Orrick RegFi Podcast | Preparing Financial Systems for Post-Quantum Cyber Risk

RegFi Episode 28: Preparing Financial Systems for Post-Quantum Cyber Risk
 32 min listen

Rick Bueno, the president and CEO of Cyber Reliant Corp, joins RegFi cohosts Jerry Buckley and Sasha Leonhardt to share his insights about post-quantum cyber risk. Rick explains how the exponential difference in computing power between quantum and classical computers will transform numerous industries, including financial services. These benefits come with the potential for a new generation of cybersecurity threats.

Rick outlines how policymakers and industry participants can prepare for post-quantum cybersecurity risk through technology-agnostic cybersecurity strategies and shifting from perimeter defense to data-centric solutions. The discussion also covers the complex intersection of quantum computing and financial regulation, highlighting the need for collaboration and careful consideration of the ethical and societal implications of emerging technologies.

 


  • Jerry Buckley: Hello. This is Jerry Buckley, and I am here with my RegFi cohost Sasha Leonhardt. Our guest today is Rick Bueno. Rick is the founder and CEO of Cyber Reliant, a company that provides advanced data protection solutions to the government and commercial users. Rick has a long record of providing strategic advice to critical infrastructure players, including the Department of Defense and the National Security Agency.

    We’ve invited Rick to join us to discuss a subject that many have heard about, but few understand: post-quantum cyber risk. Rick, you have a rare ability to translate complicated concepts into terms that a layman can understand, so let’s start with the basics. How would you define quantum computing? What science is driving the creation of quantum computers and how would the functionality and capabilities of a quantum computer differ from the computers we employ today? And, finally, the development of the quantum computer is a fact, how long do you think it will be until this type of computing platform is fully operational?
    Rick Bueno: Thanks, Jerry, good to be here. That’s a really good question on the quantum side and, basically, you know, I’ll start with the science. There’s two predominant sciences that drive quantum computing. One is physics and the other one’s mathematics, right? So, we have to understand from a physics perspective how quantum computing can help the world in helping to solve, you know, medical issues or help build better aircraft or, in some cases, unfortunately, they can be weaponized to do harm in terms of cybersecurity, right, for this point. And the difference between a quantum computer and what’s called a classical computing model or a conventional computing model is on how the information is processed and delivered. So to make an analogy out of this, pretend like you had five cards in front of you, and every other card is facing up or down, okay? And you wanted to make a calculation. Well, those cards would flip — cards that are flipped down are going to flip up and the cards that are flipped up are going to flip down. And that’s the computer — think of it in an almost analog way, that’s trying to make some decisions. And that’s really what a computer chip is doing is it’s flopping back and forth trying to come up with an answer that you’ve asked it. And that’s sufficient for day-to-day, you know, computing needs, browsing the internet, writing papers or doing whatever. And now we have some of the AI components that help refine some of the things that we’re trying to develop using conventional computing methodologies.

    So taking that analogy, pretend like you had those five cards that were actually standing up — they’re not flat on the table — and you spun them very fast, so that you can’t see at any given time the front or the back of the card, and they’re all spinning. Well, that spinning — the calculation’s happening so fast that you’re going to get an answer a lot faster versus just the flip-flop of the card that’s flat on the table, right? So that’s one way to kind of characterize how a quantum computer works. Now, I could go into physics and qubits and things like that, but I think at the end of the day, it’s really about why are we interested in quantum computing, what can it do to help our lives be better in terms of medical, financial, all of these things that can give us calculations a lot quicker than conventional computing models, right? 

    So that’s really the difference, and some people think, for example, there’s this new thing about the quantum internet. And I think there’s a lot of hype around that, because they don’t understand the quantum aspect. And another one is around something called correlation. So, let’s say you had a cookie, and you broke it into two pieces, and you put one piece down — facing down — and another one facing up. When you flip the one that’s facing down up, it doesn’t mean the one that’s facing up is now flipped down. That’s not correlation. Correlation is that if I were to take those two halves of the cookie and put them together, I’ve got a whole cookie. They’re correlated by virtue of that, and so that doesn’t mean that it’s going to make the internet work any faster than it does today with conventional computing models. And people are now beginning to realize it will be a real struggle to actually find a practical use in quantum internet, right? So those are some basic examples. Hopefully, those analogies can ring true with some of the folks who don’t, you know, don’t have a deep understanding of the physics related to quantum computing.
    Jerry: Well, when you think about what can be achieved with the quantum computer versus what can be achieved with conventional, what is the magnitude of difference?
    Rick: It’s exponential. And this goes back into the qubits conversation. So, let’s say that I’ve got let’s call it 10 qubits. Well, now, I’ve got these 10 spinning things. Right? Well, let’s say I have 10 conventional class computing processors. They’re still doing their flip-flop — the classical computing processors and the qubits are spinning. So, for the amount of time it takes for those qubits to spin and calculate something, it’s going to be — let me rephrase that — in the amount of time it takes for classical computing to flip-flop and come up with an answer, the qubits would’ve come up with that answer exponentially faster, a hundred times, a thousand times depending on how many qubits you have. Right? 

    So that’s the difference and so a good example of this is in the research they’re doing for cancer, cancer research. Since there’s been enough qubits, and they are starting to use some of the quantum computing systems to help do that, we’ve come a few steps forward in terms of understanding that. Now, a lot of this is combined with AI, but, at the end of the day, the power of quantum computing is to allow us to get to a difficult answer much, much more quickly than we could otherwise with a conventional computing model. But also, where we are today, some are operational, but in a practical sense, there has not yet been a quantum system, quantum computer that’s been fully operationalized because we’re still doing a lot of research and pushing the boundaries as best we can.
    Jerry: And where is the leadership in this thinking about development to the ultimate state of having an effective quantum computer?
    Rick: It really spans both public and private sector. There’s a ton of research that’s being done, for example, at Google, at Microsoft, Amazon, all these other really big companies where they have their resources to spend time and money on that, and they’ve made great strides. But on our public sector side, there’s also a lot of research that’s being done, for example, with National Security Agency, right? They’re looking at that, as well; especially, if they want to help protect the country with better encryption or they want to kind of use that quantum computer to break encryption keys of adversaries that are trying to harm us in the cyber perspective. 

    And so, I think, you know, it’s neck-to-neck honestly, at this point, because, for better or for worse, the government acquisition process has a tendency to slow things down. And in industry, one person can make the decision and off we go. So it’s neck-to-neck right now and it’s across the world because we know that a lot of other countries that have the resources do, in fact, are in fact putting a lot of effort, time and money in getting to that point, what we’ll call, you know, an event horizon between the development of quantum computing and the actual, practical implementation of quantum computing. And I think that window is closing very quickly.
    Jerry: Very interesting, you know, and if the, if this operationalized quantum computer, you know, moves forward and moves forward quickly, as you said, it’s expected that it would break codes that we depend on to protect confidential electronic information today.
    Rick: That’s correct.
    Jerry: That’s the overarching question being posed by NIST, National Institute of Standards and Technology, which is asking cryptographic specialists to search for post quantum data protection solutions even before the quantum computing has been fully deployed and given the risk, it’s not surprising, in fact, it’s pretty prudent to do that. What light can you shed on this quest for post-quantum cybersecurity solutions?
    Rick: Right, so the post-quantum cybersecurity solutions are really designed to combat a quantum threat, whether it’s to combat a quantum computer’s ability to compromise on-premise or in cloud cybersecurity or directly to compromise our encryption keys that are holding national security secrets. And, the thing about the post-quantum side of the house is you don’t have to understand quantum computing to understand post-quantum security. You don’t have to understand that because we’re using conventional techniques today that are sufficient. 

    And so the, you know, kind of like the market term for it is called post-quantum or quantum secure. The technical term, a lot of people aren’t aware of this, it’s called information-theoretic security. And if you go to Wikipedia, there’s actually a pretty good list of requirements of what it means to be information-theoretic security. And most of those are tied to a specific set of algorithms, but there is now a push in the Department of Defense, I think they’re taking the lead on this, to develop full spectrum post-quantum solutions that can be practically deployed today. They can do a great job of protecting our national security secrets and be somewhat future proof. So once a quantum computer is made available, we’ll actually have a system to test against so it won’t be theoretic anymore.

    So that value there is good because we can implement it today right here, right now and, as we begin to learn about quantum, we can add techniques to that so when it becomes practical, we will have the ability to defend against quantum threats.
    Jerry: It would be very interesting to get a little more understanding of how that will work, but I understand that’s pretty technical stuff. I won’t push you on that, but maybe as the conversation proceeds, we can get a little bit more on that. But, Sasha, let me bring you into the conversation.
    Sasha Leonhardt: Thanks, Jerry. And Rick, thank you for joining us today. There are a lot of people out there, you and others, doing the hard thinking on post-quantum cyber solutions. As Jerry noted, NIST is focused on this, as are our defense and intelligence agencies, as well as, unfortunately, our nation’s adversaries. And I note that because today, even pre-quantum, data breaches, theft of IP and ransomware attacks are proliferating and on the rise. You’ve obviously given this subject a lot of thought, both current state and future. Can you share your thinking on the best way to protect data from exfiltration in today’s world?
    Rick: Yeah, absolutely, Sasha, I really appreciate the question. It’s really near and dear to my heart, so it’s a really interesting phenomenon that happened that drove us to where we are in terms of what the industry considers a valid cybersecurity. And, you know, the net-net here is that predominantly cybersecurity companies and cybersecurity products are designed to keep the bad guys out and that has not worked out so well, when we’re talking multi-billion, trillion dollar companies that put all of their shoulder against that and the bad guys are still getting in, right? 

    So that’s called a perimeter approach, building deeper moats, taller walls, and clearly that hasn’t worked. So what’s the answer? Doing a lot of research and understanding the “how” we got to where we are, helped me understand, like, where do we actually need to be and so the analogy I use, and what I just spoke about is, when cars were invented, people started driving around in cars and they got faster, and people were having accidents and getting killed. Imagine a world where they put the airbags on the side of the road, right, but not in the car. That’s effectively what’s happened with cybersecurity — firewalls and malware, antimalware and all of these different systems are designed to protect the vehicle by virtue of the roadway, right? But, there’s no airbags inside the car. 

    So what we’ve thought of is, you know, why don’t we step away from the perimeter model, let’s look at data itself and find out if there’s opportunities where we can put the airbags back in the car. In other words, give data its distinct and unique security profile that’s not dependent on the perimeter at all. And we’ve done a lot of research in that, we’ve worked with government, worked with industry and what we’ve found was first of all, cascade effects don’t occur. There’s a perimeter breach, and it starts to move towards the data. We have what’s called a cryptographic firebreak. So that’s one really great way of protecting the data that doesn’t require perimeter breach. We can work together, right? It’s called loosely coupled, but highly cohesive, you want the data to work with the perimeter. You have to, that’s the cohesive side. But you want that to be very, very loosely coupled, so you don’t have a dependency issue, which would result in a cascade effect, which is what we’re seeing predominately now in healthcare for ransomware. And the ransomware part of that is a frightening proposition for what we see going forward. 

    We’re already getting intelligence reports that ransomware is now being tooled with AI. Well, this AI, ransomware AI is generative. In other words, the ransomware kicks off and it’s blocked, and it learns how to go around that block, right? By itself. And it spawns and it finds, you know, tricky ways to get in and our security teams aren’t staffed for that. They’re not trained for that and so it’s just something like ransomware, which has already been very devastating, is going to become even more concerning when they start tooling in AI components to proliferate, you know, the damage there. 
    So when you have a data-centric model, we abstracted away the security properties from the perimeter and apply it only to the data, then you start developing a whole new set of value propositions that actually reduce the complexity of cybersecurity and give you a clear view of how you can protect your data without a high degree of complexity. And now we're seeing some good traction across that, both private and public sectors.
    Sasha: Rick, I think that's fascinating. The idea of bringing together machine learning and AI and ransomware is certainly something to think about. I think about though, when we bring in quantum computing as well and just kind of supercharge it with that additional level of computing power and technology.

    You know, I'm driven to think about the fact that technology in a market economy like ours is often the result of private sector initiatives, but are sometimes boosted by government research funding. But, quantum computing has the potential to be one of those few initiatives that develops outside of the normal process since it's so technical, so expensive, and potentially so transformative. Space, flight, nuclear power, The Manhattan Project — things like that. In the realm of quantum computing and post-quantum cyber risks, do you expect the private sector to take the lead here? And what role would the government play in funding this and establishing “rules of the road” for using quantum technology?
    Rick: Wow, that's another fantastic question. I haven't seen the government put so much shoulder behind a capability in decades. When in the heyday, spaceflight, and some of the good innovations that came out as a result of getting to space, that was all driven by the government, and we see a lot of benefits from that, you know? And we lost that over the course of 30, 40, 50 years where predominantly we're seeing commercial industry driving innovation, and now the government has to have contractors and work with them and implement those. 

    But now I'm seeing a little bit of a paradigm shift here where the government is taking lead on quantum. And there's a lot of agencies that see phenomenal value and I've seen a high degree of cohesiveness between agencies as they collaborate to developing quantum capabilities. You know, the ugly truth is that as the government continues to do that, they're gonna do that also with an intent to defeat the enemy, right? From a quantum perspective. Crack their encryption keys and all of that, but at the same time the government’s putting a lot of money into medical research and financial systems. 

    I just read an article this morning how they want to use AI and quantum to help build financial models to help us understand better how to do our budgets from a country, from a national perspective and I think that's all common good stuff. In private industry, and there's another aspect, there's not-for-profits that actually do this too, but let's look at private industry. Their job is to monetize as much as they can, get their stock value up and so, we're seeing a lot of private industry defining new ways of doing that, of making themselves the market leader in “X.” It's not necessarily a bad thing, but those market forces are really driving towards getting, you know, practical implementations of quantum computer out as quickly as possible. There's tons of startups out there that are doing AI, they're doing quantum, and they're being purchased for hundreds and hundreds of millions of dollars. It's staggering to see the level of hunger on the private sector side for purchasing those companies. Now, so we see — I see so far that the federal government is really taking the stick on this. 

    Now with regard to regulation, you know, multinational, multidimensional policy creation is a really, really tough nut to crack. We tried to work with China, we tried to work with other countries that we have diplomatic relationships with and they have different goals in mind. They have different perspectives in mind and we can't come to terms on building strong enough regulation on quantum. Something similar happened back in the, maybe it was the ‘70s or ‘80s when they figured out how to clone a sheep, right? And there was a big international discussion about this, and collectively, the international community said we're not going to do cloning. It's not good for humankind, period, right? And there might be some dark pockets here and there, but from a conventional perspective, we don't do that. 

    I'm hoping, I’m hoping that governments and international policy makers will come to that same conclusion, right? The weaponization of these two capabilities independently is tough and scary but can you imagine when you stick them together. You've got a system that can out-think and then out process very quickly. And if we don't put regulation on there and put international peer pressure through whatever body we need to, that's really a deep point of concern for me because we still have access to classified materials and we're just getting some indicators here that we're not seeing a level of cooperation internationally that we should be seeing and that's concerning.
    Jerry: You know, it is concerning, Rick, and in a world that’s increasingly polarized, it's going to be much harder to arrive at those conventions, especially where this technology has a very significant national security aspect to it as well as the civil aspect. It's very hard, I can imagine.
    Rick: Yeah, Jerry, I mean look, I'm a big fan of cultural preservation and we've seen very various degrees of that. One of my concerns for humankind is less — is not just about the weaponization of this but actually using it to “bring cultures that aren't at the same standard of technological advancement up”, right? And I don’t see that as necessarily an “up.” Maybe they've chosen to have that culture that way and that's how they want to live and just leave them alone, so it’s like, you know, we carry this big stick around and we say, “we have quantum and we have AI, let us come in and help you,” right? It's like that little adage, we're from the government and we're here to help, right? 

    And, that’s another aspect people don't talk about is, it’s not about climate change, it’s about cultural, it’s about cultural formation and the dilution of that culture that's been established over thousands of years and then these technological advances aren't being used responsibly enough to not prevent a dilution of that culture perspective. I've been reading some articles around anthropology and sociology and its impact on cultural indigenous cultures and how AI could actually dilute that significantly along with the use of quantum. 

    So, that's just another area that I like to do research in and I guess the take-away here, you know, is a thought experiment. How many industries could be developed from this? How much culture? How can we preserve culture or how could culture be harmed by virtue of these new technologies that, you know, as Sasha asked earlier, are not really regulated from an international perspective, right? So, yeah, that's just a point of concern for me, too, for humankind overall.
    Jerry: Well, I'm going to bring us back to the fact that this RegFi podcast focuses on how financial regulation is likely to change over the next decade and how much more over the last 50 years. You know data is the lifeblood of the financial services industry and of course data security is vital to the functioning of financial markets, which in turn are critical to the national security. From your experience advising the agencies charged directly with protecting national security, do you have any thoughts about how our financial regulators and our national securities agencies might better coordinate their efforts to protect vital data held in the financial institutions?
    Rick: Um, I have some thoughts on that. That is an emerging area independent of quantum or AI, the financial services industry is a very complex industry to try to kind of balance out. We see a lot of the financial models from different countries are relatively the same but they're implemented very differently. For example, in the Middle East, a lot of the countries there will not allow you to take financial data outside of the country. There’s one country in particular that doesn’t use any commercially-available cloud stores. They don’t use Microsoft, they don’t use Amazon, they have their own that they built in-country, it’s indigenous, and that is where your financial data goes. So, that is a representation of how, even though we are all using very similar financial models, we still implement that very differently. 

    So, when we talk about financial systems, you can’t talk about it in the context of what just the U.S. is about, because financial systems are now global, right? And there’s a lot of transactions that are going on that have global impact. So, again the regulation aspect of this should be kind of regional in terms of using quantum and AI to help decide — help make decisions better — better decisions, sorry, on how to create a financial model that actually serves the common good, right? A good financial model. Because all governments need money to put those services to use and how does that work internationally? So, there is kind of a two headed coin here because, you know, inward facing, we’ve got to do what we need to do for our own financial profile. And in outward facing, we have to interact internationally and sometimes those are diametrically opposed outcomes. 
    Jerry: Well, let me take you to the immediate issue — as the quantum computing capability rolls out, maybe combined with AI, do you see the U.S. governmental authorities, who are concerned about national security able to communicate with their financial regulator counterparts in a way that is effective and allows them to deliver to the financial services business community, the capabilities they’ll need to protect data as they move forward?
    Rick: Over time, right? There’s still so many gaps in knowledge about how these tools can be used to coordinate and to be more cohesive. And right now, there’s too much gap and we don’t have the quantum computers that are implemented in a practical sense, and AI is getting there. And, so I think over the next 10 years we are going to see a lot of trial and error, just like anything. When there is an innovative technology that comes to the forefront and people rush to use that, which is fine, you know, we are going to trip a few times before we can get to a stasis point that says okay, we’re using these systems in a way that actually meets our particular intent. All right? I hope that I’m answering the question in a manner…
    Jerry: Well, you’ve answered it as best you can, and at some point I’d like to talk more with our financial regulators about their vision of how we will prepare an industry for an entirely new world of computing where the data that they have is exposed in a way that it never was before. It’s still exposed and there’s still exfiltration of data. But there will be an exponential change in that as quantum computing is coming online and the question I am really concerned about and don’t have an answer to is to what extent are our financial markets preparing for that?
    Rick: It’s a, yeah it is really just a very precarious situation right now because we have an imbalance between AI and quantum. So, people are rushing to AI right now and they are trying to exercise AI and looking for financial models to help them do X, Y or Z. And that’s all fine and good and there have been some successes and failures and then when you incorporate something like quantum into that — they think it is additive. It’s not; it is compounded. There is a difference between additive and compounded so, to your point, we just don’t know yet and I, you know, haven’t really thought about exactly what the impact would be going forward. 

    Now from a protection perspective, you know, I have to look back at the history and say, “Okay is SWIFT going to be compromised like it was back in the day?” And the answer is likely, right, so we have to come up with a different form of international transaction management like a SWIFT system but something that is designed to combat AI and post-quantum. So, the way I like to think about this is let’s try to figure out what the threat vectors might be today and start instrumenting for those and as those threat vectors begin to show themselves, we tweak that instrumentation so that we can meet the threat when the time comes. And that’s kind of where…
    Jerry: And I think your comments earlier about how even in the era before the full implementation of quantum computing takes place, those techniques that protect the data itself versus the perimeter, those techniques will have significant relevance in this new market.
    Rick: Yes, that’s absolutely right so, from a data prospect, I will give you an example. Kind of going back to the original discussion around data, when we started looking at data in the company, we found that the only thing that data grew was the standard for formatting. That was it. There was nothing added to the data except formatting standards where keeping up with X amount, you know, or different kinds of processing systems. But nothing meaningful about the data and the ability for the data to own its own security profile. 

    And when we figured that out, we came across some really stunning results, for example, let’s take a data file of any kind. In the new paradigms now you can break that up into 10 pieces and send those 10 pieces through different parts of the world and they can converge into one location. So, you don’t have a single point of failure as it is being transmitted and moreover, of those 10 pieces, you can say, “I only need seven, any of the seven to coalesce in order for me to get all my data.” That is a brilliant way of putting fault tolerance and high availability into the data itself and not having to rely on infrastructure because infrastructure fails and that doesn’t include AI, that doesn’t include in quantum. 

    So, I’m going back to this notion of we have practical solutions today that can in fact, theoretically beat quantum but they have practical uses today in terms of preserving that dataset and eliminating to the highest degree possible any chance that dataset is either going to be wholly destroyed or it is not going to be able to be processed in enough time as it’s being sent from point A to point B. Alright, so if we continue to work on those kinds of systems and I’m a big advocate of a data centric model. Then I think, we’ll reap benefits sooner rather than later. We would have had a more sophisticated approach to a data-centric model for security so that when those larger threats come, we will have enough experience to say, “okay, here is how we are going to do it now.” Right? You can’t go from first grade to Ph.D. suddenly because there is a new computer, right? And a lot of people think that you can, but you’ve got to earn your stripes as you go down the road and I think we are in a good position to do that.
    Jerry: Well, that’s fascinating Rick. I am sorry to report that our time is up. You know, on our podcast Rick, we often have lawyers and policy makers and others who are not involved directly in creating solutions that address vital national security issues. And I think I can speak for Sasha and myself in saying that you’ve given us a lot to think about, and I hope our listeners feel the same. 

    If any listeners have questions that have arisen out of this discussion, they are welcome to send them to [email protected] and we will pass them along to Rick, who has said he is willing to respond as time permits. He doesn’t have a lot of time, but he will try to respond. So, thank you again Rick. Really appreciate it. 
    Rick: Thank you Jerry. Thank you gentlemen, I appreciate it.