[00:00:38] Camille Morhardt: Welcome to today’s episode of Cyber Security Inside, What That Means. My guest is Eddy Zervigon, the CEO of Quantum Exchange and he’s here to discuss next generation cryptography. And what we’re talking about here is the need to have new solutions to secure data and devices once quantum computing comes on the scene. I’m particularly interested in how we prepare for securing things like satellites orbiting the planet. Before we started recording Eddy you pointed out that once you send those up you can’t just send out the Maytag repair guy if something goes wrong. So how do we deal with this?
[00:01:16] Camille Morhardt: First of all Eddy, welcome.
[00:01:17] Eddy Zervigon: Thanks for having me.
[00:01:19] Camille Morhardt: What I’d like to do is have you set the stage for what transition is about to occur and what kind of problem is happening in the quantum compute and cryptographic space that we have to deal with?
[00:01:31] Eddy Zervigon: I think to state the problem set, we’re about to undergo the greatest cryptographic migration in our history. And we’ve used technologies that have served us for the better part of 45 years to really make this evolution into the internet digital age. It’s been a phenomenal run, and that run is coming to an end with the advent of either quantum computing or advanced computing/probabilistic machines. And the reason is because for the last 45 years we’ve used basic math to encrypt the data we send. When we say data, I mean all data–it could be anything from command and control for satellites as well as sending information or data regarding gas pressures or things as simple as basically ID information or appointments that we do every day.
So that has been well served by the math that was developed 45 years ago by Whitfield Diffie and Martin Hellman and it’s the Diffie Hellman Key Exchange. And then shortly thereafter, a year later, RSA followed up with their version of it. And it’s basically, let’s encrypt the data with math that’s very hard to break. And the good news is that for 45 years we’ve done a better job of encrypting than the bad guys have done with their ability to decrypt that information. So it’s been an extraordinary run, but now we’re coming to a point where computers are able to do exactly that very calculation, easily and efficiently.
And so we’ve got to figure out what’s the safety or security protocols that are going to take us into what we call the “post quantum era.”
The prevailing thought is that whether you think it’s going to happen two, three, five or 10 years from now, we know that the inability to respond to the problem in a quick and meaningful manner may result in catastrophic losses. So that’s the problem set that we’re trying to figure out.
[00:03:34] Camille Morhardt: And you said that there’s basically two approaches to solve this problem. Can you explain what those two approaches are and whether they’re complementary or mutually exclusive?
[00:03:44] Eddy Zervigon: Sure. When we talk about post quantum cryptography, we talk about algorithms being able to factor an extremely large number into its two prime numbers. Those are computations that computers do not do very well. The other way to look at this is with what’s called quantum key distribution, which is using the properties of physics to actually defeat a quantum computer. The properties of physics, meaning photonic delivery, if you will, or creation of the keys at both ends over fiber optic network.
As it sounds, it’s a complicated thing–very expensive, not very scalable today, but at some point in the future, it will be. So those are the two kinds of tools in the toolbox that we have to combat this coming problem. And there’s a lot of work being done into how we’re going to incorporate these new tool sets into a security stack going forward.
[00:04:40] Camille Morhardt: Let me ask you to describe briefly what Quantum Exchange is doing? I know part of this is the concept around crypto agility, which you might also help us understand.
[00:04:53] Eddy Zervigon: Sure. Let’s look at it fundamentally. The way Quantum Exchange approaches the problem in terms of the architecture. So 45 years ago, when Whitfield Diffie and Martin Hellman developed the Diffie-Hellman Key Exchange it was assumed that there would be one communication line. So you and I would be communicating, Camille, and I would be sending you encrypted data. There’s only one line between us, so therefore it made sense that the data and the encryption key had to travel together because there was only one line of communication. Now, if you look at even your cell phone, you’ve got wifi, and you’ve got your cell access and multiple points of carriage–through your WhatsApp account, or your Signal or Netflix account. So there are multiple paths, so why are we not incorporating the fact that now we can deliver multiple paths to separate the key from the data and make it that much harder for an attacker to be able to successfully decrypt information, even if they were to have a quantum computer.
[00:05:55] Camille Morhardt: You’ve basically got—well this probably isn’t a good analogy but it’s the only thing coming to mind—if you know a credit card number it’s not enough; you have to have the CV code that is on the back, the three digits to make sure that you’re actually in possession of the card. I think this is almost the inverse of that because you’re saying you’re actually getting the key delivered to you through a separate pathway than the actual data. So it’s kind of the opposite of that.
[00:06:24] Eddy Zervigon: I would even take that further and say, it’s basically a two-factor authentication for encryption. I remember five years ago two-factor authentication was really cool stuff that you would do when you were trying to send a wire for $50,000. Now you can’t even buy concert tickets without two-factor authentication. It’s basically the same concept; it’s an out of band channel that authenticates who you say you are. So it’s the same concept that we try to bring, but to the delivery of an out-of-band key in order to protect a series of data transmissions.
[00:07:00] Camille Morhardt: One of the things I think you’ve done is a sort of proof of concept around satellites and protecting something about them. Can you describe a little bit more what that was?
[00:07:13] Eddy Zervigon: Sure. The fundamental issue with satellites as you pointed out is once you launch a satellite, you spend a lot of time on earth figuring out exactly what you want to put on the satellite and making it as efficient as possible. One of the things you cannot do once lots of satellites go up is, as you mentioned, send the Maytag repairman to go fix it.
The way we’ve looked at this is to think about future-proofing these satellites because getting into quantum and how realistic and how soon the quantum threat will be here is like arguing religion. Some people think that by the time the error rates come down to an acceptable level it’ll be years if not decades from now. Other people think that in two to five years it is a distinct possibility. Rather than get into that whole frame of mind the reality is that if you look at space and satellites that are launched, the vast majority of satellites are within either one of those timeframes. So it’s important to protect it, not only as it relates to the telemetry tracking and control (the TT&C), but also the data coming onto the satellite and coming off of the satellite. That’s important because you’re talking about 4,200 commercial satellites up there and that’s growing at about 20% a year. It’s a significant uptick in satellites and therefore the ability to protect them and avoid in the future what’s called a “man in the middle” attack where someone can come in and falsify who they are, and basically take control of the satellite, deorbit it and send it crashing back into the earth’s atmosphere is something that’s extremely important, especially as you’re talking about communication satellites or imagery satellites which are all very important pieces of the satellite architecture that we see across multiple verticals. And then the other part of this is the data coming off of it. If you cannot be reasonably certain that the data coming off of these satellites is what you think it is, then what’s the point of the satellite? It kind of invalidates the transmission method because you can no longer authenticate the information you’re getting from the satellites.
So it’s extremely important for those reasons and we’ve done tests. If you think about it the ability to deliver an out of band key anywhere in the world, especially as you’re talking about military and intelligence applications, is incredibly important especially in light of these oncoming advancements in computing.
[00:09:42] Camille Morhardt: So what percentage of our critical infrastructure is being provided by satellites now? We’re seeing more and more launch all the time. I’m thinking about telecommunications, but also I suppose, media and entertainment. How big of a problem is this going to be?
[00:10:03] Eddy Zervigon: If you think about it, I think the most recent stat and I’m loosely quoting a report that was issued by Space Capital. I think satellites are about 3% to 4% of the total internet communications traffic. So it’s a small percentage, but it’s growing rather rapidly because of the ease of launch of these satellites.
I remember when we used to launch satellites back at the old DigitalGlobe, we were talking about $60 to 70 million to launch a satellite, and now you’re talking a fraction of that. People are launching satellites for $1 to 2 million bucks. And so that’s part of the reason the satellite industry has been fueled because the startup cost to get up there is a lot cheaper.
[00:10:43] Camille Morhardt: What other kinds of verticals are in? I don’t know if space is a vertical. Do you consider it a vertical or is it a horizontal?
[00:10:49] Eddy Zervigon: Well, it’s a horizontal in terms of industry segments–there are multiple industries, but it is a vertical in that there is a finite group of folks that do this and scale that make a lot of sense. The verticals that we really go after are governments, right? And they’re the ones that recognize the problem probably more so than anybody else. And also financial institutions; you may have seen some recent coverage regarding financial institutions taking a much more proactive view on the quantum threat. We’ve been working with several financial institutions in exploring the way to future-proof their architecture.
If you’re going to put a lot of money into your next generation SD WAN architecture, you better make sure that it’s future-proof because if not the cost of ripping and replacing as well as the downtime of the production networks being down becomes incredibly expensive. So financial institutions, data centers. You know, this world of what we call zero trust architecture, right?–so whether it’s going over terrestrial networks that you can’t readily define work that is traveling. I could be sending you an email anywhere and it could travel who knows how many countries, how many data centers before it gets to you, right? So you got to make sure throughout that whole path that it’s protected. If it’s something obviously that you want to protect. And that’s something that we really try to focus in on, especially as it relates to data centers.
I would say the 16 critical industries that were defined by the Biden Administration, Energy is one that’s extremely important because that’s where you’ll see real, what we call “killware,” which is the next generation of ransomware. We’ve seen with Colonial Pipeline what we could basically call a rudimentary attack can do and the ill effects that come from it. Just think about being able to increase the gas pressure on a line 20 times beyond its maximum threshold and what that might do to a substation and then everybody down the line.
[00:12:43] Camille Morhardt: So when you talk about killware as the next generation of ransomware, you’re saying rather than extract money or some sort of compensation in exchange for freeing up the resources, you actually just destroy the resource?
[00:12:56] Eddy Zervigon: Yes, that’s right. And you do that by perpetrating what’s called a “man in the middle” attack where you actually get in and are able to falsify who you are and therefore allow real access to control data. One thing that we’ve seen as a result of the pandemic, we are extending the range of reasonably acceptable in terms of the edge of computing and being able to access network controls–significant important network access controls.
That’s all great, but that comes at a cost and therefore the further and further you extend the edge, the more and more issues that come up as a result in the potential for nefarious actors to engage in your network.
[00:13:42] Camille Morhardt: There was an Executive Order relatively recently and I’m wondering if you can talk about what you think that will mean in the commercial sector over time.
[00:13:55] Eddy Zervigon: There was an Executive Order last year that came out that kind of got the ball rolling on what we would call post-quantum cryptography. And then about a month ago, an Executive Order came out from the White House National Security Memorandum 8, which really ups the game–which puts specific timelines that government agencies have 180 days to put in next generation cryptography to mitigate the issues that we’re talking about. If they don’t, they have to seek a waiver from the government. And so the ball is now rolling and even though there are not specific penalties or fines associated with it, that will come.
If you look at years ago OMB 6-16, which basically said that if you are dealing with a government remote device, you need to make sure that data on the device is encrypted and has things like two-factor authentication, and password time out. Right? So if you’re not using it for a certain amount of time, like 10 minutes you get automatically logged out. Those are things that were incorporated into OMB 6-16 and very shortly after private enterprise had to incorporate that. Now it’s ubiquitous. And so we see many of the same parallels happening with NSM-8; as government agencies start rolling this out it’s not going to be long before regulated entities like financial services, for example, are going to have to follow suit.
[00:15:18] Camille Morhardt: The one vertical that you didn’t mention that I was kind of surprised was automobiles, because they have just such a long lifespan once they’re released.
[00:15:28] Eddy Zervigon: That’s a good one. But you know, you have to pick and choose your spots, right? If you’re talking about autonomous vehicles in the future and what that can mean for somebody sending an update to your Tesla and all of a sudden being able to get a hold of and control your vehicle as you’re driving and prevent you from braking or accelerating, that’s going to be a problem, there’s no doubt about that. And that’s something we’ve got to solve for, but I think right now financial institutions are dealing with significant dollars. And right now it’s estimated that every single fiber optic line of interest coming in and out of Manhattan is being basically scraped for play later on when there’s the ability to decrypt it. And so those are the things right now we have to figure out and in very short order.
[00:16:21] Camille Morhardt: So you’re saying, we’ll just use the term “bad hackers” for lack of a better term, are collecting information today, even though they can’t decrypt it so that in the future when they have access to quantum they could actually then decrypt and look back and see what was being exchanged and possibly put together some kind of information from that.
[00:16:44] Eddy Zervigon: Sure, we know the governments have said they’re doing that. They may not have put it as bluntly as you just put it, but they are doing it. And so that’s part of the problem because it’s not like Y2K where everybody thought December 31st, 2000 was the problem date. The problem is today; it’s happening now. The question is when we talk to CSOs and CIOs the thing that we want to focus on is where are your biggest pipes and what is your most pertinent data? By pertinent data, meaning data that you want to keep secret for an extended period of time—five, ten, 15 years, certainly inside the Q Day, if you will, meaning the day that quantum computers can actually break encryption. We’re not talking about having to cover every single piece because it’s a piecemeal operation; you’ve got to figure out where your largest vulnerabilities are and address those as soon as possible.
[00:17:38] Camille Morhardt: So if you’re a CEO of a company, let’s take another company, who’s a CEO or somebody in the C-Suite who’s been alerted to this problem and now they’re saying “we need to do something about it.” What’s their first step? Should they be looking at does their cloud service provider have a plan because they have a lot of their corporate IP stored on the cloud service provider? Or should they be looking at an in-house plan? Does it depend on their industry? How do you even begin to assess your situation?
[00:18:10] Eddy Zervigon: You’re starting to see this now. There’s going to be a whole area of quantum threat assessment, and we’re helping some of the larger consulting firms really think through that. It’s basically developing a threat matrix to see where are the largest vulnerabilities that have the information or the data that’s flowing through them that are most pertinent, most relevant and most important for you to keep secret for a period of time. And then seeing within that threat matrix, if you will, where are the points where you lose control of the data and then figure out where you’re going from there. As we go more and more to the public cloud this becomes more and more of an issue, which is why we’re talking to the data centers.
Because we think that right now these are all differentiating factors. To be able to say that you’re the first data center to use quantum-resistant cryptography in order to get data from one end of your network to the other end of the network I think that’s a differentiator. And in two to three years that’s not going to be a differentiator; it’s going to be a must have. So now it’s about really finding those enterprises within any of these verticals that we talk about that want to take a lean-forward lead role in being the ones acknowledged as the thought leader in the area.
[00:19:26] Camille Morhardt: Some people have concerns around a hit to performance as they encrypt more and more data. What’s your take on that? Is it a reasonable trade off or are we getting better and better at other kinds of accelerators that help to overcome that?
[00:19:42] Eddy Zervigon: Performance degradation has obviously been and it’s always been an issue. That’s why asymmetric key encryption was developed, because symmetric key encryption as good as it might be, is not scalable. And now with AES that encryption scheme being under attack, now you’ve got to really think about what we can do. Let’s take One-Time Pad, which would probably be the gold standard, if you will, of encryption; the problem is that the encryption file or the key ends up being larger than the data that you’re transmitting. So therein lies the problem. We think that, again, going back to the way we approach it, it’s an architectural solution. If you’re able to separate the key from the data then all of a sudden the attacker’s problem, does it become the key becomes finding the other key. The second key–what we call the KEK, the key encrypting key. And if you’re able to use that really as what we like to call defense in depth, then that’s more, I think, a more effective and more efficient than just making the math harder and harder to a point where the cost of transmitting the data with the key becomes prohibitive.
[00:20:54] Camille Morhardt: And KEK, just to make sure we’re defining it clearly is Key Encryption Key. This is the key that you’ve encrypted, the key that you’re using to decrypt the encryption with.
[00:21:08] Eddy Zervigon: Correct. Which is sent out of band.
[00:21:11] Camille Morhardt: Right. Okay. And what does out of band mean?
[00:21:13] Eddy Zervigon: “Out of band” means over a separate channel. We talked before about two-factor authentication, if I’m in my bank account on the internet and I’m trying to wire my brother $15,000 and all of a sudden I’m going to get a token on my cell phone, a completely different communication–it’s a cell communication of the token that I now have to input into that. So it’s the same concept.
I mean, what we do is not easy to do, and there’s a lot that goes into it, especially when you’re dealing with a lot of vendors, right? That’s the beauty of what we do. We’re agnostic. We try to make sure that no matter how this evolves, the investment that you’ve made in terms of architecture will cover you. And that’s what really it’s about, because if you look at DHS and you look at Secretary Mayorkas’s directive last March, they talk about post-quantum cryptography and the algorithms is well on its way to being effective and successful, we think we hope. But the reality is that we’re most worried about adoption because how are we going to put this all together? Especially if you’re in an industry such as financial services, where you’re highly regulated, you need FIPS (Federal Information Processing Standards) validated year, right? How is this all gonna come together?
Again, it’s the largest cryptographic migration in our history. And even if we get the math right, even if we get the algos right, the question then becomes, how are we going to incorporate it and use these newfound tools in a way that’s going to be adopted seamlessly–or so you would hope–into multiple industries, multiple security stacks that are going to be needed in order to be effective?
[00:22:55] Camille Morhardt: Well, a very interesting conversation, Eddy. Thank you so much for your perspective. I appreciate your time. And also the fact that you’re looking into this and trying to help everybody figure out what to do and how to future proof.
[00:23:07] Eddy Zervigon: Thank you so very much, Camille. I really appreciate it, and love your podcasts; I listen to them all the time, so thank you for what you do.
[00:23:14] Camille Morhardt: Thanks.