B (5:42)

Thanks. Likewise. It's been at least probably what, eight, 10 years since we last worked together.

A (5:46)

Yeah, it's been. Yeah, we're just shy of 10. 2016. It has been way too long. You've come up in the world, which is always a great thing to see. So do me a favor. I mean, you and I obviously know one another. My audience doesn't tell my audience about Michael Satilli.

B (6:03)

Sure. All right. So I am Michael Satille. I'm currently a CISO for a quantum computing company. I've been involved in cyber defense, data security, information security, using all the terms that you used to use back to describe it, going back a couple of decades, since the late 90s. I love security, very passionate about it. I spent my entire career working for various organizations. Fintech, software development, healthcare, a little bit of defense in most of the roles that report to a traditional ciso. Up until about a year ago when I began working as a CISO myself.

A (6:45)

When you became a traditional ciso.

B (6:46)

I became a traditional ciso, yes. At a very non traditional company.

A (6:50)

Fantastic. So given your company is in the quantum computing space, I thought you would be the ideal person to talk to us. I mean, quantum computing is still being mentioned on the edges of conversations within cybersecurity and for me that's concerning because I remember when AI and cloud were being mentioned on the edges and then all of a sudden it's here. And I think that there's an opportunity here on this podcast for us to bring the conversation in from the edges and begin to get a deeper understanding as well as your expertise in terms of figuring out what should I really be worried about? What should I really be concerned about? What should I be doing to prepare? So, using a phrase that I know you are very familiar with, though it's been a while, explain it to me like I'm a six year old. What is quantum computing?

B (7:48)

Okay, so generally speaking, quantum computing is a shift in paradigm in how, how a computer can operate. So today we've got classical computers. Every computer we use is, we consider a classical computer. It's got a register, it's got binary settings that you can control electronically. It's either a zero or a one. And that can be a very low powered computer that you wear as a calculator watch. For anybody who still works the old Casio calculator watches all the way up to a mainframe to even the supercomputers that are built with millions and millions of dollars of processors from Nvidia. These are all, these are all riffs on basically the same concept. Just doing it at scale and with faster, better hardware. Right? So this is what we've had now in computing for, oh my gosh, going back, what, close to 100 years, 70, 80 years now. So there's a, I don't want to say newer concept, but it's getting a lot more buzz lately. A lot more technological advancements have really come out the past few decades, especially the past few years with quantum computing. Right? So quantum computing, rather than looking at a register with a bunch of zeros and ones, you have, and depending on who's, who's making or developing the quantum computer, you've got some, some ions, some photons, subatomic particles that could either be a zero, a one or something in between. And that, that allows a quantum computer to do different things. It allows the quantum computer do things a little bit differently than a classical computer, but even more so, depending on the problem it's looking to solve, it can be exponentially quicker. I don't think that you'll, you'll find too much out there today stating that a quantum computer will replace classical computers. I haven't seen any from the, you know, I've worked, worked with quantum computers for the past year or so. I don't see them replacing them, I see them augmenting them. Heck, even quantum computers, pretty much everybody's today, still requires classical computers to operate and run and kind of serve as that liaison between the human and the quantum computer. So it's not that we're evolving from just classical to just quantum. It's we're evolving from classical to a hybrid approach where we're going to have classical computers and they will have another tool at their disposal. And that tool is a quantum computer.

A (10:13)

Let me interject here for a second and go take us a step back. You said we use some sort of subatomic particle that can enter the traditional one or zero state, but also something in between. Is that. And I am by no means an expert, but I do try and do a little research. Is that what is referred to by this thing I keep hearing about a qubit or is that something different?

B (10:37)

No, you are correct. So in classical computers you have a bit, which is short for binary digit, and it's a zero or a one. With quantum computers you have a qubit and it's a 0, 1 or something in between. And that's achieved through science that I can't quite understand, much less explain. But you're.

A (10:58)

I don't want to. That's okay.

B (10:59)

You're talking about superposition and some really crazy out there physics ideas. And in all honesty, when I first started learning more about quantum. So before I took the role I'm in now, I did several months of research on it. And I consider myself a highly technical person, relatively smart, and I read a lot and it was very frustrating because you're trying to apply long held principles that you understand about classical physics and trying to apply it to like, okay, how does this translate to a classical computer once we're moving to the quantum world? And it's really frustrating it doesn't do it nicely, at least for lay people, which I consider myself one of. Just to be clear, I think it's helpful for people to look at quantum computers as a device that can do some very, very specialized things that we never thought imaginable with classical computers, regardless of how it works, if it helps you in your brain to think of it as a super classical computer on steroids, I think that's fine too. I don't think it's really worth getting too mired up in the details on exactly how they work. Plus, there are, there, there's dozens, if not more quantum computing companies and they all, they all kind of do do these things differently, right? There's, there's several different ways of, of utilizing these, these principles to achieve a quantum computer. So it's, and they're all, many of them are very, very, very different from one another.

A (12:29)

Okay, so why should I care? As a senior cyber professional, should I care?

B (12:36)

Yeah, you should. Right. So it's funny you mentioned earlier when you, when you were introducing the topic that cloud and AI, they were on, on the edges and out of nowhere they were here. It's easy to forget about cloud because it's been so long ago, but AI was very, very recently and I like reading the tech articles and I was reading about it and then all of a sudden it's like, holy crap, it's here. Right? I mean out of nowhere, right? You're reading about it for a decade and then bam, it's, it's, it's here within a few months. It seemed like it just, it was. For me, it still is kind of mind blowing how quickly that happened. But it, it shouldn't be that surprising with what we saw in cloud and, and I'd like to think that quantum won't be as surprising as AI, but, but it might be. You never really know. We need to care about quantum computing from a security perspective. It'll, it'll enable us to do great things. Right. I feel like most technologies that come out, they're a bit of a double edged sword. They let you do amazing things and they let everybody do amazing things.

A (13:36)

Let's double click on that. And that's heading in the direction I wanted to poke at. It will enable us to do amazing things. And again, all technology is a double edged sword. What kind of things should I be looking at as a CISO to say whenever Quantum gets here, this will be easier, this will be harder, or whenever Quantum gets here this is going to break and this is going to be a problem. What are those type of things I should be thinking about now?

B (14:06)

Sure. Well, first the positive things. Right. There is so much for humanity that Quantum can do for security and non security. Right. Outside of the security world. I mean there aren't many sectors out there that won't be able to potentially benefit massively from pharmaceutical development and research and development, cancer treatments, energy really, it's almost limitless. Right. How this could potentially help us one day. On the security side, ways it can help us is you could theoretically, and we're talking like 10 plus years from now, most likely and we can talk about the timeline in a bit, but one day quantum computers could theoretically significantly help with fraud detection. So if you're Working for a card processor, and you're looking for, for example, for fraudulent activity in a payments ecosystem, you would be able to, ideally, use technology that's bolstered by quantum computing to make that easier. Compliance could become easier with quantum computing achieving additional resilience just in your own enterprise. Quantum computing can help in many ways. That said, quantum computing also presents some challenges and opportunities from a security perspective, particularly as it comes to encryption. We've lived in this space now for 30, 40 years where we've had some great encryption algorithms and they stick around for a few years, and then somebody finds a way to get around it or theoretically bypass it, or make it not as effective. So some tweaks are made, and then everybody has to scramble, change their infrastructure, change their client server configurations, add things to them, and evolve with that. And once we get to the point where quantum computers are able to break much of what we consider to be classical computing encryption technologies, we need to be prepared for how we handle that. And now's the time to start planning for that. It's not the time to start freaking out. By all estimates, we have at least five to 10 years, depending on who you talk to. If not 10 to 20 years before the 40s, computers are powerful enough to really pose a significant imminent threat.

A (16:30)

So let's parse that a little bit. So reflecting back a little bit in terms of quantum computers being able to break encryption algorithms, I'm assuming, and please correct me if I am wrong, I'm assuming it's because of the speed of the computational power that they can bring to play with dealing with more than one state or a binary state. I can then potentially run massive amounts of calculations to attempt to break the encryption algorithm a lot quicker than I could with the fastest supercomputer here, which means a lot of our strongest algorithms may end up breaking quicker. Am I interpreting that correctly?

B (17:12)

You're not too far off, right? So it's not so much.

A (17:14)

Please.

B (17:15)

It's not so much just the speed. It's not that a quantum computer would be able to brute force a password, for example, although in theory, that. That is not. That's not out of the question. There are certain algorithms out there, and we'll talk about Shor's algorithm and Grover's algorithm in a bit that cannot be run on a classical computer. It's not that they're not fast enough. It's just the algorithms themselves are designed to be run in a state where you've got qubits that are able to represent information to 0 or 1 or something in between. And you don't really get that in a classical computer. So it's not really necessarily that it's doing what a supercomputer can do even faster. I'm sorry, a classical computer can do even faster. It's just doing it differently and also, by the way, massively faster.

A (18:01)

Okay. So given that the probability of a standard encryption algorithm standing up to analysis, for lack of a better term, using a quantum computer, it won't, or it won't stand up as long as it would if I were running it through a classic computer.

B (18:22)

Correct? Yeah. So there are. So it's been known now since, since I think the mid-80s. There's been an algorithm that was designed, and might have been mid-80s, mid-90s, a very long time ago called Shor's Algorithm, which requires a quantum computer. But Shor's algorithm allows you to do some very interesting fancy math, including factoring large numbers into two primes. Right. So when you look at current crypto schemes, not all, but many of them, you're looking at rsa, I think, Diffie, Hellman, elliptic curve cryptography, a handful of others. They rely on some very complex math problems that classical computers, even the supercomputers, just have a really hard time solving. Shor's algorithm was, was, was developed several decades ago as a way to prove that a quantum computer one day can break these, these crypto suites. And, and one day it, it turns out, most likely is in the next 5, 10, 15 years or so.

A (19:30)

It. Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching. Streamline the number of vendors you use, reduce those ever expanding costs, and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full stack, zero trust networks from the ground up. With security at the core, at the edge, and everywhere in between. Meter Designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks, and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and vpn. Every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade. CYC Meter even buys back your old infrastructure to make Switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's M e t e r.com CISOP. So when do I as a CISO actually start? And we both grew up in financial services, so let's use an example that's near and dear to both of us without naming companies. When do I start, as I do strategic planning, you know, for a three year window, start tapping this chief operating officer, the chief information officer and the business is to say, you know, all this stuff we're using to secure our environments. Right now we need to start migrating and oh, by the way, not only do I need to start migrating, I need to start migrating to things that will theoretically stand up to potential future problems that aren't necessarily baked into the regulatory frameworks that I have to deal with, a la pci, dss, et cetera. So when is that inflection point that I should begin to have those type of conversations? If you're telling me I need to.

B (22:50)

Worry about this now, so let me break it down into, I think maybe simpler steps to look at when.

A (22:58)

Please.

B (22:59)

Okay, so when this thing happens, this nebulous thing where Shor's alderman has been implemented and you can no longer use RSA or ECC or Diffie Hellman, the tools to get us past that already exist. It is, it is conceptually super easy. You update the config on a server, you update the config on a workstation, everything works beautifully. That fails to take into account things like IOT things that don't have.

A (23:26)

Yeah, I was about to say, I know I have my BS flag over in the closet there and I know you still have yours right here.

B (23:32)

There it is, right here. That's why I said conceptually it's very easy. I'm thinking back, I'm going to go back in my time machine about 10 years, might have been 11 or so. I was working in FinTech and SSLV3 was deprecated. And we knew it was going to be deprecated. It was long coming. And then Poodle came out. The patent Oracle on demand, the poodle thing, right. And so all of a sudden everybody had to adjust quickly and upgrade, change configurations, all that servers and workstations, super easy. Wasn't really a problem there. The problem was when you had IoT Internet of Things connected devices. In fintech specifically, we had car terminals. Some car terminals can be updated remotely, some can't, some are really old. And we ended up finding in One fintech environment. There were tens of thousands of old terminals that could not be upgraded, that were no longer able to be able to accept SSLV3 connections. And they were kind of left behind. How do you handle those? Right, so what we thought initially was going to be super easy. Oh, you just make some little conflict changes on, on an F5 somewhere. No, no, no, no, no, no, no. You, you need to look at what's connecting to you. So, so you need to look at the whole ecosystem, right? Not just, not just your own, not just your own organization, but how, how companies and individuals interact with you as well as how you interact with others. So I say that to, to remind us we've done this before. We've had massive crypto changes we've had to make before. When we deprecated, SSLV3 moved to TLS 1.0 and then four or five years after that, TLS1111 were deprecated with beast.

A (25:20)

Yeah, we have changes that happen every few years, but these are examples where, heads up, this is going away and for lack of a better term, your keister's going to be in a sling if you're not. If you don't do this because heads up, it's gone. You and I were in situations where we knew this was coming, we knew this was coming, we knew this was coming. And oh, by the way, nobody did anything until they were 90 days out. And in both cases, and you and I would probably say in some cases, 90 days was generous by the time we actually got the attention. But it would be nice.

B (25:56)

What are those nerds insecurity talking about? Why is it a big deal?

A (25:58)

Exactly. So it's a similar thing. So the argu, the counter argument to what you're saying is, yes, we've done this before and the sky didn't fall, nations didn't fall, dictatorships didn't rise based upon us waiting till 90 days out until we had to. I don't like waiting to 90 days out because I like to be proactive. But we're now sitting here talking about, are we in a situation where I should be telling CISOs, know that it's coming. Familiarize yourselves with the tool sets that are out there and understand that when this hits, is it going to be, hey, we're heads up, this is going to be a requirement, be ready, or oh, by the way, somebody just got popped badly and quickly and we have to scramble. But should I be having those conversations or thought processes literally 10 years out?

B (26:52)

I think so. And I Also want to just look back at that timeframe. Right. I referenced SSL v3, TLS1011. Yep. And those were, you know, almost 10 years ago, almost five years ago. If we're going to try to find a pattern in there, it stands to reason every four or five years something big happens in crypto. I personally don't think from life, what I'm reading, what you see out there, that quantum computers are going to present an imminent threat in the next four or five years. Right. We agreed earlier in the conversation, let's call it 10. Yeah. So before, before this becomes an issue for us, chances are we're going to have another encryption issue where we have to, we have to scramble, we have to replace TLS 1.3 with 1.4. I'm making that up. Right. But there will be some other big thing that happens and I feel like the lessons we've learned at all of them frustratingly and maybe it indicates we haven't learned the lesson. But you need to know, you need to inventory all your services, how they're interacting with others, how others interact with your services so that when the next bad thing, be that TLS1.3 being deprecated, be it quantum cryptographic, post quantum cryptography being implemented and mandated so that you prepare for those things.

A (27:58)

So not just the stuff, but the interactions that happen between that stuff so that we understand what can. Because things fail at the interface. So we can understand what things may be impacted and begin to plan for it. So that makes sense to me. Let's assume using the timeframe that you use because yeah, it is about every five years we have a massive crypto upheaval when the next crypto upheaval happens and you know, by your timeline, we're probably a year and a half out, would it make sense for us to migrate or begin to migrate to quantum safe algorithms within the environment?

B (28:37)

Absolutely. And in many cases we already are. I think one of the example. Example, example. So one of the, one of the world's largest WAFs, so Cloudflare, they've supported post quantum cryptography solutions now for I think since October, November of last year, if not longer. So any website that sits behind that particular waf, they are protected with it now during the TLS handshake, right. The the server and the client are going to negotiate which, which set of algorithms and key strengths do we want to use. So the client also has to be configured to utilize one of these post quantum algorithms as well. However, Edge all chromium based browsers, Firefox which isn't Chromium. Right. But Firefox, Chromium based browsers and all the big browsers already they support it. Right. So these are already solutions that are supported today. Right. So if you've got a, if you're running a browser, a relatively recently updated browser, it should have support for post quantum encryption algorithms. And if you're communicating with a website that sits behind a WAF or is configured with its own and its own SSL configs to utilize one of these algorithms as well, there's a good chance that those, during the TLS handshake they will agree on, they'll negotiate and agree on a post quantum encryption to be used depending on.

A (30:03)

And that also tells me that it doesn't have to be potentially an all or nothing swap that if I, if I am cunning with my magic, and again another phrase you've heard before, if I'm cunning with my magic, I can configure the systems or the edge devices such that they are capable of going that high but don't have to go that high necessarily.

B (30:26)

Absolutely.

A (30:26)

So that it doesn't have to be a. Okay, we're going to flip the switch today and bring this down and then this comes up versus we can then do something like plan on transition within the environment so that we can support customers that are already there or they're quicker, but we can also deal with customers that aren't quite there yet. Absolutely.

B (30:47)

Yeah.

A (30:47)

Okay.

B (30:47)

Absolutely. Sorry to cut you off there. Yeah, absolutely. Thinking back to how fintech dealt with car terminals, it wasn't so much the bad thing that happened, it wasn't so much that new technology was enabled. It's not that all of a sudden we had a support TLS 1.2, it was SSL V3s going away. So we didn't have a hard time implementing something new. We had a hard time deprecating the old. And that old was so old it was kind of forgotten and you just kind of lose track of the fact that it's out there. Right. We lost track in this particular orb of the fact that there are car terminals that are basically It's Knuckle Buster V1 1. Right. I mean it was like one of the oldest things out there and we had thousands of them that were connecting to us and they were just kind of left behind. So my concern, and I think what we need to really do preparing for five, ten plus years from now is keeping track of everything so that what is still kind of fresh in our mind today doesn't become Totally forgotten tomorrow, if that makes sense.

A (31:47)

Makes sense. Now, we've talked about good things, we've talked about what we should be doing. We haven't really talked about a lot of the bad things other than potentially encryption breaking within the environment. What bad things should I be worried about?

B (32:01)

Well, so I think one of the things people gloss over is most security organizations, especially if you're air quotes here so advanced, you're talking about the quantum threat is defense in depth, right? So in order for this to really be a bad thing for you, the attacker needs to get to your encrypted data in the first place. Right. And ideally, it's not just as simple as going online and downloading an encrypted blob of data from you. Right? So if you're augmenting your security program with things like vendor due diligence checks, right, you're making sure ISPs and upstream providers have controls in place to protect your traffic. If you've got controls in your own enterprise, your own environment, to make sure that you're keeping the bad actors out, the good people in the data protected, that's a huge thing you can do to help yourself as well.

A (32:56)

Okay, so, and again, I'm going to pivot this back to potential bad things as well. And I'll use the AI analogy for that. There's been a lot of talk and there will be more talk on this podcast this season regarding the good, the bad, the right, the wrong and the different of AI as we go forward. One of the things that I talk about when I talk about AI is with rare exception, with very rare exception, what I'm looking at is I'm looking at increases in volume, accuracy and speed of the same type of attacks I've been fighting for over 30 years. There are not a lot of new attack vectors that have resulted from AI. So the question I would ask you is putting on your crystal ball all of our caveats in place. Are there any new attack vectors I should be anticipating from quantum?

B (33:51)

None that come to mind. One of the, one of the bigger concerns I, I think when that's out there with, with quantum, and rightfully so, is the concept of harvest now, decrypt later. So you've got adversaries, especially nation state adversaries, who've got footholds with ISPs and are able to down, are able to intercept encrypted comms. Today we get a little bit complacent, say, yeah, yeah, they got it, but it was encrypted. Yeah, right.

A (34:16)

Well, are we seeing an uptick in that, though? I know what you're talking about. Why are we seeing an uptick in that?

B (34:22)

We hear about it. I'd like to think my own government's doing that. Otherwise. Otherwise, where are my tax dollars going? So if we assume our own government's doing it, you got to assume others are as well. However, getting that data isn't the easiest, and it's also a lot of data. Right. However, there's a lot of storage out there. So I would be concerned about harvest now to crypt later attacks. And a lot of that also depends on how long you want your secrets to remain secret for. So if you're talking about a credit card number or a password to a bank account that you can change with really little, little repercussions, you know, within five minutes, those, those secrets don't need to last as long. When you're talking about nation state secrets, who killed jfk, things like that, you want those secrets to last a very long time. So you don't want to rest on the fact that, hey, it's encrypted, nobody can ever crack it, because those days are. Those days are numbered.

A (35:16)

What's the one thing we did not mention, talk about, ask, bring up, that you would want my audience to know or hear from you?

B (35:25)

Aside from being a ciso, I've also, in the past four years or so, I've consulted a lot. I've talked with dozens of organizations, and we talk about advanced security measures and security programs and security strategy and some really, really technical concepts. And it's exciting. It really is. I see companies doing a worse job today than they did five or 10 years ago on maintaining an inventory. It's not just list your laptops and servers, it's where is all your data? Where are all your services? Who are you connecting to? Who's connecting to you? What connections do you have to the Internet? What connections are coming into you from the Internet, So on and so forth. All those. Right. And the tracking mechanisms, the inventorying tools, I don't think have really kept up with the evolution of the size and complexity of enterprises today. And I say all that because it's really frustrating. And when you read about breaches, a lot of these are occurring on those, Those fringe cases that aren't really necessarily being tracked in an inventory somewhere, but they should be. You should be aware of all these things and all that to say your, your, your crypto ecosystem, your, your encryption ecosystem is certainly one of those things that you need to have a better understanding of so you know what is where and who's interacting with it. And that's not it's not sexy, it's not super fun. At the end of the day, it's a list, ideally in a and a purpose built tool or service for it. But there's really no way around the fact that if you don't know what your company is connecting to, what your organization's connecting to is connecting to you, or so on and so forth, it's going to sting you eventually.

A (37:17)

Michael, it's been great not just to learn about this topic from you, but just to catch up man, and see how fantastic you're doing. So thank you for making the time, man. Let's not make it 10 years next time.

B (37:29)

Thanks, I appreciate it. Next time I'm in Phoenix, I'll give you a call.

A (37:52)

And that's a wrap for today's episode. Thanks so much for tuning in in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show Notes this episode was edited by Ethan Cook with content strategy provided by Mayon Plout, produced by Liz Stokes, executive produced by Jennifer Ibin, and mixing sound design and original music by Elliot Peltzman. I'm Kim Jones. See you next episode. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack, zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented, and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's M E T E R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode. For all Cyberwire listeners.