![Future-proofing finance: FS-ISAC’s blueprint for cryptographic agility. [Special Edition] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/e3e75940-bf08-11ef-aa17-5f17890e0474/image/0216c9cea15c53e5d2c739964a38623c.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Mike Silverman
You're listening to the CyberWire Network powered by N2K.
Brandon Karpf
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
Dutch Bros Ad
This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel Energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free medium drink reward upon registration, 14-day expiration, terms apply. See DutchBros.com.
Brandon Karpf
Hello and thanks for joining us. In today's N2K CyberWire Special Edition, N2K CyberWire's Executive Editor, Brandon Karpf, sits down with Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC, discussing their new white paper, Building Cryptographic Agility in the Financial Sector.
Interviewer
And we are joined today by Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC, good friends of the podcast. Mike, so great to have you on the show.
Mike Silverman
Oh, it's a pleasure. Thank you for having me here.
Interviewer
So what we're talking about today is a recent publication from FS-ISAC on building cryptographic agility in the financial sector, just published in October 2024. And this is coming out, I imagine, for a few reasons. But before we get into the details of this publication, Mike, I'd be really curious. What is cryptographic agility?
Mike Silverman
You know, it's a funny question. It took... I run the Post-Quantum Cryptography working group at FS-ISAC, which is 30 or so cryptography and cybersecurity experts at financial services firms from around the globe, all working together for this common cause. And actually, the genesis of the paper was that there was no definition of cryptographic agility. That's why we actually came together. And it took us three months to actually come up with a concise enough definition that made us feel comfortable to share with others. Okay, I'll say it's two parts. One, there's the direct piece, which is to be able to swap out a cryptographic algorithm and all of its components, certificates and other sorts of things, when needed as a result of a vulnerability or, you know, a cryptanalysis attack or some sort of reason for needing to switch this cryptographic infrastructure. But the other part is that cryptographic agility is a design principle. It's a maturity that you try to obtain. You know, today none of us are cryptographically agile. If we had a switch, it'd be a one-off manual effort. The idea here is that the goal would be, over time, build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business. That's the ultimate goal, and you have to design for that. That is not something that you can just wave a magic wand at or just ask one developer to do. This is an ecosystem, infrastructure, process and people change to make this happen.
Interviewer
So I think back to when I was doing cryptographic type work and how many pieces of our technical and operational infrastructure were touched by our use of cryptology and cryptographic systems. So when you talk about crypto agility, I mean, what are some of these key challenges that organizations face in implementing a change like that? If there's a recent attack or something that affects the integrity of a cryptographic system, for an organization to actually change their use of a system or change their system entirely, what are they going to be confronted with?
Mike Silverman
How much time do we have on this podcast?
Interviewer
Six more minutes.
Mike Silverman
Six more minutes, right. Well, everything gets touched when it starts to come to crypto agility. It is the code written in applications. It is the... If we're thinking digital signatures or symmetric cryptography, we're thinking of all of those keys that need to be rotated or changed from the old to the new. There are questions. Do you preserve the old and put the new on top of that? Do you decrypt and then re-encrypt with the new? There are a lot of challenges to think about that way. There are the certificates, and where you store these keys, and the parameters you use on these things. There's some consideration of the endpoint. Is this a point-of-sale device that's very limited in hardware versus a full-blown server? Your point-of-sale systems may not be able to embrace the newest, latest, biggest algorithms that you want to use elsewhere in your ecosystem. I could keep going, but I think you get the idea. This is a very holistic sort of approach.
Interviewer
This is hard. Yeah, this is hard. And so you know, why now? What was, what was the genesis? Right, sure. Needing a definition of crypto agility. But, but why is the FS ISAC publishing this work today?
Mike Silverman
The biggest reason why we're starting now is, and it's FS-ISAC's raison d'etre, to preserve trust within the financial services sector. Our system is built on trust, right? You need to know that as a customer of a financial institution, you put money in, you get the right amount of money back out. Institutions need to be able to trade with one another and know that they're going to take the other side of that trade, good or bad, you know, positive or negative. That's the only way this system works, right? So let me go back to the basics. We use cryptography for confidentiality, for integrity, for non-repudiation, for authentication, right? Authenticity. The basics of that is all of those aspects help build to preserve the trust within the ecosystem. Introduce this attack vector of quantum computers. Now, quantum computers have an amazing upside. They will help research in chemistry, in risk analysis, in many different dimensions, solving huge mathematical problems we can't do on classic computers today. There's the downside risk though, which is when a quantum computer becomes sufficiently large, a cryptographically relevant quantum computer or CRQC, it will be able to factor huge prime numbers. And factoring huge prime numbers is the basis for asymmetric cryptography today. RSA is built on that. That is the public-private key on how we establish most web sessions today. If that gets compromised, essentially anyone could be listening in at the start of a web session and be monitoring that traffic going forward. And so for us that is a huge problem and we need to get ahead of it. Now, financial services has been through quite a few cryptographic transitions before. Single DES to Triple DES, Triple DES to AES, RSA 1024 to 2048, right? There have been these things, but we have always been treating these as one-offs. Just get to the next one and this algorithm will work for our lifetime. Get to the next one, this will work in a lifetime.
And what we're realizing over and over and over again is we should not be taking that as fait accompli anymore. These transitions are going to keep coming. The size of these transitions is just growing, in speed, in complexity. The number of endpoints is growing, the amount of electronic transactions that occur versus physical transactions, the speed. Every transition has been bigger and bigger, exponentially bigger and bigger than the last one. And once we're realizing we can no longer take our algorithms to last 30 years, we need to think differently and we need to design for the fact that these algorithms are going to change, which is a new concept for us. But we have to design for that. That's what cryptographic agility does: design and expect these things to maybe fail so that we can preserve the trust within the ecosystem.
Interviewer
That's a very rational approach, right? Thinking that these systems are probably modular. How many times have we been burned in the past that these systems that we think are going to be perfectly secure in perpetuity, a few years later, some enterprising engineer effectively breaks them? So I love that approach and that way of thinking that let's make this modular, let's build or design or engineer what you all have termed the crypto agility into our systems. Now, now, when I, when I think about the financial services specifically, and I think about this industry that you all are supporting, that system is growing in complexity with all these various third parties and vendors and financial technologies and mobile banking and services, what have you. So what are some of the best practices then in implementing the shift in governing? That's another piece governing the shift to crypto agility for the financial services industry.
Mike Silverman
I say there's quite a few aspects to how we want to embrace this. And some of this we actually started writing on last year, even before this paper came out. One of the bases we need as we start to think about this transition is an inventory. Where are we using cryptography today? Again, back to the earlier point, we have been taking cryptography as fait accompli. It just works. So we haven't been categorizing it or storing the necessary information consistently in our asset management guides. Right. This is a scary question, but I've asked many financial services professionals over the last few years: raise your hand in the audience if you know where 100% of your keys are. The cryptographic keys. Uh huh. Brandon, how many do you think have ever raised their hand?
Interviewer
I'm sure none of them were willing to put their reputations on the line for that.
Mike Silverman
Exactly right. And so the first step in this is get your hands around the problem. Just how many different cryptographic algorithms are we using? Old, new, et cetera? What are their key sizes? Where are we storing these keys? What does that ecosystem look like? Is that just direct from us to our customers or our consumers or callers? Is that with third parties? What does that cryptographic bill of materials look like for each of these use cases? Start to define that now. Right. There's the current state processes. How often do you do your key rotations, your signature updates, whatever it may be? Again, especially the larger the institution, you may have business units or divisions that may have different processes from one another. So start to normalize and understand those nuances now. Right? There's also the education side, the people side of things. Again, most people just assumed the cryptography they just took, it's going to work, don't worry about it. Now we have to educate and go. No, we need to design and think differently about cryptography. That's a very different approach for anyone in computer science or developing these systems of where am I going to authenticate? How am I going to ensure the trust and the accuracy and the authentication, the other aspects of this ecosystem.
Brandon Karpf
We'll be right back. And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.
Interviewer
Well, so, you know, then thinking about the future state of this as we move towards a post-quantum world, and rapidly towards that, which seems like the driving force that all organizations and security officers should be considering. The things and the processes that you were just talking through: do we expect, especially in an industry like financial services, heavily regulated, heavily controlled, do we expect any regulatory changes to come that address quantum security?
Mike Silverman
I need to say that FS-ISAC is not a policy engine. We're apolitical, so we don't have much influence on that. I will say that there already is some legislation in place to do this. DORA, especially in Europe, is looking at different aspects of cryptography. The federal government in the US has asked a lot of its agencies to upgrade its infrastructure to PQC, or post-quantum cryptography, by fiscal year 2030. So financial services will get wrapped up into a lot of those movements.
Interviewer
Sure. And 2030 is not too far away.
Mike Silverman
No, it's five years, right? Yeah, it really is just five years. And that's, that's a lot of work to do in five years.
Interviewer
It is, it is. Well, so then, you know, thinking about what comes next for FS-ISAC, for the work that you do supporting the security of the financial services industry, what's next for you all in this effort around cryptographic agility, and how can institutions within your industry work with you or benefit from the work that you're doing?
Mike Silverman
To keep pace, one is make the recognition that we need to start now. We need to start the inventory, the current-state analysis, the risk analysis: what are the riskiest assets we need to start migrating first? Right. All of these sorts of things, to look at the infrastructure and go, we need to think differently and make significant investments in order to become more cryptographically agile. It would be easy for some to kick the can down the road. Look, this is not Y2K. There is no 12-31-1999 date that says thou must be done by this date or you're done. That doesn't exist. There are recommendations: do this in five years. Some vendor roadmaps have a CRQC, a cryptographically relevant quantum computer, in maybe seven to 10 years. Dr. Mosca's survey shows the experts think 10 to 15. So one could say that quantum computers, though, are not the only threat. We saw a paper last October that claimed to have broken RSA without the use of a quantum computer. Now, it was proven false, but that did that. There was also a paper in April that claimed to break lattice math, which is the fundamental basis for NIST's new post-quantum cryptography asymmetric algorithm ML-KEM; again, that one was found to have an error and proven false. But all of this here is to say this is the case for action. We need to start moving and start thinking this way and preparing for these transitions now. To work with us? Yes, sure. Our next steps are to go even deeper into the architecture that we've already proposed. We're doing work with financial services specific vendors to understand how they are ready and how they're going to integrate into the ecosystem. Because you as a firm, whether you're a financial service or not, you can only own what you manage.
Interviewer
Right.
Mike Silverman
You're dependent on many third or nth parties. So how are they going to all help you in your ecosystem? Have they started even to prepare? We have to look at, especially in financial services, how payment networks are all going to integrate with one another and what are the dates we have to start doing that or exchanges, you name it. Right. It's really a lock, stock and barrel assessment of we need to start thinking about this, planning for this now alongside all the other investments that people have going on, there's that little artificial intelligence thing that people are making investments in. There's digital assets that people are starting to embrace. Right. So there's all these other competing priorities and this needs to be one of those competing priorities. The paper itself has two aspects to it. There's the business side or the management side and then the technical side. So this paper can be read by many different perspectives, many different roles within the organization. The business side is more of the case for action and what you're going to expect or may expect as you embrace it. And the second side is the technical things of what is it actually going to take from an infrastructure, from a technical aspect to embrace cryptographic agility?
Interviewer
Well, the report is Building Cryptographic Agility in the Financial Sector, published by the FS-ISAC. We of course will have a link to that in the show notes. It's a great report. There is a lot in here. Mike, so great having you on the show. We will have you back soon.
Mike Silverman
My pleasure. Thank you so much for having me, Brian.
Brandon Karpf
Our thanks to Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC, for joining us. The white paper is titled Building Cryptographic Agility in the Financial Sector. We'll have a link in the show notes. Thanks for joining us. We'll see you back here next time.
Podcast Summary: CyberWire Daily – Future-proofing Finance: FS-ISAC’s Blueprint for Cryptographic Agility [Special Edition]
Introduction
In this special edition of CyberWire Daily, hosted by Brandon Karpf of N2K Networks, the focus centers on the critical topic of cryptographic agility within the financial sector. The episode features an in-depth conversation between Brandon Karpf and Mike Silverman, Chief Strategy and Innovation Officer at the Financial Services Information Sharing and Analysis Center (FS-ISAC). Released on December 31, 2024, the episode delves into FS-ISAC’s newly published white paper, Building Cryptographic Agility in the Financial Sector, exploring its significance, challenges, and implementation strategies.
Defining Cryptographic Agility
The discussion begins with an exploration of the fundamental concept of cryptographic agility. Mike Silverman elucidates that cryptographic agility consists of two primary components:
Algorithm Flexibility: The ability to replace cryptographic algorithms and their associated components—such as certificates—swiftly in response to vulnerabilities or advances in cryptanalysis. Silverman explains, “You need to be able to swap out a cryptographic algorithm and all of its components... when needed” (02:34).
Design Principle for Minimal Disruption: Embedding cryptographic agility as a design principle enables organizations to transition to new cryptographic standards with minimal or no business disruption. Silverman emphasizes, “The goal would be, over time, build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business” (02:34).
Challenges in Implementing Cryptographic Agility
Brandon Karpf probes into the complexities organizations face when adopting cryptographic agility. Mike Silverman outlines several key challenges:
Comprehensive Impact: Implementing crypto agility affects various facets of an organization’s infrastructure, including application code, key management, certificate handling, and endpoint compatibility. Silverman states, “Everything gets touched when it starts to come to crypto agility... This is a very holistic sort of approach” (04:54).
Technical Hurdles: Decisions on key rotation, encryption methods, and certificate management present significant technical challenges. For instance, organizations must determine whether to preserve old keys while introducing new ones or to switch entirely, which requires meticulous planning.
Diverse Infrastructure: The heterogeneous nature of financial systems, ranging from limited hardware on point-of-sale devices to robust server environments, complicates the uniform implementation of new cryptographic standards.
Rationale for Addressing Cryptographic Agility Now
The conversation shifts to understanding the urgency behind FS-ISAC’s focus on cryptographic agility. Mike Silverman underscores the paramount importance of trust within the financial ecosystem, which is fundamentally underpinned by robust cryptographic practices. He explains, “FS-ISAC's raison d'etre is to preserve trust within the financial services sector” (06:12).
The imminent threat posed by quantum computing to current cryptographic algorithms is a central concern. Silverman elaborates on the dual nature of quantum computing: its potential to revolutionize various fields and its capability to break existing cryptographic systems, particularly asymmetric cryptography like RSA. He warns, “When a quantum computer becomes sufficiently large... it will be able to factor huge prime numbers... And so for us that is a huge problem” (06:34).
Best Practices for Implementing Cryptographic Agility
Addressing the practical aspects, Mike Silverman outlines several best practices for financial institutions aiming to achieve cryptographic agility:
Comprehensive Inventory: Organizations must catalog all existing cryptographic implementations, including algorithms in use, key sizes, storage locations, and integration points with third parties. Silverman points out, “The first step in this is get your hands around the problem. Just how many different cryptographic algorithms are we using?” (10:18).
Standardization and Normalization: Harmonizing processes across various business units to ensure consistency in key management, rotation schedules, and algorithm updates.
Education and Awareness: Shifting the organizational mindset from taking cryptography for granted to actively designing systems with cryptographic agility in mind. Silverman notes, “We have to educate and go. No, we need to design and think differently about cryptography” (10:18).
Risk Assessment and Prioritization: Identifying and prioritizing the most critical assets that require immediate attention in the transition process.
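Two of the points above in working code: the “preserve the old or decrypt and re-encrypt with the new” question from the Challenges section, and the cryptographic inventory from the Best Practices list. This is an added example, not code from FS-ISAC or the white paper; it uses HMAC integrity tags as a stand-in for whatever primitive is being rotated, and the registry entries, key ids and policy states (active, deprecated, retired) are assumptions of the example.

```python
"""Algorithm-agile integrity tags with a migration path and an inventory.
Added example; not code from FS-ISAC or the white paper."""
import hashlib
import hmac
from collections import Counter

# Registry of MAC algorithms the organisation permits. Adding one is a registry
# entry; deprecating or retiring one is a policy change rather than a code rewrite.
# Algorithm names and policy states are assumptions of this example.
MAC_REGISTRY = {
    "hmac-sha256":   {"digest": "sha256",   "policy": "deprecated"},  # verify only
    "hmac-sha3-256": {"digest": "sha3_256", "policy": "active"},      # sign and verify
}

# Key store: each key records the algorithm it belongs to, so the inventory can
# answer "which keys, under which algorithm". Demo keys are constructed
# deterministically here; real keys would live in an HSM or KMS.
KEY_STORE = {
    "k-2021-01": {"alg": "hmac-sha256",   "key": hashlib.sha256(b"demo-2021").digest()},
    "k-2025-01": {"alg": "hmac-sha3-256", "key": hashlib.sha256(b"demo-2025").digest()},
}
CURRENT_KEY_ID = "k-2025-01"

def tag_with_key(key_id: str, message: bytes) -> dict:
    """Raw primitive: MAC the message under one key and return an envelope in
    which the algorithm id and key id travel with the tag."""
    entry = KEY_STORE[key_id]
    digest = MAC_REGISTRY[entry["alg"]]["digest"]
    tag = hmac.new(entry["key"], message, digest).hexdigest()
    return {"alg": entry["alg"], "kid": key_id, "msg": message.hex(), "tag": tag}

def protect(message: bytes, key_id: str = CURRENT_KEY_ID) -> dict:
    """Policy-enforcing front door: new tags only under an 'active' algorithm."""
    alg = KEY_STORE[key_id]["alg"]
    if MAC_REGISTRY[alg]["policy"] != "active":
        raise ValueError(f"{alg} is not approved for creating new tags")
    return tag_with_key(key_id, message)

def verify(envelope: dict) -> bool:
    """Dispatch on the envelope's own algorithm id. Deprecated algorithms still
    verify so stored data stays readable during the transition; retired or
    unknown ones are rejected outright."""
    spec = MAC_REGISTRY.get(envelope.get("alg"))
    if spec is None or spec["policy"] == "retired":
        return False
    entry = KEY_STORE.get(envelope.get("kid"))
    if entry is None or entry["alg"] != envelope["alg"]:
        return False
    expected = hmac.new(entry["key"], bytes.fromhex(envelope["msg"]), spec["digest"])
    return hmac.compare_digest(expected.hexdigest(), envelope["tag"])

def migrate(envelope: dict) -> dict:
    """The 'decrypt and re-encrypt with the new' option from the interview: only
    data whose old tag still verifies is re-issued under the current key."""
    if not verify(envelope):
        raise ValueError("refusing to migrate data that fails verification")
    if envelope["kid"] == CURRENT_KEY_ID:
        return envelope
    return protect(bytes.fromhex(envelope["msg"]))

def inventory(envelopes) -> dict:
    """A minimal cryptographic bill of materials for stored objects: usage per
    algorithm and per key, plus how many still sit on non-active algorithms."""
    by_alg = Counter(e["alg"] for e in envelopes)
    by_key = Counter(e["kid"] for e in envelopes)
    stale = sum(1 for e in envelopes
                if MAC_REGISTRY.get(e["alg"], {}).get("policy") != "active")
    return {"by_alg": dict(by_alg), "by_key": dict(by_key), "needs_migration": stale}

if __name__ == "__main__":
    legacy = tag_with_key("k-2021-01", b"transfer 100 EUR")  # issued before the switch
    print(inventory([legacy]))          # needs_migration: 1
    fresh = migrate(legacy)
    print(fresh["alg"], verify(fresh))  # hmac-sha3-256 True
```

Flipping the old algorithm's policy to "retired" makes every legacy envelope fail verification (and therefore refuse migration), which is the point at which the inventory's needs_migration count must already be zero.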
Regulatory Considerations
The episode also touches upon the evolving regulatory landscape surrounding cryptographic practices. While FS-ISAC does not directly influence policy, Mike Silverman acknowledges existing and forthcoming regulations that mandate the adoption of post-quantum cryptography (PQC). He mentions, “The federal government in the US has asked a lot of its agencies to upgrade its infrastructure to PQC by fiscal year 2030” (14:57).
Karpf observes that 2030 is not too far away, and Silverman agrees on the tight timeline, stating, “It really is just five years. And that's a lot of work to do in five years” (15:34); earlier he had stressed that firms “need to think differently and make significant investments in order to become more cryptographically agile.”
Future Steps and Call to Action
Looking ahead, Silverman outlines the next steps for FS-ISAC and financial institutions:
Initiate Immediate Actions: Begin inventory and risk assessments without delay to lay the groundwork for future transitions.
Collaborate with Vendors: Engage with financial services-specific vendors to ensure their readiness and integration capabilities for cryptographic agility.
Comprehensive Planning: Incorporate cryptographic agility into broader strategic plans, balancing it alongside other priorities like artificial intelligence and digital asset management.
Long-Term Commitment: Recognize that cryptographic transitions will be ongoing and increasingly complex, necessitating sustained effort and investment.
Silverman concludes, “We need to start moving and start thinking this way and preparing for these transitions now... this needs to be one of those competing priorities” (16:02).
Conclusion
In this insightful episode, Brandon Karpf and Mike Silverman shed light on the critical need for cryptographic agility in the financial sector. FS-ISAC’s white paper serves as a comprehensive guide for institutions to navigate the complexities of transitioning to more secure cryptographic frameworks, particularly in anticipation of the quantum computing era. The discussion emphasizes the urgency, challenges, and strategic steps necessary to preserve trust and ensure the resilience of financial systems against emerging cryptographic threats.
For those interested in a deeper dive, the white paper Building Cryptographic Agility in the Financial Sector is available through FS-ISAC, with a link provided in the show notes.
Notable Quotes
“The goal would be, over time, build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business.” — Mike Silverman (02:34)
“FS-ISAC's raison d'etre is to preserve trust within the financial services sector.” — Mike Silverman (06:12)
“We have to educate and go. No, we need to design and think differently about cryptography.” — Mike Silverman (10:18)
“It really is just five years. And that's a lot of work to do in five years.” — Mike Silverman (15:34)
“We need to start moving and start thinking this way and preparing for these transitions now... this needs to be one of those competing priorities.” — Mike Silverman (16:02)