Podcast | What Boards Need to Consider about Quantum Computing and Cryptography in 2024 - with Quantum Computing Inc.

Konstantinos Karagiannis: The year 2024 will be a milestone year for post quantum cryptography, with NIST getting ready to release its new standards. What should boards consider regarding PQC and other aspects of the quantum industry this year? It’s a look ahead in this episode of The Post-Quantum World. I’m your host, Konstantinos Karagiannis. I lead Quantum Computing Services at Protiviti, where we’re helping companies prepare for the benefits and threats of this exploding field. I hope you’ll join each episode as we explore the technology and business impacts of this post-quantum era.

Our guest today is the senior director at Quantum Computing Inc., Derrick Sturisky. Welcome to the show.

Derrick Sturisky: Thank you. It’s great to be here.

Konstantinos Karagiannis: I’m glad I was finally able to get you on. I’ve been interesting having this company on for a while. The name is fun. It’s, like, “Quantum Computing Inc.” — if I mentioned it in a meeting or something, people will be, like, “Is that a real company?” It’s like “Acme Quantum Computing.”

Before we dive into what you all do, I’d love to give our listeners a sense of who you are and how you found your way into the quantum realm.

Derrick Sturisky: For those of you who perhaps pick up an accent, I’m originally from South Africa — I moved to the U.S. over 25 years ago. Most of my career has been in management consulting. I did spend some time in-house in the life sciences industry, and I’ve been in quantum for the past year — relatively short. The major reason I moved into the space was, there’s a very compelling, very interesting and potentially very lucrative intersection between quantum management consulting and cybersecurity.

Konstantinos Karagiannis: We’re going to be digging into all that in this segment here. Let’s jump into QCI. What does Quantum Computing Inc. do?

Derrick Sturisky: We’re a nanophotonic quantum company. We excel in generating, entangling and measuring single photons. We were incorporated in 2018, and we’ve been listed on the Nasdaq exchange since last year. Our headquarters are in Leesburg, Virginia. Our lab is in Hoboken, New Jersey, and our future chip foundry will be in Tempe, Arizona. A key strategy of ours is developing quantum optical chips in this foundry that can be leveraged across all our platforms. Like other quantum computing companies, we have several patents and exclusive technology licenses. We offer four major categories of quantum solutions.

I believe you and I have discussed this in a previous call, but first, our quantum computing platform. We offer quantumising and postoptimisation machines for binary and integer optimisation. Our Dirac-1 machine offers 10,000 quantum binary modes. Our Dirac-2 machine offers 1,064 state quantum modes and our Dirac-3 — hopefully, out early next year — that machine will offer 10,200 state quantum nodes with all-to-all connectivity.

Second, our quantum intelligence platform — we are building a photonic reservoir computer. It’s designed for time-series problems, and it excels at classification. We also have an emulator of this photonic reservoir. It’s ideal for edge computing. It’s relatively inexpensive. It’s also ideal for rapid prototyping and algorithm development.

Third, our quantum sensing and imaging platform — very interesting in civilian and defense applications. We are developing single- and low-photon sensing and imaging solutions. They will use temporal gating and quantum mode projection, and these solutions operate at high speed — up to about 20 MHz — with a long range up to 1.6. Our fibrometer is capable of penetrating 70 cm into soil in initial early tests — very promising in quantum sensing and imaging.

Fourth, and finally, our quantum cybersecurity platform, my particular area — one of the reasons I got into quantum and joined this organisation — we offer a quantum random number generator, providing uniform and arbitrary quantum random numbers. It’s available on-prem or in the cloud without the need for postprocessing.

We are also developing quantum authentication hardware and discrete components for the quantum internet. And this is something we are investing heavily in, but we do recognise it’s a longer-term proposition. And finally, we offer solutions and services in quantum risk assessment — a path to quantum services, PQC, crypto-agility and symmetric-key solutions.

Konstantinos Karagiannis: It’s quite an array of things you guys do. You could see why the company has that kind of name. It seems to encompass almost everything.

It’s, of course, 2024. In this episode, we’re going to start the year off by talking about what’s happening this year. NIST is going to be publishing its new standards for post-quantum cryptography, and as a result, PQC is going to be on everybody’s mind. I want to start out the year with another look at what a company is doing to prepare for this seismic shift that’s going to occur this year. Let’s take a look at your general view on Q-Day that’s coming in the future.

Derrick Sturisky: We need to differentiate between the two Q-Days that are subject to consideration. First, as you know, and as you possibly celebrate, April 14 every year, scientists, institutions and governments around the world mark World Quantum Day, the international grassroots celebration of quantum science.

But second, the other Quantum Day — the more potentially catastrophic Quantum Day — is the day, of course, when quantum computers will be able to exploit the immense power of quantum mechanics to break current encryption algorithms you and I, the rest of the world, widely rely on — indeed, on which most of our IT backbone is built. This will, of course, threaten confidentiality, integrity and availability — the so-called CIA triad — of our information systems. Governments, companies and organisations across industries, and institutions and individuals, may be exposed.

But what’s interesting here is that the threat is not only in potentially losing sensitive data, which is significant in and of itself. The threat also includes the risks of severe and sustained business interruption. Imagine, for example, if your bank could not guarantee the security of an online transaction, or if your airline could not guarantee the integrity of its navigational system. This is, of course, potentially catastrophic. Some claim that Q-Day is several years away. My view is that because certain actors, including nation-states, have unlimited resources to invest in these technologies, it will arrive within the next three to five years.

Konstantinos Karagiannis: You’re guessing three to five years when there’s some chance of something being cracked.

Derrick Sturisky: Yes. It may not be at a wide scale, but there may be discrete cases of encryption breakage by some of these larger nation-states or these nefarious actors, again, with unlimited resources. I hope I’m wrong. I hope I’m being too pessimistic, and I hope it’s longer than that. But from what I’ve seen — the investments in technology, the rate and pace and scale of quantum computing adoption and technology improvement — I would say within the next three to five years. But again, I hope I’m wrong.

Konstantinos Karagiannis: That’s pretty aggressive. As a guess, I’d say a lot of the industry — I know NIST, even — they think it’s more like 10 or more away, but we don’t know what other little surprises could happen. That Chinese paper that keeps coming up where they were talking about QAOA, there’s no provable speed up there. But their guess was 372 qubits, which is nuts because we’re going to get there very soon, especially if you’re talking about reasonable gate depth. IBM’s gate depth has just gone up significantly with Heron. That just came up pretty recently.

It’s hard to say. We have a little more time than that. But when I think about Q-Day, I like to think that 2024 is when the apocalypse begins, quite frankly, because this is the year that once NIST publishes those standards, it’s everybody’s problem.

You got to believe, even if you’re not in a federal regulated agency or something that forces you to start the migration path, your private sector of choice will emulate what happens. Like I’ve said on this show before, I did the episode about the White House NSM-10 document, and in it, I made it pretty clear I feel that all the regulators are going to just cut-and-paste from that. Once the standards are out, people are going to have to start taking action. If you look at the federal guidelines, they don’t want you to buy anything until the new standards are out. That’s what they are saying. What actions do you think an organisation should be taking now, in early 2024, to start down the path?

Derrick Sturisky: What organisations should be doing now, immediately, perhaps starting January 2 — and this is the advice I offer to clients — is to be proactive, to follow the space, engage with industry, engage with experts, engage with government and law enforcement — CISA, NIST — engage with academia. There’s some remarkable work taking place in our academic institutions — and begin incubating quantum awareness and begin obtaining quantum experience.

This is very important if we think about Y2K. You may have been around, like I was, for Y2K, and in some ways, not always, Quantum Day may be compared to Y2K. Here are some similarities: For example, Y2K was a point in time in which our IT systems will be threatened. With Q-Day, we have identified and assessed the threat, and we can implement proactive risk remediation against the threat. And government and organisations are mobilising in anticipation of this risk. That is very similar to Y2K.

Here’s the difference: Y2K had a specific date. Q-Day does not, of course. But there is good news. As you may recall, when we look back 20-odd years ago — 24, 25 years ago — Y2K was navigated extremely well: Electricity still flowed. Banks still operated. Life went on after the New Year’s Eve celebrations. It was not actually the new millennium eve, which came later, on December 31, 2000. It was just a simple New Year’s Eve. But to me, it did feel different. It was different. And what we as professionals in the quantum space need to replicate is the Y2K success we had almost a quarter of a century ago when Quantum Day dawns in the future.

Konstantinos Karagiannis: It was so different. I still remember watching TV. I don’t know if people pay attention to this, but on New Year’s Day, wherever you live, you’ll eventually see some coverage of where the first new year’s celebration is happening somewhere in the world. And it was footage of a woman on a beach somewhere playing some kind of flute— I’ll never forget. It was such a haunting image. And the fact that her tones were making it across the world to me made it clear that the Y2K fixes were already in place and happening, because over there, it should have been chaos, and those TV stations should have been suffering, etc. It was this calming thing I had early in the day, relatively, in New York City.

Derrick Sturisky: That’s a great point — the fact that you had electricity to watch the celebration.

Konstantinos Karagiannis: Even though it wasn’t Y2K for me yet, it was for her, and her signal was getting to me. We won’t have anything like that with quantum — we’re not even going to know when Q-Day is, which is super important to remember. We’re not going to be able to tell the world, “You know what? In 16 months and three weeks, we’re going to have a machine that can crack Shor’s algorithm.” We’re not going to know. China might have it before we know they have it, etc. We just aren’t going to know. We’re not going to have any of those instant confirmations that we did our jobs, so it’s time to get rolling.

I’d like to ask you about the technology behind what your company provides for helping this along. I know you have your random number generator. Can you talk about how that’s used and how the other technologies are used as stopgaps for now until everyone starts implementing the post-quantum cybersecurity?

Derrick Sturisky: The reason we can operate across four major platforms is, they all rely on the same technology. It’s all nanophotonics, which demonstrates size, weight, power and cost advantage. We can install our hardware in regular rack rooms on-prem or, of course, through the cloud. But what’s very important is what we are doing in support of the entire cybersecurity market — particularly, the PQC market, which, as you correctly point out, is going to get a lot of momentum and is going to be amplified significantly just as soon as NIST publishes the standard.

There’s going to be a real mobilisation — again, as you point out — within the federal government, of course. With all the organisations that do business with the federal government, they’re going to be encouraged to follow suit — there’ll be a ripple effect through industry.

But on the quantum cyber threat, I believe organisations should be looking at it in three major dimensions: First is investments in crypto-agility —the ability to effectively and efficiently adapt to changes in the cryptographic algorithms, protocols or key management services. When this comes out with a standard, it will be important that organisations are crypto-agile — that they can upgrade their algorithms, their hash functions, their digital signatures, as appropriate. And this, of course, will allow organisations to be responsive to emerging threats and vulnerabilities, or even just advancements in cryptographic techniques.

Second, organisations should review software-based symmetric-key solutions for specific applications, and these are relatively frictionless, relatively low-cost and relatively easy to implement, and they do increase security of systems through the use of temporary symmetric keys, making them ultimately not entirely quantum-safe, but certainly more quantum-resistant.

Third — and this is where Quantum Computing Inc. comes in. — organisations should take a longer-term strategic view at identifying quantum hardware and quantum networking and how this type of quantum hardware can provide quantum key distribution and quantum authentication, which ultimately could be used for unconditionally secure computing and connectivity in the future.

There are three altitudes here. One is crypto-agility — certainly, in line with best practices, prevailing practices. Two is reviewing software-based symmetric-key solutions, relatively frictionless and easy to implement, and prototyping some of these solutions. Three is taking the longer-term strategic view: How will quantum hardware — hardware that can generate and entangle photons, for example, and send those entangled photons over long distances — be used in key distribution and quantum authentication? That’s the complete approach organisations should be taking — and again, I urge them to do so fairly early on in the new year.

Konstantinos Karagiannis: There are a lot of unknowns with that too. When it comes to quantum networking — when we use that term — it raises a lot of questions. People want to know, does that mean quantum key distribution, or does that mean a network where quantum computers are talking to each other? And the answer is, both. Will that network be designed secure from the ground up? I think so. We learned a lot of lessons going forward, so it will be different.

Derrick Sturisky: The other limitation there is, we don’t have fully functional quantum memory, nor do we have fully functional quantum repeaters, which are going to be important if you think about doing this at scale and across long distances.

Konstantinos Karagiannis: Quantum repeaters are like little application-specific quantum computers. They have to swap entanglements. Those are a lot of things we still need. In the shorter term, now that we’re still in this infrastructure we have today, do any of your solutions enable secure keys now?

Derrick Sturisky: We are looking to partner with some software vendors in the market now where we can use our quantum random number generator and some of their solutions to generate symmetric keys to increase the security of these applications. We have the quantum random number generator. Of course, it’s passed the standards, the NIST and Dieharder standards. It’s a very impressive piece of hardware that’s based on our nanophotonic architecture, and we’re looking to integrate this into some of the other solutions out there that generate ephemeral,, or temporary keys.

Again, we play a very important role in this quantum space. The organisations that are helping companies become crypto-agile are very important. The organisations that are providing software-based symmetric keys, very important. And the organisations that are piloting and building a long-term vision for an unconditionally secure quantum network, of course, are also very important. But again, that is a much longer-term proposition.

Konstantinos Karagiannis: You talk about partnering. How do you see the whole PQC market developing right now? What do you see going on with all these other companies that are interested in being players?

Derrick Sturisky: There are some very impressive companies with some very impressive innovation taking place in the market. I would like to see organisations adopting proofs of concept and taking a look at the entire landscape of solutions that are out there and investing in test cases. Let’s take a look at the symmetric-key solution, and let’s test it using perhaps a small office in a particular city and some remote users. Let’s set up a VPN, and let’s try and establish if we can, in fact, using symmetric keys, authenticate between Alice and Bob, and we can, in fact, repeat the use of new keys every few seconds or every few microseconds.

There are some very interesting architectures in the PQC space. But, again, It’s worthwhile differentiating between organisations increasing their crypto-agility so they can upgrade to the new algorithms versus doing so and looking at software-based symmetric-key solutions. I advise organisations to do all three: become crypto-agile, look at some software — some symmetric-key solutions that are out there — but also take the longer-term view. In five or ten years’ time, will the quantum network be ready for you to at least start exploiting for particular high-risk transactions — perhaps between node to node or particularly critical transactions? Those are the three areas organisations should invest in. And of course, the market will be, hopefully, leading those three areas and responding to those three areas at the same time.

Konstantinos Karagiannis: The symmetric-key idea is interesting to me. It is the only recommended upgrade the White House pushed for in NSM-10. In December, they were talking about national security systems having HAIPE just to have that symmetric key that gets updated. That’s something people can do before the standards, for sure.

Derrick Sturisky: Absolutely. And we’ve been using our current encryption algorithms for how many decades? They’re due for a makeover. The timing is right. There are various levers that are taking place in the market right now. NIST, of course, is one of them. Continued cyber breaches is another. The SEC rules will have a significant influence on quantum computing.

Konstantinos Karagiannis: I want to ask you about that because I know the types of conversations you’re probably having. Let’s talk about risk oversight. How do you feel about the recently adopted SEC rules?

Derrick Sturisky: I am a fan. I believe that adoption of the cyber disclosure rules will change the cyber landscape. I read all the submissions before adoption during the commentary period on the SEC website. I made it my business to go and review the comments that were made by governments, by organisations, by individuals, by politicians. It was very interesting to see the responses from these various constituencies. There were some concerns, and there were some legitimate demonstrations of support. I support the rules, and I believe they will encourage far greater cybersecurity transparency in the investment community.

I’m less interested in the four-day breach-notification requirement, although that seems to be getting most of the airtime. I’m more interested in the periodic reports that need to be filed in the 10-K, or possibly the annual report, where registrants will need to describe the processes they use to assess, identify and manage cybersecurity risks, as well as, of course, as you know, the board’s oversight of these risks and management’s role in assessing and managing them.

There’s quite a lot to unpack there. But what I’m particularly interested in, when I read these disclosures — and fair warning to those organisations out there, those registrants who will be publishing them, filing them fairly soon, as early as last December or this January, I’ll be paying special attention to any mention of quantum in these filings. It will be fascinating for me to see which industries and which companies within these industries are proactively investing in quantum cyber threat mitigation. If organisations are investing in quantum in any one of the three key areas — whether it’s crypto-agility, whether it’s the symmetric-key adoption or whether it’s just taking a longer-term view of quantum networking and quantum communications, they should be disclosed in these filings, and I’m going to be interested in reading them in the very near future.

Registrants may also have to justify, if they don’t mention quantum, why they’re not investing in quantum. That may put some registrants in a very interesting position. They need to file disclosures about the policies and procedures of cyber risk management. If there’s nothing about quantum in those filings, then either the organisations aren’t looking at quantum or they’re not filing their interest in quantum, which may be uncomfortable.

Konstantinos Karagiannis: It could create a peer-pressure situation — “I couldn’t help but notice there was no quantum here.”

Derrick Sturisky: Right. And as you know, having been in the management-consulting profession for a while, there are standards, and there are practices. There are prevailing practices; there are best practices. There is interest in what the competition within a particular industry is doing. It’s going to be fascinating to see the effort that is generated from organisations having to file information about their cybersecurity policies and procedures.

Konstantinos Karagiannis: In keeping with this business theme and aspect here, how do you feel a board of directors should think about quantum computing and what questions they should ask?

Derrick Sturisky: Clearly, the main role of any board is independent oversight, monitoring and ratification of the strategy and risks of their organisations. I was at the recent National Association of Corporate Directors conference in D.C., where I met your colleague, who introduced us. And in speaking with several directors, it was clear to me that they’re being inundated with information on AI, which, of course, is timely and which, of course, is very good. AI can significantly impact both the strategy and risk profile of any organisation.

However, they may not be receiving corresponding information on how quantum could impact their strategy and risk profile. And this, I believe, is happening in conversations and consultations with several board members: they’re not receiving the corresponding information — even the basic-level information on how quantum could impact their strategy or their risk. Quantum and AI are also interrelated: AI can help develop quantum technology. It has helped develop quantum technology, quantum algorithms, quantum thinking, research. But quantum can amplify AR performance, accuracy and precision.

Konstantinos Karagiannis: Absolutely. It’s one of the big three pillars of use cases.

Derrick Sturisky: Exactly. Boards should be informed on both of these truly transformational technologies. And as I say, they’re getting the format. They’re getting the information, the briefings on AI. I suspect they’re not getting the full briefings on quantum. Therefore, they should be asking questions: For example, “What is quantum computing?” That’s a very good question. “What opportunities does it afford our industry, and what are our competitors doing in the space?” “What threats does it present to our industry?”

Again, we think about strategy. We also need to think about risk. How do quantum and AI support and enable the business strategy, and how are quantum and AI aligned with IT strategy? That’s a very important question because IT is such a key stakeholder in any quantum or any AI discussion. Management, of course, should be prepared to inform the board proactively and periodically on how both quantum and AI can create value and protect value — in other words, enable the strategy and reduce the risk.

In the life sciences industry, in which I worked for many years, there are value-creation quantum use cases such as molecular modeling, drug modeling and clinical-trial optimisation. But there are also value-protection quantum imperatives against the threats, such as information theft, IP loss, privacy violations, of course, and business interruption. Boards need to understand both the risks and the potential opportunities a technology like AR or quantum presents and affords to them.

Konstantinos Karagiannis: I agree. I’ve spoken at those types of events, and I’ve heard the questions they come up with, and a lot of times, they’re wondering, what will be the ChatGPT moment for quantum? That’s what they want to know. On the good side of that, that ChatGPT moment will be when we have provable advantage in some use case. That’ll be great. That’ll get the press, and everyone will be very excited. The bad ChatGPT moment we’ll have is when we’re cracking encryption. That’s the bad one. But first, we’ll have the advantage one, I’m pretty sure.

Derrick Sturisky: I sincerely hope so. But you’re right: there will be that moment where quantum is as ubiquitous as ChatGPT. Even my mother, who’s almost 80, knows what ChatGPT is, which is remarkable to me.

Konstantinos Karagiannis: We’ll get there. We definitely will. Do you have any closing thoughts before we wrap up?

Derrick Sturisky: In reflection, there is increasing mobilisation, investment. There’s legislation, there’s quantum research going on right now in my industry. In our industry— the tech space — for example, I’m seeing impressive, cutting-edge innovation from companies such as Microsoft, AWS, Google and then smaller companies, smaller organisations, such as SandboxAQ, QUIX, QuSecure and Qrypt. I advise organisations out there, clients out there, to follow the market, look at the value propositions these companies are offering.

I urge clients to allocate resources — even on a part-time basis, even on a limited basis, across diverse functions — to quantum and other emerging technologies. This is not just an IT discussion. I believe, in certain industries, it’s an R&D discussion. It’s an operations discussion — legal and compliance in the regulated industries, finance in some of the financial services industries.

Again, this is not just an IT interest. There should be diverse teams created even on a limited, part-time basis, to start examining quantum and quantum potential. I wouldn’t classify this as training. It is awareness. It’s taking a look at what quantum is: What is the intersection between quantum and AI? What are the opportunities it may afford, and what are the risks it may impose?

Organisations, of course, should review relevant legislation. And you’ve touched on this: the National Quantum Initiative Act, the Quantum Computing Cybersecurity Preparedness Act. It’s very important for organisations to understand this legislation and understand its potential impact on the industry.

Returning to the concept of strategy and risk, whereas the COSO ERM Framework describes value creation and value protection, on the value-creation side, organisations should design use cases, run proofs of concept on multiple architectures, gate models, optimisation machines, run the same type of problem across various architectures, understand the difference, and try and assess and analyse the performance. Then, on risk, on the value-protection side, organisations should understand the quantum cyber threat. Prepare for Q-Day — engage, empower and equip your CISO. She or he will play a key role in quantum. There’s no question about that. Make them key stakeholders in this conversation.

Thanks very much for having me, Konstantinos.

Konstantinos Karagiannis: Thanks. There’s a lot of good stuff there for boards and other decision-makers to keep in mind in this coming year. Thanks for coming on.

Now, it’s time for Coherence, the quantum executive summary, where I take a moment to highlight some of the business impacts we discussed today in case things got too nerdy at times. Let’s recap.

Quantum Computing Inc. Is listed on Nasdaq and focuses on optical systems, reservoir computing, quantum sensing and post-quantum security. Its solutions help customers take advantage of quantum technologies and prepare for the seismic shift needed in cryptography before the dreaded Q-Day.

On the PQC front, QCI believes that companies should focus on three main areas: crypto-agility — or being ready to implement new cryptography — symmetric-key solutions at end points and applications, and taking a long-term view at identifying how quantum networking and other hardware could secure connectivity in the future. Derrick points out that the SEC’s cyber-disclosure rules, designed to help identify and manage cyber risks, could help in the PQC journey we all need to take. Boards should be aware of both the threat and promise sides of the QIS industry.

AI cornered the attention market in 2023, and we need more focus in 2024 on quantum. Not investing the right resources in this industry could be costly in terms of missed opportunities and expanded threat landscapes.

That does it for this episode. Thanks to Derrick Sturisky for joining to discuss Quantum Computing Inc. And thank you for listening. If you enjoyed the show, please subscribe to Protiviti’s The Post-Quantum World, and leave a review to help others find us. Be sure to follow me on all socials @KonstantHacker. You’ll find links there to what we’re doing in Quantum Computing Services at Protiviti. You can also DM me questions or suggestions for what you’d like to hear on the show. I’d love to do an AMA episode in the future. For more information on our quantum services, check out Protiviti.com, or follow Protiviti Tech on Twitter and LinkedIn. Until next time, be kind, and stay quantum-curious.