A cybersecurity catastrophe appears to be brewing. At least according to a recent guest on the Federal Drive with Tom Temin. Kaniah Konkoly-Thege points to several signs out there that don’t bode well for critical data or critical infrastructure. The General Counsel at quantum-computing software vendor Quantinuum joined Temin to read the tea leaves.
Interview transcript:
Tom Temin
We should qualify you a little bit, because we don’t usually have lawyers talking about cybersecurity. But you have worked in the government, and you are very close to policy in the job that you have. Maybe, just, tell us a bit about yourself.
Kaniah Konkoly-Thege
Sure. Thanks for the introduction. So I actually started my career at the Department of the Interior, working on a class action litigation called Cobell. And what’s interesting about that case is it actually required the U.S. Department of the Interior to disconnect itself from the internet.
Tom Temin
I remember that case.
Kaniah Konkoly-Thege
So when I started, my job was to work with the various bureaus and offices to understand their cybersecurity architecture, and present it before the special master monitor to get them reconnected. At the time, this was in 2003, 2004, cybersecurity and understanding, kind of, cybersecurity architecture and those types of issues weren’t really well known, and certainly not by someone who went to law school and thought they were going to just be doing litigation. So I had a crash course in trying to understand cybersecurity architecture; at the time it was defense in depth strategies, obviously, that’s now become zero trust. But really I had, like I said, a crash course in understanding cybersecurity. I spent a number of years working on that, and then moved over to work for the Department of Energy on some of their litigation associated with the closure of the various Manhattan Project sites around the country.
Tom Temin
All right, so now you are with a quantum company, and you are looking at signs in the economy and developments that are happening that could mean a major critical infrastructure cyber attack is in the offing. What are you seeing? What are the dots that you are connecting here?
Kaniah Konkoly-Thege
What’s really happening, so in the quantum computing industry, there are kind of two schools of thought. The first one is around the development of the hardware. There’s a lot of opportunity associated with the hardware and what it can do as it continues to scale. The biggest risk associated with quantum computing is around what’s known as Shor’s algorithm. Eventually, and I do mean eventually, quantum computers will allow for the decryption of public key encryption.
Tom Temin
Right. We’re only at about 150 qubits at this point, but they’ve got to get to thousands before it can really crack that stuff in a few days.
Kaniah Konkoly-Thege
Exactly. And many people think that’s years, maybe decades away, why should we care? Well, for a couple of reasons. The first reason we should care is because understanding cybersecurity architecture, and what you have as a company or as the U.S. government, is really complicated. In many, many cases, the architecture itself is built layer upon layer upon layer. So really understanding what you have and where your vulnerabilities exist, that is no small feat. The second piece really comes down to more of that policy issue. And it is around what I’ll call the consequences of hype around breaking encryption. And what I mean in that respect is, you see more and more news articles and statements by various governments about the advancement of their ability to crack encryption. Most recently, China has issued two different papers claiming they’ve been able to do this, which I would say, I think, the industry writ large dismisses, at least in large part. But what that starts to do is really escalate some of the tensions within, particularly, the U.S. government, but really governments around the world. And what that can result in is over regulation, and really the inability for these businesses and these groups to be able to scale, because there’s just not enough talent that sits in the United States. So the more controls that exist, the harder it is to hire, the more complicated it is to grow or scale your supply chain. And so then it results in a contraction of the actual ecosystem.
Tom Temin
We’re speaking with Kaniah Konkoly-Thege, she is the chief legal officer at the quantum-computer software vendor Quantinuum. And just to go back to something you mentioned earlier, that people could amass data now and decrypt it later. Let me just play devil’s advocate for a minute. If they did, by the time this decryption capability comes about, that data would be a decade or a couple of decades old. So at that point in the future, when there are quantum resistant algorithms out there working, would it really matter if the enemies could decrypt something that’s 20 years old?
Kaniah Konkoly-Thege
I think that is a great question, and something that a lot of people grapple with. My answer is, absolutely, yes. And I would say, how many people have changed their bank accounts in 20 years? Maybe you have, maybe you haven’t. But certainly, in the nuclear industry and in the defense industry, and a lot of the critical infrastructure industry, 20 years is not a long time. And so data that’s being taken today may still be relevant. Even if it isn’t from a personal perspective, it certainly is for the critical infrastructure, and for the safety and security of our country.
Tom Temin
Yes, well, I’ll counter my own argument by asking about a company like this FTX debacle. That was 10 years in the brewing. And so you would want to look at data, I’m sure they are, that goes back to the founding of it, which I think is about 10 years. So maybe things do remain relevant long after they are on your active drives and have been moved to optical.
Kaniah Konkoly-Thege
Certainly, yes, absolutely.
Tom Temin
So given the step-by-step approach of quantum, and [National Institute of Standards and Technology (NIST)] does have those algorithms out that are the architecture for algorithms that are quantum resistant, what should chief information security officers and people related to this be doing now, different from what they’re doing now, I mean zero trust and so forth, because of the quantum threat out there?
Kaniah Konkoly-Thege
So what we recommend is to really look at your encryption technologies, make sure you understand who your vendors are, where your keys are coming from, who’s managing your keys, and what we call the key and the algorithm, which we like to refer to in layman’s terms as the padlock. So if you think of your padlock, your key, and then the management of both, really understanding that full cycle and what’s happening. It isn’t only that the padlock, that algorithm set, will need to change. We also argue that the keys themselves need to change, from a deterministic set, which is what is produced today, to a nondeterministic key to be generated for the encryption technologies.
Tom Temin
Because classical computing and quantum computing will exist side by side for the foreseeable future. Because quantum doesn’t actually solve every problem in computing. It’s not like everybody will have a supercomputer. And so the cross breeding, I guess, if you will, or an algorithm that’s safe from quantum could still be subject to classical decryption. So you’ve got to look at it from both angles, correct?
Kaniah Konkoly-Thege
Correct. And the other piece I would say is, what’s emerging in the industry today is the concept of hybridization, where quantum computers are being connected to supercomputers, and looking at the ability to distribute the algorithm, or portions of the algorithm, based on which system could run it better. What that means is a continuous advancement. And I raise that to say, it’s important to think about the ability of these hybridization systems to do greater and greater problem sets than what maybe we would have thought they could do even five years ago. So that’s where CISOs and others really want to pay attention, to how the industry is advancing and how much more you’re able to do with, say, fewer qubits.
Tom Temin
Right. It really multiplies the measures that you are going to need to have in place then, doesn’t it? Having two systems of computing operating side by side, or even, as you suggest, in tandem?
Kaniah Konkoly-Thege
It certainly could.
Tom Temin
And now’s the time to get started, huh?
Kaniah Konkoly-Thege
Absolutely.
Copyright © 2024 Federal News Network. All rights reserved.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.