Threat Intelligence

    Get Cyber Resilient Ep 112 | Going Quantum with Duncan Jones, Head of Cybersecurity at Quantinuum

    For our first episode of Season 8 we speak with Duncan Jones, a cybersecurity expert and Head of Cybersecurity at Quantinuum. 


    Here, Duncan talks us through what quantum computing is, what it's good and not so good at, the challenges quantum computing is facing and how they are being overcome, and its impacts globally. We also discuss future planning for cyber and wrap up by covering post-quantum encryption and how leaders should be getting ready for this now!

    The Get Cyber Resilient Podcast Episode #112 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara. We have all been hearing a lot about post quantum computing lately, and today we are covering that with Duncan Jones, cyber security expert and head of cyber security at Quantinuum. Duncan has over 15 years of experience developing security solutions for global companies, from securing the backbone of the internet, to maintaining national ID systems.

    At Quantinuum, where they can generate the strongest cryptographic keys in the world using quantum computers, Duncan oversees cyber security activities. He's also a member of the World Economic Forum quantum cyber security initiative. Duncan talks us through what quantum computing is, what it's good at and what it's not good at, the challenges that quantum computing is facing and how they are being overcome, early use cases and what the global impacts could be. We get into future planning for cyber, and cover post quantum encryption algorithms, what leaders should be thinking about now to get ready for this traumatic change, and applications of quantum computing in cyber, e.g. machine learning. Over to the conversation.

    Welcome to the Get Cyber Resilient. I'm Garrett O'Hara. Today we are joined in a very exciting episode by Duncan Jones, who's head of cyber at Quantinuum. Welcome to the podcast, Duncan.

    Duncan Jones: Thanks, Garrett. Nice to be here.

    Garrett O'Hara: Great to have you on. This is what I've been looking forward to for a little while, and- and you're coming all the way to us you know, coming to us all the way from Cambridge, right? You're over in the UK?

    Duncan Jones: That's right. Yes, I- I know that it's a completely different time of day for me here, but it's very good to speak to you.

    Garrett O'Hara: Yeah, likewise. Duncan, look, you're in a very, very interesting space. I think it's fair to say the bleeding edge of computing these days [laughs], and I think something that for many of us is kind of confusing and mysterious, and, you know, maybe it's things we read about but probably don't really fully understand. But before we get into that though, it would be wonderful just to get a sense of how you arrived to being head of cyber at Quantinuum over there in Cambridge?

    Duncan Jones: Sure. Well, like most of my career, it's been a [laughs] series of fortunate stumbles that have brought me to where I am today. And hopefully we'll have a good conversation, because it's only been about two years since I entered the world of quantum. And while I'm far from a stone-cold physicist, I have some sense now of what it's like to not know this stuff and what it's like to have some grasp of it. So hopefully we'll get into some interesting topics.

    But my background is mostly in regular cyber security, so with no quantum sparkles to it. I- I studied computer science at university and just fell into the world of cyber security. I didn't really pick it, it just kind of happened. And it was very good that it happened, because I've discovered, as I'm sure you have, it's it's a field that weathers various recessions and storms, and people need cyber security whether they, you know, want it or not.

    My background is mostly in areas around cryptography and- and hardware security so I spent a number of years working for a vendor of hardware security modules. Got really deep into what it's like to design these sorts of systems for- for banks, for governments, for, you know, protecting the internet itself in some projects. I've spent some time also in research, not being a researcher myself but leading the research work for that company, looking at what are the emerging threats coming three to five years away, and in fact that was when I first encountered quantum as a concept. About four or five years ago, we were looking at it as something coming round the corner, and we started to explore what would it look like to face that as a threat.

    And recent- more recently I spent some time in IOT as well, which I thought at the time was relatively cutting edge. I was looking at how do you manage devices at scale, in a secure fashion. And then I look- I saw an opportunity emerge a couple of years ago that I- I thought looked interesting. It was this company I hadn't heard of, called Cambridge Quantum at the time. And I applied, and they duly said, "Nope, you're not even slightly suitable for that job, but we need somebody who knows cyber security who can help us bring some exciting concepts we have to market." And I said, "That sounds like me, let's do it."

    So I- I jumped aboard, and it's been a whirlwind of a couple of years. And in fact it got even more crazy last year, because, you know, the British quantum software company that I joined, which was called Cambridge Quantum, then merged with a piece of Honeywell in the United States that had been building quantum computers, and suddenly I found myself in the leading quantum company in the world, that has everything from the highest performing quantum computers, all the way through to teams looking at pretty much every area where quantum promises some advantage in the near term.

    So that's sort of how I got to here. I don't know if I could do it again if I wanted to, but I'm very glad that I've ended up here.

    Garrett O'Hara: Yeah, serendipitously landing in a- in a role that seems like it definitely... it suits you, and it's exciting stuff. I- I- look, here's- here's a really basic opening question. Now, obviously quantum is massive. There's people who spend their entire lives trying to understand it, and, you know, the- the famous quote, "If you think you understand quantum com- you know, you- you probably don't." Or there's, you know, some version of that [laughs] sort of phrase, which just points to how difficult a lot of this stuff is. But when I think about cyber security people, what are the things that they would need to understand about quantum physics to get a handle on, you know, where we're going with this stuff?

    Duncan Jones: I think it's important to understand the characteristics of a quantum computer rather than knowing the gory details, and I probably can't do the gory details justice anyway. I think it's good to view quantum computers as very different to the classical computers we use today. They're not going to universally replace the desktop on your- on your, you know, office, or- or your laptop, or your phone in your pocket. They are a very specialized tool that will be able to solve certain problems much faster than we can with normal computers. In fact, they'll bring some problems into the scope of being solvable at all, where if we were only to rely on the machines that we have today, we can't really see a path ahead to how we would solve those problems in any reasonable amount of time.

    They operate of course really differently to classical computers. So- so once you start working in the quantum realm, you start calling, you know, all these amazing machines around us classical computers, as though they're some legacy artifact. But un- unlike classical computers which, you know, they rely on transistors and binary and operations on zeros and ones, the kind of trite way of describing what a quantum computer is, is it's a different mode of computation that doesn't just operate on zeros and ones, it operates on any combination of a zero and a one.

    So you have this thing called a quantum bit, which we shorten to qubit when we talk about them, and a qubit is nothing like a digital bit. It can hold any value, let's say between zero and one, including... you know, these are complex numbers, so there are even numbers that we can't sort of wrap our heads around naturally as humans. And one of the consequences of- of that behavior, which is known as superposition, and also some other funky behavior such as entanglement, and this is where you can link together more than one qubit so that they effectively operate as a whole, you can't talk about one of them without effectively talking about the whole group. And- and that's true whether those qubits are next to each other or, you know, separated by half the distance of the universe. It's one of these crazy things about quantum mechanics.

    But when you bring all that weirdness together, you end up with a very different type of computation, one that is much more about parallelization, so it's about can we compute almost on sort of every possible input to figure out what the answer might be. But also- it's also a very different type of computation because you don't run it once and get an answer, it- it's probabilistic, and by that it means that you need to design your algorithm in a very clever way so that if you run it say 1,000 times, then you'll get a distribution of outputs. And if you've designed your al- if you've designed your algorithm very well, the answer will emerge as being the most common answer you come across. So you sort of run it 1,000 times, or 2,000 times, and you'll get like a peak on your graph, and that will be the answer that you've been looking for.

    So one of the broader challenges facing us is, how can you take real world problems and try and make them look like the kind of problem a quantum computer can solve. Now, the reason why people in cyber security need to perk up their ears and pay attention is unfortunately one of the problems that we can represent in a way that quantum computers can solve is the problem of factoring large numbers. And that unfortunately is one of the problems that underpins a lot of the encryption systems that we use today. We've always assumed, well, you can't solve that problem on a classical computer and- and therefore we can build algorithms like RSA around the assumption that nobody can- can do this maths. And along comes a quantum computer, or soon will come a quantum computer that can actually solve that, which sort of ruins- ruins [laughs] it a little bit, and that is, you know, triggers some of the problems that I'm sure we'll be discussing in the rest of this this interview.

    Garrett O'Hara: It- you- it definitely does. And I think that's the thing that is- it's certainly hitting the news, and you see the coverage by NIST of the, you know, post quantum algorithms, and we'll- we'll sort of get to that I think as we go through the- the conversation. You- you've sort of covered some of the differentiations there between quantum and traditional computing, and- and one of the things that it's- it is good at.

    It would be good to get a sense of what other things you know, quantum computing is good at? And- and then also, what- what is it not good at? Because you did say that we would, you know, clearly it's not going to all... I'm not going to be running you know, Microsoft Quantum [laughs] probably any time soon, right? I'm- I'm probably going to still have some version of a classical computer. But be good to get a sense of the other things that it's good at, and then- and then also highlight some of the things that it- maybe it's not good at.

    Duncan Jones: Yeah, I mean, I think the- the thing to take away about quantum computers is that they are a hugely positive thing. You know, even if you work in cyber security, over the fullness of time you'll be glad that quantum computers exist. And we expect them to have a significant impact in all sorts of different fields. So maybe I can- I could talk about, for example, the areas where we have groups focused on solutions, because that represents where we think there are near-term benefits.

    So an example, a simple example would be in machine learning, where we're confident that as quantum computers develop in power, they'll allow us to perform machine learning operations more efficiently, we'll be able to potentially process, you know, larger datasets, or be able to, you know, process models and compute with less resources. You won't need racks and racks and racks and racks of GPUs to make some operations possible, you'll be able to do that with a combination of classical computing and putting certain critical bits of- of processing onto a- onto a quantum computer.

    Another area that has probably motivated the field itself is the idea of simulating nature itself. And- and that lends itself to chemistry use cases, and in particular to the discovery or simulation of materials, and ultimately the discovery potentially of new drugs or more efficient methods of bringing medicines to market.

    The- the reason being is that everything around us at a- at a macro level looks like it's obeying classical Newtonian physics, but everything is ultimately, we believe driven by quantum mechanics. So if you want to simulate even the modestly complicated molecule, you'll need... It would be very difficult to do that precisely on a classical computer, and it quickly becomes impossible because we can only do so much processing and we can only store so much state with the memory that we have available. A quantum computer, because it operates according to those same laws, is exactly the tool you would need to- to simulate that kind of system efficiently. So that's a major area where we expect there to be some benefits.

    Perhaps the most far out in terms of craziness and also in terms of when it will actually emerge, is a field around using quantum computers to process natural language. And actually, at- at Quantinuum we have, you know, hands down the- the world leading group focused on that. And they believe that we'll be able to represent human language as quantum circuits that we can execute on quantum computers, and ultimately we'll get to a stage where we can use quantum computers to genuinely understand let's say the intent in a, you know, a whole paragraph of text, or something like that.

    What we have today, if you look at GPT3 and some of these other impressive looking, you know, text generators or- or text interpreters, frankly they are very clever pattern matching, and we think that quantum computers will let us take a leap forward to genuinely understanding what words and sentences and paragraphs mean. So that's quite exciting as well.

    Now, in terms of problems that we can't solve, I think, you know, there are certain types of, you know, as you probably know, com- problems in computing can be separated into different groups of hardness, you know, NP-complete, that kind of stuff. And there are groups that, you know, no classical computer or quantum computer can solve efficiently, and I think a- a good example of that would be something like the traveling salesman problem, which does not appear to be trivially solved by a quantum computer versus, you know, being unsolvable on- on a classical computer. And there's a whole bunch of... the- the- the basic arithmetic as an example you probably would always turn to the classical computer to do that, and the future definitely contains both types of computer being used regularly and being used in tandem as well.

    Garrett O'Hara: Yeah, understood. I'm guessing, you know, as you have conversations with people, and- and given how new this is, there's probably a bunch of misunderstandings around quantum computing. And actually, I think you've just highlighted one of them, because I- I, you know, I think many people think once it arrives everything else goes away and that's all we'll do, but clearly that's not the case. Are there other things similar to that, that you come across, where people kind of maybe get it wrong or have, you know, myths that have emerged?

    Duncan Jones: I think the... yeah, the biggest misunderstanding is that quantum computing is simply classical computing, hugely parallelized, and so anything you can do classically, you can just do so much faster, in a blink of an eye on a quantum computer. And I think that- that seems to be the biggest misunderstanding that I come across.

    And- and yeah, recognizing that a classical computer's like a hammer, you know, you can hit nails in with it very well, you can try and hit screws in with a hammer, but it's messy and it doesn't go very well, and sometimes you wish you had a screwdriver, and that's what a quantum computer will be. It will be something that can turn up and solve some problems much better. But equally, if you try and hammer in a nail with a screwdriver, as we've all probably tried at one point in our DIY lives, it doesn't work very well, does it?

    Garrett O'Hara: It's painful, yes.

    Duncan Jones: It is painful-

    Garrett O'Hara: [laughs].

    Duncan Jones: ... and- and it's not the right thing to do. So, yeah, that- that to me seems to be the- the biggest misunderstanding.

    Garrett O'Hara: Yep. All right. That makes sense. I mean, this is sort of a funny one and- and kind of a throw away, but they look really beaut- beautiful, like the machines when you see them in magazines, and you know, Scientific American. They- they always look really gorgeous compared to the- the tower PCs that we're all kind of used to. Will that continue, or is that just a function of them, like- like they right now live in labs and- and organizations like yourself, you know, like yours? But is that a- a thing that will continue? Like why- why are they so pretty? [laughs].

    Duncan Jones: That's a really good question, because they do look gorgeous, don't they, some of them.

    Garrett O'Hara: They do.

    Duncan Jones: I think you're- you're probably thinking of that sort of chandelier looking-

    Garrett O'Hara: Yes. Yeah, that's exactly it.

    Duncan Jones: ... system right?

    Garrett O'Hara: Yeah.

    Duncan Jones: Yeah, it's- it's... I don't think it will last forever, because ultimately we want these machines to be practical in the long term. They can't continue to dominate a warehouse with their size. You know, we're- we're a little bit like... it's like being in the 1950s or '60s and looking at the cutting edge of computing technically. You know, it filled- it filled a warehouse, and now we have something, you know, probably thousands of times more powerful in the- in the, you know, on our wrists even as a watch.

    So I think quantum computing, you know, for it to scale up it needs to- it needs to shrink down, and- and I can only assume these things will become slightly less beautiful over time. What you're seeing there, all of that equipment is what's necessary to achieve some of the extremely low temperatures that are required for-

    Garrett O'Hara: Right.

    Duncan Jones: ... some types of quantum computing to- to to- to- to occur. And in fact, actually going back to your previous question, maybe one of the other myths or maybe just things people aren't aware of, is that quantum computing, un- unlike classical computing where there is sort of one way to do it, you know, there's the- there's only so many ways you can put transistors onto silicon and so forth.

    With quantum computing, you can actually create a quantum computer with many different techniques. You know, we have people building quantum computers using superconductors at very low temperatures. My company focuses on trapping ions with lasers and- and manipulating them in- in that sort of environment. Other companies are exploring, can we actually do this in silicon? It's- it's very different from classical computing in that sense, and it's not necessarily clear if there will be one definitive approach that ends up winning, or whether we have different approaches to different types of problems, and maybe something we haven't even thought of will come along later. So yeah, it's- it's it's very different from classical computing in that sense.

    Garrett O'Hara: Yep. Yeah, understood. There- you know, in- in my reading around this it does seem... like we're in the early days, right? So there's- there's clearly some challenges that your industry is working on overcoming I think in terms of and correct me if I'm wrong, like error rates and stuff like that, where it's getting better and better as time goes by. But would love to get a sense of what- what those challenges are, and- and the progress that's being made to solve those challenges.

    Duncan Jones: Hmm. So one of the- one of the challenges, you're right, is- is around this field of error correction. So in theory, a qubit, a quantum bit is something that you can prepare into a state and you can manipulate with gates that look a little bit like, you know, the equivalents in- in, you know, binary single processing like AND gates and NOT gates. There are similar things like that in the quantum realm. And you could process a qubit indefinitely and eventually get some result out that- that you want.

    In reality, the qubits that we have today are known as noisy qubits. They're not perfect yet. They degrade over time, and you can only perform a certain number of operations on them before you can no longer trust the answer that you get. And you can only keep them in a state for a certain amount of time before they decohere, where they basically have become, you know, they've- they've become impacted by the environment around them, and a lot of effort is spent trying to isolate them from the environment around them.

    So the work, you know, some of the main work that lies ahead as we bring, you know, ever more powerful machines to market is solving that problem of scale. How do we group together multiple physical qubits to create single, logical qubits that then can... they do appear to behave, you know, almost perfectly. And we're making progress down that path. And most of the major quantum computing companies you know, Quantinuum included, and IBM and others are publishing roadmaps of what we expect to achieve over the next three, five, 10 years.

    And so far we're hitting our milestones. If you look backwards at what we promised over the last few years you know, if Quantinuum for example was looking at delivering... you know, we- we- we laid out a plan by which we expected to increase, you know, orders of magnitude of processing capability, and we are hitting that plan. You know, we are in fact overachieving to some extent on that plan. So if it continues like that across the industry, then we will expect to see these use cases in chemistry and machine learning coming online over the next, you know, couple of years, and we'll see, you know, a batch of use cases become possible, and then a year later it's another bunch of use cases are possible.

    And- and once again, diving back to your question of what- what are some of the myths, I think some- some people see quantum computing as a field that would deliver no value until we get 10 or 15 years in the future, and maybe at around the time that Shor's algorithm, you know, this one that will impact us in cyber security, it may be around the time that that can be executed, only then we'll see some benefit for humanity in other fields. And I think that's not the right way to view it. It's going to be a- a- a- a steady roadmap of positive benefits coming out of quantum computing over the years ahead.

    And I think, you know, largely now we see this as an engineering challenge to scale these devices, and- and an engineering challenge that we will be able to achieve. You know, it's- there's not really a whole lot more on the quantum physics side that we need to wrap our heads around, it's now just good old fashioned engineering. Can we do this thing-

    Garrett O'Hara: Okay.

    Duncan Jones: ... at scale, and- and sort of keep the fidelity and integrity of what we're doing.

    Garrett O'Hara: Does do- like do you do kind of... does the research in quantum affect quantum computing? Because it sounds from what you're saying, like if it is just an engineering problem, it- it's that track that you're going on, but is there that sort of academic research that happens in quantum feeding back into what you guys are doing, and maybe tweaking approaches as you discover new things?

    Duncan Jones: Yeah, absolutely. I mean, the- the error correction, as an example, you know, solving that is... it's partly a- a research theoretical challenge. As- as people come up with clever ways to mitigate the impact of errors propagating, then our existing hardware can do better than it did before if somebody has a breakthrough in error correct- correction. Meanwhile, on the engineering side, as we, you know, are able to build more of these things, then we can just, you know, lump physical qubits together to make logical qubits, then we need less error correction. And if both are progressing as they are, forward, then you kind of have a double whammy as we get more and more powerful machines. So yeah, there's definitely a lot of research still going on, and it- it is inter- interwoven with the engineering that is happening as well.

    Garrett O'Hara: Yep. No, that makes sense. Here's a thing, you know, we were talking about the chandelier you know, the appearance of those quantum computers. What's the- what- how do you program them? So I'm guessing you don't sit down... or maybe you do. Do you sit down at a keyboard and, you know, work through a classical interface to deal with the mach- like the quantum machines or the quantum computers? What- what does that look like, and what- do you have new languages to deal with the- the machines that you're working on?

    Duncan Jones: Yeah. So it's a little bit like... it- it feels a little bit like we're at the assembler stage of- of programming at the moment in- in quantum computers, but it's becoming more and more high level. So what it realistically looks like, is that you would sit down at a- at a computer today, and you would use a language that you recognize. It's P-Python seems to be quite heavily used.

    Garrett O'Hara: Okay.

    Duncan Jones: But- but what you're doing with Python is you're expressing a circuit that you want to run, and that's still being expressed in a relatively low level way. You're still effectively describing the gate operations. You know, I'm going to have this many qubits and I want, you know, qubits one and three to go through this type of gate, and I want these two to go through that type of gate.

    So it's still relatively low level at the moment. But that is changing over time. And what the- the challenge that we have solved, or we're sort of tackling now, is- is around how do you compile those instructions in a way that is efficient to run on a specific quantum computer. Because we're still at the stage now where, you know, they probably number in the hundreds, but you can individually point at all the quantum computers that exist in the world, and they each have unique characteristics, you know, they have different numbers of qubits, they have different connectivity between those qubits. You can't necessarily entangle every one with every other one and so forth.

    So actually, you need to, if you want to run your algorithm in a quantum computer, it really needs to be targeted at that particular quantum computer. And so that's one of the areas that Quantinuum looks at. We have a very popular open source product now called TKET, T-K-E-T, which if you get into quantum mechanics you'll realize is a- is a little joke. And that- that solves that problem. You know, you give it a circuit that you want to run, and it optimizes it to run on a specific qubit layout, so that you get the, you know, the maximum, you know, performance out of the machine that you want to try and use.

    But over time, this will need to continue to evolve, and we're also working on that. You know, what does it look like to have an operating system for a quantum computer. How do you begin to express what you want to do in high level languages. Because we- we can't scale this technology if you have to be a quantum physicist to write an algorithm. That's not going to work over the long term. A bit like it wouldn't work now if a programmer has to be sat there with a magnetic pin, sort of setting ones and zeros-

    Garrett O'Hara: Yeah [laughs].

    Duncan Jones: ... you know, on a disc somewhere. That's not scalable.

    Garrett O'Hara: Punch cards [laughs]. Yeah.

    Duncan Jones: Exactly.

    Garrett O'Hara: Absolutely. Yeah, when you mentioned assembler, I think anyone who's ever spent any time programming in that is probably shuddering thinking about how much of a nightmare that is compared to the higher level languages. So good to hear you guys are working on- on [laughs] fixing that problem.

    You know, as you talk through this stuff Duncan, it would be good to get a sense... this- this clearly is something that's going to impact the world and societies in a very, very significant and meaningful way. In our particular industry, you know, clearly we- we worry about what it means for P- PKI and the functioning of the internet and- and, you know, encryption of data.

    But obviously this is- this is something that's probably going to impact society more broadly, right? It's almost like the internet arriving. Or- or maybe it's not, but it feels like it is one of those huge shifts in terms of how we, you know, how we move through the world as human beings. Has there been any thought to what does that kind of look like in terms of the- that impact to society?

    And, again, some of the good stuff, I mean, you mentioned, you know, the beautiful work in terms of chemistry and, you know, and fixing things and better drugs. That sounds awesome. I'm assuming there's thought that's going into the ethics of this stuff, much like AI, you know, the- the sort of Pandora's box of what that all means, and I'm guessing there's- there's similar stuff going on in quantum?

    Duncan Jones: There is, yeah. I've- I've I've seen this topic discussed relatively often at quantum conferences. The CEO of our business, a guy called Ilyas Khan, has spoken on this topic a fair amount. It's something that we- we want to try and learn from the lessons of the past. And you mentioned AI, and I think that's a good example. I think that technology arrived and was being utilized before we had necessarily thought through all of the ethical ramifications of that.

    Quantum is a technology that has attracted attention at the highest levels. You don't often see national policies aligned behind a particular technology. For example, we didn't really see, you know, the UK or the US governments making, you know big proclamations around IOT, for example.

    Garrett O'Hara: Yeah.

    Duncan Jones: Other than occasionally throwing out criticism about the [laughs] security approach that has been taken. But quantum is something that I think the world has recognized is at another level. And so we've seen investment at an unprecedented level from governments around the world, and we're starting to see, you know, policies and statements, and gov- governments are thinking about, you know, protection of the IP that emerges in this area. And I think it seems like ethics is starting to become part of the conversation. I don't know what the solution looks like there. What will it look like if we've nailed the ethics considerations? I- I'm not sure what that looks like.

    Garrett O'Hara: Yeah.

    Duncan Jones: But compared to some other technologies, I feel like that is being discussed at an early stage, and that- and that bodes well I think for the future.

    Garrett O'Hara: Yeah, it's heartening to hear, because I- I do think you're spot on in terms of how humanity has approached things. And- and it feels sometimes like we dive off the diving board without even checking if there's water in the pool sometimes [laughs] when it comes to technology, so good that you guys are having those conversations. What- what does it look like in terms of the kind of global conversations?

    And I'm thinking of here like the geopolitical instability that feels is going on in the world today, and here where I'm going is the- the idea that if something gets there first in terms of like rapid advancements in quantum, what- what does that mean? You know, the- the country that gets there first. And if they're not sort of one of the friendly countries what does that mean for the rest of us, if anything? [laughs].

    Duncan Jones: It's a serious concern, and I think that's mostly what has- what have motivated governments to invest what they have so far, and to begin to, you know, make announcements and policies around the technology. There is a... I guess there is a risk of falling behind economically.

    Garrett O'Hara: Okay.

    Duncan Jones: If you were to not have invested sufficiently in quantum technology and a workforce that is able to take advantage of that technology, because, you know, one of the challenges that we will face over the years ahead is talent, is- is how many, you know, how many folks are coming out of universities and with the right capabilities to embrace quantum. If a country were to fall behind significantly compared to others in this area, then I think it would have a significant economic impact.

    As we start to see these use cases come online, and if, you know, country X, Y and Z are now able to, you know, halve the time it takes them to develop drugs and, you know, your country can't do that yet, then clearly that's going to affect GDP and have, you know, geopolitical ramifications. Obviously the I- other side of this is, you know, quantum is a threat to cyber security-

    Garrett O'Hara: Mm-hmm.

    Duncan Jones: ... and there's always this question mark of, what if China or some country that we feel less comfortable about suddenly gains the ability to run Shor's algorithm and break all of our encryption. And I think that's genuinely concerning. I think there is a sense that nobody believes another country is so far ahead that they're going to achieve that in a couple of years, while it's going to take us 10 years for example.

    But we don't know for sure what's happening in other countries, and perhaps somewhere behind closed doors there's a machine that is more powerful than we realize. Or maybe- maybe there's an algorithm that they have discovered that's better than the best ones that we know about. And so maybe it brings all of this stuff into scope.

    So there is genuine concern around this, and I think it's one of the reasons why let's say America for example has been putting out some very positive messages around quantum, and really beginning to double down on their investments, because they recognize that this is globally strategic.

    Garrett O'Hara: Yeah, that absolutely makes sense. It- it's starting to sound a little bit like the- the plot for a James Bond or a Jason Bourne movie. You know, the- the existence of an algorithm, it's- it's sort of at that level. But, you know, what you've sort of pointed to there is I think cyber security and- and sort of sovereign resilience, is a lot of those things are all tied together these days.

    Drilling right down into an organizational level though, there's talk of companies kind of thinking already about implementing post quantum computing proof of encryption, with the view to the potential for data theft today, and then when this stuff becomes real, that they can then decrypt data that they stole, you know, historically, you know, going back five years or whatever. Do you have any kind of practical recommendations on, you know, that sort of stuff, things that organizations could be thinking about today for their cyber resilience, based on, you know, what- what's coming in post quantum computing?

    Duncan Jones: The main work that companies need to be doing now is planning, inventory, assessment. You know, the- the boring sounding stuff, but the really important stuff. Because we know that quantum computers will arrive in perhaps 10 years that can implement Shor's algorithm. Now, that doesn't mean that on January the 1st, 2032, you know, all the planes fall from the sky and everything goes wrong, because it's not going to be like that.

    Garrett O'Hara: Mm-hmm.

    Duncan Jones: You know, quietly in some government lab somewhere, the ability to do this will emerge. And the first thing that won't happen is they'll rush off to, you know, a particular Australian bank and decide, right, that's the place where we're going to let loose. Right? However, this capability will become more widespread, and eventually it will be relatively straightforward for anybody to- to, you know, decrypt some data that they have in their back pocket.

    So organizations need to think about where is their most valuable data, and where is it being transmitted such that it could be captured by somebody. Because your encrypted data sat on a- sat in cold storage somewhere is pretty safe. I mean, it's- it's safe because it probably is, you know, symmetrically encrypted anyway, and- and- and quantum computers really only have a meaningful impact on asymmetrical algorithms, things like RSA and the stuff that we typically use for communications and for, you know, integrity and digital signatures and that sort of stuff.

    So companies should be thinking about, where do we have long term valuable data that we're transmitting around, that somebody could grab, sit on for 10 years, and still benefit from decrypting in- in the future. And that's only going to be a subset of most organizations' data. And so, identifying that and making sure that that is a priority for migration to new algorithms is- is the concrete step people should be taking right now.

    And I don't think it's a small step, because in my experience speaking to companies large and small, they don't tend to have a very good understanding of what they have where. They will... you know, most- most organizations end up being quite siloed despite best efforts to avoid that. There'll be projects that have spun up over the years, and no one person understands them all. Nobody could say for sure what data is where. And so I think there's a lot of work ahead of most organizations, and it should start now to catalog what exists, such that the prioritization can be made as to what systems need to be migrated.

    And obviously for those people who build their systems themselves, they can begin to experiment and think about what migration and the implementation would look like. But in many cases, organizations compose systems from vendors, and so having early conversations with your critical vendors is also important. You know, what is their quantum roadmap looking like? Have they got one? Sort of hope [laughs] they've got one, but maybe you'll discover, you know, some of the vendors that you need to think about do you want to keep working with them, because it's 2022 and they don't seem to have a post quantum roadmap in place yet.

    Garrett O'Hara: Mm-hmm.

    Duncan Jones: So these are some of the concrete steps that your audience could be taking now to get ready for this.

    Garrett O'Hara: Yep. But it- it sounds like they don't need to run out of the building, you know, with their hands in the air in massive panic. You know, once they start to think about this stuff now, get it on their agenda to understand where the data lives, if there's sort of vulnerabilities in terms of encryption methodologies, then, you know, that's a really strong kind of strong first step.

    Is there any use cases here you know, we've talked a lot about data and encryption and- and, you know, the potential there. Do you see any world where this becomes useful in terms of attacks that are not necessarily, you know, data based, but- if that makes sense, but actually using sort of like quantum computing as a way to figure out ways into an organization, or, I mean, you mentioned, you know, simulating chemistry and- and, you know, the sort of composition of molecules, I guess.

    What about things like, and especially when we get to the point where there's natural, you know, understanding of language, do you get to the point where the, you know, the- the machine can actually do a really good job of something like social engineering because it knows exactly the nuance of the conversation and the best thing to say to get somebody to do something? Or, you know, what format of a- a link or whatever we have in a future, some 3D link or holographic link, something that we [laughs], you know, we don't know about yet. But like is there applications there in terms of attack as well, rather than just the sort of encryption side of things?

    Duncan Jones: I think the most concrete near term threats are the ones that we've been discussing.

    Garrett O'Hara: Mm-hmm.

    Duncan Jones: Quantum computing promises to bring benefits to- to fields like machine learning and artificial intelligence, and those are tools already that one can leverage if you're attacking an organization. Perhaps you, you know, you use machine learning algorithms to monitor, you know, data being transferred or the behavior of people. And- and yeah, I can imagine some slightly science fiction routes through to attacking an organization. I think... beyond that though, I think really it's there's a lot of work to be done simply to address the threats that we can clearly see in front of us.

    Garrett O'Hara: Yep.

    Duncan Jones: It's not all about necessarily capturing data and decrypting it, there is also a big challenge around integrity. So a good example of this is IoT. If you think about IoT devices, they are typically deployed in the field for decades. That's usually the, you know, the return on investment only makes sense if you digitize something and you run it for the next 20 years, and you get, you know, feedback from your gas pipeline about the flows through the pipeline and all these kind of things.

    Those devices ultimately have a root of trust burnt into the silicon that they, you know, that they have to completely trust. That's what governs the software that runs on them. That's what governs who they listen to and- and so forth. And if you think about those sorts of environments, devices are being built today that need to last for 30 years, that are based on vulnerable algorithms. And so that's more of an integrity challenge.

    Garrett O'Hara: Yep.

    Duncan Jones: And in fact, we've seen advice from the NSA published in the last couple of weeks that specifically calls out that problem, and says, in that area, you should actually begin to act now and use some of the previously standardized algorithms from NIST, these stateful hash-based signature algorithms which are believed to be post quantum secure. We should actually be using those now, while- even while we wait for the sort of main batch of post quantum algorithms to be fully standardized in a couple of years.

    So yeah, I think I would encourage your... I mean, it's fun to kind of muse about the future and what crazy stuff could occur, but the stuff that we already know is going to occur is quite seismic and will trigger a refresh of cryptography, the likes of which we've- we've never seen before. I think one area that- that is also maybe overlooked, and it's something that my team thinks about, is around cryptographic keys themselves. So we've spent, you know, we've sort of... we've been talking really about algorithms so far, so like RSA and that's going to break and what do you replace it with.

    Garrett O'Hara: Mm-hmm.

    Duncan Jones: But beneath all of this, there is the idea that, well, what makes a good cryptographic key in the first place? Well, it should be something that is completely unpredictable and random, and if you stray from that at all, your systems are vulnerable at a very foundational level. Well, quantum computers, you know, we- we talked about what kind of problems do they solve. Well, they- they can simulate very complicated things. They're actually very good sometimes in finding patterns in data. These are all the things you wouldn't want an attacker to have if they were trying to predict what keys you have in your systems, you know?

    So there- there may be attacks like that, that we haven't even really imagined yet, that- that come to fruition. But on the plus side, we can then ironically use quantum technology to actually assist with some of these things. So- so quantum will- will take and give in the world of cyber security, and I think over the longer term, sort of the positive spin on this is I think quantum will bring more benefits than it causes us problems, but that's only after the next decade long headache that we all have to jointly deal with.

    Garrett O'Hara: [laughs]. Yes, the- the transitions are- are often painful, but it- it does sound so exciting to me. Like so many- so many positive things that you described there, and it- it just feels like once we pay attention to this and, you know, start planning now, that actually... not- not that it will be a smooth transition, as you say, it'll be- it'll be huge shifts, but the ultimate outcomes will be fantastic for- for society. Hopefully, fingers crossed. That's the optimist in me.

    Duncan Jones: But it- I think- I- the way I've been saying... the way I've been describing this to people is, view this as an opportunity to build something better than you have right now. You know, you are going to be forced to understand what all your data is, where it is, how you protect it, and you're going to have to change every system that protects your data. So what an opportunity to do this once and do it well.

    Garrett O'Hara: Mm-hmm.

    Duncan Jones: You know, build an inventory of what you have, and keep it up to date. Build crypto agility into the products that you make, and- and, you know, make it a requirement of the vendors that you work with, so that if we have to change our algorithms again in a decade for some other reason, it's not so painful. And embrace the good side of quantum. You know, build your systems so that they, you know, you can generate keys using quantum technology.

    That's one of the things that my group does. Or other people look at, you know, transmission of keys using quantum key distribution. You know, now is a great time to build on a stronger foundation if you're going to be touching all of your systems anyway. So I've- that's my kind of positive spin that I give to organizations. You know, take this opportunity to make things better.

    Garrett O'Hara: And that- that is an incredibly positive note to end on. Very, very much appreciate you taking the time. I- I hope and- and suspect we may get to have another conversation as things progress. It does seem like a- a field that's moving pretty quickly. But really, thank you today for your time and your insights. It's been an absolute pleasure, Duncan.

    Duncan Jones: Oh, same here, Garrett. Thank you very much.

    Garrett O'Hara: Thanks so much to Duncan for joining us, and as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes, and like, subscribe, and please do leave us a review. For now, stay safe, and I look forward to catching you on the next episode.
