“Harvest now, decrypt later.” This directive will be the motivation for an expected surge in an emerging threat: quantum computing cyberattacks. That is according to two experts on the matter who joined co-hosts Adam Dennison and Samara Lynn on the latest Ready.Set.Midmarket! podcast. Lance Smith, co-founder and CEO of Cy4Data Labs, and John E. Young, COO of Quantum eMotion America, lent their extensive expertise on the subject of Q-Day and post-quantum cryptography (PQC). Both describe how threat actors are currently harvesting encrypted data through cyberattacks. While the bad guys don’t have the means yet to decrypt this data, in the very near future they will have a way: quantum computing. The time frame in which threat actors will have relatively easy and widespread access to quantum computing power is what is known as “Q-Day.” Smith and Young discuss what Q-Day is, when it’s expected to arrive, the catastrophes that can happen when hackers are able to break traditional encryption, and what midmarket leaders should do now to prepare.
Adam Dennison (00:14)
Hello and welcome to another episode of Ready Set Midmarket, the podcast for everything business technology related to the midmarket for IT leaders, brought to you by MES Computing. I'm Adam Dennison. I'm vice president for Mid-Size Enterprise Services with The Channel Company. Joined with me as always is my co-host Samara Lynn, senior editor of MES Computing. Hello, Samara. And today we have two excellent guests. We have Lance Smith. He's the co-founder and CEO of Cy4Data Labs. Hi, Lance.
Samara Lynn (00:34)
Hello
Lance L. Smith (00:41)
Howdy.
Adam Dennison (00:41)
And we have John Young as well. He's the COO of Quantum eMotion America. Welcome, John.
John Young (00:46)
Thanks, Samara.
Adam Dennison (00:47)
So I'll do a quick kind of setup here. This podcast is to talk about Quantum Day. And I gotta say, my co-host Samara gives me topics that I need to really brush up on, because our last one was around AI poisoning. So I've heard of Q-Day, but I had to do quite a bit of research. And I think the next one needs to be around, like, puppy dogs and cotton candy, because these two things are kind of scary.
Before we get started, Lance, John, why don't you just give us a real quick overview of who you are, what your role is at your organization, and then we'll kind of dig into the topic at hand. Why don't we go ahead and start with you, Lance.
Lance L. Smith (01:22)
Sure, thank you so much. Yeah, again, my name is Lance Smith. I'm the CEO of Cy4Data Labs, a relatively new company. We're a pioneer of focusing on encryption on data in use. This is one of the pillars that we're sort of missing in protecting data and ensuring who has access to data literally down to a single word or a field within a database. We launched at RSA this year. I've been in production for about two years.
And we're really focusing on protecting those who can't protect themselves when you see so many different and common data breaches occurring in the marketplace.
Adam Dennison (01:58)
Great, and John?
John Young (01:59)
Thanks, Adam. My name is John Young. I'm CEO of Quantum eMotion America. Quantum eMotion, the parent company, is an international cybersecurity company that specializes in encryption for quantum communications and quantum security, which may not be a big deal to most people, but like AI came out of nowhere, the new quantum computer power is going to be hitting everyone with a left-right combination. And we're really preparing everybody to not only be ready for what's coming, but we can also help with the classical encryption. Right now, there's a big weakness. If anyone's seen Apple Prime Target, you'll know what I'm talking about. Since all the encryption these days is based on math, quantum computers eat up patterns and math-based algorithms for lunch. So basically NIST has come out with four algorithms that are approved called PQC, post-quantum cryptography. And if you've, like I said, seen Prime Target, you'd see what an exciting world we live in where they're killing professors and they're looking for anyone that can crack, you know, the math-based encryption. But we have the solution.
Part of the solution for that is that we would replace the math-based seed and keys with quantum mechanics-based seeds. The entropy there is pure randomness, which cannot be cracked by quantum computers or anything for that matter.
Adam Dennison (03:31)
Got it. Thank you. So why don't we up-level a little bit around Quantum Day, Q-Day. Tell us a little bit, Lance, why don't you give us your perspective, thinking about our audience. So CIOs, CISOs, VPs of IT, directors of IT, folks that are running technology for their midsize organizations don't always have the biggest budgets, don't always have the latest and greatest technologies. They're going to rely a lot on their partners and their providers. In this time right now, August 25, what should they be thinking about right now? And what are we looking at three, five years down the road? And John, just kind of jump in and have a conversation around that, because I'd like to learn myself on our side. And I'm glad I don't have to handle this for our organization.
Lance L. Smith (04:14)
Yeah, there's a lot to unpack there, Adam. So let's get started. Let's set the stage first. What's the threat and what's the concern? So at the advent of quantum computers, no matter how they're created and developed, and there's a lot of technologies that are based on quantum mechanics, it gives the ability over classic computers to process a lot of information very fast. So that's number one. The question is, when is there enough capability in a quantum computer that it will be able to crack the code, to be able to break these encryption algorithms that have been used for several decades? And interestingly enough, there's been a lot of progress, but there are two sides of it that I hope that we talk about today. It's not only the technological developments in quantum computers, but also the human ingenuity that figures out how to program these quantum computers and improve the ability to crack these codes easier.
The biggest concern we have with protecting data, and especially when we talk about encryption, as John said, it's a mathematical sort of process to encrypt something and to protect it, and another mathematical process to undo it so that we can see it in its clear text form. Those computational requirements, they're changing. There's this thought process that just a few years ago said, okay, turn of the century, 10 years from now, sometime in the 2030s, there's probably gonna be enough capabilities with quantum computers that we're in trouble, that the algorithms that we're using today are breakable. And breakable in a short time period. You give an infinite amount of time with any amount of computers, you're gonna be able to break one of these things. But if it's, like, not in our lifetime, we're not really worried about it. But if they could break it in hours, then it's kind of a concern, right? So I said a few things there that need to be addressed. We got a set of algorithms that have been around for a couple of decades. That's what we're using. And we got quantum computers that are catching up at some point. When those two intersect, whatever you're protecting today, if it's taken, if it's stolen or breached, which occurs a lot, then they can decrypt it down the road when they have access to a quantum computer.
Now, hopefully that makes some sense. I know John, you got some inputs you want to give on it, and then we can go to the next phase of the question.
John Young (06:33)
Well, you talked about something really important. Harvest now, decrypt later, where hackers will sit in the middle, grab some data. And for right now, all they could do is kind of look at it and say, I hacked this and I've got this data. They can't really do anything. But the truth is, encryptions have been broken kind of routinely over the years. It's the human ingenuity as computers got better. Just mathematicians were able to crack the earlier encryptions, and they've got better and better over the years. The problem is...
With AI joining forces, okay, that came out of nowhere for a lot of people. Three years ago, if you said to people, what effect will AI have on your life? They would have probably said, you know, I've heard about it, but not much. Now everybody uses AI every single day, whether they know it or not. So you combine AI with the new and improved quantum computers. And let's just throw in the fact that IBM announced the Starling project, which they figure in three years they're going to have a quantum computer that's 20,000 times the computational power of the quantum computers they have now. So what does that mean? Well, Google took a century-long math problem for a supercomputer and they cracked it in less than eight hours. So you can see how the timeframe has telescoped down from years and decades and centuries to hours to minutes, maybe even seconds one of these days. So anybody who's out there who's a bug-out bag holder and a doomsday prepper, this is actually what they've been prepping for without even knowing it. You know, they're looking for a problem, worrying about alien, you know, invasions and lizard people in tunnels and government overthrows. Well, this is staring everybody right in the face. And unless something is done about it, then, you know, we could have supply chain failures and we could have bank accounts being zeroed out in front of your eyes. And we could have a lot of things happening that no one even really knows about, the utility failures that we experience right now, because say some kind of outage is just a natural everyday thing.
Well, it could be an incursion with some bad actor from a foreign country, basically, who's infiltrated the utility system, but they're not going to announce that they've been able to, you know, bypass the security and crack the encryption. Also, Lance will jump in on this, but we've got two forms of encryption. We've got symmetric and we've got asymmetric. And a lot of people point to the symmetric encryption, say that's very quantum resistant, the AES-256, that's what AWS and the cloud providers use, that's really solid against quantum computers. And that's true, but then when you go to the asymmetric encryption, that is what is behind all of the identity and access management. So they won't even have to crack the encryption if they can bypass the asymmetric encryption. They'll be able to read it in pure text, plain text anyway.
There's so many vectors that this can come from that anybody who's looking for a silver bullet like the PQC encryption, they're sort of pinning their hopes on something that they don't really know that much about. Because even the PQC approved algorithms have an Achilles heel in my mind, because they're using PRNG, pseudo-random number generation, which goes back to the same math-based situation of randomness we had talked about. So even in the nine years NIST took to approve these four algorithms, there's a basic weakness in there too. And that's where the quantum mechanics come in. You pair the quantum mechanics of the randomness and entropy with the quantum encryption that's been approved, and then you've got something to talk about. So yes.
Lance L. Smith (10:29)
Hey, John, if I may, let me just drill down on that real quick. So now we've got this set of quantum computers, and this has spent the last several years creating a new set of algorithms, right? So why did they do this? There's that concern that the algorithms we have are breakable. They're not today, so let's be clear about that. It's not breakable today. It's sometime in the future that people are worried about.
So the CIOs and the CISOs now have to be concerned that down the road they've got to be concerned about something. But NIST is also concerned. Remember I said that there is this idea that, well, humans are clever. And one thing that just recently happened in 2024 was there was a group that got together, and there was this algorithm developed by someone by the name of Shor, who theoretically said if he had a quantum computer that was fast enough, then we could break these keys, these asymmetrical keys that John mentioned. The side note on that is asymmetrical keys are used when you set up any type of communication or you want to share information. This is not the typical encryption that you use when you encrypt data like at rest, when you're sitting there protecting it, you know, in a vault. That's the AES-256 keys that John was mentioning. We're talking about these asymmetrical ones where you have a public and a private key. You encrypt whatever you want to share in your public key, somebody has a private key that can decrypt it and get the data they want, and that's how we exchange keys. So that's kind of like the quick side note on that.
So NIST has created a set of algorithms that John mentioned, right? The four of them. What's interesting about them is that two of them are kind of the primary ones that are fast and have gone through a significant amount of testing, four rounds of testing, to make sure that no theoretical algorithm or a quantum computer in the future could break them. But then there's two backups. And it's like, wait, wait, wait. If the primary ones are good enough, why? Well, they don't know what ingenuity is going to come out, especially from the nation states that John mentioned. And so they want to make sure. And what they did is they used a different mathematical foundation for the second set.
John Young (12:28)
Thank you.
Lance L. Smith (12:34)
Now that's important to note, not what they've done, but, like, one's based on lattice math. The other one is based on code-based approaches. And it's very clever. What was done was very hard, right? A lot of PhDs, a lot of scientists have been working hard on this thing, and I have confidence in them, but there's a choice. And let's get back to that CIO and see. So what would they do today? Okay. The option today is this: right now we've got our PQC algorithms.
Adam Dennison (12:54)
Yes.
Lance L. Smith (13:01)
But they're not approved. They're not certified. And they're certainly not certified in libraries. And so they're not integrated into the software stacks for people to deploy today. Even if they did, because they're not approved, anyone who does or interfaces with the government or sells product to the US government, they're not going to accept it. Not until a standard called FIPS 140-3 certifies them.
John Young (13:07)
Okay.
Lance L. Smith (13:26)
So we have this window now. When will it get certified? Well, it's expected to be done by the end of 2027. So we still have a couple of years to go, right? One and a half years for that to happen. In the meantime, here's what one can do. They could do hybrid deployments where you use the algorithms today that are well proven, well understood, but underneath it, you slide in a PQC so that if one's broken, the other one won't be, but it's still certified and can go forward. So that hybrid solution has been rolling out quite commonly during this year. When these types of times start to show up, that's when it gets to be tricky. The transition is probably something that's very important where these asymmetrical algorithms are being used. Who are the vendors, the ISVs, the integrators who to update them? Start to prioritize them so that they can take inventories when they're available and roll out these sort of updates. Now, I would expect this to occur in probably the last three years of this decade, right? Like 28, 29, right? Even into 30, right? Even part of 27. Because everyone's getting ready for the 2030 kind of timeframe. All the big players, like John mentioned, IBM, Google, D-Wave. I mean, there's a dozen guys out there
John Young (14:16)
Thank you.
Lance L. Smith (14:39)
that I could mention, some of which you can rent those quantum computers. They're all targeting between 2029 and 2030 to have enough capability that within hours or days they should be able to break sort of today's asymmetric algorithm. It's commonly used, like RSA-2048. That's where we're sort of intercepting that, right? So there's got to be this process along the way. I don't know. Maybe I'll stop there.
Adam Dennison (15:04)
So
John Young (15:05)
Yeah, that's what I mean.
Adam Dennison (15:06)
stay in some of Samara's and my audience focus here, right? So I'm a midsize manufacturer in Indiana. I'm a regional healthcare provider in Massachusetts or a credit union in Washington. And I'm hearing this. I don't personally understand it. They do. They're the technologists. So they understand this. How can they have these discussions with their CEO, CFO, with their boards and say, these are the types of things that we need to start funding, start getting prepared for, when they have all the other stuff they have? They've got SaaS sprawl. They've got security sprawl. They've got all kinds of vendors coming at them saying, these are the things that you need. This certainly sounds like it's big and a game changer if you get hit. So what are,
John Young (15:40)
Yes.
Adam Dennison (15:51)
What are the suggestions on how they can prioritize, as you mentioned, and have these business discussions with them to say, we need to start making our move now before we're too late?
Lance L. Smith (16:02)
I'm going to get a direct question, give John a chance. First, they have to do some discovery work. There is a short list. So they also need to work with their software integrators, their vendors. They need to look for a number of things. Where is the communication protocol TLS being used? So anytime there's communication between two individuals, or two computers, or two servers, you got to look for TLS. It's just a standard protocol that sets up
Adam Dennison (16:12)
Yeah
Lance L. Smith (16:27)
a secure connection. There's others. SSH, it's another secured protocol. We use some VPNs. I'm sure you've heard sometimes VPNs get broken, right? Behind that is some IPsec. And then other things like certificates, like X.509. You take that short list and you go through the discovery process. That will take some time and you have to ask some questions, right? You take an inventory of all the different types of applications that are being used, VPNs that are being used, and you start asking questions, say, when are you going to have, first, like, your hybrid version? When are you going to have a set of updates that uses PQC? And then that's when you start laying out this inventory and timeframe to say, okay, do we stay with this particular application vendor because they are going to be able to deliver something committed in the roadmap, or do we have to go somewhere else? So retire that to do something new. That's kind of, I think, the sort of step one and two.
John Young (17:10)
Thank you.
Adam Dennison (17:22)
Okay, John, what's your perspective there?
John Young (17:23)
My perspective is that I live in California, and if you ask eight out of ten people if they're prepared for an earthquake, they're not. Okay, it's been a while since we had a big earthquake. So that's when people take action, when they're affected. Let's just look at the history of this business. I've been doing this for 40 years, okay? Plus, my history is I started off as a backup operator on magnetic tapes back then. So I've seen the whole evolution of computers before the internet. You know, when it was the ARPANET, I was a network director for McDonnell Douglas, the $41 billion C-17 program. And I worked at IBM for a long time after that. So my whole career has been made basically with two big companies. And I can tell you how they do it, but this is midmarket, right?
Midmarket is focused on growth. Midmarket is focused on revenue, sales, and everything that comes along with that. What we're doing in cybersecurity, and this is another layer on top, quantum preparedness, is overhead to a lot of these people. Unfortunately, it can wipe out a year's worth of revenue in a very short period of time. That's why they have to take it seriously. When I first started, computer viruses were like the Love Bug or some of these other ones that would just put practical jokes on there, or they accidentally would create harm. Well, that's been replaced. When we look at who the actors are now, it's not just some person, you know, teenage kid, war game, sitting in his room, you know, accidentally connecting to the defense system. This is terrorists, okay, this is patriots from other countries, like in America. We may not realize it, but these people, and I've worked with a lot of them over the years when we contracted out at the big companies, they have PhDs and they're making five hundred dollars a month USD, right? So basically, if the city-state or the government tells them, okay, you're a patriot, you know, we're going after America, we're going to give you an apartment, we're going to give you a salary that'll take care of your whole family doing what you love. Obviously, they're going to move to that. Then we got the folks who say, you know, I'm making $500 a month, but this side gig, I can make $500,000 this year by hacking into a utility company with my friends and getting ransom or ripping off old people.
I'm an AARP fraud fighter volunteer. And believe me, the stories will make your heart break of what you hear there. So when it comes to the encryption, it's like you're talking to a CEO and all you can really tell them is that this is going to be bad, not just for your company, it's going to be bad for society when these algorithms start falling, because it's not like Y2K, and if people point to Y2K saying it was all hype and it was a problem. Well, Y2K
Adam Dennison (20:17)
Bring that up.
John Young (20:20)
was a $500 billion worldwide effort to make it nothing. I was in meetings for five years working on it; 400 million person hours went into solving this two-digit rollover problem, where we didn't have Facebook, we didn't have online banking, we didn't have the stock exchange tied into everybody. Every broker is electronic now. We didn't have social media. We didn't have any of that stuff. We didn't have deep fakes.
So look at what a half trillion dollar problem was. It took every government in the world to make it all hype that people are pointing to as a nothing burger. When now we've got everybody integrated, their whole digital life is basically their lives. You know, what are we going to do when there's no set day, there's no set exact problem, there's thousands of attack vectors? There's tons of different encryptions that are breakable at certain levels, and some, like AES-256, are much harder. What do we do? Well, first of all, they have to get ready for basic cybersecurity, good hygiene, because a lot of the midmarket companies have been blowing that off. And I know because I started out at a company, I cringe at what I did in the eighties. People would call me up. I'd create admin accounts for a sales guy just because his boss said that he needed full access, you know, and I'm looking at that now saying, my God, you know, what are the problems that I probably could have created if we would have the same environment? But the truth is, it's all about the simple things in a lot of ways, the fundamentals, the principle of least privilege, right? You give someone just enough stuff to get their job done. That's how much access you give them. Separation of duties. You don't have one person, you know, putting money in the bank and then cutting the checks at the same time. You know, so a lot of the companies in the mid market are still way behind on these simple principles. That's why this is going to be hitting them, you know, like a 500 pound weight on top of the head dropped off a skyscraper. But what we talk about, awareness and also our solution, is very helpful in the way that they don't have to pull out all these encryptions. All they have to do is replace their source of the keys and the randomness seed, you know, with our source of quantum mechanics randomness. So we can back-level and work with classical encryption, and we can work with all the PQCs too. So there's got to be a line in the sand where someone says, you know, we have to start and we have to fortify what we have now. And then we can also do what Lance has said, start sliding in the PQCs for future-proofing with some really strong form of entropy like we have.
Adam Dennison (23:03)
Yeah, I'm glad you brought up Y2K. That's what I was thinking about in terms of, you know, just as a layperson, that's something at a point in time, but to your point, that was a point in time. This is an unknown. Samara, do you want to jump in and ask a couple questions?
Samara Lynn (23:15)
Yeah, just really quickly, I think, you know, and I've spoken to both of you before, and I just thought this was such great information. Even though you both say the timeframe, and when we say timeframe, we're talking about the time where quantum computing power becomes more ubiquitous, where just a threat actor can tap into that and wreak all this type of havoc. And that's kind of the timeframe we're talking about, this 2030, when that's gonna happen.
Even though that's a couple of years off, would you advise these IT executives, they should start having these conversations with their vendors and their MSSPs now? Or do they have a little bit of wiggle room to think and plan and then have these discussions?
Lance L. Smith (23:57)
I think they definitely have to get the discussion going, because the first exercise they have to do is they do have to take an inventory of what they've got and then look at that list of suppliers, those vendors that they've purchased software from, and simply go down the list, the ones with the highest priority to them, like what is their main business operating on? And then ask some simple questions. These things for communication are easy to find.
Samara Lynn (24:19)
Crown jewels
Lance L. Smith (24:26)
And it's a simple question with their vendors to say, what's on your roadmap? And if they don't have a good answer, then it's going to mean you retire that and you migrate over into a new one. It's a bit of work, but that will take time, right? That's not going to happen overnight. But in terms of that process, they make those decisions and they look to see what their choices are. And they do, they have to set a goal in the 2030 timeframe right now. And that's real. I mean, we can debate this, that if you look at all the vectors of that threat, Y2K was a little different because it was the unknown. Well, I don't know what's going to happen when all the registers roll over. Will it break some kind of software because it didn't know what was going on? This one's actually real. And we have a trajectory that's going to occur.
And what's worse is, as I mentioned before, the optimization of algorithms for breaking encryption got tremendously better just a year ago. I mean, it cut the requirements in half. So that means that the quantum computers that IBM and Google have on their roadmaps, they're saying 2029, 2030, they're going to be there, and they rent these.
Now that doesn't stop a nation state from renting one of these things and giving it a shot, right? So I think that what that, you know, smaller midmarket companies, it's just a matter of decent hygiene. Like John mentioned, they're going to have to have the discipline, and the CIO will have to be asked by the board and the CISO, what are we doing to mitigate this? And their answer's got to be, we're doing the first round of investigation where the threat possibly would occur.
Samara Lynn (25:49)
Yeah.
Lance L. Smith (26:11)
We've talked to our vendors, here's their roadmaps. Here's how we're gonna spend money over the next three years to do that transition and what we could do in the meantime, right? It's a matter of just breaking it down into bite-sized chunks, right? Because taking this whole thing on at once, like John was explaining, was, my God, I really don't have any time or effort. I'm gonna do anything right now. It's like, no, do one piece at a time, right? Go after your highest priority, what you think is mission critical for your business, then look at the vendor who makes that sign-in and deal with it. Is it that you primarily have your remote employees using? Well, go look at the VPNs and figure out who has a solution in the next year, who's going to roll on the PQC, who actually has an upgradable solution for PQC, because what you buy now, you can use later because they actually upgrade it. And they retire the stuff that's too old.
Adam Dennison (27:01)
Yep, makes sense.
In two and a half weeks, we're going to be in San Antonio with 150 midmarket IT leaders. And I happen to know, I spoke to them Monday, our keynote that we're putting up to open things up, Quantum Day is in that. And we've been hearing about it a little bit at these events. We do three large ones a year.
and it's gonna be in there in the keynote. So it'll be interesting to start to hear from our audience and our board members, what they are doing about it. And I'll revert back to this and send them this as well, because it's definitely something that they need to be concerned about. Lance, John, great having you both on here. We thank you so much for taking the time. We'd love to have you back as we get closer and take that and start to see how
Lance L. Smith (27:45)
Absolutely.
Adam Dennison (27:47)
how things are breaking down and some of the customers that you work with and how they're fortifying their enterprises to move forward with this.
Lance L. Smith (27:55)
Terrific, thanks for having us.
John Young (27:57)
Yeah, thanks for having me.
Samara Lynn (27:57)
Thank you.