at least a decade or more away. The problem is, getting our financial system quantum secure includes analyzing which data and networks need the most protection; and which legacy cybersecurity systems need to be not just patched, but completely replaced. The migration timeline will take almost as long as the timeline to an imminent quantum decryption threat. By then, it will be too late.
With that in mind, we recommend four steps Chairman Powell and other policy-makers can take to get ahead of this threat.
First, adopt and migrate to the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) standards for Fedwire protection, including a clear timeline for implementing and replacing legacy encryption systems.
Second, summon a Quantum Security Summit involving America’s largest banks and financial institutions, to devise an action plan for quantum-reading for our entire financial system.
Third, Congress needs to set a deadline for all 12 Federal Reserve banks to be quantum secure.
Finally, the Federal Reserve chairman should create a quantum security task-force at the Fed to oversee and implement the migration timeline, in coordination with the White House’s Zero-Trust Cyber initiative and its post-quantum provisions.
It’s important to remember that risk is the price you never thought you’d have to pay. From that perspective, future quantum computers pose a risk to our financial sector so catastrophic we need to start confronting the problem today.