18 April 2023

Prosperity at Risk: The Quantum Computer Threat to the US Financial System

Arthur Herman & Alexander Butler

Due to the deep interconnectivity between public and private institutions and the inherent sensitivity of equity and credit markets, the financial sector network presents a prime target for a quantum attack. Even if America’s financial sector could install sufficient protections against conventional cyberattacks, it will remain a valuable and vulnerable target for a quantum-powered cyberattack.

Despite the many benefits that quantum computing is poised to bring to the financial sector, the threat of quantum-enabled cyberattacks and, more specifically, quantum decryption holds the potential to outweigh any gains in computational efficiency and accuracy. The impact of a cascading quantum attack on major banks, the Federal Reserve, or stock exchanges and derivative exchanges could be calamitous for the United States and the global economy. The risk of a catastrophic attack and financial collapse rises to levels that eclipse the 2008–09 crisis or the Great Depression.

Consequently, now more than ever, cyber threats, especially in the future quantum-enabled era, pose a critical risk to our national, economic, and even societal security—especially within the financial sector. While there are numerous attack vectors for a quantum-enabled adversary to exploit and a variety of points of failure within the vast financial system, experts have placed growing emphasis on the threat of a breakdown in the interbank payment system, specifically real-time-gross-settlement (RTGS) systems such as the Fedwire Funds Service that the US Federal Reserve provides.

The combination of the reliance on digital security that will be exposed to quantum intrusion, internally centralized operational design, and the overall concentration of network topology within Fedwire drastically increases the potential for a systemically disruptive event. If an adversary prevents the settlement of cross-border and domestic transactions between banks operating within the Fedwire RTGS system, a cyberattack could lead to liquidity issues for receiving parties, contract breaches, and payment and obligation failures, among other issues.

The high degree of interconnectivity within the financial sector can accelerate financial contagion and spread systemic risk. Consequently, a cyber disruption to Fedwire can ignite a chain effect in which the initial halt in interbank transaction processing can swell into liquidity crises in the financial system at large. Once a cryptographically relevant quantum computer exists, it could access the Fedwire network and initiate a disruption to payments, cause coordination failures within the system that hinder efforts toward resilience, and ultimately irreparably affect the US economy in the fashion of, or likely worse than, the 2008 financial crisis.

To account for both the direct financial impacts to the affected bank and the cascading effects throughout the broader financial system and the US macroeconomy, we implemented a two-staged economic analysis to quantify the total indirect economic impacts of a quantum computer cyberattack on the Fedwire interbank payment system. Our analysis demonstrates that such a hack would result in declines in annual real GDP ranging from over 10 percent in the baseline scenario to 17 percent in the maximum impact attack scenario, which begins with the initial attack scenario and lasting through the resulting six-month recession. Furthermore, our results indicate that such a decline in aggregate output would comprise a loss of between $2 and $3.3 trillion in indirect losses alone, as measured by GDP-at-risk.

Overall, our results demonstrate that a quantum-enabled cyberattack on Fedwire, or any other RTGS system or key financial market infrastructure (FMI), would result in catastrophic financial losses for the national economy. It could well launch us into the next Great Depression due to the intensity and duration of the first-, second-, and third-order indirect impacts modeled in our analysis.

The US government has designated financial services infrastructure as critical to national and economic security. Fortunately, both policy and technological solutions exist. However, without the system-wide adoption and implementation of quantum-safe encryption, quantum key distribution, or post-quantum cryptography, the US financial system will remain under threat, and our collective economic security will be at stake as the quantum future takes shape.

Regardless of financial and technological resilience, both regulators and market participants need to take on this known threat and win the quantum arms race.

We present four steps that policymakers can implement to get a head start in this quantum race.

First, they need to adopt and migrate to the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) standards for Fedwire protection with a clear timeline for implementation and replacement of legacy encryption systems.

Second, the chair of the Federal Reserve should call a Quantum Security Summit involving America’s largest banks and financial institutions to insist they start laying out plans for becoming quantum-secure.

Third, Congress needs to set a deadline for all 12 Federal Reserve banks to be quantum-secure.

Finally, the government should create a quantum security taskforce at the Federal Reserve to oversee and implement the migration timeline.

Please note that we originally derived our econometric calculations at the end of the second quarter of 2022. While we acknowledge that there have been profound changes in the financial system and the general economy since then, we emphasize that our results highlight the risks associated with critical infrastructure left exposed to the emerging quantum threat. Furthermore, although our analysis relies on several assumptions and on extrapolated data and information (see Appendix B), our results are likely an underrepresentation of the impacts of such a catastrophic event.

No comments: