In many ways, the human appetite for computing power is ever-growing. More computing power can be found in the cloud for our ever-growing thirst for power. But that’s still not enough. Enter the next generation of computing power — quantum computing.
In this episode of the Security on Cloud Podcast, we sat down with one of the world’s few quantum computing and privacy experts, John OMalley, to discuss all things quantum computing. Listen in as we discuss topics like…
- What differentiates a quantum computer from a regular computer. [02:56]
- How we pull answers from a quantum computer. [03:58]
- What qubits and quantum bits are in quantum computing. [05:45]
- Some of the problems we’re hearing about in security due to the upcoming quantum computing. [07:42]
- The issue with today’s modern Encryption. [11:09]
- What a “harvest attack” is and the steps we can take to solve them. [13:05]
- A high-level overview of what “quantum cloud” is. [17:13]
More Ways to Listen: iHeart Radio | Pandora | Apple Podcasts | Spotify | View All
Scott Emo: Hello everybody. And welcome. You’re listening to the Security on Cloud Podcast live on Anitian Radio. I’m your host, Scott Emo. In many ways, humans’ appetite for compute power is ever growing. And the technology sector seems to just keep delivering to feed that appetite. Only a few decades ago, an entire room would be filled with one huge computer and businesses would run their finances on an IBM 360.
Scott Emo: Today, the compute power that was once in that room can now be held in the palms of our hands as we check the weather on our smartphones. Even more compute power can be found in the cloud for our ever-growing thirst for that power. But you know what? That’s still not enough. Enter the next generation of compute power: quantum computing. I know our listeners have heard the term thrown around and talked about for years and horror stories and myths have clouded the truth behind online privacy and the ability for quantum computers to decrypt anything in seconds that used to take years to brute force, but there seems to be some hope.
Scott Emo: And with that, I’d like to introduce our guest for this episode. He’s a graduate of the American Military University, where he focused on cyber forensics and counterterrorism. He brings over 20 years’ experience as an IT and identity access management specialist. In the US Army, he served as a computer analyst and an IT security specialist while supporting both Department of Defense and the entered agency, computer security operations in multiple geographic combatant commands spanning the Russian Federation in Europe, Africa, the Middle East, and South and Central Asia. Later, he transitioned to IT security in the private sector as the identity access manager for LifePoint hospitals, managing identity solutions for a network of over 50 hospitals and 30 separate emergency rooms, as well as he led teams focused on audits and incident reports. He’s one of the few quantum computing and privacy experts in the world. He’s written numerous articles, evangelized quantum computing, and the impact that it may have on all our futures. He currently holds the role of infrastructure and security specialist at American Binary. Coming to us from Nashville, Tennessee, I’d like to welcome our guest, John OMalley. Welcome, John!
John OMalley: Thank you, Scott. It’s wonderful and great to be here today.
Scott Emo: Well, great to have you. So let’s just jump right into it. Can you describe for us how a regular computer and a quantum computer are different? Like what makes a quantum computer so special?
John OMalley: Well, a quantum computer is a unique aspect as it goes on protons, neutrons and electrons that we use in everyday life. And what I mean by that is we take a computer, break it down to as small as it can be, the atomic level. We ask it to provide us information in a rapid instance and then we get that information in milliseconds, instead of years, into what we can understand in today’s binary language.
Scott Emo: So, today’s binary language is ones and zeros, right? And we all learned that computing in the past, right, that you have a one and zero, you just flip those on and off, you got eight bits, bits and a bite, all that… We learned all that in school. But how do you get an answer out of a quantum computer that used to do ones and zeros? What’s the answer kind of look like out of a quantum computer?
John OMalley: So, the great example is a dimmer lightbulb or a round object. So, picture [that] I have a soccer ball in my hand, and that soccer ball, if you go in the middle and you go up as on and down as zero from the middle, that it literally means one is on, two is off. Everybody understands that. But you can’t go below zero. You can’t go to the right of a zero or left of a zero, right of a one, left of one or things. So, if I take that soccer ball and I take the answer going all the way to the backside of the soccer ball and have it slightly above zero, but below one, its atomic number, it’s an atomic level.
John OMalley: The best way to describe this is to break it down even smaller. Eight qubits, or a qubit is a quantum bit, equals one bit in a computer, standard binary. With that being said, that qubit that we have in this soccer ball can be any number at any time, any given possibility. It can be a positive, a negative, a letter, or it can be everything exactly the same time. So, all the possibilities are wrapped up into one qubit. If you take eight of those qubits and compress it to one bit, and then you take eight bits to get a standard format. So, it’s really neat that it’s so small that it can hold every possible answer in just one atomic level.
Scott Emo: Wow. Can you go into qubits just a bit? Because it sounds like that’s kind of the basis of this whole thing.
John OMalley: So yes, the qubit is how we read. Like the ones and zeros a bit. A qubit is how we read. And so the qubits can be made of light, they can be made of copper, can be made of crystal. It’s the definition of where we’re getting our possibilities from. And we take it into the quantum computer and we have all these cubits running around giving information and then we ask it to freeze and it spits out the answer and then it freezes. Now there are technical terms that go with this, but let’s speak to where everybody’s on the same page, if that makes sense. So, we ask it to freeze. It freezes that instant right then and there and spits out an answer. And the qubits determine whether it’s up or down, if it’s left or right.
John OMalley: If it’s behind it or in front of it — if it’s a hair above a one, below a one and things like that — that when it freezes, it provides that information and puts out. So if we take it back to the dimmer switch, so the standard light switch is up is on down is off, but the dimmer switch has so many possibilities going up and so many possibilities down. That’s how the quantum looks at it. All these different possibilities at one time, exactly the same time until we ask it to freeze and it isolates it. There are algorithms that go in to make it freeze and those algorithms are worked on every day. And so with that being said, it’s literally trying to ask the atoms to give us an answer. And it’s pretty accurate, very accurate these days.
Scott Emo: Wow. It’s a fascinating space, but now what I’ve heard is there’s some problems that we’re hearing about in securities specifically. So, this is the Security on Cloud Podcast. In security specifically, we’re hearing there’s a bunch of problems coming up or people are fearing some of these security issues due to the upcoming quantum computing. Can you rattle off a few of these problems and what they might be?
John OMalley: So the biggest problems we’re hearing about is encryptions, APIs, public key, PKIs, harvest attacking and personal health information. Those are all our top things right this second. Each one of them has a different level of security that we are reminded of each day. There’s a ton more that goes out there, but these are the ones that you see and read about.
Scott Emo: Well, that’s a ton of issues and honestly, that’s almost every issue that we run into in security today. So, it’s no wonder that people are worried about this. But there’s so many issues there, let’s just cover a few. Let’s take a few top issues and break them down. Let’s tackle the encryption problem first. So first, what’s the issue with that?
John OMalley: The issue with today’s modern encryption is [that] its binary only, and it is becoming outdated and it’s becoming relative that qubits can now read multiple bits at the same time. And that aspect of 128 and 256 are both in danger, 512 will be shortly. And what this means is that a quantum computer can random off a number of codes and possibilities against that encryption, as it’s moving across the network, guessing which letter it is because of all the possibilities a qubit can be to a bit. I have read and seen reports that say that 128 has been broken. I have not physically seen this myself. Again, I’ve read and seen reports, but I’ve never seen it actually be done. Love to see it. Let’s be honest, we would all love to see that.
John OMalley: But at the same time, it took months and almost a year to break that 128. But does that mean it’s still safe? Right this second — today — it is. Tomorrow, [it] may not be. And the reason I say that is because every day we’re coming up with more and more quantum computers with more and more qubits that can run faster and faster. And these abilities for these computers to charge against this encryption at a faster rate, more qubits is going to bring and lower that encryption time shorter and shorter of breaking it and hacking it.
Scott Emo: Yeah. That does sound like a problem. Even if you can decrypt something in a year, that still sounds like an issue because a lot of people like to keep things secret for over a year.
John OMalley: Yes, sir.
Scott Emo: So that certainly does sound like a problem. So, yeah, it’s not the nanoseconds right now, it’s 128 bit.
John OMalley: Yeah.
Scott Emo: So that’s actually promising a bit. But it sounds like the issue’s coming, it’s going to get here. What do you think we can do to address the encryption problem?
John OMalley: So, the addressing is companies like the one I work for, we’ve developed post-quantum encryption and quantum encryption that protects your data extended amount of times against a quantum attack. And what that means is we’re providing quantum-safe encryptions to your stuff and as we develop and change, we offer everything else that goes with it to protect your data. So it’s not using traditional information to encrypt it. It’s using the new calculations, the new high-end mathematics, the new formats, all the quantum level stuff to do this and produce this type of encryption to protect your data. And we’ve been doing this for over two years and companies are starting to realize. And believe it or not, NIST has standardized in a pre-standard, as they call it, post-quantum encryption. And so this means businesses and banks need to start looking and start talking and having these discussions about moving to these new levels of encryption.
Scott Emo: Yeah. And that actually, that makes us feel a lot better. That there [are] companies out there that are solving the issue or are on their way to solving the issue. And because we can see it coming, we could see this issue coming. It’s there. Thankfully most people are using 256 and so it’s maybe not as urgent, but you’re right. To make this happen companies have to start talking about this problem today. That’s a great point. Well, so let’s talk a bit, I want to change gears just a little bit and let’s talk about a different problem. And you mentioned harvest attacks.
John OMalley: Yes sir.
Scott Emo: So first of all, what is that all about? Can you describe a harvest attack for us?
John OMalley: Harvest attack is also what I call a database attack. That data sits there, it’s encrypted, and it sits there, does nothing with it. And so what hackers do is they go and collect that data and then turn around and take it and send it somewhere else and start crypting that data at another location. Well, right now that’s happening so often businesses don’t realize it. And so what’s become now a big ordeal is that you can take those and send it to countries that have quantum computers, and they can start taking that and charging against it, and really starting to hack those databases or that data without you even knowing it with a quantum computer.
John OMalley: And to understand this, USA, Canada, and Europe aren’t the only people that have quantum computers. There are quantum computers that are built that are not at all within the United States or regulated. They’re owned by third world countries and they will make money doing this because this is [the] ability for them to get data. The best example I can use is take your debit card out. You use it on Google Pay, you use it at the local grocery store. They have a copy of it. You know what I’m saying? And what are the chances in 18 months, or even a year, that debit card is still relevant? 90% of the time, because they only change them out every four to five years. So, if I’m going to hack a database, it’s going to take me 12 months, 18 months, if it’s 256. Chances of me hacking that debit card is down to 80%. But 80% on a terabyte worth of data that’s millions, if not billions of dollars right there ready to be harvest.
Scott Emo: Yeah. That’s bank for a hacker looking for funding. That’s a win for them for sure.
John OMalley: Oh, yeah. Very much so.
Scott Emo: So it’s really about grabbing the data. So, the harvest attack is almost in the same genre of the encryption problem, but it’s where a hacker will take the data, bring it somewhere else and just pound on the data to decrypt it and then use that database for whatever it is. I mean, you used debit card or credit card numbers for an example but, boy, that’s really dangerous for data at rest. What do you think we can do? What are we doing or what can we do to solve this harvest attack problem?
John OMalley: So again, upgrading your data at rest solutions, upgrading your databases and things to use. Now they need to understand and read quantum technologies and things like that. Start monitoring your networks, get with your SAS programs and ask them to, Hey, look, we want to start tracking quantum problems. You need to start providing us or what can we do together to provide support where we’re starting to see these quantum attacks on the network. They are much faster and most network monitoring tools don’t even know where to look for when they start looking at this. Until you and other people, businesses saying, “Hey, look, we really want to take care of this and go into this SAS providers, we can’t help them. We have to get everybody up and have to get everybody on it and we have to start talking.”
Scott Emo: Great advice, great advice. So, now I’ve heard about quantum cloud. This is [the] Security on Cloud Podcast, so I’d be remiss if I didn’t bring up the cloud. And now I’m hearing about quantum cloud.
John OMalley: Yes.
Scott Emo: Can you tell me what that’s all about?
John OMalley: So, nicely put, not trying to throw names around, but IBM, Microsoft, AWS, Azure, all of them are developing what they call a quantum cloud. On the front side, [it] is a standard computer. On the backside, it’s tied to quantum computers. We are literally — and please follow my rabbit for a second — we are in the 80s of regular computers today. So, we’ve started networking computers. We start a networking quantum stuff. We’re putting quantum computers on the network. We’re building them to task together like we did in the 80s, we’re building that quantum network. To do that quantum network and then you start putting them together where we’re stacking quantum computers next to each other, we’re creating the quantum cloud.
John OMalley: And so businesses now can write data to the cloud. It’s encrypted. It’s going to be encrypted at the quantum level. They can write programs to execute in there. The quantum cloud’s first true interaction, which just ran not too long ago, they took a problem that would take a regular super computer 900 years to complete. And it did it in 36 seconds. So that’s how big these quantum clouds are going to be. And that involves, everybody’s starting to use on-premise quantum so they can write to those clouds. That means changing your APIs, that means changing a little bit of all that so that quantum cloud can grow and develop more.
Scott Emo: So are you concerned about well, are you concerned about this crazy increase in compute power due to this quantum cloud concept?
John OMalley: It does keep me up at night, but other things keep me up at night too. So, let’s be honest.
Scott Emo: Like your five-year-old, for instance. Yeah.
John OMalley: Yes. And then I’ve got a teenager and her boyfriend keeps me up at night. So, you know how that goes? Yes, it does bother me, and it scares me, but at the same time where, and again, I want to not show, but where our company has developed ways to protect and the ways to develop, it’s we are helping you and these people are going to continue. And the listeners here are going to continue to talk about it and it’s going to build that security, it’s going to develop them so much more and so much better.
Scott Emo: And this is just great advice, John. I’m glad that you’re able to help us out with this. And do you have a final piece there?
John OMalley: I want people to start listening and talking to themselves on the quantum. Everybody needs to know it, but the quantum itself is not going to be solved overnight. This is a group effort that we have to develop together. I also want our listeners to know that no matter what we do together, we always are going to have a binary team and a quantum team. And what I mean is that not everybody can understand quantum text, not everybody is going to want to deal with binary text, but we’re going to need both teams. And the only way we can fix this — because we made a mistake with the first time in regular computers — is we kept it siloed to just each group [having] their own stuff. We need to start sharing stuff together quantumly, as a whole, to fix the mistakes we made with binary.
Scott Emo: Alright. Well, John, we could keep going on this topic all day, but we’re running up against time. So this was a great discussion and a great eye opener for me and our listeners. I’d like to thank you so much for joining us today. If our listeners want to find you, how would they go about doing that?
John OMalley: Well, of course, I’m on LinkedIn. I’m the ugly guy on LinkedIn. So, if you look at John OMalley and you see the really ugly guy, that’s me. I have my email address. It’s [email protected]. So you can email me and then I will always answer whatever you guys need me to answer and I will give you as much information as I can.
Scott Emo: That’s great. Well, and remember, the Security on Cloud Podcast is brought to you by Anitian, the leading cloud security and compliance automation provider delivering the fastest path to security and compliance in the cloud. Thanks again to our guest, John OMalley. Until we met again, I’m Scott Emo. See you next time on Anitian Radio.
About Our Guest
John OMalley – Director of Cyber Security at American Binary
John OMalley brings over 21 years as an IT security and Identity Access Management specialist in both the U.S. Army and U.S. private sector healthcare system to American Binary as an Infrastructure and Security Specialist. After beginning his career in the U.S. Army as a computer analyst, Mr. OMalley served in increasing roles of responsibility as an IT security specialist while supporting both Department of Defense and interagency computer security operations in multiple Geographic Combatant Commands spanning, the Russian Federation and Europe, Africa, the Middle East, and South and Central Asia.
Mr. OMalley later transitioned to IT security in the private sector as the Identity Access Management (IAM) for LifePoint Hospitals, where he managed identity solutions for a network of over 50 hospitals and 30 separate emergency rooms. In this role, Mr. OMalley developed the network’s first Privilege Access Management (PAM) initiative before taking on a greater role in IT security.