If wind and sun don’t ruin the energy grid, emerging quantum computing could be safe. Power outages here and there could turn into a sudden national disaster. You can find out here how the federal government can help to prevent this. Federal Drive with Tom Temin reached out to Quantinuum’s head of cybersecurity, Duncan Jones.
Tom Temin: The grid is relevant to the Cybersecurity and Infrastructure Security Agency (CISA) and Quantum. These two things coming together seemed to frighten them. And I think it should scare us all. What is the problem with quanta in particular and the grid in particular and what does CISA advise these days?
Duncan Jones: So, speaking briefly about quantum in general, the threat we face from emerging quantum computers is that they will break many of the encryption schemes we rely on today. And we’ve seen a spate of US government announcements and guidance that really encourage agencies to take this threat seriously and prepare to transition to newer cybersecurity approaches that can withstand this threat. Well, the reason why it’s particularly relevant to national critical infrastructure is because in those environments, if you imagine, we’re talking about power grids here, we’re talking about systems that could be 30, 40 years old in the context of this comprehensive digitization, which we observe in many industries, connected to the Internet. These systems have been used in the field for decades. The return on investment makes sense if they’re there for 20 or 30 years. Therefore, these systems must be built on a cryptographic foundation that stands the test of time. And during that 20, 30 year period, we’re going to see quantum computers appearing that can break the encryption that we’re using today. It is therefore particularly important in this area that these migrations are planned and carried out effectively. Otherwise, you know, the nation is in jeopardy.
Tom Temin: Now I have two questions, one the operating systems and the applications that are used in critical infrastructures. And you see that all the time. Sometimes the network operators have quite old applications and infrastructure to run on. You see that when subways get flooded and they find relays that were installed there in 1964 and things like that. Can these applications and the associated data be encrypted at all using modern algorithms?
Duncan Jones: Yes, the good news is yes. So you know that there is currently a process underway in various industrial settings to bring these systems online. And it has to be done carefully. And what it usually relies on is that you’re bringing in edge computing as a concept here because you need to connect these, as you sometimes say, steam-powered systems to the internet. So what you do is throw something in a plant, which is a relatively modern piece of kit. And then it talks to all these systems and sort of mediates between this place and the rest of the world. So what we’re talking about here, when it comes to the quantum threat, is can we ensure that when these types of control systems are introduced, they are future-proof? So you are ready to tackle the threats we know about today. But also those that are coming, including quanta.
Tom Temin: Right. In other words, in this architecture, encryption lies between the Internet and the legacy operating system and applications.
Duncan Jones: Yes, I mean, of course it varies. And, of course, new systems are constantly being used. We’re seeing, you know, a wonderful surge in solar and wind energy. And these systems are being developed and deployed today. And in those systems, it’s far more sophisticated. You will see these devices connecting themselves to the cloud and sharing information about what they are doing. And even there, we need to see that the security decisions made are future-proof. So we must both be prepared for the quantum threat and use quanta as a tool to keep these systems secure.
Tom Temin: Safe, and not to get too deep into the weeds. But back to the older systems, is there a plan? Or do you see the practice of people, instead of running the old software, somehow abstracting it and running it in an emulation system, which could then change the architecture and change where you need to apply your encryption?
Duncan Jones: Yes, in this industry there is this practice known as digital twins, where you often try to do something in the cloud and you want like a shadow image of what’s in the factory. So you want this model of your steam powered generator turbine thing to be represented digitally so you know what’s happening and if you make a change to the digital version it will reflect that in real life. What this boils down to is that you need a connection you can trust, between the clouds, say, and an industrial facility buried somewhere inaccessible. And it all sits on the encryption and trust that we’ve seen in the world recently as global powers came together and fought over territory. Cyber attacks are real, and the ability to disrupt power grids and things that really bring a country to its knees will happen in the future. That’s why it’s so important and why I think CISA specifically designated this area as an area that needs to focus on being quantum resistant.
Tom Temin: We speak to Duncan Jones, Head of Cybersecurity at Quantinuum. And recently, NIST, the National Institute of Standards and Technology, released a set of so-called quantum-proof encryption algorithms that they believe even the future of quantum computing won’t be able to crack. Does that solve the problem? Are we free here if everyone just adopted these algorithms?
Duncan Jones: It’s certainly a big part of the solution. Yes. These algorithms are based on mathematical problems that we don’t think quantum computers can solve any better than conventional computers. Therefore, they present a solution here. The challenge is that it is very difficult to use these algorithms. So we’re moving from what we have today to effectively, you know, very different underpinnings. It’s a huge effort. And the starting point for many organizations is simply to understand what do they have today? They know that not all of their data is equally at risk from the content threat. And so, what many organizations need to do, and what CISA and recent security memos have emphasized must be done, is a lot of planning, like what have you got? Where do you use cryptography? Where does your data need to stay safe for five or ten years? You need to understand that first to start the transition to quantum security. And then those algorithms, I would say, are half the challenge. The other half is how do we make sure we have good encryption in the first place, good encryption keys. And that’s one of the areas where we can actually start using quantum as a positive force to help us develop encryption that will really stand the test of time.
Tom Temin: How do you assess the status of quantum computing? Does anyone say Russia? Probably less Russia, the chance of them than China? But do they actually already have a real quantum computer that they can use against cyber hacking? Or is that 10 years break? Or maybe never?
Duncan Jones: Well, it’s interesting you should mention China, because Baidu recently announced its own superconducting quantum computer. So it is clear that countries around the world are investing heavily in this technology. We don’t think anyone has a quantum computer today that is actually powerful enough to threaten encryption. That time will come, and we may not know exactly when we’ll have reached that moment. And perhaps even more worrying is the risk that the data we share today may be collected and recorded by such countries, and we may not want to have access to it. And as their quantum computers evolve and mature, they can subsequently decode them and look at them. This is another reason why federal agencies need to take this seriously, because they’re the kind of organizations that share secrets, they share things that have to be secret 10 or 15 years from now.
Tom Temin: Right, I feel like learning how to use these quantum-safe algorithms is a good strategy. You said that was the most difficult task at this point. But at some point you will have to come to terms with it. So why wait for the devil to knock on the door? Perhaps now is the time to familiarize yourself with them and gain some knowledge of how to use them before you have to.
Duncan Jones: Yes, absolutely. And this very much reflects the leadership that is emerging. We have maybe 18 months or two years before that NIST process that you mentioned earlier is fully standardized and announces that this is exactly how we make these new algorithms. This is the window of opportunity for public and private organizations to implement their plans and start testing and exploration: how to be prepared for the quantum threat? How can they use quanta as a tool? How do they do that? They just have to line up their ducks, because we’re a few years away from pulling the trigger on this stuff into production and people have to be ready.
Tom Temin: And perhaps the second implication is that it’s a good time to review your basic system architecture, so maybe you can simplify encryption and apply it in an efficient way, shall we say.
Duncan Jones: Yes, very good point, Tom. Yes, so there is a buzzword in the industry, the crypto-agility cyber industry, that describes whether a system is crypto-agile. It means it’s not a big deal if you change the algorithms from time to time. Many of our systems today are not crypto-agile. And so this transition period will be painful. But if we do it right, as you suggest, we could ensure that future transitions are much easier. So yes, a very good point.
Tom Temin: And one last nerd question: are we making progress on the concept of encryption while data is being used by the processor?
Duncan Jones: It’s an active area of research. It used to be something that was very, very slow and so wasn’t very attractive to people. But lately there have been advances that mean it’s starting to become more practical to work with fully encrypted data, meaning you don’t have to decrypt it at all. I expect we’ll see more of this in the future.
Tom Temin: So one day we will be able to send these quantum computers in endless loops.
Duncan Jones: Well, yes, I mean, infinite loops, entanglement, superposition, anything is possible with a quantum computer.
Tom Temin: Good. Duncan Jones is Head of Cybersecurity at Quantinuum.