There are a handful of people in the world today who are on a mission to make the world’s networks quantum safe. Some of these people work for the leading technology and telecommunications companies. Others represent governments and academia. Much of what they are working on will affect how banks protect themselves from malicious actors in the future. Most importantly, being quantum safe presents a further priority for cybersecurity teams in banks and the wider financial markets.
In March this year the Monetary Authority of Singapore (MAS) cautioned financial institutions on the cybersecurity vulnerabilities introduced by the advent of quantum computing.
Financial institutions located in Singapore will need to mitigate quantum-related cybersecurity risks. They will need to transition from vulnerable cryptographic algorithms to post-quantum cryptography (PQC) without impacting their systems. The MAS has encouraged these financial institutions to explore quantum security solutions including Quantum Key Distribution (QKD).
This activity in Singapore hasn’t gone unnoticed. We spoke to Zygmunt Lozinski, Global Lead on Quantum Safe Networks at IBM to find out more.
The Mission to Make the World’s Networks Quantum Safe
Zygmunt started the conversation by sharing a little about his background. Initially he served as CTO for telecoms at IBM. He then moved on to looking specifically at the applications of quantum computing in telecoms. This led to Zygmunt being one of the people, with colleagues from IBM and Vodafone, who set up the GSMA Quantum Taskforce in 2022.
Zygmunt explained how the role of the taskforce is to help make the entire world mobile infrastructure quantum safe.
Using his experience working within the telecoms space, Zygmunt shared his initial insights about banking. He shared how today he meets with banks in his role. And at many of these meetings the topic of quantum and cryptography is delved into. At a recent meeting one of the bankers asked him ‘why does the bank need cryptography’? This might seem surprising for some, but Zygmunt wasn’t surprised.
“We have forgotten why we use cryptography,” explained Zygmunt. “People will remember Enigma, why we use Signal or Telegram, but not that we use cryptography to secure data. Cryptography is how we ensure that the infrastructure is secure. Every piece of code and hardware is secured using public key cryptography.”
Zygmunt believes that the challenge today is to return to understanding how cryptography works. We need to explain to the politicians, the Chief Information Security Officers of companies and to the enterprise architects how to be better prepared for post quantum cryptography.
“Fundamentally we mustn’t panic,” Zygmunt continued. “We need to start planning and building skills.”
Are Regulators and Central Banks taking Post Quantum Cryptography Seriously?
IBM has set several strategic milestones when it comes to its ‘Quantum Roadmap’. By 2030 the technology company wants to deliver quantum-centric supercomputers with 1,000s of logical qubits.
Zygmunt shared how IBM has been very open about its plans relating to quantum computing. He also highlighted how the U.S. government had increased its preparations by implementing the National Quantum Initiative Act in 2018, and subsequently through President Joe Biden’s signing in 2022 of a National Security Memorandum (NSM) called NSM-10. NSM-10 directs U.S. Government agencies to migrate vulnerable cryptographic systems to quantum-resistant cryptography as part of a multi-year effort. Bi-partisan support from Congress in H.R.7535 provides funding.
“There is a huge amount of work and investment going into quantum computing around the world,” Zygmunt highlighted. He described the recent meeting of the National Institute of Standards and Technology (NIST) in the U.S. The meeting took place as detailed technical work on new standards had now been completed. The next step is for the proposals to go through the U.S. Department of Commerce, where they need to gain approval from under-secretaries and eventually the Commerce Secretary. This would then lead to the proposals being published in the Federal Register prior to turning into a federal standard.
“We are at the point where people need to be starting the planning process,” Zygmunt explained. “It will take multiple years, and you need to start now. You must identify where to prioritize first. Interbank settlements are a good place to start for banks. Especially systems like Fedwire which has a transaction limit of up to $10 billion and is used for large dollar payments.”
How Bankers can Prepare for Post Quantum Cryptography (PQC)
In 2017 a team of researchers and developers at IBM debuted the open source Quantum Information Science Kit – Qiskit. What started out as a simplified way to build quantum circuits has since set the stage for the future of quantum programming. Quantum developers interested in any aspect of quantum computing can go onto the IBM website and install Qiskit.
Over the years a global open source community has grown around Qiskit including researchers, advocates, educators, hobbyists, and more. All in the name of learning and teaching all things quantum.
The sorts of people at banks that will in some cases already be working with quantum systems are quants. Zygmunt shared how these people already understand the mathematics involved in the types of algorithms affected by quantum computers.
“We find that quantum algorithm developers prefer to write Python code,” shared Zygmunt. One of the people that IBM has engaged to help with this initiative is John Watrous. John was a professor at the University of Waterloo’s Institute for Quantum Computing prior to joining IBM in 2022. His book, The Theory of Quantum Information, is used by students, educators, and researchers around the world. Today John is Technical Director of IBM Quantum Education.
“We’re making educational materials available to universities,” Zygmunt added. “It can be used for university modules that physicists, computer scientists, or economists attend. Sharing this type of knowledge will help to ensure that a generation of people will enter the workforce who know how quantum works.
“As the technology matures, those are the people that the banks are going to hire. Teaching is key. Making information available can only help.”
How IBM is building a Quantum Industry
There have been several stories about the number of research centres at IBM. In fact, in 2022, President Joe Biden visited IBM’s quantum data center in Poughkeepsie, New York. The data center is home to the world’s largest fleet of quantum computers.
Another place of great importance is the global headquarters of IBM Research, the largest industrial research organization in the world. The research center is in Yorktown Heights, NY. Many of IBM’s most notable breakthroughs in quantum computing, artificial intelligence, and semiconductors have taken place there. Interested persons are welcome to visit IBM’s premier Think Lab at Yorktown Heights, which houses multiple IBM Quantum systems as well as an experimental AI-optimized cloud-native supercomputer.
Zygmunt explained how visitors can walk around the system and talk to some of the people who are there working on it.
“We have created a showcase at the lab,” Zygmunt explained. “It’s where we bring clients so they can see the technology is real. And this is where we discuss potential use cases.”
Outside of the research centers and labs there is the broader IBM Quantum Network, Zygmunt shared. This includes 250+ Fortune 500 companies, universities, laboratories, and startups.
How does IBM bring useful quantum computing to the world? IBM does this through leadership. Building a quantum computer isn’t enough. IBM is building a quantum industry. The IBM Quantum network members collaborate widely, and benefit from close working relationships with IBM’s in-house experts. Some of the financial institutions within the network include American Express, HSBC, and Mizuho Bank.
“The quantum network is how we get people to use those systems,” Zygmunt explained. “You need to build an ecosystem of people who have problems. Whether they be trading or risk managers in banks. Whether they be people thinking about how to optimise liquid natural gas shipments around the world. And many other people.”
IBM looks to support the collaboration of companies and academia or research facilities. But not every problem is a good problem for a quantum computer, Zygmunt highlighted.
“You’re never going to replace Excel or Word with a quantum computer,” Zygmunt explained. “It’s like the Nvidia GPUs. It is an accelerator that in a particular domain can do things you will never be able to do even with a national budget and a supercomputer. At the IBM Quantum network we look at what problems work well on the quantum computing machines. Then we work with you, or have our partners work with you to accelerate that process.”
How the Telecoms Industry Embraced PQC
Zygmunt shared his personal journey in telecommunications to help explain how banks can prepare themselves to be quantum safe. He explained how there was a whole set of technical things that had to be done. But equally important was building consensus in the industry that quantum was an important topic.
“We took a proposal to the GSMA, the global organisation unifying the mobile ecosystem,” Zygmunt explained. “We approached the technology group of the GSMA, which included all the CTOs of all the mobile operators in the world.”
There was a need to map out the response from the industry. More than fifty firms were brought together representing suppliers, operators, and regulators. The initial response was lacklustre.
“What we did after this is we created an impact assessment,” Zygmunt shared. “We wanted to know what the transition to post quantum cryptography or quantum safe meant for telco firms. And we published the response.”
This initiative led to a better level of understanding within the industry. It led to people getting their ‘hands dirty’. A representative of one of the operators, who had initially been lukewarm about the topic of quantum, changed their approach dramatically after completing the assessment and seeing the results. Six months later this individual stood on stage in front of his company’s entire supply chain and said: ‘I’d like to tell you that you now need to be planning for this transition to PQC.’
The operator made awareness of PQC a requirement for its supply chain. Within months the head of security at one of the operator’s suppliers explained that his firm would be making a statement of direction: that the firm is going to make their network quantum safe over the coming years.
“You build consensus, you build direction,” Zygmunt explained. “The sets of people who get involved early on get their hands really dirty and understand what the implications are. These are the people who can then communicate to the ecosystem, to the supply chain, to the standards bodies, to the national regulators. These people can highlight that we need to do this.”
What happened next was that a proposal was made to make the transition to PQC a requirement for future telecoms networks. This then feeds into the standards process within the telecoms industry.
How Banks and Financial Institutions can Prepare better for PQC
Banks and financial institutions, much like the telecoms industry, have many standards that they are required to meet. Zygmunt pointed to the Payment Card Industry Data Security Standard (PCI-DSS) as an example.
Apart from PCI-DSS, the Bank for International Settlements (BIS) is one of the organisations that has taken a lead role in highlighting PQC.
“The BIS have now got people that understand how they think about securing interbank settlements,” Zygmunt shared. “I think the next thing for them to do is start communicating that widely and building an ecosystem of understanding amongst firstly the central banks and the globally systematically important banks. That is the first step.”
Once the largest stakeholders are engaged, Zygmunt believes the next stage would involve the payments industry and then the smaller banks. All this whilst considering topics like the security of personal data. This would then allow later for low value transactions and the less critical parts of banking from a risk perspective to be considered. This would lead to the better preparation of the global financial infrastructure for PQC.
Whilst the order of priority may still be in process, Zygmunt believes it is essential to share as much knowledge as possible.
“It’s like aviation,” Zygmunt explained. “We shouldn’t compete on safety and security. We want everybody to be at the same high level.”
Zygmunt believes that countries need to follow the lead of the U.S. government and start to publish guidance. Zygmunt is seeing that this process is starting. France, Canada, Germany, and the UK are examples of where PQC is being made a priority. In the UK the National Cyber Security Centre (NCSC) has been writing guidance for Chief Information Security Officers on the topic of PQC.
“Over time you have to build out an understanding firstly at the executive level, but you also need the depth beneath,” Zygmunt highlighted. “You need to fix the API gateways if you’re interested in tokenisation. We are going to have to think about the security of the API gateways through which the open banking systems flow. This in turn is dependent on transport layer security (TLS). And we need to migrate certificate authorities (CAs). Ideally, we would have a plan to make sure we’re on TLS 1.3 using a profile of approved algorithms. All the nitty gritty stuff.”
Out of all this we assemble a secure infrastructure that works, Zygmunt assured me. “If we start now, we won’t get to a point where we’re rushed,” he explained. “If we treat this as part of the lifecycle of critical software, of critical infrastructure, it will be easier. Much easier than if we suddenly inform the board of a financial institution that we need to spend X by the end of the year as we weren’t prepared.
“The price of security is eternal vigilance,” Zygmunt highlighted. It’s not just about keeping security teams updated. We need to ensure that the enterprise architects who build systems, build them to the best standards that are available.
How the Financial Services Industry is Preparing for PQC
Whilst Zygmunt suggested a potential roadmap for financial institutions to consider, this doesn’t mean the industry hasn’t made steps already. Apart from the initiative by the BIS, next year will see a new mandatory requirement for the payments industry. The Payment Card Industry Data Security Standard (PCI-DSS) is a collection of security protocols established in 2004 through collaboration between Visa, MasterCard, American Express, and others. This standard is regulated by the Payment Card Industry Security Standards Council (PCI SSC). On March 31, 2025, organizations subject to PCI-DSS 4.0 compliance must have a cryptographic inventory and a documented strategy for dealing with cryptographic updates.
“There is a detailed process by which you have to discover all of the places that you’re using cryptography,” Zygmunt explained. He shared how the team at IBM recently worked with one financial institution to highlight the number of places that cryptography was being used across the organisation. This made the challenge visible.
“When it becomes visible, you can manage things that are visible similarly,” Zygmunt shared. “You need to put tooling onto the network so that you can see all the TLS connections. And what version of TLS you are using.
“Once you’ve got visibility of all the endpoints then you can build a policy and start managing the policy. We need to make the underlying technology, what cryptography you’re currently using, and your source code visible so that people will now do that management.”
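To make the inventory-then-policy step concrete, here is an added Python illustration; it is not IBM's tooling or code from the interview. The endpoint names, record fields, tier numbers and policy sets are constructed assumptions, standing in for what network tooling might report about each TLS connection.

```python
# Added example: checks a constructed TLS inventory against a simple
# quantum-safe policy. All names, fields and values are illustrative.
from collections import Counter

MIN_TLS = (1, 3)                            # policy: TLS 1.3 or later
PQC_KEX = {"X25519MLKEM768", "MLKEM768"}    # key exchanges this sketch accepts
CLASSICAL_SIGS = {"RSA", "ECDSA"}           # certificate signatures to migrate

# Constructed sample records; tier 1 = interbank settlement (highest priority).
INVENTORY = [
    {"endpoint": "api-gw.example.internal:443", "tier": 2,
     "tls": "1.3", "kex": "X25519MLKEM768", "cert_sig": "ECDSA"},
    {"endpoint": "settle.example.internal:8443", "tier": 1,
     "tls": "1.2", "kex": "ECDHE", "cert_sig": "RSA"},
    {"endpoint": "legacy-batch.example.internal:443", "tier": 3,
     "tls": "1.0", "kex": "RSA", "cert_sig": "RSA"},
    {"endpoint": "openbank.example.internal:443", "tier": 2,
     "tls": "1.3", "kex": "X25519", "cert_sig": "ECDSA"},
]

def parse_version(text):
    """Turn '1.2' into (1, 2) so versions compare numerically."""
    major, minor = text.split(".")
    return int(major), int(minor)

def assess(record):
    """Return the policy findings for one inventory record."""
    findings = []
    if parse_version(record["tls"]) < MIN_TLS:
        findings.append("tls-below-1.3")
    if record["kex"] not in PQC_KEX:
        findings.append("kex-not-quantum-safe")
    if record["cert_sig"] in CLASSICAL_SIGS:
        findings.append("cert-needs-ca-migration")
    return findings

def report(inventory):
    """Findings per endpoint, plus totals per finding type."""
    rows = {r["endpoint"]: assess(r) for r in inventory}
    totals = Counter(f for fs in rows.values() for f in fs)
    return rows, totals

def worklist(inventory):
    """Endpoints with findings: most critical tier first, then most findings."""
    flagged = [r for r in inventory if assess(r)]
    flagged.sort(key=lambda r: (r["tier"], -len(assess(r))))
    return [r["endpoint"] for r in flagged]

if __name__ == "__main__":
    for endpoint in worklist(INVENTORY):
        print(endpoint, assess(next(r for r in INVENTORY if r["endpoint"] == endpoint)))
```
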
The focus for Chief Information Security Officers needs to be more than just post quantum cryptography. But hopefully this story will reverberate amongst the community and help senior security professionals in financial services be able to prepare better for what might happen tomorrow.
Author: Andy Samu