Episode 97: Quantum Computing and Tomorrow’s Problems Today
Just over twenty years ago, Time Magazine had a cover story with the headline "The End of the World." Remember what that was for? Climate change? No. A market crash? Nope. It was for Y2K, shorthand for that moment of transition from December 31st, 1999 to January 1st, 2010, and the potential for a dreaded millennium bug. In the end, Y2K amounted to little because people prepared and made system changes across most computers ahead of time. Now we're counting down to Y2Q, years to quantum. The increased power of quantum computing has the potential to wreak havoc on today's security systems. This might seem like a future problem, but with today's guest, Mike Brown, CTO and co-founder of ISARA, we'll hear why it's very much a problem for now. We'll also dive into what else will change.
Dawn Quantum to be great show, so stick around. I'm Jon Prial. Welcome to the Georgian Impact Podcast.
Mike Brown, quantum computing, cryptography, and this is a problem for now. I'm sure we've got everyone's attention, so tell me how you got into this space.
Sure. Yeah, so currently I'm the CEO and co-founder at ISARA Corporation in Waterloo, Canada. Background-wise, I started with a love of mathematics and cryptography, turned that into a degree at the University of Waterloo, and then spent 14 years at BlackBerry helping build the product security team there, and then moved over into the quantum security space.
So I want to get into, right now, and we'll get into ISARA, kind of why this emergence of quantum computing is going to have a real profound effect on security, but I want to try to do some level setting with you. So let me start with encryption, and I'm pretty sure I've got this, but let me check with you. On my computer, you know, I've got the password, and of course my assumption is that the password protection is not enough. So I follow all the right practices.
I encrypt my hard drive, I encrypt my backup, so, so far so good, right?
Yeah, absolutely. Yeah, you're protecting what's being stored on your computer.
And the science of cryptography is kind of the math behind this, right? How rich a field is that?
Oh, I'd say cryptography goes back into our ancient history. So there are stories and times where the ancient Egyptians and the Greeks were using cryptography. You know, one story is that what they used to do was, if a leader was trying to send a message across ancient Greece, they'd actually shave the messenger's head, write the message on the top of their head, let the hair grow back, and then send them on their way, so that if someone stopped them they wouldn't see that there was a secret hidden under the scalp as well. So cryptography has its roots in the ancient part of our own civilization.
That's a great story. Thank you for that. You mentioned that I'm protecting kind of the data on my disk, and I do know this term, kind of, data at rest. So what's the difference then between data at rest versus, it may be the term is data in transit? Is that correct?
Yes, data in transit, which is basically how does information get to your computer. So let's use an analogy. If I'm going to buy something from Amazon, when I connect
to Amazon's servers, they're storing information about me. So that's data at rest. That's information stored in their systems. But I'm going to send them my credit card information in order to buy something. When that data is being sent, that's data in motion, and I need to make sure I protect that when it's going over the Internet. Very different.
Right, that makes sense. So we have to have kind of encryption everywhere and think about all the different touch points to protect ourselves from bad guys.
Absolutely. That's the thing about security broadly, is that it's all about the details. It's not just about, let's make sure I encrypt data stored on my hard drive. It's about how is the software that's going to interact with it being designed? How is data going to get to my hard drive? How am I going to display it on the screen? Security, which cryptography is a core part of, is an essential part of how we design the infrastructure we use.
So on this design further, I've got two contrasting thoughts here that I think are relevant, but let me run the two by you. So I know that if I enter
an incorrect password on my iPhone 10 times in a row, it gets wiped. That's kind of a process and a policy.
Yes, yes.
Now, I also loved the book and the movie The Imitation Game, and there is Alan Turing kind of trying to break this German Enigma encryption, just cranking through a million, a zillion, a thousand options, just cranking through options, right?
Yes.
Yeah, so somebody can steal my computer and remove the hard drive, or maybe figure out a way to access it directly and bypass this password thing, and they could try to read it. So they could try a zillion keys in a row without worrying about this 10-time blackout.
There's a power difference between your smartphone, for example, where the only way for me to enter a password on
your smartphone is either through the screen, so I'm typing it in, or by connecting through the USB cable, whatever connector is there. And so there's a way to rate limit how many times you can type it in, versus if I ripped the hard drive out, or if I'm going back to World War II and I'm Alan Turing and I have the Bombe machines there trying to chug through all the possible combinations. I can use the power of our computers to try to actually figure out what your password is.
And we do get recommendations on changing passwords. I've been a fan and a user of 1Password for a long time, and the latest update is giving me messages around redundant passwords or not being rich enough. So since we all want to sound smart at cocktail parties, or maybe this is a cocktail party of nerds, tell me a bit about entropy.
Entropy is a very rich concept in physics, which is basically about disorder and randomness. And when we're thinking of it, and when it applies
to passwords, that means basically make your password complicated. So don't use 1 2 3 4 or "secret", which are some of the most common ones people end up using. What you want to do is make it hard for someone to guess. The harder it is for someone to guess, the more entropy or randomness there is within your password. But you also want to make sure that you don't come up with a really hard password which you then use for every single website that you go to. That's where tools like one last ice Randy those password managers come in, to let you keep a very strong password to protect everything and then have individual passwords for every single website that you go to.
And besides entropy, or maybe it's part of the word entropy here, you could have an HR capacitor, a 24-character password or more, or cryptography keys. The bigger the better again?
Yes. Yeah, absolutely. And sometimes one of the best ways to do that is you can have a really long, complicated password which you'll never remember, or maybe you use a combination of phrases or words that sound like words,
actually words, to allow you to get more and more information, so you increase the entropy in your password then, but actually make it so you may be able to type it in once in a while.
So now I want to get to quantum computing. So I don't think I'm going from the world of easy questions to harder questions, but I'm working for our audience here. And I pulled this out, and you're a former BlackBerry employee, I got it from a BlackBerry post that was written when they made a partnership with ISARA. And the cool thing I pulled out of this was, on a 256-bit key, it takes two to the power of 256 to run through all those options, and there's only two to 270 atoms in the entire universe. That quantum computing is going to cripple encryption methods is something else I pulled out of that article. Help me understand this better.
Now, so there's all this work around the world to build quantum computers, and the reason is
is that they can solve problems that we can't solve today. So for example, we spend about 3% of all of the energy we produce in the world every year to create fertilizers. Fertilizers are obviously very important because it's important for a growing population to continue to eat. But anyone who has a compost heap in their backyard knows that nature is good at creating fertilizers with very little energy. Heat, some water and some materials in your backyard, and they'll break down into fertilizers. Wouldn't it be great if we could follow that same type of process to create an industrial way of creating fertilizers with very little energy use in a factory? And there's a problem in quantum chemistry that we can solve with a quantum computer that allows us to achieve that, so much stuff is actually showing how to do this thing. And what's interesting about this is that means that there are all these different types of problems that we can solve with quantum computers, using interesting properties of physics like entanglement and superposition, that we can also apply to security.
So I read a little bit about entanglement and superposition, and, you know, I don't want to go there. I'd love to have a beer and talk more about this. When I was looking at my definition of quantum computing, and I know what a bit is, it's zeros and ones, and I'm sort of getting, not getting, a qubit. And I made a flip joke to Alex banana, our director of trust and security at Georgian here, and I said it sounds like the bit is a cat, but that's just stupid. Anyway, so what don't I understand about a qubit?
Yeah, so, and that's a great analogy there. So, you know, with a classical computer we have ones and zeros, on and off. So it's a very clean, simple concept to understand. In a quantum computer, with interesting things like superposition, we have something called a qubit, which is an analog to a bit, and a qubit is not just one or zero. It can actually exist
in both states at the same time, and the real power of quantum computers comes from the fact that you can then do calculations utilizing that fact. So for example, if you're trying to solve a problem where there are four possible outcomes, a classical computer would try all four scenarios to see which one is the best. A quantum computer would try two. Another example: let's say we're in a library, and I tell you to close your eyes, and I go into a room where there's a million books, and I walk through all of the books. I put an X inside the cover of one of the books at random, and you go in. On average it's going to take you about 500,000 attempts to find the book that I've marked. A quantum computer can do it in a thousand attempts, because it's able to utilize that power of effectively processing more solutions at the same time to arrive at the solution that you really want.
So it really is just a different flavor of parallelism to some degree?
Yeah, there are some elements of parallelism at play here, but it's not truly trying all the solutions at
the same time. It's really the fact that you can take advantage of some of these physical properties to try more solutions, but then utilize the fact that when you observe a system, it will collapse into, hopefully, the solution that you want.
And is it fair to say that, versus being a zero or one, there's also, because I saw a very strange formula in some of my research, that you can have odds associated with it being a zero or one? Is that part of the thinking here?
Yeah, definitely. Probabilities come in everywhere when you start talking about quantum computing, because, you're right, there's a probability that a bit is going to be either a 0 or a 1, and then you do calculations based off of those different probabilities.
So the net-net is there will be faster computers, and they're going to be able to break the encryption, and there are ways to bypass the 10 passwords and you get wiped out. This doesn't mean, though, that all of our customers and all
of the audience listening to this podcast are going to be moving to quantum computers. We need to protect them from evildoers that are using quantum computers.
Absolutely. So from a business perspective, you will utilize quantum computers in the future to solve problems that you have. Now, if you're in banking and finance, for example, quantum computers will be hugely beneficial for fraud detection, for analyzing big data when you're trying to get better insights into what your customers are doing. Those are the positives. Unfortunately, one of the problems that a quantum computer is also very good at solving is a math problem, and that math problem underlies the public key cryptography we use on the internet, RSA and elliptic curves. So as a business, your move then is to understand: how do you use cryptography in your systems today? And then what's your roadmap to move to what are known as quantum-safe alternatives?
So this sounds like this is not just science. Just like, perhaps, when we're doing machine learning, and there's
many, many different machine learning techniques one could use, and you've got to pick the right ones and define their systems. There is a great deal of art, not just science, here. As you talk about quantum safe and having companies protecting themselves from these quantum computer attacks, how much art is there, then, in these different techniques?
If we take a step back, if we think about how public key cryptography is used today, fundamentally it's about, let's find a mathematics problem that is difficult to solve with existing computers and then build security around that. So in quantum-safe cryptography, we do the same thing. We use different math problems. We build cryptography on top of that. But one of the key points that you're getting at here is around, how does a business know what to use? Because of course there's different math that we can rely upon here. And this is where the world of standards becomes hugely important. So there's work going on globally to standardize what the quantum-safe solutions of the future are going to be, and we have groups like NIST in the United States who have a competition into
what are the specific math schemes we're going to use: lattices, hash-based signatures. There's five different math areas, and they're working through those details right now. But it's not just about the math. The way I think about this is very much like an onion, where we have the mathematics at the core, but then we use the mathematics in different systems, and this is through groups like ETSI, for example, who are based in France, who look at telecommunication standards like 3G and 4G, or the IETF, which defines how the internet works. So if anyone's heard of TLS or IPsec for VPNs, those are specified there. And then we have industry-specific groups. So for example, if you're in banking you have X9, which is a body that you're used to, which tells you all the standards for how banking communication works. Ultimately cryptography is a language, and we need to use standards to specify that language so everyone can speak to everyone else.
So X9 in banking might get one type of quantum-safe solution, and then perhaps data going across a 5G network might get another
set of quantum solutions as well. So that's where the art shows up, in terms of it's really hard science, but it's very application-specific.
It is, because if we look at X9, for example, they're going to rely upon other standards groups like NIST to tell them what the proper algorithms to use are, and then they're going to fit them into the banking-specific space. So for example, how do we use a lattice-based scheme in the SWIFT network to protect high-value transactions, or how it fits into retail banking, such as the mobile app that you're using to access your bank online from your phone. So each industry then will take this and slot it into their own solutions that they have. This really points to the fact that this is a large-scale IT migration, and we've gone through these in industry over the years. This just happens to affect something which is fundamental to how all of our IT systems are built, and so points to the scale associated with it.
It's just that, because the standards work is being done, I could see, listening to you, a CEO sitting back, going,
"Oh good, I'll just worry about this later." So maybe here's an interesting example. It might be ancient history to many, but the Y2K problem was huge in terms of resources. I mean, every company has the following resources to ensure nothing disastrous happened. And it was fun for me to see a new term called Y2Q, years to quantum. So where should a CEO be thinking about quantum safe? And actually, after that, take me to some of your general views on cybersecurity as well, please.
Y2Q is an interesting name to use, because it points to the fact that this is a large-scale transition that people are going to take, and the when is very, very much depending on the who. So let's use an example. If I'm a car company and I'm thinking about a car which is on the road in, let's call it, 2035, we know on average that it will be on the road for 11 and a half years. So it went into the market in the early 2020s, and
a car that's going to be on the road in 2022, it's wet 68 years for research and development, which means a car company actually started a few years ago to get the car ready that will be on the road in 2035. So if you're an organization where you have a long exposure for your information: industry experts expect quantum computers that can threaten cryptography in the 2026 223 range. That's based off people from the University of Waterloo's work, or NIST in the United States. So if you have information that needs to be safe for 10 years or longer, you need to start today. But there's another insidious part to this. If you have information you're sending on the internet encrypted today, we do know there are people who are storing encrypted traffic from the internet so they can analyze it later on. This is known as harvest. So if you're sending information today that still needs to be protected 10 years from now, you actually have an ongoing IT exposure that's happening right now. So what that implies is that as an organization
you start thinking about, how do I start doing this transition, and start putting your plans in place today, because you may already have an exposure.
Wow. Harvest and decrypt is almost frightening, and it's almost a little bit like the dark web and all of the Bitcoin ransom notes sent out to all of my friends sharing old passwords, right, and they weren't even encrypted. That was just bad behavior by lots of folks, and it's worse, I guess. So, where do you think companies should be thinking about security first, when they should be thinking about developing a reputation of trust with their customers? What should CEOs be thinking about right now?
The first step for a CEO to take today is really to understand what data you actually have in your organization. You know, it is very much an archeological expedition. Understand what type of HR information you have, what type of trade secrets, what type of financial information, and then that actually gives you a good baseline to start understanding risk. Ultimately this is a risk
discussion. Understand your systems, understand your data, understand how long you need to protect it for, and then start putting plans in place. Some information or some systems which may only need to last for 5 years, you can safely ignore. But a long-term HR database that includes, you know, healthcare information for the employees, you'd better start planning today in order to protect that.
Wow, that is strong. Let's go broader. Other than quantum, what do you see as the threats out there that people should be worried about in security?
There's a lot of focus still on what I consider to be the basics: spear phishing, you know, as threats which attack you at a user level. Those are still very big and will continue to be very big as well. For you as an end user, it can be difficult to think about how to protect yourself. And so that's why we always preach the basics. We talked about passwords previously, and as an end user, one of the best things you can do is make sure you have a strong password policy in place, utilize a password manager, have unique
passwords for all of the websites and services you utilize, and that'll put you as a user in the best position to protect yourself.
And if we can have companies protect themselves, they'll have fewer breaches, less violation of an end user's trust, and all of a sudden everybody should be in a much better position.
Yes, absolutely.
This was such an interesting discussion, and unbelievably important as to where the world is going. Thank you so much for taking the time with us today.
Oh, I really appreciate the opportunity. It was a pleasure to speak with you today.
Quantum computing is still years away from widespread commercial use. But did you know that you should already be protecting yourself and future-proofing your encryption against the power of quantum computing? In this episode of the Georgian Impact Podcast, Jon Prial welcomes Mike Brown, CTO of Isara and former VP of Security at BlackBerry to discuss why we should address the risks of quantum computing sooner rather than later.
In this episode you’ll learn:
- How encryption works and how it will change with quantum computing
- How quantum will help solve some of our hardest problems
- Why quantum computing will pose a threat to today’s encryption standards
- What you can do to prepare your organization today
As Chief Technology Officer and Co-Founder, Mike is responsible for the technical vision and direction of ISARA Corporation. His teams are singularly focused on research into the state of the art in Quantum Safe algorithms as well as how to implement them in a secure and efficient manner. Mike was most recently the Vice President of Security Product Management and Research at BlackBerry, where he co-founded the product security practice and was responsible for the vision and execution of security for all BlackBerry products. Mike has spoken at global security events including RSA, CTIA, GTEC, Bloomberg, APECTEL and InfoSec Europe. He holds a Masters of Mathematics from the University of Waterloo, focusing on cryptography.