2025 Public Sector Perspectives

Sign ten: Quantum is coming

Remember when I said that Ukraine changed everything in the cyber landscape? Well, quantum computing will likely be more disruptive to how you perceive and interact with the world around you than the impact of AI and the Ukraine geopolitical disruption combined! While the technology is still being developed, the potential of quantum computing will rapidly increase the likelihood of data breaches with potential intellectual property theft, such as when advanced persistent threat (APT) groups and criminal organizations try to exploit the vulnerabilities in current cryptography used to secure electronic communication. A lot of valuable and sensitive information is currently encrypted with non-quantum-resistant algorithms. This means that companies responsible for critical infrastructure, such as financial services, will be particularly vulnerable to future breaches.

Information security professionals are dreading “Q-day” – the date when quantum computers make current global encryption methods useless. This event would be equivalent to a cyber blizzard, much worse than any winter. Machines vastly more powerful than today’s fastest supercomputers would be capable of cracking codes that guard current public encryption systems, like those that secure bank accounts, financial markets, and critical infrastructure. You do not need to look much further than IBM’s Kookaburra processor to catch a glimpse of how close the ominous Q-Day may be. To describe this world, I think Booz Allen Hamilton said it best when they described it by asking, “what does chaos look like?”

Do I have your attention yet? Do you feel the wintry chill? Now let us review how Citi has prepared for the evolving cyber threat landscape and how you, the central bank community, can also better prepare. Here is a twelve-point list to review and consider that will better help you ensure that you, as central bankers, are as ready as you can be for today’s cyber winter:

1. Consistently monitor, on a dedicated basis, the typologies of ongoing cybercrime

While cyber actors are diverse in origins, motivations, and objectives, they share similar tactics and quickly replicate techniques. It is crucial that central banks similarly compare notes with one another, and with official sector partners in their circle of trust. The speed at which you identify typologies is mission critical to ensuring that threat actors are understood broadly, and defenses are systemically designed and applied.

2. Incident detection and response is as important as preventative measures

The average time between a hacker infiltrating a system and the target detecting the breach is approximately six months. That means an adversarial hacker who enters through a business email breach may have horizontal access to snoop inside a multi-dimensional, complex operating environment for months before taking any action. During the period that hackers are roaming undetected, they are able to monitor confidential data such as financial and economic data, regulated firm information, policy plans, personnel documents, and payment processes to gain strategic

In a world where AI expedites advanced malware generation, efficiency of research, and adversarial operations, exploited institutions have less time to respond, patch vulnerabilities and prepare for disclosure.

Cyber Winter: Are Central Bankers Ready?
