Greg Otto
The quantum computing future is closer than you think. But what should enterprises do to protect themselves? We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity. An attack is coming. It's about keeping us safe.
Rebecca Krauthamer
He's just a disgruntled hacker.
Tim Stark
She's a super hacker.
Greg Otto
Stay alert.
Rebecca Krauthamer
Stay safe.
Tim Stark
Stay safe.
Greg Otto
This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment, we're going to be talking with Rebecca Krauthamer, the CEO of QuSecure, talking about post quantum encryption and how we're really close to seeing things change in the world of quantum computing and how enterprises that need to worry about post quantum encryption and security in the age of quantum computing, we. What they can do now to set themselves up for success. But first, talking with Tim Stark, senior reporter for CyberScoop. Tim, you had a really interesting story this week that looked at sort of some mixed messaging from the White House and the President himself when it comes to cyber operations and how the US is conducting themselves and deterring their adversaries from attacking them. Sort of talk us through what we've reported.
Tim Stark
Yeah, so I think one of the things that's, that's, you know, as someone who writes about cyber policy the way I do, the thing that, that it seems like the Trump administration this time around is going to bring that's different to the table, is this idea that we need to hit back at our enemies harder in cyberspace. We need to do more to send the signal to them that, that their operations against us are unacceptable. That's, that's, that's kind of the message they're pitching, is that this is our unique ad. And that is something that you've been hearing from top White House officials, from Sean Cairncross as the National Cyber Director, to the two men who have been at the NSC, Mike Waltz, who's obviously since gone, and Alexei Bulazel, who's now the main cyber guy there. What was striking to me about this, because I think it was last month that this occurred to me to write about this, was that Sean Cairncross had weighed in on this and said this language about unacceptable, talked about Salt Typhoon, talked about Chinese global surveillance and how we need to deter it. But then I was, look, thinking back to the. What Trump himself has said about that kind of thing. When asked specifically about Salt Typhoon and then getting into our telecom networks, his response was, I mean, we, we do that, too. What's, what's the. Essentially, his response seemed like, what's the big deal? It's a nasty world. This is just the way the world works. And, and you, you know, the, the Fox News host who asked the question seemed a little taken aback, like, oh, really? Like, people didn't expect that. And it turns out there were other ways he'd been talking about cyber attacks that I've been kind of collecting in my head of like, oh, he said this about Russia, too. We kind of just seems like brushing them off a little bit, right?
Greg Otto
It is very much. It seems like to me, he is doing that thing that he does where he's saying the quiet part, loud in that it's open secret, for lack of a better term, is that we're all doing this. And it's, it's dumb to try to talk about it in terms of, like, bargaining chips for, like, trade agreements or something, where it's like, look, it's just the rules of the game right now. Why would we talk about it in any other fashion but that. And I would imagine that there's some people in the NSC that are like, no, no, sir, let's. Deterrence. Deterrence. Deterrence. Right.
Tim Stark
Yeah. It's interesting, you know, the reaction from the people. I've spoken to people, some of them who have been in the White House, some of them have worked on cyber diplomacy for the story. There were people who said, this is a strange contradiction that he's doing this. It's undermining the overall message. Right. If you're saying we gotta hit back at these guys and we gotta make sure that they know they can't do it. It was remarkable how many also were like, he's kind of got a point. And the other part of the article that we delved into was about the degree to which he's maybe not all that alone and how he's getting a bit more open, a little bit more blunt about how we talk about cyber. There were other world leaders who have been doing this a little bit, not explicitly on, on this case of deterring espionage so much. Although in the case of Xi in China, yes, there actually has been a little bit of. He joked with the South Korean president about this. Like, oh, yeah, just, yeah, we're giving you these gift phones and you might as well, just check and see if there's some back doors in there. So there's been a little bit of that, but there's also been an openness of, like, maybe, maybe it's kind of overdue for us to be talking about these things that we, that everybody knows we do, everybody knows everybody else is doing kind of demystifying cyber in a way and trying to put it in the right context, having more open discussions about this thing is not an exquisite means of power that only exists, you know, in these little pockets of technologically advanced nations. It's something that a lot of people are doing. And so there was some amount of, of, of. Not sympathy, because that's not the right word for it. There was a certain amount of relating to what he said that people were like, yeah, actually, he's kind of right. I mean, he's just saying the quiet part out loud.
Rebecca Krauthamer
Right.
Greg Otto
So there is an element of this, of, and it has been for years, of we do it, too. And I think back to when James Clapper testified in Congress about the OPM breach, where he said he kind of tipped his cap to the Chinese. He was like, if I had the opportunity to do something like this, I would do it. And that's, you know, spanning back a decade now, where, yeah, deterrence in all means of, whether it's geopolicy, military and anything really in that purview is, yeah, don't, don't do it to us. But there have been instances, and you talk about this in the story, where it's, we have saber rattled and when the rubber meets the road, we kind of go, all right, we're really not going to do anything. And we have our bluff called and everybody just keeps on keeping on. And it seems like, I don't think it's something that Trump is, like, being directly about. Like, I, I, I would be very surprised if he's really ruminated on, like, Title 10 versus Title 50 and how that's going to affect everything else. I mean, that's why the NSC exists. But there is some element here where, and we see it in our coverage, where you don't see a lot of what we're doing being called out by either, like, the companies or countries, because that's just been the rule, like, don't call America on the carpet in a technical sense, unless you're starting to see a little bit of it in China. And Russia has certainly done it, whether it's been through, not explicitly through Kaspersky, but Russian companies have, have called out American operations. And China's CERT just called out the US for going after their national clocks. Where you are starting to see a little bit of the okay, we're acknowledging that this is going on because it's stupid to think otherwise. That this is not going on because it is. Maybe we can get to a better place if we all just acknowledge, okay, this is happening. And shaking a finger from across the ocean to say don't do that or we're, we're going to do it back to you. It's like, where's this really got.
Tim Stark
Yeah. Kind of working backwards. I mean, that, that, that Chinese attribution is something that we're seeing more from non Western countries. Singapore just did their first attribution. There's been a little bit more openness about the cyber operations in some other countries that we talked about in the article going to, to Trump's position on Title 10 and Title 50. Yeah, I mean he doesn't seem to think about cyber. It's not, it doesn't seem to be a priority for him personally. And as Chris Painter mentioned in the story, he's kind of looked at cyber as a means of delegitimizing him in the past with the Russian election interference. He takes the idea of cyber as an affront sometimes to the point that when Tom Bossert approached him in the White House about it, he said, leave me alone, I'm trying to watch the Masters.
Greg Otto
Yeah, I believe it's final round of the Masters. I mean, I'm in this stuff and I wouldn't want to be talking about it if I'm watching the final round of Masters fair.
Tim Stark
Let's give them the benefit of the doubt of that. The other thing, of course, is that, you know, the, the, the, the deterring of cyber espionage, the, like the laying out the difference between those things. We tried to do some things to punish other nations for cyber attacks that we viewed as destructive. You know, Michael Daniel mentioned the former White House czar under Obama that, that we did persona non grata, PNG, some people after the Russian election interference. But that was a more disruptive kind of attack. Right. It was espionage that stole things, but they were also, the Russians were putting things out into the world from what they stole to affect things in a different way than just taking it and looking at it. And one of the lines of distinction that people raised in the article I thought was interesting is, you know, Salt Typhoon caused this furor on the Hill saying we can't allow China to get away with this kind of thing. And probably they did it because it was such a massive cyber espionage operation, that this was something we have to deter, is what they said. But the people who are in the deterrence field are kind of like, it doesn't really work. You can't really deter cyber espionage so well, because it's really valuable. You get a lot out of it, and what consequences are you going to put on somebody to make them go, yeah, okay, we're scared. We're not going to do this anymore. Right now, that doesn't seem to exist. That, that, that balance of, like, what we would do in response to cyber espionage that would make a country back off. It doesn't seem to be a credible threat. We could issue right now is what some of the people I was talking to said.
Greg Otto
And you hit upon something that spans different administrations, is that policy people disagree. Like, not everybody's in lockstep all the time. And that's okay. It doesn't mean that there's necessarily, like, dissent in the ranks to the level of mutiny. Like, that's. That. That just happens. It's just a disagreement. And we've seen it in, we saw it in the Biden administration, we saw it in the Obama administration for the way that this stuff gets handled. So there is an element of, like, this is just the way that it is. But the sea change, where you do see it from Trump himself, where he's like, look, we're doing this. Like, why are we pretending otherwise? Like, he's clearly threatened China in a myriad of different ways besides cyber, too. So I would imagine that he looks at it from that and he's like, I'm not going to look at this as a bargaining chip. I've got enough going on with my trade.
Tim Stark
I think that's. I think that's true. And I do think, you know, certainly from the standpoint of covering a number of presidencies, this guy stands out for. He might just say some things that his team doesn't know he's going to say, and he might not even know he's going to say until he says it right. So in that way, yes, there has been this problem of consistency across administrations, and there are going to be different people who want to go at this different ways. But it seems like, for the most part, there's been a script that his team has been following that he's just kind of ignored.
Greg Otto
And going back to a point that you brought up, too, where it's not just Trump and it's the Chinese and Xi, even with Xi amounting to what is really Just an off the cuff remark. Even that I think does have some gravity to it because we've heard from going back to the OPM breach, probably going back even further. Anytime you reach out to the Chinese government on anything like this, they go, we don't do that.
Tim Stark
That's illegal.
Greg Otto
Just the acknowledgment, even if it's an offhand joke, to say, I might have a back door on it. Watch yourself, bro. Should. I'm glad we included that in the story because I think even that should make followers of this go, wait a minute. That's different in and of itself. To say, okay, maybe the whole turns, how dare you? We would never do such a thing. Is just, it doesn't work anymore. It's a song and dance that doesn't need to happen.
Tim Stark
I don't know what Xi's sense of humor is like, but it does seem like the kind of thing that if he thought that the South Korean president was way off, he would have said something a little bit more like, haha, wink, smile, wry. I mean, there's, there's a certain amount of truth to what the joke was about, right? There's. I think everybody in the world will tell you that China's doing this other than China, right? And so even just kind of winking and kind of being funny about it, suggested that maybe, maybe there's a little bit more going on here than they usually acknowledge. And maybe there's going to be some more openness about this, which, you know, some of the people in the article thought may be good if we saw not just not just China, but other countries start talking about this more in the open, we get an authentic discussion about it. And right now we don't really have that because it's so behind the scenes and it's so taboo to discuss.
Greg Otto
Some of my favorite stories throughout the years have been stories that take a minute to step back and go, what are we all doing here? Can we have an honest conversation and just put the actual truth out there and kind of say what we don't want to say, but we all know to be true? This is one of the best ones that I've seen. So happy that we got it out there. And thanks for joining us to talk about it.
Tim Stark
Thanks, Greg.
Greg Otto
Joining us on our interview segment this week is Rebecca Krauthamer, CEO of QuSecure, a quantum security company. Look, we're really close to seeing what the future holds with quantum computing, and part of that is guarding against security threats like harvest now, dump later attacks that will be able to happen thanks to quantum computing being able to break encryption standards that are in place today. I talked with Rebecca about what the world is going to look like when it comes to post quantum encryption and how government agencies need to prepare for the future. Check it out. All right. And joining us on this week's episode of Safe Mode is Rebecca Krauthamer, the CEO of QuSecure, a company specializing in quantum security. I met Rebecca a few months ago in September around the world Quantum Congress and really excited to have her aboard the program. So Rebecca, thanks for joining us.
Rebecca Krauthamer
Yeah, Greg, good to see you again. Thanks for having me.
Greg Otto
So the reason I bring up our meeting in September is I had Rebecca in our offices and we were talking about the future of quantum computing. And look, if you're in the technology space, especially in DC, you've heard a lot about quantum computing for the past decade, I want to say, and we've been talking about it as a future thing, but I was like, look, we've been having the same conversation for a decade on the future of quantum computing. Give me a bellwether moment of when we're, we're heading towards something that looks real and tangible. And Rebecca said to me, okay, wait for like the bond traders to start doing stuff with quantum computing. And when Rebecca said that to me, I was like, okay, I'll, you know, I'll just put a pin in that. No, and I'll look out for that over the next 12, 18 months. Three weeks later, HSBC makes their announcement that they have teamed up with IBM to start using quantum computing in high yield bond trading and high speed bond trading. Yeah, Rebecca was, was right in saying that the future was closer than ever. So super excited to have you on the program now that I know that you definitely are attuned with the way that quantum computing is moving.
Rebecca Krauthamer
Thanks, Greg. Yeah, and that's, that is the thing, right? There's, there's a lot of news that comes out in the quantum computing space and then the quantum cybersecurity side of it, that is hard to understand. And you'll see XYZ organization use quantum computing for insert esoteric sounding application here that nobody actually understands. That's a secret. And so yeah, when, when you start hearing those things exactly. Like HSBC and IBM came out and, and talked about using it for bond swapping. This really complicated problem that, that quantum computing lends itself to. That's, those are, that's the exciting moment and we're seeing, actually there's another one yesterday news just broke.
Greg Otto
Okay.
Rebecca Krauthamer
We now have the world's. Yet again, the world's most powerful quantum computer was released and benchmarked from Quantinuum, a company called Quantinuum.
Greg Otto
Interesting.
Tim Stark
Okay.
Greg Otto
Yeah, so when you say we, that's I would imagine, an American company. Or do you mean in the public or what's, what's the we there?
Rebecca Krauthamer
That's a good question. We, we as the, the community, we as the world. It's actually a company that came out of the UK. Okay. It's called Quantinuum, does a lot of work in the US as well, but they came out with a quantum computer that has just around 50 error corrected qubits.
Greg Otto
Oh, wow.
Rebecca Krauthamer
Okay, that is, that is revolutionary. That is, that is a mark, that is a number that may sound small, but the way that quantum computers scale, right. If I have a 50 qubit quantum computer, I add one more qubit 51. 51 qubit quantum computer. That's twice as powerful as a 50 qubit 52, twice as powerful as a 51. So, so these things scale really fast and you'll see, right, with it, with Quantinuum's quantum computer or otherwise, you'll see more of these bond swapping moments happen.
Greg Otto
Okay.
Rebecca Krauthamer
In the coming months.
Greg Otto
So with these computers growing that way, obviously the Trump administration has real, that the growth is really at a fever pitch right now and they're looking to launch, I would say, whether it's in an executive order or just an initiative similar to like the AI action plan that we saw earlier this year. They're really focused on supercharging, quantum computing and PQC and quantum security. So I'm sure that you are very, very in tune with that. And I'm wondering what your reaction or any sort of conversations that you've been privy to around what the government is doing and how you see that playing out over the next year.
Rebecca Krauthamer
The. Maybe a little primer for people who are, who maybe haven't heard of post quantum cryptography or the quantum threat. So quantum computers, for all of the things like bond swapping that they promise to be able to do, incredibly powerful. Like any powerful technology, there's, there's a flip side and there has been billions and billions of dollars put into quantum computing research across the world for all the, all the cool things that it can do, but also because it can at scale be weaponized to break the encryption that, that we use to keep our data safe. Right. I trust when I send a text message or an email that it's only going to be read by the person that I'm sending it to, I trust that. Nash. It's the same thing we, we trust when it comes to national security, that encryption is broken by quantum computing at scale. Now we're getting closer and closer to that day, the day that is called, that people are now calling Q Day, right. When that quantum computer comes online that can break the encryption that we use. We care today. And coming back to the government action side, the government cares today because it has long been a method to harvest data and stockpile it, harvest encrypted data and stockpile it for later decryption, or what is called harvest now, decrypt later. And so the way to stop that, that, that exfiltration of data is to properly encrypt it in a way that we know cannot be decrypted by a sufficiently powerful quantum computer. The good thing, and this is a lot of people know that that part of it. What we need to make sure more people understand is it is also a solved problem. We have that encryption that we know is quantum safe. And you don't need a quantum computer to fight a quantum computer. You just need to adopt that, that new type of encryption that thwarts quantum decryption. So to come back around to your question, it used to be consensus that that quantum computer wouldn't come online till 2035 or, or beyond. This year, more than any other year, there is growing intelligence, there is growing consensus that this, that in the last five years, 15 years of, of roadmap acceleration and of advancement in quantum computing has happened. And so these timelines are now coming, coming closer and closer. So, yes, so that, you know, you released a story, right, about some of this government action that's, that's coming out that says we need to push these timelines in for the government to migrate so that that bleed stops as we get closer and closer to that day when that powerful quantum computer will come online. Final, final note, Q Day will come and we will not know because it will be a nation state secret. Right? You have that powerful of a tool, you do not release a press release on it.
Greg Otto
Right, Right. This is, this is an intel tool. Q Day is if we do ever get to Q Day, there's going to be intelligence agencies, whether it's here or abroad, that, yeah, we'll celebrate it. But yeah, you're right. Silence will be the celebration.
Rebecca Krauthamer
Silence will be the celebration, exactly. So it is, it is more and more urgent that government agencies adopt now in anticipation of, of that day coming in closer and closer. And there's there's now a lot of talk of if we go beyond 2028, you know, that's, that's a new sort of magical date when there's a good enough chance that this could happen by then that we would be kind of, kind of silly not to, not to have migrated the most sensitive systems by that time.
Greg Otto
So, okay, I'm, I'm a government agency, I'm, I'm a CISO that looks at this and goes 2028. That's like, with human cycles and the way the technology moves, that's, it might as well be tomorrow. So when, when looking at it from a practical standpoint, what needs to happen now in terms of like tracking metrics or like, I, I don't want to say compliance check sheets, but for the, there needs to be a list basically of what needs to happen before we do get to a Q day, whenever that may be coming up. So in your opinion, what metrics should the government publish, whether it's like quarterly, yearly, I don't know, to show real progress instead of just talking about this from a theoretical standpoint?
Rebecca Krauthamer
Yeah, it's a fantastic question. And it's, it's, I think it's the central question because to be clear, the novel thing about this year when it comes to government action is led by the U.S. the, the U.S. first issued the migration timelines and they're staged out based on what is highest priority all the way to everything else, right? And across the world, all the, the EU, the UK, Australia, South Korea, et cetera, et cetera, issued their migration timelines as well. And the first, the first stage for government is by end of 2026, January 1, 2027, there can be no new acquisitions into national security that do not support post quantum cryptography, quantum safe encryption. So that's the first sort of domino. You can't, you can't buy anything new in national security that, that doesn't, that isn't quantum safe. And then it cascades from there. High value systems, generally high sensitivity systems have to be migrated by 2030 and then less sensitive stuff all the way to 2035. So to your question, you can look at that and sort of say, this is my prioritization and here's what I have to do immediately all the way to, you know, the, the, the weather app or the lunch menu by 2035. So, but it is right now what is mandated annually beyond that is this inventory of your encrypted systems, of your, of your systems that use encryption to make, to keep that data safe. You have to report on those and you have to report on what is not yet quantum safe. And the most important piece because people get lost in the complexity of the vocabulary of quantum and post quantum and all these things. The most important piece that everyone needs to take away is pick the stuff that you know, you wouldn't want China to have read access to and start immediately. Don't get stuck in this planning process of I have to do everything all at once. So that's, that's the, the, the key takeaway for people is just think intuitively about it, right? What, what do we not want bad actors to have access to and then fix it?
Greg Otto
I mean that sounds like, just sounds so similar to conversations that were held in the government 10, 15 years ago from an IT perspective when people were moving from, you know, on premise data systems to cloud systems where it was protect your crown jewels, make sure that the most important stuff gets moved and is secured and then just go about your business and repeat the process until you're comfortable. And I know that's still a process that is still going on to this day, but now there's just this added. Oh, by, by the way, make sure that you're thinking about your encryption and your cryptography on top of it as well.
Rebecca Krauthamer
Yeah, it's, it's very much is. And in theory these, these lists of high value assets should certainly exist right. And, and be prioritized. But we're always, I think in government or otherwise, we're always also building the plane as we're flying it. So we often go in and also work with organizations to help identify these systems. One interesting piece of proposed legislation, so a bill that has not yet been passed, but it's called the Quantum Quantum Security Migration Strategy Act of 2025, essentially says hey all right, get out of planning mode. You have to pick by end of next year. You have to pick your one high sensitive, high sensitivity system to adopt post quantum quantum safe encryption and put that system into production by end of next year. Pick your first one speed run through this, this adoption process. So you're learning by doing and then build the blueprint for the rest of the agencies. So the, the DOE, the DOD, right. All of the sector risk management agencies do it learn build blueprint for the rest of your, your high sensitivity systems. Just pick one.
Greg Otto
Okay. So thinking of, of some of the other ideas that have come out of like federal IT and how it applies to this migration as well. SBOMs, software bills of materials, is I know an idea that has really been championed inside the federal government. I'm wondering, because I've talked to some other people about this, whether that something similar on the cryptographic front, like a cryptographic bill of materials could be included or is a worthwhile idea so agencies actually know what crypto they're running. I mean, obviously it gets tough because there are. Cryptos are all about secrets and it's inherently something that you hope it's something that is, is guarded by nature. So I'm wondering whether you think that idea is worth it or it just wouldn't work this, this time around. And there are other methods and other things to re. Worry about as this migration push continues.
Rebecca Krauthamer
It's, it's critically important.
Greg Otto
Okay.
Rebecca Krauthamer
The, to your point, it is, it is really sensitive information now if you do encryption, if you adopt the proper encryption, even if a bad actor knows they should not be able to do anything with that information. So that's, that's, that's what we're, we're deploying with these quantum safe encryption algorithms. Cryptographic bill of materials. Yeah, it's, it's, it's common, it's, it's gotta be standard. And it is also this idea that it is no longer acceptable to not know what encryption lives where. There are these jokes that are not really funny because they're true about oh, where is your single DES or an encryption algorithm that was broken in, you know, 20 years ago? Where, where is that hiding in your sensitive systems? And it's not funny because it's, you know, it's something that just is, is, it's out there.
Greg Otto
Right.
Rebecca Krauthamer
It's a painful truth. So it's as quantum comes as AI moves faster and faster. It is not acceptable for us not to one know what encryption is used where and to not be able to change on the fly what encryption is used where. And that's so the bigger picture here of the quantum threat to encryption is that it's finally telling us we need to get it together. We need to change the way that these things are managed. So it's not first you gotta do all your housekeeping and figure out everything and then you gotta take five years to migrate. No, we, we have to have this cryptographic bill of materials in front of us and then we have to be able to quickly fix encryption. Cause this is not gonna be the last time things get broken.
Greg Otto
Right?
Rebecca Krauthamer
So, so yes, it's very much part of it. I think the, the key thing that people need to understand is that you do not need to build a comprehensive cryptographic bill of materials before you start migrating. You should be building your cryptographic bill of materials as you actively migrate systems to post quantum.
Greg Otto
Okay, interesting. Okay. And, and speaking of that migration and, and building things on the fly, I don't know if I'm not attuned with how cryptography works with like, I'm just not an expert at this, even tripping over my words, trying to explain.
Rebecca Krauthamer
I'm not an expert in the world.
Greg Otto
But I'm wondering, is there sort of like a hybrid stance where people could do this slowly? Like, I know you just talked about that. No, this needs to change and it needs to change now. But I'm wondering if there's sort of like a hybrid or a half measure where there's like a mix of like classical encryption is I, I guess what I'll call classical encryption on top of PQC to where it can sort of be like a half measure or get somebody closer to using full PQC. Does that make any sense? Am I making sense? Is that a possibility? Or is this something where it's just like, no, you gotta rip and replace. Like, we gotta get, we gotta get the encryption in here that is PQC and we move forward from there.
Rebecca Krauthamer
You're asking actually a question that is some of the, some of the smartest analysts have been looking at this, this space for years.
Greg Otto
Oh, okay.
Rebecca Krauthamer
And are just now waking up to. Yes, what you're saying you're asking. Exactly. Very sophisticated question, actually. And one that, oh, look at that.
Greg Otto
Okay.
Rebecca Krauthamer
This is kind of the central point that we need people to understand is, yes, that is the way you have to do it. And, and so what, where I think it is easy for organizations to get stuck is this idea of we've gotta, we work with a big telco, for example.
Greg Otto
Okay.
Rebecca Krauthamer
And when we started talking to them, they said, hey, we just got a quote for $100 million and five years to rewrite all of our applications. To adopt quantum security is not the way that, that the world needs to be thinking about it. The way that they need to be thinking about it is, yes, this one staged pick the systems that are most sensitive. For example, Apple has migrated iMessage to post-quantum. They haven't migrated your whole. All of your systems on, on an iPhone, but they have migrated iMessage because we share a lot of sensitive information via text message.
Greg Otto
Sure do.
Rebecca Krauthamer
Right, right. So if you're using iMessage, good news. If you're using Signal, also good news for you. If you're using WhatsApp, WhatsApp needs to step up. So yes, the second answer is, that is very much this hybrid way of, hey, you're already using classical encryption where we work with Army and Air Force, for example, okay. We go in and overlay essentially this service match the security blanket of encryption that is post quantum over what they've already got their existing systems. No code changes, no nothing. And this is what has become the, the new standard for adopting encryption. Because that's really the only way you can do it in a way that allows you to dynamically change your encryption as, as things evolve. So if that, if that, hopefully that brought a little clarity to it. But the answer is yes. One, pick your systems, do it quickly. And two, yes, hybrid works. Don't change your code. If you're changing your code, you're. You're probably on the wrong path.
Greg Otto
Okay, so some is better than none. Good, good to know.
Rebecca Krauthamer
Some is better, is absolutely better than none.
Greg Otto
With the work that you were talking about with the Army or Air Force, I'm wondering too, how does this factor into like autonomous systems? Because the DoD is that, that's a big thing for them from a technological perspective. So I'm wondering, does the conversation change at all when we're not just not talking about IT systems, we're talking about autonomous systems that are built in to whether chips, weapons, you name it. I'm wondering if it's. Is it sort of the, the, the same idea or, or, or is there any difference in the fact that this is a machine that, that is. Doesn't really have an operator sitting at a keyboard?
Rebecca Krauthamer
Mm. It's. So I can talk publicly about one of the, one of the things that we've done for, with Army, for example, is tactical networks where you're out in the field, you've got sort of resource constrained devices that, that relate to battlefield awareness, for example.
Greg Otto
Okay.
Rebecca Krauthamer
And so yes, very much, very much the same. The same definitely applies. What encryption should look like is that you shouldn't have to think too much about it. It should be there, it should be trusted. And if you need to change it, you can. What, what, what quantum does is it threatens data as it travels between any two points. You pick it. My, my phone to yours, a drone to a base station, a satellite to a base station. Right, right. Anywhere that data travels, that needs to be moved to post quantum encryption. And so what you do is you, you upgrade, you, you pop a little, a little bit of software on any of those things that says, now I'm using quantum safe encryption, and you move on with your day.
Greg Otto
All right, no. Good to know because, yeah, I just. The way that all of this is going to look in 2030 just fascinates me beyond belief. So definitely whether it's my laptop sitting on my desk or like you said, a satellite beaming a signal to a drone. I've wondered on an application level, but
Rebecca Krauthamer
yeah, and if it's done right, you shouldn't know as end user, you should be notified and, and your trust should just be reinforced that, hey, my data is not going to get. Yeah, I got to hear a talk from the, The. The former CTO of the CIA. And the way he phrased it was, in the next 10 years, everyone's going to have their own WikiLeaks moment.
Greg Otto
Okay, that's from a journalist perspective. That's a. That's a bold. My. My ears perk up when I hear that.
Rebecca Krauthamer
Yeah, that's. Yeah, exactly. This, this harvest now, decrypt later thing, it's. It's real. And you know, the, the average citizen might not be the, the prime target, but this is now about. About trust and trusting that our data is only going to be seen by. By. By the people. It should be, but you shouldn't know. Nothing should change for you. Nothing should change for the end users. It should be transparent.
Greg Otto
So finally, I would say going back to what you were saying about Q Day and us not knowing, yes, there's not going to be a press release, whether it's us somewhere in Five Eyes or China or Russia that says we got it, like we did it. But hypothetically, what could be one warning sign that an adversary may have gotten. May have gotten there? Like, is it. Is it that we start to see more of these harvests now, decrypt later attacks and would we even know. Like, how would we know that that was breached pre, you know, pre quantum or. I'm. I'm just wondering because look, you were really good with the prediction with the bond trading thing. Like that came true. So I'm wondering if you got anything else up there in terms of predictions and not so much predictions, but like any sort of warning signs that, oh, wait, Q Day might have happened. And here we are.
Tim Stark
We're.
Greg Otto
We're the future's now.
Rebecca Krauthamer
What should we be looking out for? Yeah, no, I love the question. So we, we have a kind of historical analogy, right. In World War II, the Germans used a code to communicate strategic plans. And that's. We know Alan Turing and his team were able to break that code. And similarly, they did not release a press release and they went as far as to take strategic losses that they knew were coming in order to keep that secret private. So I think it'll look very much like that because it will likely be. It won't be a hacker in a basement that gets this quantum computer. It will, it will be a nation state, of course. And so what are, what are some key indicators? One question that everybody has is, does this affect blockchain? And yes, yes, it does. So anytime there's a, a public key exposed, so anytime you've, you've essentially sent something from like a, a, a bitcoin wallet, for example, that is under threat of quantum decryption. So as soon as it. That, that cryptographically relevant quantum computer comes online, if there's funny behavior that we see in, in the cryptocurrency space, for example, that's a very strong indicator.
Greg Otto
Right, Interesting. Okay.
Rebecca Krauthamer
Yeah. You know, similarly, I think the first targets will be critical infrastructure and national security. So we'll see. It'll be targeted at banks, telecommunications, energy grid, oil and gas, and it will be national security. And I don't think the average person will necessarily hear about the average, the national security stuff, but as soon as we see things that we shouldn't see coming out from, from those institutions, that's a pretty strong indicator as well.
Greg Otto
Either a rug pull or the lights go out. Neither of those. Yeah. Yeah, neither of those sound great. Rebecca, really appreciate you joining us. Always fascinating conversation talking about this stuff. And we'll have to have you on again to discuss the future as the administration continues to push the acceleration of quantum security.
Rebecca Krauthamer
Greg, thanks so much for having me.
Greg Otto
Thank you. Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy, brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your coworkers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Date: November 13, 2025
Host: Greg Otto
Guests: Rebecca Krauthamer (CEO, Q Secure), Tim Stark (Senior Reporter, CyberScoop)
This episode of Safe Mode Podcast explores the impending impact of quantum computing on security and encryption, focusing on what security teams—especially in government and enterprise—should do to prepare for a post-quantum future. Greg Otto discusses trends in quantum technology, current U.S. government response, the realities of cyber deterrence, and actionable steps organizations can take today to protect critical assets, featuring in-depth insights from quantum security expert Rebecca Krauthamer.
"When asked specifically about salt typhoon and then getting into our telecom networks, [Trump’s] response was, I mean, we, we do that, too. What's the big deal? It's a nasty world. This is just the way the world works." – Tim Stark, (01:30)
"It's overdue for us to be talking about these things that everybody knows we do...having more open discussions about this thing." – Tim Stark, (03:32)
"You can't really deter cyber espionage...what consequences are you going to put on somebody to make them go, yeah, okay, we're scared. We're not going to do this anymore? Right now, that doesn't seem to exist." – Tim Stark, (07:56)
"Maybe we can get to a better place if we all just acknowledge, okay, this is happening." – Greg Otto, (05:04)
"Just the acknowledgment, even if it's an offhand joke, to say, I might have a back door on it. ...That's different in and of itself." – Greg Otto, (11:01)
"When you start hearing those things...like HSBC and IBM talking about using it for bond swapping...that's the exciting moment." – Rebecca Krauthamer, (14:57)
"If I have a 50 qubit quantum computer, I add one more qubit—51—is twice as powerful as a 50 qubit." – Rebecca Krauthamer, (16:21)
"Silence will be the celebration...it is more and more urgent that government agencies adopt now in anticipation of, of that day coming closer and closer." – Rebecca Krauthamer, (21:08)
"You do not need to build a comprehensive cryptographic bill of materials before you start migrating. You should be building it as you actively migrate systems to post quantum." – Rebecca Krauthamer, (29:32)
"It's critically important...it's gotta be standard...it's not acceptable for us not to one, know what encryption is used where, and two, not be able to change on the fly." – Rebecca Krauthamer, (27:52–28:44)
"What they need to be thinking about is, yes, this one staged—pick the systems that are most sensitive." – Rebecca Krauthamer, (31:46) "If you're changing your code, you're probably on the wrong path." – (33:23) "Some is absolutely better than none." – (33:26)
"What encryption should look like is that you shouldn't have to think too much about it. ...If you need to change it, you can." – Rebecca Krauthamer, (34:32)
"In the next 10 years, everyone’s going to have their own WikiLeaks moment." – former CIA CTO, cited by Rebecca Krauthamer, (36:06)
Historical Analogy: Like WWII code-breaking, the breakthrough will be a secret.
"They did not release a press release and they went as far as to take strategic losses that they knew were coming in order to keep that secret private." – Rebecca Krauthamer, (37:31)
Potential Signs:
"Anytime there's a public key exposed...as soon as [a] cryptographically relevant quantum computer comes online, if there's funny behavior that we see in the cryptocurrency space, that's a very strong indicator." – (38:38)
Final Thought:
"Either a rug pull or the lights go out. Neither of those sound great." – Greg Otto, (39:21)
| Timestamp | Segment Title | Main Topics Covered |
|-------------|----------------------------------------------------|------------------------------------------------------|
| 00:34–12:34 | Cyber Deterrence, Attribution & Policy Trends | US/China cyber ops, esp. mixed admin messaging |
| 12:35–16:56 | Quantum’s Arrival: Real-world Benchmarks | Practical signs of quantum computing’s maturity |
| 17:43–29:52 | PQC Urgency: Timelines, Compliance, and How-To | Migration strategies, timelines, practical advice |
| 29:52–33:26 | Crypto Inventory, Hybrid Approaches | CBOM, overlay encryption, staged migration |
| 33:29–36:35 | Autonomous/Embedded Systems, User Transparency | Quantum in weapons, drones, satellites |
| 36:35–39:44 | Q Day Detection: What to Watch For | Warning signs, cryptocurrencies, critical infra |