Jaya Baloo, Chief Information Security Officer (CISO), Avast Software, interviewed by futurist Trond Arne Undheim. In this conversation, they talk about why is it so hard to eradicate cybersecurity challenges? Internet Organised Crime Threat Assessment ...
Jaya Baloo, Chief Information Security Officer (CISO), Avast Software, interviewed by futurist Trond Arne Undheim.
In this conversation, they talk about why is it so hard to eradicate cybersecurity challenges? Internet Organised Crime Threat Assessment (IOCTA). Threats we are ready for and know about vs. Threats we don’t know about are not ready for. The Quantum Market Players, Challenges, and applications. What quantum security challenges do you worry about in the next decade? Jaya uses the story of Alice, Bob, and ex-girlfriend Eve to illustrate quantum security. How to teach quantum computing to a new gen of engineers.
The takeaway is that quantum security is just around the corner--because if it isn’t, we are all in trouble. Quantum computing has gone from being a theoretical possibility, to a highly experimental, niche application among a few computer firms, to a significant, emerging government concern, and a future business opportunity for those with a lot of data to crunch fast. Most of us don’t need to worry about it in this decade, but doing so, is a bit like not thinking about retirement in your twenties. It isn’t necessary, but it is smart to do.
After listening to the episode, check out Avast Software as well as Jaya Baloo's online profile:
The show is hosted by Podbean and can be found at Futurized.co. Additional context about the show, the topics, and our guests, including show notes and a full list of podcast players that syndicate the show can be found at https://trondundheim.com/podcast/. Music: Electricity by Ian Post from the album Magnetism.
For more about the host, including media coverage, books and more, see Trond Arne Undheim's personal website (https://trondundheim.com/) as well as the Yegii Insights blog (https://yegii.wpcomstaging.com/). Undheim has published two books this year, Pandemic Aftermath and Disruption Games. To advertise or become a guest on the show, contact the podcast host here.
Thanks for listening. If you liked the show, subscribe at Futurized.co or in your preferred podcast player, and rate us with five stars. If you like this topic, you may enjoy other episodes of Futurized, such as episode 13 Cybersecurity: Review of the RSA Asia Pacific & Japan (APJ) 2020 Virtual Event, episode 30 on Artificial General Intelligence, episode 51 which is on the AI for Learning, episode 16 on Perception AI, episode 49 Living the Future of Work, episode 35 on How 5G+AR might revolutionize communication, episode 47 on How to Invest in Sci-Fi Tech, episode 54 on the Future of AR, and episode 31 on The Future of Commoditized Robotics. Futurized—preparing YOU to deal with disruption.
Trond Arne Undheim, Host: [00:00:00] Futurized goes beneath the trends to track the underlying forces of disruption in tech policy, business models, social dynamics, and the environment. I'm your host throne and time futurist and author in episode 69 of the podcast, the topic is the future of quantum security. I guess this Jim Baloo, chief information security officer at Avast software.
[00:00:26] In this conversation, we talk about why it is so hard to eradicate cyber security challenges. We discussed the internet organized crime threat assessment by Okta and threats. We are ready for and know about versus threats we don't know about and are not ready for it. Look at the quantum market players, the challenges and the applications.
[00:00:50] What quantum security challenges do you worry about in the next decade? The story of Alice, Bob and the ex-girlfriend Eve illustrates quantum security and how to teach quantum computing to a new generation of engineers Jr. How are you today?
[00:01:11] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:01:11] Oh, very good Tron. How are you?
[00:01:13] Trond Arne Undheim, Host: [00:01:13] I'm fantastic. Let's let's go right on to, to quantum security.
[00:01:18] I'm fascinated by your background, Jay. You've been, in info security for a long time. You're now in a privileged position at the singularity university and working with the European commission. In other words really embedded in the future of it. Security. How did you get here?
[00:01:37] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:01:37] Yeah, that's a weird story, but I think I've been very lucky.
[00:01:39]I started very simply in a network operation center, moved to a much more hands-on position within an it management team, and then started doing things around network architecture. Also not in one country, but in several others, designing and implementing different systems from broadband systems to really like MPLS networks all the way up until like network management.
[00:02:03] And then finally I was doing a project around lawful interception in the Czech Republic just before the Czech Republic had to have all of their stuff ready before they joined the EU. So this is all over the span of more than two decades. So it's not like I did this very quickly, but it gave me a chance to see both it insecurity from a lot of different angles which is really like building up, I think, a strong foundation for what I do today.
[00:02:26]Trond Arne Undheim, Host: [00:02:26] And for the benefit of our listeners, we're going to, we're going to slowly move into this because it is for, even for experts, right? It is a. Not only a rapidly emerging field, but there are some things that we'll talk about today that really are I don't want to say they're speculative, but they depend on a lot of things that aren't, that are not even yet in research labs to, to put it that way.
[00:02:49] So I wanted to, just for the benefit of everyone who's listening, can you start by basically just. Taking us a little bit into this field of cryptography. So there is this notion of public key cryptography and that in and of itself, the field of cryptography is complicated. Where are we now with cryptography and why is.
[00:03:12] Kind of why is this discussion now coming up around cryptography as if we have to redo that discussion. So public key cryptography, it's something that a lot of us have at least learned as a term. What is that? And why is cryptography even in just the existing environment? Why is that such a centerpiece of the discussion?
[00:03:32] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:03:32] most of us don't actually even know the term public who have geography, Tron. I think you are actually in the minority that even know that term exists. So they know that when they send information across the internet between trusted parties, that there's something. That's happening. That's making that information a secret.
[00:03:49]And that mechanism, a few people recognize that as public key cryptography, but there's also just symmetric, cryptography and public key is often referred to as asymmetric cryptography, because there is a set of keys rather than just a single key encrypting the entire session. I think what's important to remember is that.
[00:04:07] We've been using this stuff for a while and it's been used and a little bit taken for granted, but for everyone, except for the professionals that work in the area as something that you've just got, it makes the stuff a secret. And whether that's your data that you store somewhere. For some purpose or that's the data that you transmitting between particular parties like banking or when you're getting stuff online or when you're checking out something.
[00:04:35] So we just assume that it's going to be there and it's going to be okay. And the reason that it's coming back to the front now, Has a lot to do with the advances we're making in a different area around quantum computing. And the issue is that a lot of the cryptography we use today is based on a few difficult mathematical problems.
[00:04:55]And. The point is that the quantum computer is capable because of the way that it's been built and the types of problems that it's can solve to solve the difficult math problems that our crypto is based on, which means that the mechanisms we've used to make our secret no longer works with an advancement of a sufficiently sized quantum computer.
[00:05:20] It breaks that crypto and makes it. Easy for anyone to read
[00:05:25] Trond Arne Undheim, Host: [00:05:25] this. True. So could we then, just before we move a little bit into this quantum space, could you, for us, if it's possible to dig just one level deeper on cryptography. So I mentioned public key. There, there are three algorithmic ways that this has been.
[00:05:43] Organized there's something called integer factorization problem. And then there's the discrete logarithm problem. And then there's the elliptic curve. Discrete logarithm problem. I bring up these three just because I want to make the point here that as we're transitioning, that this is really. Quite a complicated matter, even just before we get into quantum, is there any way you can explain these three or why there even are three different approaches?
[00:06:13] To cryptography and I'm sure there's more, but these are common ones. So again, how did they develop and how long have they been around? Yeah.
[00:06:22] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:06:22] So again, like we have these difficult math problems and these difficult math problems are, if you take prime numbers very large prime numbers and you multiply them together, we can.
[00:06:35] Do that operation in the way like that you multiply them together to get a product. We know how to do that. So try and if I gave you two numbers and you had to multiply them together, let's do it now. What is nine times? Eight.
[00:06:49] Trond Arne Undheim, Host: [00:06:49] Seven and two, usually.
[00:06:51] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:06:51] Yeah. So again, neither one of these are primes and 72 is also not a prime, but if I asked you to try to give me all of the factors that we use to get to 72, you would say.
[00:07:00]Trond Arne Undheim, Host: [00:07:00] What would I say? I would say I don't understand what you mean, that the factors of all
[00:07:04] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:07:04] the numbers you can multiply together to get to 72.
[00:07:08] Trond Arne Undheim, Host: [00:07:08] Oh, I see. It's two different numbers, right?
[00:07:11] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:07:11] More than
[00:07:12] Trond Arne Undheim, Host: [00:07:12] two and maybe
[00:07:13] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:07:13] that's actually a really good illustration of what and the same way that we work is also how computers work.
[00:07:20] When we say nine times eight, who is human, it's easy to get to that product. 72, if we
[00:07:25] Trond Arne Undheim, Host: [00:07:25] I, I see the factors where, so by you, by twos and by fours and all that stuff is so yes, there's a number of ways to get, I get what you're saying. There's a very finite way though.
[00:07:36]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:07:36] No. Sorry. The point that I'm trying to make is this is called a one-way problem.
[00:07:41]It's basically, this is easy to solve in one direction and difficult to solve in the other direction. And this is actually a function within cryptography, which is that you have a lot of mathematical problems. And the strength, if you will, of the cryptography, we use depends on the difficulty of reversing this one way function.
[00:08:01] So if we know, something, a large prime time, something, another large prime equals this product, we can do this mathematical operation in our current computers rather easily. But to reverse this one-way function, if we only have the product or the cipher text to then reverse it, to try to figure out which are the keys that we've got.
[00:08:23]When we got this, what are all the possible combinations of keys? That's really difficult for our current computers to solve. I understand function. And basically what we have with integer factorization is that very smart individuals, Peter shore. Actually wrote an algorithm that will solve this integer factorization problem.
[00:08:43] So he'll find all of the factors that will be used to actually potentially calculate. So the algorithm is already available. Now we just need a quantum computer to run the algorithm on.
[00:08:55] Trond Arne Undheim, Host: [00:08:55] So this was the MIT mathematician, right?
[00:08:59] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:08:59] Yeah. Yeah. So Shor's algorithm has been around for a while, just waiting for a quantum computer of significant size, which is important and with enough cubits and processing power and no decoherence problems and build a little low with all of this good stuff to actually run the algorithm.
[00:09:14]And that's one issue. The discrete log. Issue is a secondary problem. And we actually have Grover's algorithm that will also help you with the discrete log issues and also a different mathematical problem. Let me be very clear, discrete log. I usually refer to it, or I don't usually refer everyone refers to it as a clock arithmetic.
[00:09:36] So if you imagine that you have. A dial of a clock. And the function is that you have, an amount of numbers on that clock and using a log function, you can actually like calculate this, but if you don't know all of these parameters, if you don't know the formula, which it's based to, if you only have the result again, Of that discrete log function.
[00:10:00] It's impossible to reverse it the other way to figure out which components you used to get to that result. And it's the same one way function problem here as well. And for that, we can use a Grover's search algorithm, which will allow us to do this large search and optimize it. So you can try all of these multiple paths to the solution at the same time.
[00:10:21]And with these two things, you've actually significantly reduced. Your complexity that we currently have built in to our current cryptography and elliptic curves. We've been using elliptic curves for a while. We probably actually will use a different type of set of curves for when we have a post quantum algorithmic set of cryptographic solutions.
[00:10:43]I don't know how, and in which form yet, but I think cars are going to be somehow back on the menu when we have our new set of solutions, even though the current set are jeopardized.
[00:10:51] Trond Arne Undheim, Host: [00:10:51] Yeah. So the reason why I asked you to go into somewhat of a detail here is because I wanted to. Get to what you've been talking to me earlier about and which I was preparing for.
[00:11:01] Why is it so hard to eradicate cyber security challenges is my question. And I know you and I have been reading this new report, the internet organized crime threat assessment. I Octa that the EU, the Interpol report that's now out. And that report really hammers down the point that we haven't solved all of these problems yet.
[00:11:22] Why is that J a why is it that cybersecurity companies are mushroom ING? Every year I see a new company and you guys are growing and growing. Why is this problem just escalating? And we're not even at quantum yet. That
[00:11:37] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:11:37] has unfortunately nothing to do with quantum, but it has a lot more to do with our ability to understand and adapt to legacy problems we've created over time.
[00:11:47] We're good at creating problems. We're not so great at fixing them in time when we know we've got them. So part of it is we simply don't know that there are vulnerabilities out there. For example, if you read the Octa, the number one thing we saw is that ransomware is still the biggest single problem we've got.
[00:12:03]And why do we have ransomware? Because we still have insecure systems. Why do we still have insecure systems is because users don't know and don't always have the resources to update or upgrade those systems. And we've got legacy hardware and software all over the place. And the people who operate or run or maintain these systems don't know that there's an issue.
[00:12:23] Or even if they do know are current and fronted by significant challenges to actually make the transition. When we know about problems, we're not that good at reacting. And I think, and I'm actually, I'm not thinking I'm afraid that this will spill over into all new technologies that we invent.
[00:12:38] That even in the presence of a solution, our ability to transition to it is still remarkably slow. So we won't be able to embrace a post quantum future in time to a scalp, all of our privacy and security challenges that will that'll come as a result
[00:12:54] Trond Arne Undheim, Host: [00:12:54] of book. Jr. The interesting thing is what you're describing to me is the same thing we're facing with climate changes.
[00:13:01] The same thing we're facing with black lives matters. Is there any problem that. Our civilization and counters, it seems like we can not understand it or COVID or whatever it is. It seems like we cannot understand it until not until it's too late, but just until it's so pressing that it's starting to produce itself, produce results.
[00:13:21] Initially, essentially everywhere. Yeah. So there's some human logic whereby like baseline preparation, just we're not factoring that in where we're not good at it. We're not. Incented, I
[00:13:34] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:13:34] guess. Yeah, gently. There's a saying in the Netherlands where I don't know why, but all the sayings always involve some form of animal life.
[00:13:43] This particular one is that a golfer airs for Dinga a calf first has to drown before you do something about the rising water level. And I find this to be true in multiple areas. Indeed.
[00:13:57] Trond Arne Undheim, Host: [00:13:57] Can we move a little bit to talk about this future market of quantum, and then we can move into the security part.
[00:14:03] I'm fascinated by the way that this market seems to be shaping up. And you inform me whether I got this essentially right or not, but the way it seems to be shaping up, there's two giants that are really playing in the game, like trying to become the two giants and that's Google and IBM, but.
[00:14:23] In and around there, there's at least one startup Righetti. And then there's some Chinese companies, mainly Alibaba. And then you have some of the, the older us giants Microsoft, Intel. And then you have this interesting player, Honeywell coming a little bit from the sidelines and those companies are trying to become all in one.
[00:14:43] Platform companies providing every possible, piece of the quantum pie. And then you'll obviously have a bunch of other players tell us a little bit what this market is going to contain because. And again, I'm just paraphrasing stuff that I've read, and I'm not an expert in quantum computing, but you have clearly there's hardware.
[00:15:04] So there's some companies specializing on that. Then there's basically control systems in and around the hardware that are communicating and, running the hardware, but also communicating with them. Perhaps the software side and then you have the services and software side of it and those are three fairly separate bits.
[00:15:20]And then you have some specialty players that are just trying to crack at smaller problems inside of this space. Am I, and I'm basically just quoting from the BCG report that kind of had this distinction, which I found pretty useful. Is that a fair assessment of kind of, at least what's playing out right now?
[00:15:38] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:15:38] I think that is very fair. I think what you're saying, you have these big companies trying to do everything. I think the issue is that if this is true, the way that you categorize it is absolutely true for quantum computing, but I think we, it would be remiss of me not to say that there's a wider quantum technologies play and depending on the nature of the appetite for investment and the capabilities of the company that wider play.
[00:16:04] In quantum is just as interesting. And that is, if I would characterize it, I'd characterize it the way that we have it now from the commission from Europe, which is you have quantum communications as a pillar, you have in which quantum communications is this future quantum network. So imagine not just connecting everyone to each other in a cryptographically secure mechanism from a physical perspective.
[00:16:28] Using things like quantum T distribution, but also post quantum crypto. And then also making, Oh, sorry.
[00:16:34] Trond Arne Undheim, Host: [00:16:34] Yep. Is that a new version of the internet? It's the quantum internet we're talking about. This is the physical, the new physical layer that is like an industrial IOT on the quantum ledger for backup.
[00:16:47] For lack of other words, it's essentially communicating, using quantum encryption.
[00:16:51] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:16:51] Yes, but it would be almost like a broadband service. So it's transmission oriented, but then fully secured. So you have an informationally and a mathematically secure option. So you both have the physical security by this actual fiber network, really?
[00:17:05] Because that's in essence what it is,
[00:17:08] Trond Arne Undheim, Host: [00:17:08] my presumption there is, this is where the telcos hope to be playing, right?
[00:17:12] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:17:12] Not just the telcos. So it should be clear that eventually, like a fully quantum internet will also requires quantum computers to be connected over this quantum internet. So quantum communications is not just for the preservation of current communications in all, its, multiple States, but also for a quantum computing network as well.
[00:17:33] So you've got this fully quantum backbone communications computation, and then you have sensing and metrology. And all of these different technologies are going to be supported by this foundational. Fundamental engineering efforts and that's going to be enormous.
[00:17:50] Let's just say though when we talk about computing, and you talked about Google and Microsoft, I want to be clear that they're not just working on the physical quantum computer. They're also working on, noisy, intimate VHDA quantum, and they're also working on. Quantum simulation.
[00:18:07]They also have, and that's another pillar, that's the fourth and final pillar. So if you take a look at it, there's all of these different efforts. And again, depending on the company, Their investment appetite and their like capacity inside. It depends where they think that they will actually make a play.
[00:18:27] Trond Arne Undheim, Host: [00:18:27] The reason that this is great context, the reason I brought this up is you come from the security space and I was just curious, would you categorize the current. Cybersecurity companies as a, in my third category of like specialty players providing kind of a specialty service into the main players, or is it going to be, have to be fully integrated in that if you are an IBM Google or, Any of these others maybe there'll be a, an Asian player in there as well that has this full fledged solution or indeed, on, on this communication layer, will they have to have such an integrated security function?
[00:19:06] That you will essentially, you can't just be there. A provider you have to actually be fully owned by one of those players. How do you see that playing out?
[00:19:16] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:19:16] Long-term I actually don't know. I think you can do both. I think those options are definitely there, but what you do see is the companies that have made the investment and have the mindset.
[00:19:24] Yeah. Quantum computing is coming, have also taken the necessary risk mitigation have also invested in, take a look at Microsoft for a moment. They have all of these global labs. They are working heavily also on the post quantum side. They're incredibly involved in the NIST candidate selection for algorithms.
[00:19:44] So I don't see any companies saying we'll do if we, if they go towards the push of computing. They're also doing them necessarily risk mitigation from their own capability to make sure they're ready for it. If someone else would get there first.
[00:19:59]Trond Arne Undheim, Host: [00:19:59] So NIST's quantum algorithms. Zoo has over 60 types of algorithms.
[00:20:05] Now that sounds complicated. 60 algorithms, quantum algorithms, but first off, what is the relevance of having a discussion? Right now in 2020 about algorithms, when presumably wouldn't many of them change or is the game actually a little bit like in cryptography where that the main algorithms are going to be known and we're providing services on top of them, which is a different game.
[00:20:26] I'm just trying to understand how the fight will be played.
[00:20:30]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:20:30] I think different players will play it differently based on again here, how inclined they are to start early. I encourage everyone to start early simply because we've already talked about this strong just a few minutes ago, our ability to change sucks.
[00:20:43]We need to acknowledge that right away and saying that. Earlier we understand our own current East, how are we in the game? The better we are to be able to accommodate to a social situation. So the first and foremost thing that I encourage companies to do to understand their current cryptographic landscape.
[00:21:00] So yeah. Where do you use your crypto? How do you manage your crypto? Is someone else doing it for you? Do you do it yourself? How have you set that up? Which algorithms are you using? How large are those algorithms in terms of key lengths? So first getting that kind of inventory done of your cryptographic assets and understanding your own position is.
[00:21:21] Really important. Then if you have done that, it's easier to think about where the opportunities are for an eventual transition or an intermediary like play. And there are different, there's a lot of algorithms in the zoo because there's a lot of different things that we use algorithms for.
[00:21:39] So like for example, TLS. We use this all over the internet all the time, so we will have a different set of algorithms for that then we will like for signing or so I, I think it's important for us to appreciate and try out which algorithms that are recommended by NIST will work best for us in our own capacity.
[00:22:01] And what the impact is in terms of our ability to do something called crypto agility. Can we actually take the current algorithm now? And swap it with a post quantum one, maybe we can't. And every algorithm needs a certain amount of bake time until we consider it good enough. And when I say that, that means that nobody else can break it with an mathematical attack or something else.
[00:22:23] And even when we've got that baked time that we trust the algorithm, there's always historically been a whole bunch of implementation. Screw ups. It's got the best algorithm on earth. We bake it into a device and boom, it still winds up not working because you have a side channel attack because they didn't read the actual specification well enough and the vendor just screwed up, so there's all kinds of stuff and I'd rather start early, fail early.
[00:22:47] And then we have a decent chance of getting there on time.
[00:22:51] Trond Arne Undheim, Host: [00:22:51] JL, you are clearly on the algorithm side of this problem. Correct me if I'm wrong, but I don't know if it would be a fair question to ask you some of the more basic challenges that quantum is facing at the moment. I just superficially know that error correction seems to be a very big one right now.
[00:23:06] And, if we had even one error corrected cubit that lasted more than, a nanosecond, we would be in a good shape. So that's one, but there's also very Seems very simple challenges like cabling. And how do you actually create these refrigerators? Because this thing is going to have to currently, I think like 98% of these projects are using cubits that are operating at minus 273 Celsius working temperature.
[00:23:31] Now, I don't know. To what extent, these approaches that are trying to go above that and are also perhaps going to come into play, but what are some of the challenges that you see? Because I think this is what the public has noticed, right? Hey, all these refrigerators, I can't take them seriously.
[00:23:47]Talk to me next decade when you figure this one out. How can how can a thing inside of a fridge. Changed the world. It sounds a little bit crude to say it that way, but honestly, I know what it takes to make a fridge. So you're going to have a computer inside of a fridge and it's not even error free.
[00:24:03] How long is this going to take? And what are the actual challenges beyond these algorithms?
[00:24:08]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:24:08] There's multiple challenges and the error correction or decoherence one is a big one. It's not trivial. That being said, we have tried to set up underneath the strategic advisory board of the European commission, the actual KPI.
[00:24:24] So it's not about having one error correcting cubit actually initially we wanted to have. Way, way more. So in terms of cubits for quantum computing we want high fidelity, quantum computers, at least 1000 physical cubits in the next
[00:24:39] Trond Arne Undheim, Host: [00:24:39] couple of weeks, or are we from that today?
[00:24:41] Cause I know that there was some announcements around there's this IBM Google fight again. They were talking about moot and going from 32 to 30 to 60 or something. That's the landscape we're
[00:24:51] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:24:51] in right now. You, because people don't want to miss their Mark. And whenever there's a KPI out there, there's this tension between will we achieve it?
[00:24:58] So should we put it out there, but is it ambitious enough? Because otherwise everyone else will do it as well. So there it's a bit of a tension because you don't want to give yourself a KPI that you can't achieve, but at the same time, that KPI, once you set it out loud, somebody else is going to try to achieve
[00:25:11] Trond Arne Undheim, Host: [00:25:11] it too.
[00:25:12] I think IBM has a name coined it. They wanted to create their own Morris's loss. So they have called it combat us law, which is this doubling of cubits every year. D is that realistic? The D so let's do the math again. Doubling every year. So before with 30 to 60, this year, we're looking at one 20 and then, it's that's, it's not exactly Moore's law, but it's fast.
[00:25:33]And the cubits are a little, perhaps more, more interesting than a than Moore's law. Anyway.
[00:25:38]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:25:38] And again, decoherence is a problem. So as you have more cubits, you've also increased the amount of noise and potential for decoherence as well. So the whole idea of doing this is fidelity stability.
[00:25:51]That's the name of the game and I'm not a quantum computing expert at all. And the Jerry lucky that I get to talk to a lot of them and then
[00:25:58] Trond Arne Undheim, Host: [00:25:58] no, I look, and I think you're probably a much better expert on many. And, but I don't want to put you on the spot here because I do know that there are subspecialties within this field.
[00:26:07] So it, this was not at all to try to put you on the spot. I'm just, it is very interesting to try to map this market. And I don't think that's. Some of the specialists probably have the least chance of really mapping what kind of a market this as you are at a very interesting kind of intersection point, honestly.
[00:26:24]Because you the application and security layer is just going to be crucial to the business models, to the survival, to the interest, to the way that public sector is going to invest in this. Isn't that why the EU is very concerned. They obviously want to protect their.
[00:26:44] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:26:44] Yes, of course, but it goes beyond that.
[00:26:46] I think we've understood that there will be a few technologies. And we've talked about these things in Europe, in a European context for a very long time, about the dominance of particular countries in various strategic technology areas. And when it comes to something like quantum, it's just not a game that you can be exempt from playing.
[00:27:05] This is something that requires us. Really to put our money where our mouth is, and to actually make a drive to lead and not follow and to also be self-sufficient. And this has a lot to do with serenity, but it has everything to do with not relying on other countries for your foundational technology for the future.
[00:27:26] So if we're always going to be reliant from a European standpoint on the U S and on China, you're going to get what you got. So we need to change that conversation and be able to do it ourselves.
[00:27:39]Trond Arne Undheim, Host: [00:27:39] Jay, that's interesting if you are the EU, because. That's actually more of a tactical choice for you.
[00:27:45]A strategic choice, but it's actually very possible to do, because the EU is one of the big three entities in the world right now, if you are a smaller country and you're saying, yeah, the EU, we have some agreements with you. If you are, one of my home countries, Norway, that's like slightly on the outside of this, or, you are a country that's not connected to this kind of big Alliance.
[00:28:06] How are you going to fair? W I guess it's just interesting to think about even on the security side, what is the approach of a, let's say let's call it a country that isn't on the outside of these three big alliances of China, U S EU, how are they going to conceptualize an and play in this?
[00:28:24] Will they simply just have to be good followers or are they basically shut out from what you were saying is a new layer?
[00:28:32]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:28:32] Frankly, I've always believed that there was a very big digital divide and that comes from basis access to the internet, to new technology for it and ICT look, there's not a lot of high performance computing estates all over Africa there aren't.
[00:28:48]And I really think that there's digital divide. That this holds true also for cybersecurity. This is one of the reasons I work, where I work, because I think it's unfair that only those that can afford it will have access to cybersecurity. I don't want to be in a world where that's the case, so I'd rather help everybody else who doesn't have it, try to have it access to it as well.
[00:29:10] This is cybersecurity, but when it comes to quantum, especially at the state that we're currently in access to quantum computing resources are. Are luxury for places that do not have it yet. So if there are already aren't there, it, the only play if you have a finite amount of financial resources is to look for smart partnerships and to look for who you will work with.
[00:29:32] That is not true when it comes to security. After a quantum computer. And again, this is like one of those tiers of evolution. So if you can already get other parts of your cybersecurity in place, and I can tell you yeah. That we don't have that in place for even the developing countries. We're not all a hundred percent.
[00:29:52] Okay. And you know that from the Octa, report that to go then a step further and be ready for a quantum computing attack. This is maybe a step too far. Considering that digital divide, my thinking is to advise when I have spoken for singularity in Africa is just to start now to at least understand the state of play and understand which smart allegiances make sense.
[00:30:16] Trond Arne Undheim, Host: [00:30:16] So I wanted to talk a little bit about the use cases of quantum but from the perspective of your field, which is how to secure them. Once we start crank cranking on them and then let's move into sort of quantum security and I'd like to go through Alice bobbin and the ex-girlfriend Eve, because I think taking this down a little.
[00:30:36]And ended up, I love the way that you're explaining that. And I know that these three names have become a bit of a kind of, they have some fame in, in trying to explain what's going on, but let's just for one second. Talk about quantum application. So you are in cybersecurity. Clearly. That's going to be massive amount of.
[00:30:53] Quantum technology, both applied to security and to apply to breaking existing security. That's one of the issues drug development would seem to be a big one, financial modeling. W what are some of the applications you think. From a security perspective, you are concerned about protecting the first because presumably not all of these are going to balloon at the same time.
[00:31:17] And we haven't talked timelines here, but you're saying, prepare now, which applications or which companies operating in, what fields should be worried. Number one. And and then who, who are what are their use cases that are coming along a little bit later, but still, not long, so long that people should just relax.
[00:31:37] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:31:37] Yeah. From a worrying perspective, it's really about what is it you have to protect and from whom that's always the foundational part of why worry. So if you have, if you are a state actor and you have access to a national state secret like information, these are the people who I would worry about if that information's ever been transmitted.
[00:31:56]Across the internet, the concern for these types of actors are, store now from an enemy who was just going to capture everything and then decrypted later. So this idea
[00:32:07] Trond Arne Undheim, Host: [00:32:07] are these people even able to do that now, like if you are a country, if you are the European commission, guarding personality, law guarding state secrets for various countries this can be broken now.
[00:32:20]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:32:20] Arguably everything that we transmit over the internet, if we haven't already encrypted, it is already up for grabs
[00:32:25] Trond Arne Undheim, Host: [00:32:25] because with quantum encryption and decryption, are there players like rogue players, state actors, or terrorist networks or individual, crazies hackers, black hats who are, this year or in the next three years, potentially able to conduct quantum.
[00:32:45] Attacks or attacks like the moment a quantum network comes up, how long will it take these black hat actors to turn around and actually provide that attack, I guess that's the question,
[00:32:58] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:32:58] right? So it first depends on, do we have a computer that's large enough to conduct the attack? And the question is when is that going to happen?
[00:33:06] So that question that we get asked a lot and it depends on whether you're an optimist or a skeptic here. So the optimist will tell you that within the next 10 years, we will absolutely have a quantum computer they'll be able to do this. Absolutely. And then a skeptic will say, no, we'll never have it.
[00:33:22] We'll have cold fusion before we ever have a quantum computer. So forget it. So it depends on which part of that yeah. Line that you sit that you believe, how far that's going to happen. However wish it's not a trivial thing to capture that volume of traffic. So the only person there's no rogue actor that can sit and suck up all of that traffic.
[00:33:43] That's only going to be relevant from the perspective of. Another nation state and another nation state with significant means. So we're talking about actors like the United States or China or Russia, or, but someone with significant means access to the internet, clear motivation. So if you have all of those things, there is a potential that such an attack of capturing traffic and decrypting it later.
[00:34:06] Is possible, but only with all of those things in place. And even then, I always think is that really it depends on what it is you're trying to attack, but if you take a look at it, we have so many other points of potential vulnerability. So it depends on is that really the, so before people go.
[00:34:23] Home and start getting terrified about it. Oh my gosh. I would rather the things that I'm terrified or like healthcare information, that we have no idea how to protect for a long period of time that we want to be secret for a very long period of time. Maybe generations, we just don't know how to do that.
[00:34:38] Not at all.
[00:34:39]Trond Arne Undheim, Host: [00:34:39] And the problems related to that information is sometimes people just losing an essential laptop on a bus that they just happen to be on, visiting the grandmother and, these kinds of very simple things, but,
[00:34:50] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:34:50] yeah. Far more likely.
[00:34:52] Trond Arne Undheim, Host: [00:34:52] I agree. I agree. But if we are to just even just look at the type apology of these potential futuristic, quantum attacks, what are some of the types of quantum attacks that one can envision or that the literature has started to envision? And how did they differ from the typology of regular.
[00:35:11] Cybersecurity attacks, which also now have their own boxes to, to put them in. You mentioned ransomware you told me as we were prepping some timing attacks. What is that all
[00:35:20] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:35:20] about? So before we say quantum attacks, the one real attack with a quantum computer is decrypting encrypted information.
[00:35:27] That's what we're worried about. Number one. That's really the only one. And it's pretty big because that's about information security, at its foundational layer when we talk about encrypted stuff. But when we're worried about other types of cybersecurity attacks, there's numerous ones.
[00:35:42] And we look at attacks that can be waged against, for example, systems that are trying to provide some form of quantum secrecy. You've gone. I think pretty much. Two types of attacks and putting it really in a very high level bucket. And the first is like physical attacks. Like for example, there were, I told you about the quantum internet.
[00:36:02]And in order to do that, you set up you can set up quantum key distribution connections between different points. It's one way to do it. There will be other ways in the future when we have different topologies, but one way is just a point to point link with Q K D. One of the attacks against the Q K D systems was to shine a really bright laser.
[00:36:21] Onto one side of the point that was connected to the other point. And when shining that really bright laser, you could read the way that the physical filters were set up so that you could then figure out how to set it up on the other side. So Eve would then be able to intercept the connection and actually collect the information and.
[00:36:42]Trond Arne Undheim, Host: [00:36:42] So let's go to Alice, Bob, and any, the idea here is there's two people or systems, Alison Bob, and they want to communicate, but then there's this rogue actor Eve who may, for the purposes of the story could be an ex-girlfriend. What is the real issue there? Because presumably if you set up.
[00:37:01] The communication between Alice and Bob. Isn't the whole point that if you, in a post quantum world, the moment you have set that up why would there be a way that this Eve could, so you've explained one way. Photon number splitting was something I came across. There are all of these things that people have concocted that could be done.
[00:37:22] To for Eve to somehow, I don't know either eavesdrop on the conversation still, or actually pretend she is Alice for a while. And then just send the communication over to Alice when she's done. That sounds crazy to me.
[00:37:37]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:37:37] So there's a couple of fundamental principles underneath all of this, but let's just make it super, super simple.
[00:37:42] So Alice. Has a computer and a connection. That connection is a fiber connection. So does Bob. Okay. And Alice and Bob want to talk to each other somewhere that fiber connection is going between Alice and Bob. And whether they're in two different rooms or, this fiber connection is going underneath the ground.
[00:38:01] It doesn't really matter. What the point is that Eve has somehow along the path of that collection managed to get access. And whether she takes a cable and literally there are different types of attacks. If you like bend a cable, bend the cable, you can somehow get the information that's bouncing off of the cable.
[00:38:21] There's just a sort of interference. That you're creating, but you can actually read off of the photons that are being admitted through the cable. That's one thing it's one attack. The other attack is that, between Alice and Bob, they're these two Q K D machines. And again, if Eve is somehow on that physical connection, she can shine a light on the other end of that fiber and read Alice's or Bob's settings about how they set up their encryption device and then potentially have access to information that.
[00:38:48] She shouldn't have access to in which case could potentially launch another attack. So there are indeed all different types of attacks to these that are physical, but there's also, and I want to be very clear. It's not just physical attacks, there's the potential for all types of mathematical attacks, just because we have a good algorithm.
[00:39:08] Doesn't mean, we won't find a way to weaken it in the future. And history is littered with examples of algorithms that have been either deliberately weakened or found to be accidentally flawed. And there's a new mathematical attack that's launched against them later. And, And I say history is littered because one of the best examples of this was when we had enigma and the enigma machines during world war two were found by the British and then given to the, all the allies to here you go.
[00:39:38]Nygma nevermind that we had a guy in the UK Alan Turing that already broke into the enigma. I forgot exactly how they work, but you know what? This is really good. Crypto. Everybody go ahead and use it. And the meanwhile, the GCHQ could read everybody else's communications.
[00:39:53] Trond Arne Undheim, Host: [00:39:53] What are the good guys helping us in this landscape.
[00:39:56] So are there quantum security startups right now that are native quantum and have security as their main thing? Or are we looking at, companies like yours to morph into also just naturally taking on this challenge as part of
[00:40:10] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:40:10] any challenge? No, there are definitely companies that are out there that are.
[00:40:15] Started up. I'm thinking of two right now in the two examples that I gave you. In Europe we have ID Quantic which is a Swiss company that, when they first started up, I met one of their founders, Greg, where Rieber D when he was starting up, literally at the university of Geneva. But this is, almost two decades ago.
[00:40:31] And then you have Isaura in Canada. That's really looking at that algorithmic side, over those post quantum algorithms and trying to figure out. How to secure businesses with that. So you have a ton, like a mushrooms of new companies that are rising every day. And I sometimes worry that not all of them are as good as the two that I just mentioned, and it leaves an entire Plethora of potential for people to be exploited simply because, it sounds good.
[00:41:00] And it has quantum in the name. So maybe they're doing something. So
[00:41:04] Trond Arne Undheim, Host: [00:41:04] the big problem with any emerging and advanced technology, isn't it. Who are you going to trust? Because it's not enough to just say we are a bunch of PhDs and we do good work, right? There's a whole other problem GI, which is.
[00:41:16] There are rogue actors who also have PhDs and credentials, and could actually set up these things as bonafide security companies. Maybe they have them already and could make, make their way into, I'm not trying to be difficult here, you don't have to have a very twisted mind to think that there are, there are ways to really start thinking about manipulating this in a big way, because the stakes Seem pretty enormous to me.
[00:41:42] Is that right?
[00:41:43]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:41:43] No, this is absolutely a legitimate thing. There are companies that specialize in security and there are companies that have again, historically, I don't want to name them, but have historically had enormously public and prominent failures with cryptography. So the question is to which extent have they either been influenced or have they been concocted from some intelligence agency somewhere?
[00:42:08]Trond Arne Undheim, Host: [00:42:08] Jr. Are you in optimist or a pessimist? When you, when I know that you are in these conversations, I feel slightly relaxed because you seem like a very measured and extraordinarily smart person, which I would add with good ethics. That those three things seem to be good.
[00:42:26] Good. You've got those going for you in the conversations with the European commission. Are you. Are you calmed by the approaches that are taken? Or are you yes, it's good, but is it good enough? Do you think that just to take one jurisdiction, do you think the EU has started to take this with the appropriate care that it needs?
[00:42:49] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:42:49] I think the EU is certainly blessed by the fact that we have some brilliant. Scientists. And I genuinely believe that the commission is trying to do everything to make sure that we have and retain that advantage over every other country. And that we keep this gift for Europe. My biggest concern is.
[00:43:11] As economics tend to play. Can we do this over time? And that has nothing to do with the best intentions and all of the good work that we've done so far. I think that's only something that we can prove when we hold on to that IP. And we prove that this is a benefit for all of Europe instead of, relinquishing it to a company in the United States, we're in China or wherever.
[00:43:32]Trond Arne Undheim, Host: [00:43:32] I don't know if you, you spend any time doing these comparisons, but we've talked a little bit about healthcare and other things, too. What extent is this in your mind kind of the problem of let's call it the next decade or maybe not this ticket or, like how big of an emphasis is this?
[00:43:49] Entire space, quantum and it's security going to get over other technologies as we move into a relevance sphere. Like whenever this becomes truly real, how dominant is this going to become? Is this kind of actually the new internet, the new goal, or is it just a layer after all. On top of which we do very limited things.
[00:44:16] Like we calculate the weather, we do some advanced stuff that AI is currently doing, a factor of a thousand faster and better, really in daily life. Okay. Yeah. A little bit more accurate weather. That's fantastic. Some better financial algorithms so that some people who already were earning a lot of money will earn more money or am I completely missing a point here?
[00:44:37] This is going to adjust. Really reshape everything that we do.
[00:44:43] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:44:43] Trans, I have to say that I have, I'm a bit dualistic here, like on the one hand. And I have to be honest, the reason I'm that way is because I don't know for sure, because on the one hand, some of the scientific challenges that are there are so fundamental are so incredibly interesting.
[00:45:00]And I genuinely believe that having a quantum computer allows us to answer those fundamental challenges in science. It could allow us to figure out, how to not just make it tomorrow, but to actually go further in terms of space exploration, it can help us figure out some of our climate problems, it already is working towards that effect.
[00:45:18] It could really help us understand so many things so much better. I feel like that is a profound impact in and of itself. That being said, I also feel like. We have no idea. We really don't know because when the internet came out, we never thought that, or I never thought that I would have a daughter who would use it to be on tick-tock the entire day.
[00:45:37]Trond Arne Undheim, Host: [00:45:37] The application layer is just not pre you can't really envision.
[00:45:42] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:45:42] No. And also the speeds at which I was a nine-year-old with a converse 64, who then was super happy when I had a CompuServe account, with a modem. And then I just, I cannot comprehend some of the speeds that we're having now, the complete depletion of IPV four addresses the lack of adoption of IPV six, even after.
[00:46:03] Running out of those things a while ago. There's so many things that are happening that I simply feel like we have no idea if this is the thing that it brings us. And I only see that as a super positive, happy thing really optimistic. I have no idea what the countervailing effect of that could be on our society, on our lives, on, on every future application of a quantum computer.
[00:46:26] Trond Arne Undheim, Host: [00:46:26] Let me ask you this. We haven't talked about this topic at all, and I'm not going to ask that I'll make it a massive topic, but there's a big discussion about AI and AGI, general artificial intelligence. Do you see these two debates, the quantum debate and the AI debate becoming more and more intermingled and is the promise of the one interlinked with the other or are they independent tracks in the other in the sense that.
[00:46:51] Whether we have a problem or a, or an opportunity with a AI is independent of whether we get these cubits to, to be reigned in like the wild horses they are, and, be tamed and domesticated, which sort of is my metaphor for this we're taming these cubits, but we don't tame them, will the AI terrain just still go on and have its own.
[00:47:14] Own challenges or are they so intertwined that, essentially AI has reached its Zenith.
[00:47:20] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:47:20] I don't think so. No, it has not. I don't want to believe that. And I don't think that's the case. So I don't think it's reached its Zenith. And I think that quantum computing could offer a potential catalyzing effect for a lot of the things that we want to realize with AGI and AGI.
[00:47:36]If you look at companies like DeepMind, it's still, as far as I know, they haven't released it publicly as it's still part of their dream and not part of their reality. So if quantum acts as a catalyst to help achieve that, I would only laud it.
[00:47:49]Trond Arne Undheim, Host: [00:47:49] We've talked about a lot of things that I don't pretend to understand even after this conversation, but I love to consider them and ponder them.
[00:47:58] When you are tracking the quantum field, some of which is truly your field other things are associated on. You said, you're, eating at the table with experts in these other parts of the quantum chain where, at least your that's not your day-to-day business, how do you stay up to date?
[00:48:15]Clearly you have now access to some networks that not everyone has, but how does one stay up to date meaningfully? So that one can think about investing in quantum, or if you're a CEO of a big companies, start to figuring out how to. Stay smart. Train your executives on it. Perhaps start investing in building technology on it.
[00:48:35] What is the best way to engage? I
[00:48:38] Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:48:38] think that there's a few opportunities now. There are also quantum conferences. So there is inside quantum tech. There is a EDU quantum conference that was set up there. There's a whole bunch of very good. Quantum conferences, if you would just Google on that. I think that's a really easy very low threshold way to figure out and there's business, even for the Etsy conference on post quantum cryptography, there's an executive track and a technical track.
[00:49:04] So they've made it as approachable as possible for people to understand what's at risk. What are the possible solutions and what's best for you?
[00:49:13] Trond Arne Undheim, Host: [00:49:13] Yeah. Etsy they're European standards organization. Yep. Got it. Any bloggers and stuff apart from yourself that that got this?
[00:49:21]Jaya Baloo, Chief Information Security Officer (CISO), Avast Software: [00:49:21] There's a whole bunch of Twitter accounts and also follow the European flagship, which talks about all of those pillars.
[00:49:27]That's always a good resource and there's a lot there because. Part of it is making everything around quantum to be part of the general literacy, just like we were trying to increase the general public's literacy around AI. We're trying to do the same thing for quantum. So when the time is there, we will be able to already have a quantum enabled workforce, like a workforce that understands what's going on and how they can actually benefit from it and work in the field.
[00:49:54]Trond Arne Undheim, Host: [00:49:54] Jai, I thank you so much and I feel slightly more informed, but it strikes me that this may not be the last discussion on quantum security. We are entering interesting times and I hope that we can stay in touch on that. I'd love to. All right. You had just listened to episode 69 of the futurist podcast with host futurist and author.
[00:50:18] The topic was the future of quantum security. A guest was JIA Ballou, chief information security officer at Avast software. And this conversation, we talk about why it is so hard to eradicate cyber security challenges. We discussed the internet organized crime threat assessment. I Octa and. We discussed the threats.
[00:50:40] We are ready for it and know about versus the threats we don't know about and are not ready for it. We talked about the quantum market players, the challenges and the applications. What quantum security challenges do you worry about? In the next decade Jr. Uses the story of Alice, Bob ex-girlfriend Eve to go straight security and how to teach quantum computing to a next generation of engineers.
[00:51:10] My takeaway is that quantum security is just around the corner, because if it isn't, we are all in trouble. Quantum computing has gone from being a theoretical possibility to a highly experimental niche application among a few computer firms. To a significant emerging government concern and a future business opportunity for those, with a lot of data to crunch fast.
[00:51:34] Most of us don't need to worry about it in this decade, but doing so is a bit like not thinking about retirement in your twenties, it isn't necessary, but it is smart to do. Thanks for listening. If you like the show, email@example.com board in your preferred podcast player and rate us with five stars.
[00:51:53] If you like this topic, you may enjoy other episodes of future, such as episode 13, cyber security review of the RSA Asia Pacific and Japan. 2020 virtual event, episode 31 artificial general intelligence episode 51 on the AI for learning episode 16 on perception, AI. Episode 50 49 on living the future of work.
[00:52:18] It was a 35 augmented reality episode, 47. How to invest in scifi tech or episode 54 from the future of AR and episode 31 on robotics. Futurizing preparing you to deal with disruption.
CISO, Avast Software
Jaya Baloo, currently Chief Information Security Officer (CISO) at Avast Software has worked in the cybersecurity area for nearly 20 years. She won the Cyber Security Executive of the year award in 2015 and is one of the top 100 influencers in the field. Jaya frequently speaks at security conferences on subjects around lawful interception, mass surveillance, cryptography. She is a faculty member of the Singularity University and a member of various infosec boards. Expert on quantum computing, Jaya is a quantum ambassador of KPN Telecom and a Vice Chair of the Quantum Flagship Strategic Advisory Board of the EU Commission.