Podcast Summary: CyberWire Daily – Future-proofing Finance: FS-ISAC’s Blueprint for Cryptographic Agility [Special Edition]

Introduction

In this special edition of CyberWire Daily, hosted by Brandon Karpf of N2K Networks, the focus centers on the critical topic of cryptographic agility within the financial sector. The episode features an in-depth conversation between Brandon Karpf and Mike Silverman, Chief Strategy and Innovation Officer at the Financial Services Information Sharing and Analysis Center (FS-ISAC). Released on December 31, 2024, the episode delves into FS-ISAC’s newly published white paper, Building Cryptographic Agility in the Financial Sector, exploring its significance, challenges, and implementation strategies.

Defining Cryptographic Agility

The discussion begins with an exploration of the fundamental concept of cryptographic agility. Mike Silverman elucidates that cryptographic agility consists of two primary components:

1. Algorithm Flexibility: The ability to replace cryptographic algorithms and their associated components—such as certificates—swiftly in response to vulnerabilities or advances in cryptanalysis. Silverman explains, “You need to be able to swap out a cryptographic algorithm and all of its components... when needed” (02:34).

2. Design Principle for Minimal Disruption: Embedding cryptographic agility as a design principle enables organizations to transition to new cryptographic standards with minimal or no business disruption. Silverman emphasizes, “The goal would be, over time, build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business” (02:34).

Challenges in Implementing Cryptographic Agility

Brandon Karpf probes into the complexities organizations face when adopting cryptographic agility. Mike Silverman outlines several key challenges:

• Comprehensive Impact: Implementing crypto agility affects various facets of an organization’s infrastructure, including application code, key management, certificate handling, and endpoint compatibility. Silverman states, “Everything gets touched when it starts to come to crypto agility... This is a very holistic sort of approach” (04:54).

• Technical Hurdles: Decisions on key rotation, encryption methods, and certificate management present significant technical challenges. For instance, organizations must determine whether to preserve old keys while introducing new ones or to switch entirely, which requires meticulous planning.

• Diverse Infrastructure: The heterogeneous nature of financial systems, ranging from limited hardware on point-of-sale devices to robust server environments, complicates the uniform implementation of new cryptographic standards.

Rationale for Addressing Cryptographic Agility Now

The conversation shifts to understanding the urgency behind FS-ISAC’s focus on cryptographic agility. Mike Silverman underscores the paramount importance of trust within the financial ecosystem, which is fundamentally underpinned by robust cryptographic practices. He explains, “FS isac's raison d'etre is to preserve trust within the financial services sector” (06:12).

The imminent threat posed by quantum computing to current cryptographic algorithms is a central concern. Silverman elaborates on the dual nature of quantum computing: its potential to revolutionize various fields and its capability to break existing cryptographic systems, particularly asymmetric cryptography like RSA. He warns, “When a quantum computer becomes sufficiently large... it will be able to factor huge prime numbers... And so for us that is a huge problem” (06:34).

Best Practices for Implementing Cryptographic Agility

Addressing the practical aspects, Mike Silverman outlines several best practices for financial institutions aiming to achieve cryptographic agility:

1. Comprehensive Inventory: Organizations must catalog all existing cryptographic implementations, including algorithms in use, key sizes, storage locations, and integration points with third parties. Silverman points out, “The first step in this is get your hands around the problem. Just how many different cryptographic algorithms are we using?” (10:18).

2. Standardization and Normalization: Harmonizing processes across various business units to ensure consistency in key management, rotation schedules, and algorithm updates.

3. Education and Awareness: Shifting the organizational mindset from taking cryptography for granted to actively designing systems with cryptographic agility in mind. Silverman notes, “We have to educate and go. No, we need to design and think differently about cryptography” (10:18).

4. Risk Assessment and Prioritization: Identifying and prioritizing the most critical assets that require immediate attention in the transition process.

Regulatory Considerations

The episode also touches upon the evolving regulatory landscape surrounding cryptographic practices. While FS-ISAC does not directly influence policy, Mike Silverman acknowledges existing and forthcoming regulations that mandate the adoption of post-quantum cryptography (PQC). He mentions, “The federal government in the US has asked a lot of its agencies to upgrade its infrastructure to PQC by fiscal year 2030” (14:57).

Silverman highlights the tight timeline, stating, “2030 is not too far away... that's five years, right?... you need to think differently and make significant investments in order to become more cryptographically agile” (15:34).

Future Steps and Call to Action

Looking ahead, Silverman outlines the next steps for FS-ISAC and financial institutions:

• Initiate Immediate Actions: Begin inventory and risk assessments without delay to lay the groundwork for future transitions.

• Collaborate with Vendors: Engage with financial services-specific vendors to ensure their readiness and integration capabilities for cryptographic agility.

• Comprehensive Planning: Incorporate cryptographic agility into broader strategic plans, balancing it alongside other priorities like artificial intelligence and digital asset management.

• Long-Term Commitment: Recognize that cryptographic transitions will be ongoing and increasingly complex, necessitating sustained effort and investment.

Silverman concludes, “We need to start moving and start thinking this way and preparing for these transitions now... this needs to be one of those competing priorities” (16:02).

Conclusion

In this insightful episode, Brandon Karpf and Mike Silverman shed light on the critical need for cryptographic agility in the financial sector. FS-ISAC’s white paper serves as a comprehensive guide for institutions to navigate the complexities of transitioning to more secure cryptographic frameworks, particularly in anticipation of the quantum computing era. The discussion emphasizes the urgency, challenges, and strategic steps necessary to preserve trust and ensure the resilience of financial systems against emerging cryptographic threats.

For those interested in a deeper dive, the white paper Building Cryptographic Agility in the Financial Sector is available through FS-ISAC, with a link provided in the show notes.

Notable Quotes

• “The goal would be, over time, build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business.” — Mike Silverman (02:34)

• “FS isac's raison d'etre is to preserve trust within the financial services sector.” — Mike Silverman (06:12)

• “We have to educate and go. No, we need to design and think differently about cryptography.” — Mike Silverman (10:18)

• “2030 is not too far away... that's five years, right?... you need to think differently and make significant investments in order to become more cryptographically agile.” — Mike Silverman (15:34)

• “We need to start moving and start thinking this way and preparing for these transitions now... this needs to be one of those competing priorities.” — Mike Silverman (16:02)