CyberWire Daily - Future-proofing finance: FS-ISAC’s blueprint for cryptographic agility. [Special Edition]
Episode Date: December 31, 2024
Brandon Karpf sits down with Mike Silverman, Chief Strategy and Innovation Officer at FS-ISAC, to discuss the white paper Building Cryptographic Agility in the Financial Sector. Authored by experts from FS-ISAC's Post-Quantum Cryptography Working Group, the paper addresses the vulnerabilities posed by quantum computing to current cryptographic algorithms. It provides financial institutions with strategies to safeguard sensitive data and maintain trust as these emerging threats evolve. Discover the challenges and actionable steps to build cryptographic agility in this insightful conversation.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code n2k. And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface,
making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context, ... organization with Zscaler, Zero Trust, and AI.
In today's N2K CyberWire Special Edition, N2K CyberWire's Executive Editor, Brandon Karpf, sits down with Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC, discussing their new white paper,
Building Cryptographic Agility in the Financial Sector.
And we are joined today by Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC.
Good friends of the podcast, Mike, so great to have you on the show.
It's a pleasure. Thank you for having me here.
So what we're talking today about is a recent publication from FS-ISAC on building cryptographic
agility in the financial sector, just published in October 2024. And this is coming out, I imagine,
for a few reasons. But before we get into the details of this publication,
Mike, I'd be really curious, what is cryptographic agility?
You know, it's a funny question.
It took, like I run the post-quantum cryptography working group at FS-ISAC,
which is 30 or so cryptography and cybersecurity experts
at financial services firms from around the globe,
all working together for this common cause. And actually, the genesis of the paper was there was no definition of
cryptographic agility. That's why we actually came together. And it took us three months to
actually come up with a concise enough definition that made us feel comfortable to share with others.
Okay. I'll say it's two parts. One, there's the direct piece,
which is to be able to swap out
a cryptographic algorithm
and all of its components,
certificates,
and other sort of things
when needed as a result
of a vulnerability
or a cryptanalysis attack
or some sort of reason
for needing to switch
this cryptographic infrastructure.
But the other part is that cryptographic agility is a design principle.
It's a maturity that you try to obtain.
Today, none of us are cryptographically agile.
If we had to switch, it'd be a one-off manual effort.
The idea here is that the goal would be, over time, build the capability so that when you
switch these cryptographic algorithms and infrastructure, you do so with no or very
minimal disruption to the business. That's the ultimate goal. And you have to design for that.
That is not something that you can just wave a magic wand or just ask one developer to do. This
is an ecosystem, infrastructure, process, and people change to make this happen.
So I think back to when I was doing cryptographic
type work and how many pieces of our technical and operational infrastructure were touched by
our use of cryptology and cryptographic systems. So when you talk about crypto agility,
I mean, what are some of these key challenges
that organizations face in implementing a change like that?
If there's a recent attack or something
that affects the integrity of a cryptographic system,
for an organization to actually change their use of a system
or change their system entirely,
what are they going to be confronted with?
How much time do we have on this podcast?
Six more minutes.
Six more minutes, right. Well, everything gets touched when it starts to come to crypto agility. It is the code
written in applications. It is the, if we're thinking digital signatures or symmetric cryptography,
we're thinking of all of those keys
that need to be rotated
or chained from the old to the new.
There's questions.
Do you preserve the old
and put the new on top of that?
Do you decrypt and then re-encrypt with the new?
There's a lot of challenges to think about that way.
There's certificates and where you store these keys
and the parameters you use on these things.
There's some consideration of the endpoint.
Is this a point-of-sale device
that's very limited in hardware
versus a full-blown server?
Your point-of-sale systems may not be
able to embrace the newest, latest, biggest algorithms that you want to use elsewhere in
your ecosystem. I could keep going, but I think you get the idea. This is a very holistic sort
of approach. This is hard. Yeah, this is hard. And so, you know, why now? What was the genesis,
right? Sure, needing a definition of crypto agility,
but why is the FS-ISAC publishing this work today?
The biggest reason why we're starting now is,
and it's FS-ISAC's raison d'etre,
is to preserve trust within the financial services sector.
Our system is built on trust, right?
You need to know that as a customer of a financial institution,
you put money in,
you get the right amount of money back out. Institutions need to be able to trade with
one another and know that they're going to take the other side of that trade, good or bad,
positive or negative. That's the only way this system works, right? So let me go back to the
basics. We use cryptography for confidentiality, for integrity, for non-repudiation,
for authentication, right? Authenticity. The basics of that is all of those aspects help
build to preserve the trust within the ecosystem. Introduce this attack vector of quantum computers.
Now, quantum computers have an amazing upside. They will help research and
chemistry and risk analysis in many different dimensions, solving huge mathematical problems
we can't do on classic computers today. There's the downside risk, though, which is when a quantum
computer becomes sufficiently large, or a cryptographically relevant quantum computer, or CRQC, it will be able to factor huge prime numbers.
And factoring huge prime numbers is the basis for asymmetric cryptography today. RSA is built on that. That is the public-private key on how we establish most web sessions today. If that gets compromised, essentially anyone could be listening
in at the start of a web session and be monitoring that traffic going forward. And so for us, that is
a huge problem and we need to get ahead of it. Now, financial services has been through quite a few
cryptographic transitions before. Single DES to triple DES.
Triple DES to AES.
RSA 1024 to 2048, right?
There have been these things,
but we have always been treating these as one-offs.
Just get to the next one,
and this algorithm will work for our lifetime.
Get to the next one, this will work for a lifetime.
And what we're realizing over and over and over again is
we should not be taking that as fait accompli anymore.
These transitions are going to keep coming.
The size of these transitions are just growing in speed, in complexity.
The number of endpoints are growing.
The amount of electronic transactions that occur
versus physical transactions, the speed.
Every transition has been bigger and bigger,
exponentially bigger and bigger than the last one.
And once we're realizing we can no longer
take our algorithms to last 30 years,
we need to think differently.
We need to design for the fact
that these algorithms are going to change,
which is a new concept for us,
but we have to design for that.
That's what cryptographic agility does,
to design, expect these things to maybe fail
so that we can preserve the trust within the ecosystem.
That's a very rational approach,
thinking that these systems are probably modular.
How many times have we been burned in the past
that these systems that we think are going to be
perfectly secure in perpetuity,
a few years later,
some enterprising engineer effectively breaks them?
So I love that approach and that way of thinking
that let's make this modular.
Let's build or design or engineer
what you all have termed the crypto agility
into our systems.
Now, when I think about the financial services specifically, and I think about this industry
that you all are supporting, that system is growing in complexity with all these various
third parties and vendors and financial technologies and mobile banking and services,
what have you. So what are some of the best practices then in implementing
the shift in governing? That's another piece, governing the shift to crypto agility for the
financial services industry. I say there's quite a few aspects to how we want to embrace this.
And some of this we actually started writing on last year, even before this paper even came out.
One of the basis we need to do as we
start to think about this transition is an inventory. Where are we using cryptography today?
Again, back to the earlier point, we have been taking cryptography as fait accompli. It just
works. So we haven't been categorizing it or storing the necessary information consistently
in our asset management
guides, right? This is a scary question, but I've asked many financial services professionals over
the last few years, how many raise your hand in the audience if you know where 100% of your keys
are, the cryptographic keys? Brandon, how many do you think have ever raised their hand?
I'm sure none of them were willing to put their reputations on the line for that.
Exactly right.
And so the first step in this is get your hands around the problem.
Just how many different cryptographic algorithms are we using?
Old, new, etc.
What are their key sizes?
Where are we storing these keys?
What does that ecosystem look like?
Is that just direct
from us to our customers or our consumers or callers? Is that with third parties? What does
that cryptographic bill of materials look like for each of these use cases? Start to define that now,
right? There's the current state processes. How often do you do your key rotations, your signature updates, whatever it may be?
You know, again, especially the larger the institution, you may have business units or divisions that may have different processes from one another.
So start to normalize and understand those nuances now, right?
There's also the education side,
the people side of things.
Again, most people just assumed the cryptography, they just took,
it's going to work, don't worry about it.
Now we have to educate and go,
no, we need to design and think differently
about cryptography.
That's a very different approach
for anyone in computer science
or developing these systems of where am I going to authenticate? How am I going to ensure the trust and the accuracy and the authentication, the other aspects of this ecosystem?
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Well, so, you know, then thinking about the future state of this,
as we move towards a post-quantum world and rapidly towards that,
which seems like the driving force that all organizations and security officers
should be considering the things and the processes that you were just talking through,
do we expect, especially in an industry like the financial services,
heavily regulated, heavily controlled, do we expect any regulatory changes to come that address quantum security?
I need to say that FS-ISAC is not a policy engine. We're apolitical, so we don't have much influence on that.
I will say that there already are some legislation in place to do this.
DORA, especially in Europe, is looking at
different aspects of cryptography. The federal government in the US has asked a lot of its
agencies to upgrade its infrastructure to PQC or post-quantum cryptography by fiscal year 2030.
So financial services will get wrapped up into a lot of those movements.
Sure. And 2030 is not too far away.
No, it's five years, right?
Yeah.
Really, it's just five years. And that's a ... supporting the security of the financial services industry.
What's next for you all in this effort around cryptographic agility?
And how can institutions within your industry work with you or benefit from the work that
you're doing to keep pace?
One is make the recognition that we need to start now.
We need to start these inventory, the current state analysis, the risk analysis.
What are the riskiest assets
we need to start migrating first, right?
All of these sort of things
to look at the infrastructure and go,
we need to think differently
and make significant investments
in order to become
more cryptographically agile.
It would be easy for some
to kick the can down the road.
Look, this is not Y2K.
There is no December 31st, 1999 date that says,
that must be done by this date or you're done.
That doesn't exist.
You know, there's recommendations to this in five years.
Some vendor roadmaps have a CRQC
or cryptographically relevant quantum computer
in maybe seven to 10 years.
Dr. Mosca's survey shows the experts think 10 to 15. So one could say that quantum computers,
though, is not the only threat. We've seen a paper last October that claimed to have broken RSA
without the use of a quantum computer. Now, it was proven false, but that did that.
There was also a paper in April that claimed to break lattice math, which is the fundamental
basis for NIST's new post-quantum cryptography asymmetric algorithm, ML-KEM. Again, that one
was found to have an error and proven false. But all this here is to say,
this is the case for action.
We need to start moving and start thinking this way and preparing for these transitions now.
To work with us, yes,
our next steps are to go even deeper
to the architecture that we've already proposed.
We're doing work with financial services specific vendors
to understand how they are ready and how they're going to integrate into the ecosystem. Because you as a firm, whether you're financial services or not, you can only own what you manage, right? You're dependent on many third or end parties. So how are they going to all help you in your ecosystem? Have they started even to prepare?
We have to look at, especially in financial services, how payment networks are all going to integrate with one another and what are
the dates we have to start doing that or exchanges, you name it, right? It's really a lock, stock and
barrel assessment of we need to start thinking about this, planning for this now alongside all
the other investments that people have going on.
There's that little artificial intelligence thing that people are making investments in. There's
digital assets that people are starting to embrace, right? So there's all these other
competing priorities, and this needs to be one of those competing priorities.
The paper itself has two aspects to it. There's the business side or the management
side, and then the technical side. So this paper can be read by many different perspectives,
many different roles within the organization. The business side is more of the case for action and
what you're going to expect or may expect as you embrace it. And the second side is the technical things of what is it actually going to take from an infrastructure,
from a technical aspect to embrace cryptographic agility.
Well, the report is Building Cryptographic Agility in the Financial Sector, published by the FS-ISAC.
We, of course, will have a link to that in the show notes.
It's a great report. There is a lot in here.
Mike, so great having you on the show.
We will have you back soon.
My pleasure.
Thank you so much for having me, Brian.
Our thanks to Mike Silverman,
Chief Strategy and Innovation Officer at the FS-ISAC for joining us.
The white paper is titled Building Cryptographic Agility in the Financial Sector.
We'll have a link in the show notes. Thanks for joining us. We'll see you back here next time.