Identity is now the front line of cybersecurity — and organizations need to stay ahead of threats, compliance pressures and authentication challenges. RSA Identity Unmasked is a monthly vodcast hosted by RSA experts and industry leaders, covering the real issues shaping identity security today.
Join Ingo Schubert (RSA) and David Lello (Burning Tree) to continue the debate on quantum cryptography, timelines to risk, and how organisations can prepare for post-quantum identity resilience. In this extended first episode, we get the FULL conversation. Settle in and grab the popcorn! It’s a good watch!
DAVID LELLO: Thanks
INGO SCHUBERT: I think, for like the benefit of the audience, can you describe in a couple of words what quantum computing is, so that we are on an expert level after you finished?
DAVID LELLO: Well, um, I'll start with the basic way of looking at a quantum computer, because I think that if we start getting into theoretical physics, I think we might lose a few people.
INGO SCHUBERT: Yep
DAVID LELLO: So, um, with quantum computers, quantum computers work in a different way to a traditional computer. You're telling the computer to do. With a quantum computer, it does it differently. What it's using is quantum mechanics, and therefore, in a multidimensional world of quantum mechanics, it looks at the data and it sees the data. It doesn't read the data in the same way, and as a result, it can hypothesize and look at multiple constructs all at the same time. It's kind of like when you read a book, a traditional computer will read it from the beginning to the end. With a quantum computer, it'll read the book and it'll see the data. And so because of that, the quantum computer is able to process information far faster. And when problem solving, it's kind of like solving all the problems at the same time rather than looking at a problem in trying to solve it in a series.
INGO SCHUBERT: Yeah, so the algorithms are quite different, of course. Yeah, I think that's probably why many, and I'm counting myself there as well, you know, struggle, of course, with like, how do you actually program that thing. I think from a traditional IT background, I think what helps me sometimes understanding, like, you know, this is really a different beast, is that, you know, a traditional computer, like every bit, yeah. If you have N bits, you can store N amount of data. It's zero, one, yeah? With quantum, it's two to the power of N, yeah, which is like, immediately, like, if your old instinct kicks in, it's like, yeah, that's a lot more, yeah, in the same amount of qubits in this case, right? So, therefore, storage and processing is just on the different level, right? So I think we'll leave it there because otherwise we'll be here for days, right? Just explaining the basics.
So, the next topic I'd like to explore is what is the current state of quantum computing? Where are we right now? Because I think this probably, and if people watching that may have watched us at Bletchley Park, we have some different opinions on where we are, where we will be. So let's start with you. What is the current state of quantum computing?
DAVID LELLO: I think that quantum computing is in still early stage. So there are a number of quantum computers out there, and you can actually hire time on quantum computers so that you can look at data. But I think that with the way that quantum computers have been developed, I think there's a number of issues. Some quantum computers are requiring a lot of control in terms of things like temperature. So a quantum computer operates at absolute zero, so minus 270 degrees Celsius, which is really cold. You need big facilities and big equipment and big energy for it. Otherwise you lose cohesion and you lose the stability of the platform.
Early quantum computers were just burning out all the time because of that issue. And so that is a problem that needs to be solved and addressed. The other problem is that because the quantum computer looks at the data all at the same time, it creates a lot of noise. If you had to take something like the Bible and read the Bible instantly, rather than going through it from beginning to end, it would create a narrative in your mind that would be incomprehensible. And trying to be able to digest and understand and distill what the message is becomes very difficult.
So, the noise in the system has created a huge amount of issues. We have seen some good success coming out of Oxford, where they have reduced the error rating and the noise within the system quite significantly. But probably the most significant issue at the moment is the amount of qubits that can be entangled at once because you start losing cohesion of those qubits when you start exceeding about 100 or so qubits. So the amount of qubits that actually can be entangled at once to be able to process the information is limited. And that means that the processing power and the capability of the machine is limited.
So, it's not yet what we would call cryptographically relevant quantum computing, which is a big issue, but it is at a stage where it is proven. It works. It does what the scientists say that it does. It's just about taking it to that next level and investing further. Every few months, further advancements happen or are being heavily invested in, and we're starting to see progress.
INGO SCHUBERT: Yeah, so the, and that's true. And I think if you compare quantum computers, if you just look at pictures of them, right? From like, you know, five years ago versus today, I would still call them partially a physical experiment, but it was way more physical experiment like five years ago, right? If you just look at the physical setup of those things, right?
However, while it's true that, you know, become like, yeah, you throw a problem with them and they can solve it much faster than traditional computers. And part of that is what you said is cohesion. Yeah, it's basic cohesion is, you know, if you only can keep the system stable for a certain amount of time. And that's usually measured at maximum in seconds, yeah, or in milliseconds, depending on which chip in all this. And that is a good amount away from being useful in many cases. Now, there are some use cases where it makes sense. Think of it as like a quantum co-processor. But the issue I have with that is like in many of the use cases, it's questionable if you could solve the problem as well with a couple of Nvidia's GPUs, right?
So, one of the things I see still constantly being done, there's a lot of hype in this quantum computing space as well. I think it overlaps a bit with the AI hype as well. You can also argue, you know, if that's a hype, it's real. But the point is there's a lot of hype, a lot of money floating around. I think part of that money now is looking for like an exit strategy. And quantum computing seems to be attractive, right? So they're pumping a lot of stuff in there, and there are companies out there which, fundamentally, look at this, are overvalued and also overhyped in terms of what they promise, what they do, and this actually goes across the spectrum here, right? At Bletchley Park I had the Google Willow chip as an example, where Google actually had a press release about this new chip, where they had great error correction, all this, and the claim that got picked up by also the popular press was: this chip can do in five minutes what a traditional computer can do in 10 to the power of 35 years, yeah, which is extraordinary because the universe is only 10 to the power of 25 years old, right? So, and then if you read it, it's like, yeah, no, it can't do it, right? It was like, if this thing could run for five minutes, and, like, it's like by, like, millions, millions of times they're not capable to do that, then it would be like that. And if you look at some other press releases of different companies, large and small, there's a bit of a trend to overhype what they achieve.
And I think, unfortunately, this drowns out some of the real advances that quantum computing actually has done over the couple of years, right? And I think what, and this is where we get to, it kind of makes this threat of quantum computing seem much more real in terms of this is around the corner than what it really is. But before we go into like, you know, why the world will end, if quantum computing just suddenly shows up, what would be the benefits of a quantum computer that you have in mind? So what would be the, so what could it do much better than anything else?
DAVID LELLO: I'm going to respond to that in reacting also to what you said about the quantum computer in terms of where it's at the moment. And I think while I agree that there are issues in terms of the quantum computer, I think that we're a lot closer to actually achieving stability in a quantum computer than what is being suggested. I think that if I look back, I think one of the best ways to actually look at the future is to look at history. And when I was a young man working in a bank, there was a mainframe and it was an old school IBM mainframe. The mainframe occupied a room. It was a big room. It wasn't a small room. It was quite a big room. And it filled the room. There were valves on this mainframe. It had three water cooling tanks. There were swimming pools underground in the basement of this bank. This thing was massive. And only a few years before that, they'd replaced the punch card system out of that mainframe.
When they took that old mainframe out, which needed forklifts and some very heavy machinery to get it out, they actually had to cut some doors out because they couldn't actually physically fit that mainframe out again. And they replaced it with a rack and a mainframe computer that was exponentially bigger than what was there before. We have seen a massive acceleration in the advancements of computers over the years. And if we go back just 30 years, you know, if you go 40 years, it's just, it's massive, the amount of change that we see happening.
INGO SCHUBERT: Yep.
DAVID LELLO: And what we've seen with quantum computers now, yes, there are early indicators and science, it almost feels a little bit like that old mainframe in the basement with the three tanks because you need the cooling systems, you need the big equipment, you need all the sort of stuff that goes with it. There's a huge amount of money going into it. There's a lot of investment going into it. And these problems will be solved. And they may be solved quicker than we might think. And the advancements that we've seen from month to month at the moment are suggesting that we're getting closer and closer to cohesion. And so I think it might be a bit closer.
And if it does come, I think it's really, really exciting, because what the quantum computer can do, because it can actually process data so much faster, and not quite as fast as some people claim, but because it can process that data so much faster, it means that it can look at and solve problems that could not be solved before.
So, you know, in theoretical physics you have the concept of Schrödinger's cat, and is the cat dead or alive? Is it decayed? Is it, what is it? What is the state of the cat? Well, the quantum computer would be able to actually look at and see the cat in every possibility and therefore be able to solve major problems that we have not been able to solve.
INGO SCHUBERT: Yeah, and I think like in terms of like medicine, you know, protein folding or so, quantum computers would actually have the edge over traditional computers, for sure, right? And there are other things where, you know, simply everything with massive amount of data that needs to be processed, you know, weather forecast would be one thing, like, you know, anything, geological data, there's quite a bit of use cases that would benefit from computing.
Now, coming back to, like, this is sooner, your point, as soon as you might think. It's like, I don't think so, because it's not a straight line where he goes, this happened in the past with transistors, that it happens again. So it might, it might not be. It's like the lottery: just because you won last time doesn't mean you don't win the next time. It starts from zero every time. And especially with cohesion, if you talk about like, okay, a couple of hundred qubits, maybe a couple of thousands, to be a universal quantum computer that, for example, can run Shor’s Algorithm, which would be a threat to cryptography. You're talking about a couple of hundred thousand qubits, right? And on the way to that one, we might hit a wall somewhere, right? There's no guarantee that we will solve for those issues. We might, and actually, yeah, sure, there could be, but there's no guarantee. And at the same time, a quantum computer has to commercially survive in an environment where we have seen massive amounts of increase in compute power worldwide, thanks to GPUs essentially, right? Thanks to AI. Well, before it was the whole Bitcoin craze, now it's AI. So that without having advances like fundamental advances in chip design. I mean, yes, they get smaller under this. We massively increased the compute power, so much that we are basically the limiting factor is now power, right? So electric power.
And in that environment, a quantum computer has to survive. Now, you can make the argument that, hey, especially for those, you know, cracking keys, you know, some governments will do that, fine. Yeah, so that's fine. They have enough money. They don't really care about that. Well, maybe they should care. It's our taxes, but let's assume they don't care.
There are practical quantum computing use cases along the way to a fully functioning universal quantum computer. I think that's undisputed. I'm not saying that's not the case. And there are good use cases for that. As I said, like, you know, protein folding, for example, in pharmaceutical research, right?
But let's talk about the threats, right? And I'm not talking about like power consumption, all that because we have that today with traditional units, right? I mean, threats in particular to IT security and then it is security, right? Because there are some, you know, I mentioned Shor’s algorithm, so maybe we should, you know, briefly explain, you know, what this is and how does it affect security.
DAVID LELLO: Yeah, so, um, with the quantum computer, because it can process that information and the data so much faster, um, it's able to use Shor's algorithm to reverse engineer, um, cryptographic keys, um, and therefore, um, when we have a cryptographically relevant quantum computer, it would be able to break those keys within seconds, minutes.
INGO SCHUBERT: Yeah.
DAVID LELLO: And therefore, the most data that we consume, use, access would be vulnerable to attack.
INGO SCHUBERT: Yeah. And so Shor's algorithm, as I mentioned it before, you know, today you don't of a quantum computer that could run this because you need hundreds of thousands of qubits on in cohesion and running for some time. So yes, it's a couple of seconds, but even a couple of seconds are an issue nowadays for some quantum computer. So it would actually essentially break or invalidate in a sense, the RSA algorithm, yeah, so a private public key, using RSA, but also using Diffie-Hellman and using elliptic curves, ECC. So basically all the ones that are popular and that have been used for the last couple of decades would be essentially broken, right? They would be broken with a quantum computer. Of course, traditional computers would still struggle as they always do, so it's no threat there.
And yeah, so if this is broken, I mean, those algorithms are used everywhere, yeah? So these are, you know, your traditional TLS, a web server communication, from a client to web server, VPNs, email signatures, encryption of files being sent around and all this, you know, they're all often based on RSA, ECC, and or Diffie-Hellman, right? So, I mean, that would be, you could actually call it catastrophic.
DAVID LELLO: It would be, absolutely. It would be completely catastrophic. I think there's, the more I look into it and the more use cases that I actually, the more systems will fail. It’s a global issue. Like authentication and authenticating into the financial system. Even things like Bitcoin become compromised. So they use elliptic curve encryption and it would be compromised. You then have a complete breakdown of the financial system as a consequence of that being compromised.
So, yeah, it can be absolutely catastrophic. I think that we can see in the typical wide use cases major issues, but also in smaller, less public issues, which I think people don't always think about. So when we start talking about IoT and OT, and we start thinking about medical devices and medical equipment, the ability to be able to compromise that. You know, you take a person who's wearing an insulin pump.
If I can compromise the encryption on that insulin pump, I can kill someone.
INGO SCHUBERT: Yeah.
DAVID LELLO: That's, you know, all of a sudden, the criminality behind these things can become exponentially more significant. And we start seeing things like Minority Report and Terminator type use cases of things happening.
INGO SCHUBERT: Now you're talking. This just got interesting now, yeah.
Okay. But I mean, that, coming back then to availability of quantum computers, that won't happen overnight because it wouldn't just be like from one day to the next. Let's assume somebody, yeah, finally gets a quantum computer with like, you know, 200,000 qubits where it can run Shor’s algorithm, for example. Usually it's about a million. There is some research that says you only need around a couple of 100k qubits. It's not like, you know, suddenly everybody has a quantum computer. It’s only a couple of governments and research facilities that have access to quantum computing. It’s not like every cybercriminal has access to it.
But the threat is real. I think it's similar to like, you know, the year 2000 problem a bit. So we've seen that coming for a while, but we did things to mitigate that and it turned out to be a bit of a nothing burger.
DAVID LELLO: But but only because we did something.
INGO SCHUBERT: Exactly. Just because we did something, right? So if we would have not done anything, that probably would have been a huge issue and we did something and it turned out to be okay, right? And I think it probably will be similar to in this case here because there are things that can be done, which brings us to the next work.
Yeah, so we might disagree how long we will have, right? So just as throwing this out there, there was a MITRE report, so as a government-funded research institute in the US, a recent report, beginning of the year, and they put this Shor’s algorithm somewhere like early 2040s, probably more 2050s around. So it's not like they had an incentive to push it out, right? So it was a solid report there. But even if you say, like, this is much sooner, it's unlikely it will be before 2030s. I think it's highly unlikely, unless some miracle happens. So what can you do today to prepare yourself for this quantum apocalypse?
DAVID LELLO: I think it's definitely going to be a lot quicker than 2050. I think, you know, I hate to try and predict because it's an impossible thing. You know, when one tries to predict the future, you inevitably fail because we don't have a supernatural mind.
INGO SCHUBERT: Well, let's meet 2055. Same time, yes, so we can talk about this. If I'm still at the inside.
DAVID LELLO: Absolutely. Let's do this. Same time, same place. Let's do this. All right, but if it's sooner, I think let's see how we can celebrate that event because I think with any advancement in technology, a breakthrough happens, and it happens at a point in time. It may happen next week. It may happen in 10 years' time. We don't know. But it's going to happen, that I'm sure, because the science is there. It's credible. It's real. You know, a field of sunflowers is able to maintain cohesion right now. The stability is there at room temperature, in a field, with all of the things that are happening around it. Animals running around below and pollution and everything else. A field of sunflowers can have cohesion.
INGO SCHUBERT: That's right.
DAVID LELLO: Why can't a bunch of scientists do it?
INGO SCHUBERT: Yeah, but they got a couple of million years to evolve, right? So that's my point. I agree with that, but they have a bit of a head start, right?
DAVID LELLO: Getting back to the issue, I think one of the problems we have, and we got into a little bit at Bletchley Park, is that what we have at the moment in terms of practice and what we would call good practice around managing of cryptographic keys, I think a lot of companies have failed. So when it comes to events, so a few years ago, we had the SSL vulnerability, and everybody scrambled around and looked at replacing keys. And it meant that organizations became a lot more agile in terms of how they rotated their TLS keys, which is fantastic. That's solving a good chunk of the problem. If you have agility within your TLS keys, then it means you can change them. You might have to do some testing along the way to make sure that it all works.
But organizations can start thinking now about their certificate authority and how they issue their keys and how they replace their keys at a TLS level. And that's fine. The problem that we find is, when we get into an organization, 20 to 30, maybe even 40% of keys are not managed in this way. Very often a lot of hardware has embedded keys in it within a piece of hardware infrastructure, and some of these pieces of hardware can live around for 20 years, and the ability to change the keys within that hardware means changing the hardware.
We've also got a lot of bad practice in coding especially in the days of monolithic builds where applications have got embedded keys within the applications themselves. And when we start thinking about not just have happened.
INGO SCHUBERT: I think that's my point. That was bad practice regardless of quantum computing or not.
DAVID LELLO: It is. And so when we start thinking about this idea of Q-Day, which in Y2K was easy because we had a date. We don't have a date with Q-Day.
INGO SCHUBERT: Very good point.
DAVID LELLO: But when it eventually does arrive, and it might arrive tomorrow, or it might arrive in 10 years time, or if you're right in much longer than that, then we have a situation where a good chunk of the organisation and its keys are not readily or easily replaceable, and we're going to have a panic. We're going to have a massive, massive issue as data becomes compromised.
But it also, the other issue that we have is one which is something that I get asked questions around a lot, and that is the ‘harvest now decrypt later’ threat. And we've seen data being stolen which is encrypted for years. I mean, back in this country with David Cameron, he famously said all of our data has been stolen by China, but it doesn't matter. It's encrypted. So going back a few years, that kind of a statement is, while true right now, given the technologies that we have, in time, with a quantum computer, that becomes an issue. And yes, of course, data ages.
INGO SCHUBERT: But some of that data will still be relevant. Not all of it, but some ways. So I think that's same. Like, they stayed out there which like, yeah, you know, if it gets, if it gets decrypted like in five years, like, who cares, right? Or in 10 years, yeah. So you can make an argument that many of the identity data for authentication, if that gets, you know, decrypted in five or 10 years, like, you don't really care that much because it's outdated by that time. But there's many strategic data where, yeah, this could harm you for decades down the line, right? And you don't even have to be a state. You could be just a normal corporation, normal enterprise.
DAVID LELLO: Exactly.
INGO SCHUBERT: And what's the case?
DAVID LELLO: I mean, you know, the amount of organizations that I go into where there is legacy systems. In fact, I was in an organization not too long ago where there was an application. They treated it as a black box, and they treat it as a black box because the source code was lost. The person who wrote it, long gone, don't touch it. If it falls over, the answer is turn it on or turn it off, turn it on again and pray because it's the only thing you can do. There's nothing you can do. And this system controlled all access in its stores, all access in its stores. And if compromised, if taken down, you take down the organization.
INGO SCHUBERT: Single point of failure.
DAVID LELLO: Single point of failure. The amount of organizations that we're going to where there is that single point of failure is extraordinary. Organizations really need to start thinking about how do they modernize their identity and access management infrastructure? When we start thinking about identity and access management, identity and access management is the route into everything. We've seen with the latest ransomware attacks that have been happening in Germany, as well as here in the UK, Italy and other places. These ransomware attacks, they are targeting the access control systems. They are targeting it in authentication because it's a soft, easy target, whether it's active directory or whether it's a system like I described, the ability to be able to actually compromise access, you bring down the organization, you stop communication, you stop the ability to be able to access. Modernizing identity access management in this context is going to be one of the big priorities.
INGO SCHUBERT: Yeah, yeah. It's hard to argue against that because, you know, because that makes sense, no matter how you look at it, right? I think when we go back to the bare-bone cryptographic encryption key management, many customers don't know what they have, right? They don't have a good view of where they encrypt, where the keys, where do they digitally sign. They don't have like this overview. I think that's part of the problem, right? Because you can't fix what you don't know exists. Many of customers struggled with simply basic cyber hygiene. That's what I see on a constant basis, unfortunately, right? Just this morning at a call about a customer that is running a 20-year-old RSA software, 20-year-old, right?
DAVID LELLO: Wow.
INGO SCHUBERT: So, actually, they called our support about something, and support couldn't answer, and it's like, yeah, sure, you know, probably the support personnel that was answering the phone call was probably in kindergarten when that software came out, right? So, my point is that as long as we don't do this basic cyber hygiene and visibility, first of all, you cannot reach this quantum ready state, yeah, where you're ready for Q-day. That's just like no way possible.
It's also, my opinion is you're not allowed to worry about quantum computing until you fix that stuff, right? Because if you don't know what software you're running, if you don't keep that up to date, of course you're dependent on vendors fixing this thing, like you're implementing post-quantum cryptography, for example, right?
But if the software is out with the new version, with all this nice quantum computing stuff and you don't install it, it makes one doesn't exist, right? And coming to that, even if you do that, if your policies and procedure around, for example, like the data management, if they're not right, what are we talking about here? So if the attacker can just phone your help desk and ask for entry, they don't need a quantum computer to do that, right? They don't need it today. They didn't need it yesterday. They don't need it tomorrow. They just phone your help desk if your policies aren't right and gain access.
So, there's a lot of things that can go wrong, did go wrong and will go wrong, which have nothing to do with quantum computers. And my fear is that people are looking at this quantum thing, this Q-Day, and being distracted by this nice, shiny toy, right? Whereas they have so much homework to do, which they haven't been done probably for decades, right? And of course, you can make the argument that, hey, you know, you need to do that, have visibility, you know, have patching in place on that, fix your procedures. If it needs this threat of quantum computing for a customer to do that, so be it, right? I could be happy.
But part of me goes like, nah, because what happens if we hit a roadblock with quantum computing? And like, for a couple of years, there's no real advantage or advances, and then you go like, ah, that's like, you know, 2060s, like, I’ll be, I’ll be, I’ll be long gone from the workforce, so I don't have to worry about that. And that's the wrong approach, because you should fix that no matter what.
I’ll drop some knowledge on you, yeah, some name dropping, yeah: German philosopher Immanuel Kant. Yeah, now don't cut that, editor, yeah, that's K, that's K. That's K-A-N-T, right? So I call him Immanuel from now on, yeah.
So German philosopher, 18th century, and many smart things he said. But one of the things that I believe is one of the smartest is you do the right thing because it's the right thing to do, right? Not because it earns you some brownie points with some deity something like that. You do it because it's the right thing to do.
And have a good overview of where you encrypt, how you encrypt about policies, procedures, and patching and all this, that's the right thing to do, regardless of if quantum computing is 10 years away, 20, 30 years. It doesn't matter. You need to do that. Now, you should have been doing that for the last 20 years. That's essentially a point. I think this is where we agree. Yeah, absolutely. I think the motivation behind that, I think, is where we disagree because we have different opinions on where quantum computing is and where it will be. But absolutely, if there's a customer that says I need to be quantum ready, the effort is not wasted.
DAVID LELLO: No, absolutely not. I think also, Ingo, one of the things that is a reality that I'm always being challenged on, because we spend a lot of time with boards of large companies talking to financial directors and the like, and a company exists for the purpose of supplying a product or a service and, if it's in the private sector, to make a profit, unless of course it's charity, but let's not worry about that. So the idea of actually spending money just because it's the right thing to do, where it gives me a negative return, becomes difficult and challenging for financial people to actually realize. And so investing in something because it's the right thing to do becomes more of a philosophical discussion. I don't think it's necessarily the right approach.
INGO SCHUBERT: Well, yeah, absolutely.
DAVID LELLO: Even though I agree with you, absolutely 100%, you know, from a faith perspective from, you know, what I believe, I would always want to do the right thing. But the reality is that businesses don't exist for that. They don't exist to the right thing. Sometimes they're a little bit immoral.
INGO SCHUBERT: Really? First time I hear that. Let me make a note of that.
DAVID LELLO: So I think what you do is we sort of looking at it in a different way, and I think one of the realities that we see, and that does resonate and people do understand, is measuring and recognizing and realizing what is my risk exposure associated with a given environment. And we need to tie it back to something that's tangible. We need to always get back to how do I build a case for change in this world, yep, and what does change even look like? You know, one of the, one of the challenges that we set ourselves, because when we started looking at helping organisations answer this problem, is that there isn't actually a framework that deals with quantum preparedness. There isn't one.
So, we went and wrote one. We wrote a standard to say, here is an approach to look at quantum. We took various different standards from NIST and good practice, ISF and various different things to be able to come up with a model and a framework so we can start looking at it. But what that does is it allows us to start looking at and saying, well, when you take a system like that identity system that manages all the access that is a black box environment, what is my risk exposure of having a machine like that? And I'll take quantum out of it completely. What is my risk? Do I really understand my risk? If that goes down, what happens to my environment? And if I can appreciate that risk, I've got to do something about it.
INGO SCHUBERT: Oh, and this is, I mean, in the end, this is the proper risk management, which I see is missing from many corporations or organizations in general, right? And that actually needs to be done and should have been done for years and should be done today, regardless of quantum computing or not. So that's my point.
Well, of course they don't do it because it's the right thing to do, right? That's a hard financial argument to make. I completely agree with you that. But there's all the other threats why they should be doing this, right? And again, if you need to sell this concept of looking at all this and figuring it out and having proper risk management because of quantum computing, be my guest, right? I think that's absolutely the right way. If that's the lever you need to get the signature, oh, yes, absolutely do it. Because in the end, even if quantum computing is still 30 years out, you still benefit today. Because having that readiness helps you being secure today as well. You're not wasting the money. Yeah so I think that's that's perfectly that's the right thing to do. And there are some recommendations and some frameworks from the European as well for example they actually say that by 2026—which to be frank you should have already if you want to be DORA compliant. You see maybe the same things again because you don’t see some people doing it. So visibility and risk management by 2026 and then some quantum readiness in some form by 2030 for high risk and 2035 for low and medium risk, right? So it seems seems to be far way out, but, you know, we already, like, at the end of 2025, when we record this, release is 2026.
So it's like, yeah, this is like only a handful of years away. And if you're coming back to the beginning of our conversation, if you look at the Y2K problem, yeah, if you started in 1999, you're probably well, like a bit late for this, right? So you need to be prepared now, absolutely, right.
DAVID LELLO: I think, I think one of the things that you brought up there, which I think is a fascinating point in terms of human psychology, is the regulations, European regulations and things like DORA. Regulations only really come into effect because companies are negligent in doing the right thing.
INGO SCHUBERT: Yes, absolutely.
DAVID LELLO: And because they're not doing the right thing, lawmakers say we're going to have a major issue in the country unless we look at it. So the laws come into play when you have to do something it. So the NCSC in the UK have put guidance in place around quantum. And we’ve got DORA in Europe. And sadly because of Brexit—
INGO SCHUBERT: You brought it up, I didn’t.
DAVID LELLO: We're only starting to look at our Resilience Bill here. So the Resilience Bill has been released for public comments. So issue one has been released and comment is happening. And so we'll have a reading in Parliament sometime soon. Hopefully we catch up with the rest of the world on that particular issue.
INGO SCHUBERT: Well, except the US. US seems to be like, you know, this wild place on the map, yeah. Yeah, it really is. Yeah, it's like, and I see that talking also to U.S. colleagues, yeah, it's like, yeah, we don't really have that, right? But everywhere else in the world, it seems to be like, resilience, risk management seems to be a bit more mature in terms of regulations and laws, yeah, which is—
DAVID LELLO: You've got to have it.
INGO SCHUBERT: You've got to have it, right? And when you read through them, and you probably have as much and probably more than I have, some of those things like is blindingly obvious, having proper risk management. It's like, you should know, if that thing goes down, you just know the consequences, right? Of course you should because your business is making money and is something preventing it from doing that. You should know why and how to fix that. And yet they don't do that not until they're forced by by law which is which is sad in some in some sense right
DAVID LELLO: Human nature sadly come to play. I struggle with it though because these these aren't difficult things you know looking at risk and risk management is not difficult.
INGO SCHUBERT: No but they take time.
DAVID LELLO: And it it does take time but I mean there's there's so many different technologies out there that can help simplify the process. You know, computers are designed to automate process. The whole reason where we have computers is because we've got manual processes that take armies of people to actually do something. With computers, we can automate all of that process. And with modern systems, we can automate even the more. You know, you take things like vulnerability management. If you've got a modernized environment and you have vulnerability scanning rolled out, you have a relatively good visibility in terms of what your technology risk is.
INGO SCHUBERT: Yeah. Same thing for us. Identity governance. In the end, it's not rocket science. Yes, of course. You'll connect all the different systems, maybe create some rules and all this. But then you have that visibility and you have the view of you like, you know, in terms of segregation of duties, compliance and you have that. And yes, it's it's work. Yes, it's investment in terms of money and time, of course, but you get something from it.
DAVID LELLO: Yeah.
INGO SCHUBERT: Right. Which also I think people don't realize that proper risk management also gives you something back because you actually find out things that maybe you shouldn't invest all that money into this one securing or you're making this thing resilient because it's not such a huge impact whereas the other one you should actually invest more because if that goes down bad things happen. I think that's also and of course you don't realize that because if you don't do proper risk management you don't have that visibility so how should you make that decision right? So people are, basically, organizations are hurting themselves by not doing this, right?
DAVID LELLO: And identity governance does go a long way in terms of actually enabling that and helping. Yeah. You know, when I talk to a lot of organizations around identity, identity isn't one of those security things that you do because, you know, it's an insurance policy. Identity is an enabler. It's a real business enabler to help organizations to be more efficient and more effective in terms of how people have access. But having the right access at the right time and the right place and having the governance models that actually drive that is what is critical. So when we start looking at your ITGC controls and financial systems and you start looking at how access needs to be created in your entitlements, your segregation of duties, the mandates that go with it. These things are not anything new. They have been written into Companies Act and Financial Regulation for decades.
INGO SCHUBERT: Absolutely.
DAVID LELLO: And the ability to be able to control that with a good identity governance system is there now. And with a modernized solution, it becomes actually quite easy. It's not as difficult as people think it is.
INGO SCHUBERT: Look at us. Talking about identity security governance and we started with quantum. It's like, let's just, yeah, but that's the point. I think this is something where it's also like a door opener with some discussions at customers or like in organizations in general where like, yeah, it's fine. Talk about the quantum threat and, you know, but at the end you end up at discussions, which are not really about quantum but about other things. That, yes, you can fix now, you should fix now, regardless of what happens in the future.
DAVID LELLO: It’s the basic hygiene concept.
INGO SCHUBERT: It’s the basic hygiene concept, exactly. So that’s—what a perfect way to wrap this up. So David, thank you. It was, we could talk for hours, really, every time we meet. So, thanks a lot. And so I think the quantum threat may feel distant.
It may be, it may not be. But hopefully during this conversation, our viewers and listeners got the idea that, you know what, regardless if you should do things today to like be quantum ready. This doesn't hurt at all.
What you get from it benefits you today from threats which exist today, right? You don't have to wait then 20 years to realize the benefits. You actually realize them today.
So that wraps up today's debate on quantum computing and its impact on identity security. The quantum future in science fiction and organizations need to understand where the real risks and opportunities lie. If you want more insight on identity resilience and the technologies preparing organizations for what's next, visit RSA.com. If you like inbox access to more episodes of RSA Identity Unmasked, don't forget to subscribe. Thanks for joining us and we'll see you next time.