Duncan Jones, Head of Cybersecurity at Quantinuum, recently spoke with IQT News contributor Dan O’Shea about the company’s Quantum Origin product, how current events like the Russia-Ukraine War are impacting cybersecurity developments and what the future of protection might look like to enterprise users. What follows is an edited portion of that interview:
IQT: After the merger of Honeywell Quantum Solutions and Cambridge Quantum Computing closed, there are probably a lot of products Quantinuum could highlighted from the start, but the Quantum Origin cryptographic key generation platform (originally announced by Cambridge Quantum last summer) was the first. Why?
Duncan Jones: The opportunity fell right for us. Quantum Origin’s purpose is to help companies today strengthen their cybersecurity systems by generating for them cryptographic keys that are as close as possible to being strongest cryptographic keys in the world. You don’t have to look around the world too much right now to reel in horror at the growing sense of doom in cybersecurity, and the fact that sophisticated, state-funded attacks are just commonplace. We’re in a position where the world has never been more in need of a foundation for protection. There was also the element that this is a product derived from a quantum computer, and while quantum computers are rapidly advancing, and we’re very pleased with the trajectory we’re on, obviously, to be able to deliver something that can only be done in the quantum realm today, you are limited with your options. There are many interesting use cases that are going to be coming online in the coming months. We’re very close on a number of fronts, but it just happens that with cybersecurity we don’t need quantum computers to get any better to be able to do this. In fact, if they get better, our products get better. So it was partly just a matter of readiness as well. We can bring a tangible quantum product to market.
IQT: Regarding that sense of doom, how has the Russia-Ukraine War added to the urgency around development of post-quantum cryptography and better cybersecurity in general?
DJ: I think if you look at what the U.S. government is saying, for example, its advice on cybersecurity over the past 12 plus months has been a flurry of advisory notices and memos and that are really drawing attention to the need to take cybersecurity more seriously. And we’ve seen some high profile incidents in the last couple of years [like] what happened with Solar Winds or the Colonial Pipeline, as early evidence that we will see genuine disruption to our daily lives as a result of cyber warfare in the years to come. And I think the situation that’s unfolding now is simply another reminder that threats need to be taken seriously. It’s been commented in a number of places that wars are not just physical affairs anymore; they are cyber affairs as well. What’s interesting about the events of the moment is that it’s hard to separate what is directly state-sponsored and instigated versus what is also just being instigated by people on both sides of this equation who have the skills to potentially disrupt business operations around the world. I think this is one of the reasons why products like Quantum Origina have quite a broad appeal is because you never know if you’re going to be impacted by some of these threats. You may perceive for some reason that your company is not typically a victim of these sorts of things, but the nature of cyber warfare can be quite indiscriminate.
IQT: At the same time as we think about current threats, we have to think about the role of quantum technology as a threat, right?
DJ: Most people we speak to are thinking about the threat of quantum [being used to break encryption], and beginning to make plans to be quantum-safe in some respect. I think most of those plans are in their infancy. I think there is potentially a need for more people to act faster on this topic. I have a lot of sympathy for CISOs and others because they have a lot of burning fires to deal with. But this particular threat is quite existential. Even though most people would argue it’s five or 10 years away, it will be a big deal when it arrives if you’re not ready. Quantum Origin is to some extent the other side of the coin. Quantum is a boogeyman for cyber, but it’s also going to help us as well. Quantum Origin is not directly a response to the quantum threat. But it’s something you can add into existing systems to make them resistant [and that can be used] to generate new quantum safe keys if you want. We support those algorithms, or candidate algorithms that NIST is midway through standardizing.
IQT: This NIST process is ongoing, but how important will standards be to accelerating this evolution?
DJ: This particular standardization process has been running since 2016, and there has already been quite a lot of evaluation. We are down now to seven–it’s debatable whether one of the most of them in the race [a reference to the recently-hacked Rainbow signature, which Jones wrote about last month]–but about seven algorithms. And we’re expecting a number of those algorithms to be selected so there won’t ‘one ring to rule them all’. We’re expecting to hear some more news on that this year, but I think the standardization is really important because right now, companies may say one of the reasons not to explore this topic is because there are not standards in place. Now I don’t think that is a valid reason to not explore the topic, but it’s an easy get-out clause. So I’m excited for the moment when they arrive because suddenly that excuse is taken off the table. A lot of attention is going to be thrown on CISOs and similar roles to ask ‘Well, what do you do about it?” Day one after those standards arrive there’s going to be a knock on the door from the CEO asking, ‘I’ve just heard that this thing has happened. You know, where are we at with that?’ So I think it’s a good idea for people to be exploring things way ahead of standardization.
IQT: When we have standards and more quantum-safe protection implemented, will we still need programs like Zero Trust and other cybersecurity measures?
DJ: Cybersecurity is all about having all these layers that stop people from attacking you. So, just because we have solved one of those layers, doesn’t mean the other layers aren’t so important. You’ve always got other things to be thinking about. But at least if you can take some risks off the table.
IQT: And how will things be for users and for developers of products that need to be secured?
DJ: For 99% of the world population nothing apparently changes because we’ll just carry on using the products and services that we do today, as much of what we’re talking about is invisible under the covers. You and I are not particularly aware of encryption protecting this Zoom call. For the people who build these products, they will have to go through a transitional phase that will not be straightforward. These algorithms are not necessarily drop-in replacements. So they’re part of the reason why we need to experiment–in order to understand the impact of shifting from something we’ve used for many years to something different. We have to really kind of tear out the guts of what we’re doing today and change it for something else. But in another sense, it’s just business as usual. We are always learning about how some advanced new attack could make something obsolete that was previously considered secure. Products like Quantum Origin are fundamentally different because the keys we generate are unpredictable regardless of what you throw at it. It’s just unpredictable because it’s unpredictable, because that’s the way quantum physics works. And so I think we’ll start to see more adoption of these sorts of solutions. Nothing is perfectly secure, but we remove a lot of the bits that could be broken by advances in attacks and computing power, and replace them with things that are secure because the laws of physics say that’s how it works.