Skip to content
InTechnology Podcast

Ready for Q-Day? Post-Quantum Cryptography at RSA 2024 (206)

In this episode of InTechnology from RSA Conference 2024, Camille gets into quantum computing and post-quantum cryptography with Dr. Richard Searle, Chief AI Officer at Fortanix; Chris Hickman, Chief Security Officer at Keyfactor; and Andrew Driscoll, Quantum Security Engineer at Accenture. The conversation covers an overview of quantum computing and post-quantum cryptography, how organizations can prepare for a post-quantum reality, and when quantum computing will arrive.

To find the transcription of this podcast, scroll to the bottom of the page.

To find more episodes of InTechnology, visit our homepage. To read more about cybersecurity, sustainability, and technology topics, visit our blog.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our host Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

Overview of Quantum Computing & Post-Quantum Cryptography

Richard explains how quantum computers rely on a physical system composed of atomic structures, which can perform massively parallel calculations. However, it’s because they can simultaneously compute extremely complex functions that they pose a risk to the cryptography in place today. This paves the way for new standards through post-quantum cryptography. He also introduces the concept of “steal now, decrypt later,” or SNDL, already taking place today, which is when bad actors steal or copy encrypted information to then decrypt later with a quantum resource. Inevitably, we are heading towards Q-Day, which Andrew details as the day when a powerful quantum computer will be able to break our modern-day encryption standards.

How Organizations Can Prepare for a Post-Quantum Reality

Andrew and Chris then begin to break down how organizations can get started on their quantum journey. First and foremost, organizations must understand that it is a multi-year process to even prepare for quantum computing. Chris particularly highlights how even understanding where an organization’s crypto assets are today, what they are, and which ones could be impacted by quantum cryptography in the future is a huge undertaking. Andrew outlines a process of strategy assessment, educating stakeholders, and understanding their cryptography ecosystem—particularly when it comes to protecting sensitive data. Chris also emphasizes the importance of looking at the entire supply chain, including cloud providers and third-party sources that currently hold an organization’s data.

As for use cases of quantum computing, Richard notes the ever-increasing intensive compute demand to support AI adoption. However, he explains how current computing is not sustainable for that demand due to the availability of hardware, performance of hardware, and efficiency in power consumption. The solution to these problems, he says, is quantum computing. Richard then compares the similarities of how cloud computing changed the compute landscape for both performance and security risks to the advent of quantum computing today. Eventually, organizations will need to be prepared to comply with upcoming post-cryptographic standards, whether they be standards from NIST or other world governments. While set standards are still developing, many governments have already published recommended guidelines that organizations should follow during this time of preparation and transition.

When Will Quantum Computing Arrive?

The conversation wraps up by addressing the questions of when quantum computing will be unveiled and how organizations can pace their preparation timing. Chris stresses that right now is the time to begin preparing and that organizations should approach cryptography like any other element of critical infrastructure. Andrew then illustrates how quantum computers with the ability to break modern-day encryption could likely already exist, but their existence might be kept secret for a while if developed by nation-states or organizations using it for highly sensitive purposes.

Regardless of when exactly such quantum computers will arrive in the public eye, Richard says CISOs should be giving post-quantum cryptography their immediate attention. Chris adds that the transition to post-quantum cryptography will not be optional because the current systems will no longer be trustworthy in the future. To time the transition right for a post-quantum world, Chris says to start with assessing an organization’s current risk of “steal now, decrypt later” and migrate a little at a time rather than all at once when it’s most expensive. Ultimately, Richard and Andrew both emphasize that sensitive encrypted data is already being copied and that now is the time for organizations to prepare to protect future data with post-quantum cryptography.

Dr. Richard Searle, Chief AI Officer at Fortanix

Richard is currently Chief AI Officer at Fortanix, where he was previously Vice President of Confidential Computing. He has served as the General Members’ Representative to the Governing Board and as the Chair of the End-User Advisory Council for the Confidential Computing Consortium of the Linux Foundation. Additionally, Richard frequently contributes thought-leadership articles and delivers talks on quantum computing, AI security, and the applications of confidential computing. He has a Doctor of Business Administration degree from the Henley Business School, an MBA from The Open University Business School, and is a Fellow in Manufacturing Management and Manufacturing Engineering from Cranfield University.

Chris Hickman, Chief Security Officer at Keyfactor

Chris Hickman has been Chief Security Officer at Keyfactor since 2006. Before Keyfactor, he served as Director of Technical Services at Alacris, a smartcard and certificate management company now part of the Microsoft Identity Manager product suite. Chris’ work has included PKI projects for organizations and firms including NATO, both the U.S. and Canadian Departments of Defense, Fortune 100 banks and financial institutions, manufacturers, telecommunication providers, insurance companies, and retailers.

Andrew Driscoll, Quantum Security Engineer at Accenture

Andrew Driscoll is currently a Quantum Security Engineer at Accenture, having previously served in the roles of Security Consultant and Senior Security Analyst. He has a Bachelor’s degree in Computer Science with a concentration in software, web, and computer security from Bradley University. Before joining Accenture, Andrew was an Information Security Summer Analyst Intern at Accenture, a Software Validation Intern at Caterpillar, and a Code Sensei at Code Ninjas.

Share on social:

Facebook
Twitter
LinkedIn
Reddit
Email

Welcome to InTechnology, Live from the Greenroom, behind-the-scenes conversations with speakers who are shaping today’s discussions on cybersecurity, sustainability and technology.  The following conversation was recorded as part of the 2024 RSA Cybersecurity Conference.

Camille Morhardt  00:21

There’s a lot of chatter across the media right now about quantum compute and post-quantum cryptography or PQC. But there really aren’t a lot of meaningful conversations about what those terms mean. And what is the timeline for the realization, how concerned we should actually be and is there in fact, anything we can do today to help prepare ourselves for it? That’s the focus of today’s conversation. And to have it we brought in three world class experts who actually deal with this stuff on a daily basis. From Fortanix we have Dr. Richard Searle, who is Chief AI Officer, Chris Hickman is Chief Security Officer of Keyfactor. And then we have Andrew Driscoll, who is Quantum Security Engineer with Accenture.  I’m your host, Camille Morhardt.

Richard, I hope that you can kick us off by just giving us a sort of high-level practical reminder of what is quantum compute and how does that intersect with post-quantum cryptography?

Richard Searle  01:17

Yeah, thanks, Camille.  So, quantum computing is a different form of computing to the digital environment that we’re used to today that’s based on electronic devices. So, a quantum computer relies on a physical system composed of atomic structures. And those atomic structures can be used to perform massively parallel calculations. And there’s a lot of research and investment going into that domain at the moment. And one of the possible risks of those computers is that because of their ability to compute very complex functions simultaneously, that this poses a risk to the modern cryptography that we use today. And hence the need for different cryptographic standards, which have been referred to as post-quantum cryptography. And those post-quantum cryptographic algorithms are deemed to be resilient or safe against the attack from something called a crypt analytically relevant quantum computer, which is a form of quantum computer that has the power, or the scale and the stability needed to break the existing cryptographic algorithms that we use today for things like our public key cryptography.

Camille Morhardt  02:29

Can you just comment briefly on “steal now and decrypt later”? What is it that we need to be worried about?

Richard Searle  02:34

Yeah, so this is a very important point, you know. That crypto analytically relevant quantum computer is deemed by experts to be some way distant. It varies in terms of the time horizons that people consider that computer to be a realistic prospect. And perhaps we’ll get into that today. But one of the problems is that data has a lifespan. And that lifespan can extend into tens, if not 100 years, or more based on the lifespan of an individual or an organization or state secrets, for example. And so there is this attack vector called “steal now decrypt later,” where encrypted information can be collected by an adversary today and stored and then that information can be decrypted at a later date with a quantum resource that they may be building in order to steal the information or to evaluate the information within it. So even though quantum computers are still under development, and that cryptanalytic, the relevant quantum resources some way distant, it’s actually a problem that we need to face today in terms of the security of our information, and how we’re actually safeguarding that for its future lifespan.

Camille Morhardt  03:47

Might be a good time to ask, hey, Andrew, what is Q Day?

Andrew Driscoll  03:50

Q Day stands for Quantum Day. And this is essentially the day in which a quantum computer will come out and be able to, or I guess, a cryptographically relevant quantum computer or as we call it in the industry, CRQC. And that is when a quantum computer with enough computing power will come out to be able to break modern day encryption.

Camille Morhardt  04:10

Okay. And so you’re at Accenture. So I want to know, what are your customers thinking of top of mind right now? And then what are they not thinking of that is making you concerned?

Andrew Driscoll  04:20

Yeah, so what customers are thinking of right now is basically just how they can get started with the quantum journey–like what are the initial steps for the quantum journey to be quantum safe or quantum secure. And some of the things that we think they should know is that this is not just like a trivial thing that can be done in overnight. This is like a multi-year process, just because of the amount of encryption that is used in every single application and every single day of our life. All of that encryption from your like iMessage app, Microsoft Teams, Google Meet, all that encryption needs to be updated to a more post-quantum safe algorithm. Luckily, to help with this, NIST is going to be publishing standards within the next couple of months on what algorithms they deem to be the new standard for quantum safe, and those algorithms are what will be required for companies moving forward to adopt.

So being able to understand the fact that this will be a multi-year journey instead of just a singular, you know, maybe 30 days/half a year journey, I think is the very big problem that we see clients misunderstanding.

Camille Morhardt  05:32

Okay. And so Chris as a CISO, can you comment on some of the main challenges of this migration?

Chris Hickman  05:40

As Andrew definitely alluded to, it’s quite a massive undertaking for organizations to really get their arms around.  For an organization to even understand where all their crypto assets are today is a pretty big task. And, yeah, we’ve generally, as an industry taken cryptography for granted. And, you know, now’s the time to sort of bring it into focus more as we do with other elements of critical infrastructure, where we need to start paying attention to what is in our organization, how does it work, and we’ve sort of taken a fire and forget approach towards crypto and really not had to concern ourselves too much with does it interoperate with this that the other thing and so on and so forth.

What’s really being pushed now is this concept of in order to get ready for these post-quantum algorithms–standardization of them, and then downstream the adoption of them–is to start looking at where are those cryptographic assets in your organization? What are the ones that are impacted by quantum cryptography at some point in time in the future, but to look at that alongside of your data, as well, and as Richard mentioned, you know, the lifespan of the data has a play here. You know if something is going to not be of any importance in a year has a different connotation than if it’s going to still be relevant in you know, 50 to 100 years. It is a massive undertaking for organizations to start to get acquainted with the concepts, the impact of that change, and then downstream, the actual plan to effectuate that change.

Camille Morhardt  07:03

Yeah, you know, I wonder if Andrew, you can give us some guidelines in terms of what sorts of industries or what kinds of companies or what types of data should send up a red flag in an organization to start putting together this kind of plan that Chris is outlining?

Andrew Driscoll  07:21

Of course. What we recommend to you at Accenture is companies should be doing a strategy assessment to basically understand where their organization is at, educate key stakeholders understand where their ecosystem–and by ecosystem I mean, like vendors–what they’re using, what the roadmaps are crown jewel locations, all that stuff. We recommend doing discovery phase and by discovery, we need more understanding where your cryptography is at. The reason why we’re recommending this along with you know, strategy–and there are more steps that we also recommend– is because in order to know what crypto you need to change, you need to know where it’s located. And obviously, you may have applications or systems that will tell you what crypto you have right now. But chances are, it’s probably not entirely comprehensive; you know, especially with applications that are commercial off the shelf applications, you may need to go to the vendor to get what we call a cryptographic bill of materials. And that holds a whole bunch of information. But primarily the key piece of information is what cryptography they are being used. And then from there, understanding what that vendor roadmap is to being post-quantum.  And if you go and talk to one of those vendors and realize that post-quantum cryptography is not on the roadmap for the near future, you may want to find an alternative application that will better suit your data needs.

And to answer your other part of the question, what type of data would need protecting? This could be a whole host of data. I know Richard and Chris, they both touched upon this. But this could be data such as state secrets, national secrets, PII or personally identifiable information, healthcare records, financial transactions–especially from banks that hold a bit more of that sensitive transaction type information. So all of that data, and more, would need to be protected.

Chris Hickman  09:19

If I could just add to that, too. Don’t forget about your cloud providers and the rest of your third-party sources that today hold some of your data or in part. You know, it’s important to look at the entire supply chain. And we all know in security, and unfortunately, a repetitive theme that we’d like to get rid of, you’re only as good as your weakest link. So if you’ve got data that is stored in a third-party app in the cloud somewhere that is not going to be migrating to post-quantum at the same time your organization is,  that could become your weakest link for possible theft or intrusion.

Andrew Driscoll  09:52

That is very true. Thank you for that, Chris. And you know, I kind of little quick little segue is we know, there are lots of advancements in quantum computers kind of what Richard was talking about. One thing that is top of mind for us is China’s quantum computing developments. Because right now they have the fastest quantum computer in the world; that quantum computer, it doesn’t do a whole lot, but it does one thing really well and that is factoring. The reason why factoring is so important is just because the primary encryption that is vulnerable, that’s what its main method is used for making that encryption.

Camille Morhardt  10:25

So hey, Richard, I wonder if you could comment on some of the use cases today that are anticipated for quantum computing. We’re moving in this direction but let’s just back up for a second. So why are we moving in this direction? You know, what kind of use cases we use for compute?  And then, what kind of use cases are sort of being innovated or developed right now behind the scenes that we’re expected to see once we have quantum computing?

Richard Searle  10:48

The people that are conducting research into quantum computing, with the exception perhaps of some of those potentially hostile state actors that are developing quantum computing for the purposes of breaking our existing cryptography, they’re developing it as a more efficient method of computation so that more intensive computation can be done to effectively power some of the applications that we’re going to need and use in the future. And a good example of this is, you know, I’m going to use the acronym du jour AI, artificial intelligence; there’s an enormous intensive compute demand to support the adoption of AI right now. And that’s not sustainable on a number of levels–both in terms of the availability of hardware, the performance of hardware, because of the types of models that we want to run–and also the efficiency of that hardware in terms of its power consumption. And sustainability is already a cause for concern within the industry with regard to the intensive nature of the compute involved. Quantum computing potentially offers a solution to this.

And so the acceleration of research and interest in quantum computing to support those benign use cases for computation are actually accelerating the progress towards that crypto analytically relevant quantum computer that Andrew spoke about. And this is the danger, you know, there’s potentially a complacency in thinking that quantum computing is always on some sort of ten-year time horizon. And it’s probably been ten years for the last 30 years. But actually, with the developments that we see around progress in AI and the ability of quantum computers to perform the types of complex matrix computations that are necessary for fast AI models, this is potentially building that resource that we should be concerned about from a cryptographic perspective.

Camille Morhardt  12:41

Can you also address cybersecurity concerns not just about how we’re going to use quantum to hack today’s cryptography, but what kinds of concerns do we have about quantum itself and how it might be attacked?

Richard Searle  12:53

So quantum computing can be considered really in the same domain as cloud computing today; it’s a potentially untrusted resource. And the other thing is, we’re not all gonna have quantum computers at our fingertips in the same way we don’t have huge cloud computing data centers at our fingertips. These are going to be concentrated resources, IBM have spoken about quantum centric supercomputing, very much back to the old mainframe model that they built their businesses in the 1950s, for example.

So when you’re sending information or computations to the cloud, you need to protect them. And the same will be true of quantum computers. So that interface between the digital domain, the client side, if you will, and the server side–which is the quantum resource in some compute center somewhere–needs to be protected.  There needs to be a secure interface so that there isn’t data leakage to the quantum computer that may well be able to break any cryptography that’s been applied to it. So, there’s a lot of different aspects to the cybersecurity of quantum computation. And certainly we’re investigating that with partners today in terms of how those interfaces need to be built, because there’s an interface between the digital system as I mentioned at the start, and a physical system, and that poses some discrete challenges. And also the location of those secure endpoints, which may need to be more proximate to the quantum computing resource than they would be in a cloud domain, for example, when we’re using API’s across public infrastructure.

So there’s a lot of different aspects that the industry needs to address in terms of not only encrypting the information at source, but then also protecting it in use within those quantum resources. And also where those resources are shared, actually providing the isolation guarantees between workloads from untrusted parties.

Camille Morhardt  14:46

Possibly all the way down to the hardware level, I assume.

Richard Searle  14:49

Exactly.  And I think you know, as Chris alluded to, this is potentially a supply chain issue as well, where you’re going to be using, for example, perhaps some open source models and some open source tooling to build those workloads. What is the cryptographic standards that have been applied within there? Andrew referred to C-BOM, the cryptographic bill of materials, that it is becoming an ever-increasing focus. And actually understanding of each part of the chain where the cryptography is applied and to what standard is going to be vital to ensure the security of that system because any weakness at any one point will undermine the use of post-quantum cryptography further up the stack.

Chris Hickman  15:31

We’re also starting to see trends around sovereignty as it relates to post cryptographic standards. So it may not be a one size fits all solution for large global organizations where they also have to take into account sovereignty issues of where those cryptographic algorithms are being derived from. So it’s going to make for a very interesting set of complex maneuvers that every organization has to take.

Richard Searle  15:55

Yeah, Chris makes a great point there. So we’ve been talking to customers and government agencies around the world–I’ve just come back from Sydney in Australia hosting a post-quantum cryptography roundtable with very large institutions there—and a lot of nation states are actually looking towards the NIST post-quantum cryptography competition as the benchmark for the standards that they should adopt. But that’s not exclusively the case. And that particularly applies in Europe, where there has been some controversy over leakage of information, for example, back to the United States. Sovereignty is a big concern within Europe. And they’re also looking at independent post-quantum cryptography standards.

So as Chris mentioned, actually understanding the standards that need to be applied within specific domains where these quantum resources are going to be located, and how the information is transferred between those different jurisdictions poses an additional level of complexity in terms of understanding how to actually adopt and apply the standards within your workloads.

Camille Morhardt  17:00

Do you expect they’ll converge ultimately? Or is this really a matter of having to track multiple standards across different countries or geographies?

Richard Searle  17:08

Well, I think a lot of people are looking at the NIST post-quantum cryptography competition as the benchmark, as I mentioned; and the reason for that is that there’s a lot of investment and analysis being concentrated in that particular process. And obviously, we use standardized NIST cryptographic algorithms today to encrypt data and perform public key cryptography.

But nevertheless, you know, there is a broad spectrum of research happening that is also designed to attack post-quantum cryptography. The day before this was recorded, a new paper was published, positing some attacks on lattice-based cryptography, which is an important method within the post-quantum cryptographic spectrum. So, as well as looking to those sort of centralized standards, from NIST and the potential for international consensus, I think a lot of agencies, particularly when foreign governments are also considering whether they need independent standards in order to provide cryptography that is resilient for their own jurisdiction–so that information related to their state secrets can then be decrypted by others–and also potentially thinking about the risks, the vulnerabilities within the post-quantum cryptographic standards that have been drafted so far.

Camille Morhardt  18:30

Chris, bring us home here and tell us, given all of this information, you know, what is your recommendation, in summary, of what to do now? or sort of what at the highest level? And then what to do if you’re a little bit more mature in your thinking for your organization?

Chris Hickman  18:44

Yeah, I mean, as I surmise for everybody, it’s a great time to prepare; it’s probably not time to panic yet. There will come that time. But yeah, this is a big space, we’ve gotten fairly deep on a few complex areas. But in general, my advice to people is, this is an evolution of cryptography. We talk about it in terms of post-quantum because of the risk that quantum computing presents. But another way to look at it is it’s an evolution of cryptography. If organizations are going to start to take note of this space, which everyone should, there are some great guidance out there through various government organizations. I think every country now or most countries have guidance that they have published on steps to take. They all have some commonality that we’ve mentioned around doing a cryptographic inventory and starting to do preparation, to be aware of your data, so on and so forth.

But you know, in addition to that, another piece of advice that I will give people is start looking at this technology, start looking at doing some testing and becoming familiar with it; understand what it means. It is not the same as your traditional RSA crypto, there are impacts because of key sizes change and things of the sort. And most importantly, exit from this exercise with an approach towards cryptography that allows you to treat it like critical infrastructure–treat it like other important elements in your organization–and to become upwardly agile with it so that you can on an ongoing basis, address whatever is coming at you and coming your way. So that as these, like Richard said, these nuances that are found in things we don’t know yet and so on and so forth, you can continue to protect your organization and make sure that you’re ready to set yourself up for successful future.

Camille Morhardt  20:28

So, Andrew, what is the timeline that we’re looking at for quantum computers to become real?

Andrew Driscoll  20:33

As you know, as people know, from what Richard was saying is that computers come with an immense amount of computational power. And if a nation state were to develop a quantum computer, they may not want other people to know about that. The reason being is because with that immense computational power, they could read the communications of adversaries and understand what they were doing, what their secrets are that they may not want other people to know. And so, with that being said, it may be many, many years from when a quantum computer’s actually invented to when it actually gets announced, found out or whatever, or when another entity or organization says, “Hey, we made the quantum computer.” So, knowing when a quantum computer come out is a tricky question to answer just because of who may be the first to get to it, and what their motives are, I guess, behind making a quantum computer.

Camille Morhardt  21:25

Do you think they already exist?

Andrew Driscoll  21:27

They do exist, but they don’t exist to the standard of being able to break modern day encryption, like the cryptographically relevant quantum computer that I was mentioning. So they do exist, but not to the level that it would threaten our current encryption.

Richard Searle  21:43

If I can come back on Chris’s last point as well, Camille, actually, is there’s something important that when it comes to preparing for the transition to post-quantum cryptography, as Chris said, you know, it’s an evolution of your cryptographic environment. And I think one of the important points is that organizations should have this on their register, CISOs should be identifying this as something that requires their immediate attention. And the other thing is that organizations can’t make the transition to post-quantum cryptography alone. This is going to have to be done on a risk-based basis so that you’re thinking about your most sensitive data first–as Chris said, you know, the lifespan of that data will vary.

But also the physical supply chain from an organization through its customers, suppliers, needs to be considered because everybody needs to make that transition at the same point in time. Otherwise, it undermines the security of the overall data environment. So this is an important consideration that people need to be thinking about in the broader context of where their organization connects, what information flows there are between organizations and again, this is something that is part of keeping up to date with the guidance provided things like NIST Special Publication 1838A, which gives indications of how you should be preparing for post-quantum cryptographic migration, and working with the organizations like those taking part in this webinar to think about the tools and the methodologies necessary to implement that transition in an effective and secure manner.

So this isn’t an imminent concern, even though those quantum computers that threaten our cryptographic standards today may be some way distant as yet.

Chris Hickman  23:36

On top of that, this is not going to be an optional change, either. This is going to be something that everybody is going to have to do from the largest government and financial and healthcare organizations down to the small retailer. You know, maybe one or two location type coffee shops over time will be impacted by this change. It is absolutely something that will happen over time, because we won’t, at some point in time, be able to trust the things that we are trusting today.

So, the change is inevitable. It is in everybody’s best interest to at least accept that point and realize that change is coming, therefore planning for it makes the most amount of sense.

Camille Morhardt  24:15

Is this kind of a timing balance, though, Chris? Because it’s a significant investment to make these changes in inventory, and then the migration. And so, if you’re doing it too soon, and you sort of risk the standards aren’t set yet, you’re investing a lot, there is no attack. How do you decide when to really get going on it?

Chris Hickman  24:33

It’s combination of factors really, right. So there’s the “steal now, decrypt later.” And first and foremost, one has to assess their risk associated with that. Because if you have sensitive data that is already being stolen, you may already be behind in absence of standards. I’m not advocating anybody necessarily jump in with both feet prior to standardization. I don’t know if that’s the best answer either. But there is risk today. And that’s why we’re sort of advocating and a lot of the guidance sort of says, “take this time now to know what you have.”

I think if we look at any other migration insecurity, yeah, the one thing we can all say is that the time we have to migrate is the time where it becomes most expensive to migrate versus planning ahead and doing it bit by bit and having that runway and that clarity of mind to say “okay, you know what? This is what I have to be worried about today. Hey, this is what I have to be worried about tomorrow, so on and so forth, etc, etc.” But I don’t think it’s a Big Bang transition. I don’t think it can be a sort of Big Bang cutover for any organization, as there is going to be these elements of supply chain. And “Is my hardware ready to go? Have I updated all my OSs?” I mean, if you think all the things that this has to touch, right, “I’ve got some router that’s sitting in a closet somewhere that I haven’t touched in 15 years, because I’ve never had to. Can I even get that to a point where it can be post-quantum?”

Look at IoT devices is a great example. You know, a lot of them may not be able to do post-quantum onboard; they may not have enough memory, not enough addressable space on it, to even be able to deal with those keys. So, it is a long, complex problem that really was going to require time for organizations to solve and figure out what they can’t solve so that they can look at how they’re going to deal with that element. Is it going to be a replace? Is there going to be some sort of that in the middle of the solution that’s acceptable, so on and so forth?

Andrew Driscoll  26:21

Yeah. It’s kind of like the Y2K problem. It’ll touch all assets of your organization. The big key difference between Y2K and when, you know, Q Day will happen is we don’t know when that will happen. Y2K we knew when, Q Day we don’t.  Big difference

Chris Hickman  26:35

Could be tomorrow. Could be sometime in the future. I hear that analogy a lot. A lot of people look at it. And I say “no, it’s not the same.” You’re absolutely correct, Andrew.

Camille Morhardt  26:43

Or as Andrew said, it might have already happened, and we don’t know.

Chris Hickman  26:48

I agree with Interpol that the people who are developing quantum computers at a faster pace are not the ones who are in the business of publishing their work.

Andrew Driscoll  26:57

Yeah. And that’s why we say it’s a today problem, not a tomorrow problem.  Just because we may not know, a quantum computer could be out now. But we may not know for maybe five, ten years, right. But we may not know for a good while.

Chris Hickman  27:09

And there’s some school of thought that we may not need to get to a full quantum computer to break classic algorithms. We may get close enough that classical computing can take over and figure out the last, you know the quote, unquote, last mile, so to speak. So it is a progressive evolution of risk that needs to be accompanied by that evolution of cryptography.

Richard Searle  27:30

The point I was going to make, as well, is that people might be thinking about this harvest now decrypt later attack and thinking, “Well, you know, it’s impossible for an adversary to be hoovering up all of this encrypted data, and you to be storing it.”  But they don’t necessarily need to do that. You know, one of the things that was interesting, you know, in the Second World War, for example, is that before the crypt analysts at Bletchley Park had broken the Enigma codes fully, they were able to map the order of battle of the German Wehrmacht from the traffic. And so if you know the points of traffic that are exchanging sensitive data, you can target the data that you’re harvesting, that more sensitive data, and that exactly creates the datasets that you’re going to focus those quantum resources on first when you have them available. It’s not a question of looking for a needle in a haystack, you probably have the needle already. You just need the quantum computer to be able to expose it. And this is where the consideration of risk in terms of application of the cryptography to which data first is important.

Andrew Driscoll  28:37

Yeah and sometimes we hear at Accenture, does SNDL–so steal now decrypt later or harvest now decrypt later, does that actually happen? And we have heard from multiple organizations and governments that they have noticed that a lot of their encrypted data is being copied. So it is a thing that is happening right now in preparation for when quantum computers come out.

Camille Morhardt  28:59

Chris Hickman, Chief Security Officer of Keyfactor and Dr. Richard Searle, Chief AI Officer of Fortanix, and of course, Andrew Driscoll, Quantum Security Engineer with Accenture, thank you very much for your time today.

Chris Hickman and Andrew Driscoll  29:13

Thank you all. Thank you.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

More From