Quantum computing is advancing fast, and with it comes a major cybersecurity risk—the potential to break today’s encryption standards. In this episode of Threat Vector, host David Moulton speaks with Richu Channakeshava, Senior Product Manager at Palo Alto Networks, about the urgent need for organizations to prepare for a post-quantum world. They discuss the risks of "harvest now, decrypt later" attacks, the painfully slow process of cryptographic migration, and the steps security leaders must take today to protect sensitive data. If your organization relies on encryption for long-term data security, this episode is a must-listen. Learn why waiting could be a critical mistake and how to start your transition to quantum-resistant cryptography now.
Want to hear Nir Zuk’s predictions for cybersecurity in 2025, including his thoughts on quantum computing? Check out episode 47 Why Big Data Will Rule Cybersecurity in 2025.
Protect yourself from the evolving threat landscape - more episodes of Threat Vector are a click away
Transcript
Richu Channakeshava: Why should everybody care about it and why should everybody start doing something around this migration today? Right? So, if you're not heavily regulated or even mandated to do that, the bigger problem with cryptography is that painfully slow migration process.
David Moulton: Welcome to "Threat Vector," the Palo Alto Networks' podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, director of Thought Leadership for Unit 42. Today, I'm speaking with Richu Channakeshava, senior product manager at Palo Alto Networks focused on SSL, decryption and post-quantum security initiatives. Today's conversation is going to be a little different. We're diving into quantum computing, a technology that has fascinated scientists and cybersecurity experts alike. While quantum computing has the potential to revolutionize industries like pharmaceuticals and logistics, it also poses a significant threat to modern encryption methods. If a cryptographically relevant quantum computer becomes reality, today's encryption, widely used for securing everything from online banking to government communications, could be rendered obsolete. That's why organizations need to start preparing now. So, today, instead of a typical interview, I'm going to be the student and Richu will be our professor. Quantum computing is a complex topic and I want to make sure that I and our listeners really understand why this matters, what's at stake and what we should be doing about it today. Richu, welcome to "Threat Vector." I am so excited to have you on the show today.
Richu Channakeshava: Thank you, David. Thank you for having me.
David Moulton: Before we get into today's show, which will be a little bit different, can you tell me a little bit about your background and maybe specifically what got you into the world of cybersecurity?
Richu Channakeshava: Sure, yeah. I started out my journey in application security. I was extremely interested in understanding what security means from a fundamental physical standpoint as well as from an application standpoint. I think this has been just a passion project of mine just understanding how security is adopted at different layers and different levels from when - way back when I was young. I would take things apart just to find out where are the nuts and bolts and screws and where are they hidden and why are they hidden and so on. So, yeah, that's where my excitement about security started. And, here we are 15 years later, I have moved from application security to digital security to everything under the umbrella of quantum security now.
David Moulton: Richu, did you put all of those things back together after you took them apart?
Richu Channakeshava: Not always.
David Moulton: No?
Richu Channakeshava: Not always.
David Moulton: Brilliant. Well, let's get into our conversation today. Okay, Richu, we're going to come back to a conversation that we started a couple weeks ago, a couple months ago, it's been a minute, where we were talking about quantum. And, in that conversation, I got so caught up in being aware of my limitations on understanding quantum, quantum security, quantum computing that I just interrogated you with a boring list of questions and provided you no conversation, no feedback. And, afterwards, I was grateful that you called it out. You were like, "That was not great. What - we shouldn't release that." And, so, we're back today and it's in the inspiration of one of my favorite podcasters, a guy named Roman Mars. And he has a show where he is the student and he's trying to learn about con law. If you're into constitutional law you should check out that podcast. The idea is that you have a professor, that's not going to be me, and you have a student, that's who I'll be today. And I'm going to ask some questions and try to keep up with you. Now, that's what we're doing today. It is a little bit different episode than we normally go after. I like to say that - you know, that I take pride in these shows being a place where I can go learn. And that's certainly going to be an area that we get into today. Sound good?
Richu Channakeshava: Sounds great. David, I appreciate you for, you know, taking some of that feedback and retrying this with me.
David Moulton: Yeah.
Richu Channakeshava: So, thank you for your time -
David Moulton: Yeah.
Richu Channakeshava: - again.
David Moulton: So, maybe we start at like the most basic. Richu, I look around and I see classical computing - quote/unquote "classical computing" everywhere, laptops, phones, the cars we drive, right, those sorts of things all the way to, you know, giant server installations and cloud compute. But what I don't know is where does one go to see quantum computing happening?
Richu Channakeshava: Quantum computers are not meant to be your general-purpose computers. So, you will not see them - not in the history of it, at least as far as I can tell today, you will not see them as a daily use for a general-purpose application. Instead, what quantum computers are is for a very niche set of computations which are -
David Moulton: Okay.
Richu Channakeshava: - complex which require quadratic speeds which are mathematical algorithms which have not been kind of force tested on the classical supercomputers. And, if they did try, they would take billions of years, if not millions. Right? So, that is the niche where quantum computers can start playing a big role. They are, of course, based on a completely different set of rules, they're based on quantum mechanics.
David Moulton: Okay.
Richu Channakeshava: And then, if I go into the technicalities, it gets to a place where a quantum bit called the qubit almost -
David Moulton: A qubit?
Richu Channakeshava: - can exist. Yeah, a qubit, q, u, b, i, t. A qubit can exist in multiple states at once. So, if you look at classical computers, it's zero or one, it has a binary state. And, at one given - at any given point, it's either zero or one or a combination of it. But, with qubits, they can be at all at the same time.
David Moulton: Okay. That's a little hard for me to grasp. What is it about that quantum state, that qubit, that makes it such a powerful computer in a different way than a classical computer? That ability to be in all the states has to be part of it. Right?
Richu Channakeshava: Yeah, yeah. So, the ability to exist either as zero, one or a combination of it all at the same time is a property called superposition, which means that if you have multiple different algorithms or that you - or let's say you have different states in which you want to test out an algorithm to arrive at different kinds of output to then envision a certain output being the actual result, you can run all of those different computations at the same time. So, your requirement now to run these different computations serially now becomes something that you can do parallelly and you can do that on a set of qubits so the speed at which you can arrive at different outputs is significantly reduced. Right? So, that's one.
David Moulton: Okay.
Richu Channakeshava: Second is, of course, today, you acquire a lot more qubits and the mapping of a logical qubit to the underlying physical qubit has been the bigger conversation and then error bits added to that and so on. But once we get to a state where the overall errors can be reduced, and Google Willow is taking a good - has taken a good step ahead from the last update that we heard in December '24, you will see that there are going to be less error bits required and just enough qubits to actually arrive at multiple outputs out of which one of it is going to be the right result that you're looking for. So, it's more of a probabilistic solution that quantum computers help arrive at versus something that's more deterministic or linear that classical computers focus on.
David Moulton: Okay. And this may be in the wrong direction here, but I'm picturing a cube, right, a three-dimensional concept. And when you're talking about serial versus parallel, is it useful to think about the ability to process things in classical computing as point-to-point linear and then you get to the next task and start that task and onward until you're done? Whereas like a computer - or a quantum computer could go in the X, Y and Z plane to solve something at the same time. They have the ability to move in all directions at once.
Richu Channakeshava: I think that's a fantastic example, by the way. I'm so glad you bring that up. The way classical computer would look at it is try to arrive at different ways of moving each piece of that Rubik's Cube or cube to get to the solution. Right? And it would try out different combinations, so it would be a trial/error. It would then read some dead ends and then say, "Okay, the final answer to solving this Rubik's Cube is XY." However, with the quantum computer, it kind of takes a bird's eye view, looks at how the Rubik's Cube is configured today and then probabilistically determines all the moves that you can make in that Rubik's Cube and then summarizes the best one to get -
David Moulton: Okay.
Richu Channakeshava: - to the final solution. So, it's less trial/error and more of probability-based approach.
David Moulton: So, as I've read about quantum computing, one of the big threats or big risks that it presents is around breaking our cryptographic methods, right, our different ways of securing the internet, securing our data. And you've just described the ability for this to look at all options at once and summarize. And that's not just for solving a simple thing like a Rubik's Cube that applies to our cryptographic standards. And can you talk about this idea of breaking the cryptographic standards? What does the - what are the effects of that? They seem far-reaching.
Richu Channakeshava: Of course, quantum computers, when they were envisioned, they were for a great cause, to solve some of the most complex mathematical problems, be it in pharmaceuticals, be it related to nature, even optimizing logistics and so on. But the same powerful compute can break what today's encryption depends on. Asymmetric algorithms, like RSA or elliptical curves, one depends on the prime number factorization. So, even to find out those factors for a very large prime number, a classical computer would have taken millions of billions of years. But a quantum computer can take less than a few minutes, at least theoretically. So, solving such complex mathematical problems, which is what today's cryptography depends on, is what a quantum computer proves to potentially break. And that is the underlying challenge which we are trying to now solve. And NIST has done a fantastic job in the last decade trying to bring in applications from researchers, from academic experts to see if there is a net new complex mathematical algorithm that cannot be broken not just by today's existing classical computers, but also potentially, at least theoretically, cannot be broken by a quantum computer. And -
David Moulton: Okay.
Richu Channakeshava: Yeah. And that's where the industry is moving is perhaps adopting and leveraging these quantum-resistant algorithms of cryptography.
David Moulton: So, to set the stage, we've got these computers that are very niche, as you put it. They're not shipping in my next smart refrigerator. And - although I've seen a quantum computer at an event and they told me that most of the stuff I was seeing was actually refrigerant in ways of keeping it extraordinarily cold. Maybe we'll talk about that later. They have the ability to do something phenomenal. It is to collapse time on mathematical problem solving. And that could lead to the data that we encrypt with today's best cryptographic standards no longer standing up to this type of computing. And, so, we need these new algorithms. And you talked about them a little bit there a second ago. Who's making the algorithms and how do we test them? And how do we know that they work if these computers aren't widespread and we have great Q&A on a concept that's being tested by another algorithm or another concept?
Richu Channakeshava: So, it is important to note that a lot of these newer algorithms that we are going to adopt as a quantum-resistant or a post-quantum cryptographic algorithm is only theoretically proven to be so. Right? So, the concerns of once a cryptographically relevant quantum computer, which is the quantum computer built for the niche of breaking cryptography, does come to fruition, will these algorithms in real life prove to be resistant to a quantum computer? Only time will tell.
David Moulton: Okay.
Richu Channakeshava: We don't know the answer to that yet. So, that is something to be strongly aware of. And this talks about it very openly as well. And that is the reason where you will see a lot of standards' bodies making recommendation to not just rely on one algorithm or a set of algorithms, there is going to be continued research in this area where newer algorithms will be introduced. And, so, the opportunity to switch between something that let's say is broken tomorrow and seamlessly switch to a newer quantum-resistant algorithm is going to become a foundational requirement in cryptography as we move forward. David, if you look at the last 30, 50, something years, RSA was introduced in 1977.
David Moulton: Right.
Richu Channakeshava: And, since then, we've only increased the size of the RSA algorithm. Elliptical curves only, you know, came into reality and in terms of adoption in the last decade. Right? So, not much in terms of evolution of cryptography. However, moving forward, I think that that fundamental principle itself has to change where you say it's not just one cipher or algorithm that we depend on, we depend on a variety of them -
David Moulton: Yeah.
Richu Channakeshava: - number one. Number two, it's also going to be dependent on the use case. I guess that if it's for web access it's probably going to have something that's computationally meaningful for the endpoints that are doing web access.
David Moulton: Okay.
Richu Channakeshava: And, if it's an IoT device, it has much smaller compute on these IoT devices, so an algorithm that perhaps is a smaller key size, but gives you just enough security is also a key factor to look into. And then, similarly for your servers and services which are hosted in data centers which have sufficient compute compared to endpoint devices and so on. So -
David Moulton: So -
Richu Channakeshava: - a lot of these, you know, variabilities in the infrastructure will start playing a role in what algorithm is used as well as what algorithm is - can be switched into should one of it be broken in the future.
David Moulton: So, you've got to get the right size. You've got to layer in different algorithms or algorithmic sets. You'd likely still have to consider classical computing. Right? Like there's a - there's no reason to pull the algorithms that stop classical compute or protect you from classical compute so now you've got a variety of things to think about. And, earlier, when you were talking about this, you mentioned that the quantum computer allows you to go faster because it looks at multidimensional ways of solving things through that bird's eye view. Why wouldn't you wait until all these things are proven true to worry about them if you're a security leader? What's the risk in holding off and letting this play out before you invest a lot of time and effort in moving towards these, you know, hopefully, resistant algorithms?
Richu Channakeshava: That's a fantastic question. I think this is most of our customers' question, if not my own question. Right? The top risk today, of course, is for an industry with sensitive data, number one. And, number two, the shelf life of that sensitive data. So, if you have highly confidential information that cannot land in the hands of the wrong person, number one, and it has a lifetime or a lifespan of about 20+ years, this is the moment where you should feel threatened I'd say.
David Moulton: Okay.
Richu Channakeshava: The reason is because harvesting of data, either by a nation state or by a potential third-party hacker, is ongoing today, has been ongoing for the last decade.
David Moulton: Yeah.
Richu Channakeshava: And harvesting of data is only getting more - becoming more common surprisingly or sadly I should say because it's not too difficult. You know, you consider my Wi-Fi access point and just make copies of encrypted data. It's not very difficult to do that. Of course, that's not what nation states are doing. They're doing it at the data centers -
David Moulton: Right.
Richu Channakeshava: - federal agencies and so on. But the idea that a harvesting attack is the biggest threat is true. Right? And, once there is a CRQC, a cryptographically relevant quantum computer that does become reality, a nation state is not going to come out and talk about it. Instead, they're going to work on decrypting that sensitive information that they harvested and then do something with that information that's in their hands. So, it's - if you look at it, it's almost a race to a superpower who potentially will have information as their weaponry. Right? So -
David Moulton: Yeah.
Richu Channakeshava: And sensitive information [inaudible 00:20:29].
David Moulton: Yeah. I can see this being really sensitive data that sticks around and is likely harvested, you know, satellite communications for governments. You know, that -
Richu Channakeshava: The military.
David Moulton: Yeah.
Richu Channakeshava: Nuclear.
David Moulton: Yeah. The military communications, you know, how do you communicate off the battlefield and/or how do you make sure that your allies and your conversations are protected? So, at the end of 2024, I talked to our founder and CTO, Nir Zuk, about some predictions. And one of the things that really stuck out to me in that conversation was his take on quantum. And I don't know if this is a widely shared opinion. Nir says what Nir thinks. But he said, "Quantum is a giant hoax on Silicon Valley and tech companies and not to worry about it." And then he backed off at the end and he was like, "But you might as well look at some of these algorithms as worthy to put into play." It's - you know, maybe he's wrong. And I wonder how do you square somebody like Nir and/or maybe others having an opinion that quantum is never going to come to fruition? It's been in the works for, what, 25, 30 years? With this timeline of about 10 years from now, there are regulations and there's this move or this push to move towards these more secure algorithms against quantum computing. Like how do you square that?
Richu Channakeshava: So, I don't completely disagree with Nir. Let me put it that way. So, he's right about the niche use case for a quantum compute having a lot more power when it comes to pharmaceuticals, when it comes to protein engineering, when it comes to drug manufacturing customized for a certain user. Right? So, there's so much value in that space. And, like we already discussed, quantum computers have to be built in a very specific way for a certain use case. If you don't have a general-purpose quantum computer that doesn't, it cannot exist. So, it is going to come down to where does the investment flow? Where does the money go? The money that's going into building a quantum compute for pharmaceuticals, there's a lot of value that's already being done today. Cleveland Researchers have been at the forefront in their partnership with IBM trying to drive that. Then you look at, of course, cryptography that's being threatened and the harvesting that we have known from nation states. So, in an effort to combat that, you will perhaps see some investment flowing into a niche for a quantum computer which is cryptographically relevant as well just to have that as an ammo or an ammunition. Right? Just like how the nuclear ammunition works, this is potentially going to be a strengthening use case there that a nation state would leverage CRQC to hold as an ammunition. And then maybe a third one exists for logistics and a fourth one and we go down the list of use cases that can be relevant. So, there is investment. I - it would be hard to deny that there isn't investment in CRQC.
David Moulton: Sure.
Richu Channakeshava: So, while that is true, is a cryptographically irrelevant quantum computer going to come to fruition in the next five years? In the next 20 years? I think that's the statement Nir is trying to make. He doesn't see that anytime soon. And, perhaps, in two decades or maybe more or maybe never. And that's not a bad statement to make because you have to prove this use case, number one, which seems to be proven at this point, but you have to then get to fruition of such a quantum computer and then break an RSA encryption for a small set of data to then say, "Hey, I've done this, this looks viable. Now all the harvested data in my data centers can be pushed through this quantum computer." And, remember, a quantum computer only works for a millionth or a fraction of a second at subzero temperatures and then that chip is gone. Right? You have to rebuild the chip every time you want to run a certain set of algorithms. And that is a state of a quantum compute today. So, to have a sustainable quantum compute large enough, fast enough and that can sustain a five-minute operation, that can sustain a few minutes of an operation is still somewhat of a dream state. And that's why it's fair to question whether it'll become viable in the next few years. I'd love to hear from Google. Google's been doing some great work in investing in error correction there. So, let's see how that goes. While that is a fair statement, I'll tell you where I think it's going to matter to the larger set of the - just companies and industries in the world. Cryptographic migration is painfully slow. Okay? So, I'll say that again. Cryptographic migration is not just painful, it's painfully slow.
David Moulton: And why is that?
Richu Channakeshava: [inaudible 00:26:06] was - just look at the history. RSA was introduced in the 7 - 1977, as I said. It took 25 years since then to stabilize, be adopted, undergo some operate - some upgrades in key sizes. And, finally, by 2002, we landed out of say 2K key and everywhere - and almost all applications said, "I think we are okay. I think this is strong enough." This is computationally supportable from a resource perspective. It is just enough for internet bandwidth. It does not increase my MTU size for a packet size to go through my internet cables and so on and so forth. Right? So, a lot of things had to stabilize, had to come together to say cryptography can take a backseat, we are good, we will just continue to adopt RSA 2K until elliptical key, elliptical ciphers came about and they said, "Hey, we do computation much better. We are much stronger at smaller key sizes. Okay, let's try to adopt them." And there was many other reasons as well without going into the technical details there. So, you will see some sort of that, some version of that history repeating. That was a good 25 years when RSA was introduced to when it stabilized. You will see that happen now. So, you see that 25-year journey-ish that we have to take, that starts today. So, to the point that if your data is sensitive and it may take five years or 20 years, if your data takes 20 years, you better start now because it's going to take you 25 years to slowly migrate. And I'm giving you approximations. I'm not [inaudible 00:27:50] -
David Moulton: Sure.
Richu Channakeshava: - this is not just [inaudible 00:27:51] -
David Moulton: You don't have a -
Richu Channakeshava: - 20, 25 years.
David Moulton: - crystal ball that you're [inaudible 00:27:54]. It's -
Richu Channakeshava: It's - yeah -
David Moulton: - you know -
Richu Channakeshava: - I certainly don't.
David Moulton: - exactly this long, but long periods of time. This isn't -
Richu Channakeshava: Yeah.
David Moulton: - a single quarter sprint that your IT team is able to execute on, you know, say, 90% of the crown jewels. This is a multi-years', decades-long effort. So, if you're not regulated in the way that you described, how do you figure out where you're at on the scale between I've got to start immediately - I've got to start immediately in six months and/or I'll wait and see? What are the types of decisions or how would you think about the type of data and go through that process so that you're investing appropriately, you don't have to cram for the test, so to speak, at the last second if Q Day shows up early, but you're not focusing on a theoretical problem that's potential in the future when you have a real problem knocking at your door today?
Richu Channakeshava: Yeah, that's a great question because that's where we then try to answer why should everybody care about it and why should everybody start doing something around this migration today. Right? So, if you're not heavily regulated or even mandated to do that, the bigger problem with cryptography is that painfully slow migration process. So, when you are thinking through where do I start and I want to make this as less painless for myself and my teams, but I want to start the process and phase it out, it's going to be slow. There is no two ways about it. This upgrade or migration is going to be slow. But how do I make this painless? You start with something called a cryptographic discovery or inventory. And then, once you start with that, you are looking at all of your user side devices or user endpoints. You're looking at your applications and the host machines that are hosting these applications, the data centers they're located at. Then you're looking at your infrastructure. So, one of your infrastructure could be Palo Alto Networks, it could be Firewalls, it could be a set of other vendors, the routers, load balancers, you name it, right, all the way to IoT devices in your printers, your cameras, your Voit devices in meeting rooms, so on. The list goes on. There are many, many devices connected over the internet or the intronic today. So, you start with inventorying all of these devices and that cryptography supported cipher list. So, that's where you start. And then, once you've done that, you recognize who's the top-level user that you absolutely want to secure. Also recognize where is your most sensitive data that you absolutely want to secure. And if the top-level users and the data are a great match, you're good to go. But if they're different sets, then you kind of prioritize both at the same time and take that in paces. So, that's ideally how you would try to start, your more sensitive data and users.
David Moulton: So, it always starts with knowing what you have and who you're protecting and then -
Richu Channakeshava: Yeah.
David Moulton: - building your Venn diagram even for this data security problem. A question that came to me while you were talking back on the investment and I want to go back to this for a second. Has the advances that we've seen in AI accelerated the likelihood of cracking, if you will, the quantum problem? And/or has the investment shifting to another technology slowed things down? Or is there just no good way to answer that question?
Richu Channakeshava: Based on some of the investment that we have seen in AI, it certainly has been a tool that can be used for reducing error, at least when it comes to designing a quantum compute chip. Besides that, what, of course, we know is eventually AI is also going to benefit from the quantum computer because the large data sets that today's machine learning algorithms that then, of course, are a small piece of the big AI umbrella have to process, can be done much, much more faster than an [inaudible 00:32:52] possible outcomes with a quantum computer. So, there is some synergy there, but it - the synergy actually coming to fruition and helping out is going to be based on the use case that the quantum computer is built for.
David Moulton: So, we've been talking a lot about data security. I'm wondering what are some of the other implications of quantum computing beyond that cryptology that's out there for people to think about.
Richu Channakeshava: A lot of it is still related to cryptography when I think about it. But, of course, beyond it is data integrity itself. Like, again, algorithms that are in use today for the integrity of data, so any piece of code or firmware that's coming out of any enterprise, any company today, has to maintain a certain integrity without being tampered. And there is a signature way in which that is verified. And, so, since these signatures are susceptible to a quantum attack, what could potentially happen is that the integrity of that code or that data is lost. So, now replacing that with a quantum algorithm is another place that we see a big need for PTCs. Of course, besides that, there are - there's a little bit of conversation around potentially how quantum and AI can impact jobs and -
David Moulton: Okay.
Richu Channakeshava: - just kills and how the culmination of these two technologies will, of course, open more doors and newer sets of use cases and job opportunities. But existing software engineering or existing automation that manual intervention is required for perhaps will definitely get replaced. These are some that I can think of, but - yeah.
David Moulton: Okay. And it seems like the data security level or the breaking the encryption is level one. And then could you go through and mess with the data and make it seem like it hadn't been messed with? So, you've got to worry about that. So, that's a problem to be solved. And I agree with you that the idea of quantum and/or AI, it always rises of what will the humans do. I've been around the sun a couple of times, I've met us humans, we are innovative, we cannot seem to put ourselves out of a job. I just think that we're going to put ourselves out of some of the jobs we have today and give ourselves new ones in the future. I just can't predict what it's going to be. And maybe that's the looking back at history. You know, there's a moment where - there's a podcaster that talks about this idea of moving to the automobile was really frightening for those who made buggies and, you know, took care of horses. But, in the future, you had people that were inventing heated seats and satellite radios. And it was such a -
Richu Channakeshava: Yeah.
David Moulton: - strong story of like, "yeah, that's where innovation goes" that I've really latched on to that story. I like it. I just wonder if the gap between when the job goes away and when the new one exists will actually shrink to the point where we're able to re-skill or come up with the next thing as fast as it's needed. I imagine we will. But, you know, that's a fascinating thing to think about, you know, the CIA triad, right, for -
Richu Channakeshava: Yeah.
David Moulton: - your data in and around quantum and/or quantum and AI together, whatever the cookies and cream mixture of those two is. Richu, at the end of every podcast, I like to ask the same question. What's the most important thing that a listener should take away from the conversation you and I have had today?
Richu Channakeshava: The most important thing, I think I have a few, but I'll start with the most important one, the first. The first is I think it is critical for every one of us to understand today's algorithm is at risk. So, let me let me say it in simple terms. You, I, everyone has a handheld device. We have our own personal mobile devices. At the very least, understanding that does my handheld mobile device support these stronger algorithms either from a hardware perspective or even the applications that are running on them, do they support these newer algorithms. Am I truly secure? Is my WhatsApp secure? Is my Signal messages secure? Is Zoom secure? But that is the level of question I think that's worth asking so every one of us are thinking about it from a personal standpoint as well as for our employers. Are we asking these questions as, "Is my IT team doing something about this"? And then that percolates into IT team working with the vendors to do something about it and so on, so forth. So, I think that would be the top one. The second and the third is I think there is so much good potential to AI and quantum coming together, so keeping an eye out for upskilling in these two technologies would be something that I would recommend as well. And the third one is definitely when you go to bed switch off and sleep well. All of us working in cybersecurity, you probably forget to do that. So, try, try to sleep well.
David Moulton: That is great advice for everyone, switch off. I thought you were going to say, "Don't wait. Today is the best day to start that migration because it takes a while." I remember trying to cram for a couple of tests as an undergrad and always regretted it. And, as you've described this painfully slow process, you would hate to go hit that moment where you need it done, but it's painfully slow and you can't do anything about linear time. You're just exposed.
Richu Channakeshava: David, that's the best takeaway. So, I'm glad you're speaking for me.
David Moulton: Well, it has been a pleasure to be the student in the conversation today here on "Threat Vector." Thank you so much for coming back on and talking to me about quantum computing, the future of algorithms and some of the potential that may show up in the next couple of years or the next couple of decades and giving us a heads up that we shouldn't delay.
Richu Channakeshava: Happy to be here. Thank you for having me.
David Moulton: What a conversation. If there's one thing I'm taking away from this discussion with Richu, it's this. Quantum computing may not be an immediate crisis, but waiting to prepare could be a huge mistake. This is something that Nir Zuk touched on in Episode 47 of "Threat Vector" when he said -
Nir Zuk: Some people are worried that quantum computers will be able one day to decrypt the traffic that we have today and decrypt the files that we encrypt today and so on.
David Moulton: That's the real risk, harvest now, decrypt later. If organizations don't take this seriously today, they could wake up a decade from now to find that critical data, whether it's government secrets, financial transactions or intellectual property, has been exposed. And, by then, it'll be far too late to do anything about it. And here's the real challenge. Cryptographic migration isn't fast. As Richu pointed out, when we moved from RSA to newer encryption standards, it took decades for organizations to fully adopt them. The transition to post-quantum cryptography will be just as slow, if not slower. So, if you're a security leader, here is my advice. Start today. Take an inventory of where encryption is used in your organization. Identify your most sensitive data, the information that must stay secure for decades. Plan for a phased migration to quantum-resistant cryptography. Because, by the time the cryptographically relevant quantum computer exists, the organizations that prepared early will be the ones that remain secure. That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help us understand what you want to hear about. I want to thank our executive producer, Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
