menu

Separating the Hype From the Reality

peter-bordow

In this episode of Cybersecurity (Marketing) Unplugged, Bordow also discusses:

  • The quantum computing hype versus reality: His assessment of our quantum program’s current state;
  • Two camps in quantum: Hardware approach and software approach;
  • The importance of new technical approaches to preserve privacy.

Peter Bordow is the senior vice president, principal architect and head of quantum systems and emerging technology for information and cybersecurity at Wells Fargo Bank. Before Wells Fargo, Bordow spent 20 years in and around the information technology and cybersecurity business and also managed to compose and play blues, which earned him a Golden Music Award back in the year 2000. He studied film scoring, arranging and composition at the Berklee College of Musci, which may or may not have led to his interest in quantum.

Anything that Bordow tells us today is his personal opinion and not the opinion or official position of Wells Fargo Bank.

We’ve got criminals, bad guys and nation states stealing personal data. Company IPs know that future quantum computers will be able to decrypt any of that encrypted content and businesses are already being urged to switch to some form of quantum proof security for data transmissions.

How does Bordow think we are dealing with this and when does he think that capability will exist?

There really is a lot of concern today about what to do about that. There’s a number of different strategies that entities are taking to help protect and safeguard against that eventuality. The National Institute of Standards and Technology, NIST, in Colorado, has been working over the last few years on testing and validating a number of cryptographic algorithms that are quantum resistant. Now, we don’t say “quantum proof” in the field because there’s no such thing as anything proof in security. But mathematically, we’ve shown that these new algorithms are very resistant to the known landscape of quantum attacks.

Full Transcript

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 

 

Steve King  00:13

Good day everyone. I’m Steve King, the director of cybersecurity advisory services here at CyberTheory. Today’s episode we’ll explore the current state of quantum computing and see if we can separate the hype from the reality. With me to explore the topic is Peter Bordow, the senior vice president and principal architect, and head of quantum systems and emerging technology for information and cybersecurity at Wells Fargo Bank. Anything that Peter tells us today is his opinion and it’s not the opinion or official position of Wells Fargo Bank. And before wells, Peter spent 20 years in and around the information technology and cybersecurity business, and also managed to compose and play blues, which earned him a Golden Music Award blues artists the year back in 2000. Theater studied film scoring, arranging and composition at the Berklee College of Music, which may or may not have led to his interest in quantum it seemed like that worked pretty well for some guys named Heisenberg, Einstein and Planck. But far be it for me to know that. So welcome, Peter. I’m glad you could join us today.

Peter Bordow  01:27

Thanks, Steve. It’s my pleasure and honor to be here with you.

Steve King  01:31

Thank you. So let’s talk about quantum particularly the harvest now decrypt later idea. Harvest. Now decrypt later is kind of a pressing concern. At the moment I we’ve got criminals and bad guys and nation states stealing personal data and company IP knowing that future quantum computers will be able to decrypt any of that encrypted content, businesses are already being urged to switch to some form of quantum proof security for data transmissions. I don’t know what that would be, but maybe it’ll help shed some light on that. How are we dealing with this? And what is when do you think that capability will exist?

Peter Bordow  02:13

A couple of really big questions. So yeah, harvest. Now decrypt later is an emerging hot topic in many industries, especially financial industry, right. And I think you phrased it pretty well. So while quantum computing platforms today are not cryptographically relevant, per se, but we know they will be that doesn’t stop bad actors, states and nation states from actively capturing encrypted data today that stayed in motion, mainly right through rerouting of internet traffic, and so on, with the anticipation, knowing that they will one day be able to decrypt that information. And so a lot of this really is around shelf life of data value, right. And so in the financial industry, there’s a long runway, if you will have data shelflife. In some circumstances, things like mortgage information, and so on, can be relevant for, you know, as many as 30 years. And then things like personal information, like your name and address, phone number, ethnicity, and so on. Those things are timeless, right? They’re they’re valuable in perpetuity. So there really is a lot of concern today about what to do about that. And so there’s a number of different strategies that entities are taking today to help protect and safeguard against that eventuality. And so I’m sure you’re aware that the National Institute of Standards and Technology, NIST, in Colorado, has been working over the last few years on testing and validating a number of cryptographic algorithms that are quantum resistant. Now, we don’t say quantum proof in the field, right? Because there’s no such thing as anything proof insecurity. But mathematically, we’ve shown that these new algorithms are very resistant to the known landscape of quantum attacks, right. And so in the world of what we know will be a threat. There are some steps that organizations can take today to make more robust their current encryption and public key infrastructure. The real concern is what we don’t know that we don’t know. Right, in the world of quantum algorithms, we know that there’s a set of really good algorithms out there for breaking asymmetric encryption. But what we don’t know is what hasn’t been developed yet. Right? And if you look at the landscape of algorithms on classical platforms, there’s 10s of 1000s of algorithms out there, right, every flavor and variety. But in the quantum world, there’s really only a handful of well established algorithms that are available today. And so there’s there’s an enormous ecosystem of algorithmic solutions on quantum machines that have just not been developed. And so Oh, yeah, we’re always concerned about what we don’t know that we don’t know quite yet.

Steve King  05:05

In terms of quantum computing hype versus reality, what is your assessment of the current state of our quantum programs here in the States? And how far ahead do you think China is? And what’s the global impact when China gets there first?

Peter Bordow  05:22

Yeah, great questions. Well, just for a little context. So IBM, one of the most well known developers of quantum computing platforms, has had a cloud based solution available for seven years now, I believe. And there’s been a lot of iterations, right, they’ve gone from a handful of qubits, the quantum equivalent of a digital bit, right? They’ve gone from a handful of those, up to now they’ve announced over 100, I think, is 127 is the latest platform with plans are designed on releasing 1000 qubit machine here in the next 12 months or so, according to the Republic roadmaps. But you know, the reality is, is that these quantum platforms are just not ready for primetime quite yet. And it almost sounds like a broken record when you say anytime now anytime now, but really, it kind of is anytime now, in terms of what that date will be. When quantum platforms become, let’s say, quote, unquote, production ready, I think you’ll get a pretty good variety of answers. And we’d like to say when you when you ask an engineer and architect a question, you’ll get at least two or three different answers. You know, my personal opinion after looking at the landscape over the last seven years, knowing and experiencing 30 years of IT development in hardware systems, I’m going to say a good bet is about five to eight years before some production ready platforms are available, right. And there’s a lot to that. But I think it depends on the use case. Now, if you’re trying to crack or factor prime numbers for a cryptographic algorithm, that’s one thing. But if you’re trying to do chemical simulations, or if you’re doing optimized search operations, or even if you’re doing say, anomaly detection, or potentially applying for privacy enhancing technologies, that landscape might be quite a bit shorter. Right? It all depends on the number of usable qubits that you need to perform any particular use case. So it’s not an easy answer. But I would say that it’s it’s an exciting time. And we’ve all got our eye on the short term horizon for these developments. Next year, 1000 qubit, machines will be becoming quite common. And so who knows, the year after that it might be 10,000, qubit machines, and then 100,000, qubit machines, and then we get into some really exciting space, in terms of bad actors, bad actor, nations, and so on. So as you can imagine, it is difficult to get a thorough and accurate assessment of the state of the art of let’s say, the Chinese efforts to develop quantum platforms, right, as a closed society, we don’t have good visibility into reality. So all we know, really is from headlines and press releases, and so on, which would indicate that they are on par with the rest of the quantum technology community, in quantum communications, quantum security, quantum computing. But again, you know, you don’t know what you don’t know. So we’re always have a heightened sense of awareness and alert for signs that would indicate that there’s great advancements on that other side, right. In terms of the threat, though, you know, we’d like to think that any productive developments in the quantum technology community would benefit the whole community. There’s a real profound sense of information sharing, of collaboration. And that’s even across international lines. And so the community is very robust in their cooperation in exchanging information and publishing papers and so on. And so, you know, I think, what’s the old expression, we may not all be in the same boat, but we’re all rising to the same tide. Right. So I think there’s a lot of incentive for international communities to continue working together. And hopefully, you know, this will all shake out in the next five to 10 years and we’ll all be one happy global community in the tech industry. We’ll see how it goes.

Steve King  09:32

Okay. All right. I’ll buy that in terms of algorithms and quantum mechanics principles. That seems to be two camps in quantum right. The first is the hardware based approach the qk D quantum key distribution, which I think uses fundamental quantum mechanics principles to facilitate secure communication. The second is As A Software approach, post quantum cryptography is based on algorithms that, unlike RSA, are not based upon factoring a large semi prime number. In the future, large primes will be breakable by high performance quantum computers, which which is the preferred approach, in your opinion? Or will we sort of continue to use both?

Peter Bordow  10:22

Yeah, so personally, I think will be best served by the multi layer model that we often use in information security. I think there there are advantages to the algorithmic approach or the software approach of more robust algorithms and key lengths and so on. But I don’t think that’s the silver bullet. Right. I think, again, this goes back to what we don’t know that we don’t know yet. Right? So there’s a lot of mathematical theory and proofs around what is the magic number for key length? Or what is the magic formula for developing asymmetric encryption. But you know, that’s a moving target. And I think while it’s logistically easier to implement these algorithmic and software based solutions in the existing infrastructure and enterprises, I think long term, we’re looking at a layered approach. I think software based robust security solutions will always be part of the solution. But I think quantum mechanical solutions will put the icing on the cake, if you will, right, I think that’s going to be your more secure blast radius, reducing attack vectors significantly, if we can perfect quantum key distribution. And there are a couple of different flavors of that too, right? Like there are some mildly complex schemes where you’re transmitting photons across a fiber optic cable. And then photon loss, which is caused by Eve in the man in the middle attacks are calculated and detected. These are very well understood protocols, and easily implementable. And there are some off the shelf products today that you can buy and put into use, I think more exotic solutions, where you’ve got entanglement based authentication methods are still being developed. But I think they’re going to be, again, a key aspect of the overall ecosystem. And I think, eventually, we’re going to end up in a sort of a hybrid environment, from mobile devices to desktop devices, to data center applications, I think, and especially with satellite communications as well, I think we’re going to see a multi layered multifaceted approach.

Steve King  12:29

It’s hard for me to imagine all of this going on at the satellite communication level. Isn’t that instability that you just referred to part of the barrier to figuring out how to get this stuff to work?

Peter Bordow  12:45

Yeah, you know, like any technology, there are early days, there are maturity days, and then there’s production days. And you know, if you scan the headlines, you’ll see that there have been quite a few press releases and announcements about successful ground to satellite based que que de implementations, to the best of my knowledge. None of these are in quote of a production today. But you know, there’s a really large community hard at work here, right. And that’s government research, academic research, private industry research, and in many cases, partnerships, among those entities that are working very, very hard to make that a reality. And I think I think we’re not too far away. My personal opinion is I think we’re, we’re probably two to three years away from a production to kT system that leverages satellite communications.

Steve King  13:38

Wow, that’s pretty impressive. Keep in

Peter Bordow  13:41

mind that quantum key distribution is, as the name suggests, a security layer for exchanging keys, right, the keys are still vulnerable. And so there’s always going to be attack vectors that you haven’t considered. And that’s kind of like one of the organic rules of nature, right? Yeah, sure. So it’s not again, it’s not the panacea. It’s not the silver bullet. It’s not the end all be all solution. I think. I think there’s a long road to hoe here.

Steve King  14:07

Yeah, I’m sure that’s true. Talk to me about that. The whole privacy enhancing technology business, that Pet Pet stuff, the rap that we see huge adoption in digital services that depend on data. And that kind of underscores the importance of, you know, a new technical approaches to preserving privacy and, you know, confidentiality was policy evolution. Can you help our audience understand what a pet is and how it can be helpful in every regard?

Peter Bordow  14:40

Sure. So privacy enhancing technologies are sort of an umbrella term that relate to a family of privacy, enhancing technologies as the same would apply. So we’re talking about things like homomorphic encryption, where you can perform mathematical operations on encrypted data without having to decrypt them. So this is an interesting field, a lot of mathematics involved behind all of this a little bit out of my specialty area, there is differential privacy, where data sets are obfuscated by removing any data elements that would give an attacker the ability to reverse engineer a whole dataset. So in other words, if we take customer profiles, and we apply differential privacy to that data set, no one would be able to use any of the obfuscated fields to be able to determine what the real data elements are. Now, it’s a much deeper conversation that we can do in 30 minutes. But in a lot of these schemes, there are key mathematical principles that rely on randomness, entropy, if you will. And so in the Information Security profession, and in the field, we have for a long time relied mainly on what we call pseudo random number generation, which is pretty good, right? I mean, we can generate randomness, with what has been sort of an acceptable level of, of entropy. But quantum computing platforms give us the ability to generate true randomness, true entropy, where there’s no noise or interference within the system, that can be used to reverse engineer or facilitate better brute force attacks against random numbers, determining random seeds, and so on. And so I think there’s going to be some interesting research, and there probably is today, there’s some papers out there that you can search on archive and so on, that talk about the application of true quantum entropy to these privacy enhancing technologies to make them even more secure. And especially when you consider things like multi party computing, and confidential computing, and a number of the other approaches. It’s a very, very interesting convergence of the two fields together.

Steve King  17:17

It seems to me and I, my understanding of quantum is kind of paper thin, but it looks like the and the environmental issues are are going to be difficult challenges, right? I mean, the whole entanglement businesses are, you know, however, you want to consider that the instability of these of the systems, kind of a big problem that hasn’t been solved yet. Can you give us an update on kind of where that’s at from an entanglement point of view?

Peter Bordow  17:49

Yeah, so when we talk about system stability, or qubits, stability, and decoherence times and things, it’s really important to note that different modalities, different hardware, or engineering approaches to qubits have different performance characteristics. So the most popular one, I would say, or the most well known one, is what we call superconducting qubits, right. And that’s the basis for IBM’s machine. It’s the basis for Google’s machine and for Gettys, machine and so on, very common, right. And so there are very short coherence times, which is not getting too technical. Its coherence times is essentially, the window that you have to perform whatever operation you want to perform on the quantum platform. And those times are very, very short right now in that platform on those platforms. But there’s a lot of very interesting work being done in photonics. So using photons, as qubits as opposed to electrons, or even in Cold Atom technology. There are a couple of companies out there, that super cool individual atoms using lasers, and they can get much better coherence times. Now, there’s often trade offs, right? So there’s gait fidelity, there’s coherence, there’s a lot of different parameters associated with the overall usability or efficiency or stability of a qubit. And so there’s often trade offs. And so while your entanglement times are a bit longer, perhaps your noise or interference coefficients are higher, or vice versa, right. And I think there’s no clear declared winner yet in this space. But they’re certainly the equivalent of an arms race, which makes it very interesting, actually, every few weeks, if you keep a close eye out, you’ll see announcements and things like extending coherence times, or even software and hardware based error correction on qubits as well. And so yeah, it’s real hard. At this point. It’s determined a front runner, or even a potential winner in the space. But yeah, they are working hard on addressing the problem.

Steve King  19:58

Yeah, but until like It solves you there’s not, we won’t be able to have a practical quantum based solution of a computer essentially, right, that we can use for anything. And with reliability.

Peter Bordow  20:13

Yeah. So again, you know, it’s a real hard question to answer because there’s so many variables. So it’s like standing in a control room tweaking different knobs, right? What’s your circuit depth for your algorithm? How efficient is your algorithm? How many qubits do you need to perform your operation? And then how long do you need the stability of those qubits to survive to complete the various sequential operations? And then how long is the circuit setup time and so on. And so if you can make your algorithms more efficient, that’s one approach. If you can make the hardware platforms more stable, that’s another approach. And so by twisting these knobs and moving these levers, there will eventually be a sweet spot where we can be more productive in the intersection of engineering and software. So is IBM

Steve King  21:00

kind of leading in your estimation, and leading the way in that regard? Today?

Peter Bordow  21:08

is a really hard question to answer. If you ask IBM, they’ll say yes, if you ask Righetti, they’ll say no. And if you ask D wave or other platform developers still say no, right? It all depends on the eye of the beholder and where you’re standing. And really what what your use case applications are.

Steve King  21:27

Didn’t they do the breakthrough, though, in terms of the decrypting, or the ability to manipulate encrypted data? The Homo morphic morphic

Peter Bordow  21:36

encryption, yeah, yeah. So okay, so separate from quantum platforms. IBM has been an effective pioneer in fully homomorphic encryption. Well, look, we don’t want to mischaracterize this, that’s still a field that has a long way to go. So there are a lot of restrictions on what operations you can perform on this encrypted data, very simple arithmetic functions today. But IBM has been one of the leaders in that space, you can just look at the headlines and look at the papers that they’ve published. But if there’s there’s a really long way to go in that area, IBM, I would say, look before, before I got involved professionally, in the quantum technology space, I was a hobbyist. Right. And so IBM was one of the very, very first folks to put out a publicly accessible platform, where Joe year can could create an account, login, and go through some fundamental tutorials on what a qubit is, how to manipulate the fundamental logic gates on their platform, and then begin to actually write some real fundamental algorithms. I mean, they were doing that like five years ago, or maybe even longer. Right. And so you know, it’s not always the first to market that will be the eventual leader, right? But it is the first to market that typically gets all of the notoriety, the hype, the reputation, and rides that momentum to help motivate the rest of the industry. Right. IBM has done a lot of things, and they’ve done a lot of things very well. And they’ve done a lot of things that not so well. Right. But they’ve always been at the forefront. So you have to give credit where credit’s due, that’s for sure.

Steve King  23:29

Yeah. And to give us a little bit of context, when we talk about slowing these, these functions down. What are you talking about in terms of timing, for example, on, you know, whatever, whatever you’re using atoms or, or photons, for example, if you’re gonna slow slow that down, what do you what do you what are we talking about in terms of slowing it down to what?

Peter Bordow  23:55

Yeah, that’s a good question. And I’m not going to try and rely on my aging memory here for exact values here. But I can tell you that there’s, there’s orders of magnitude and difference between two the coherence time on a superconducting platform. And this may be off base. So big disclaimer here. Right. But I think we’re talking a handful of microseconds, I think somewhere 10 to 15 microseconds, and I’m sure there’s gonna be listeners out there already Googling, checking my, my numbers here, right? So don’t rely on what I say go ahead and Google this. But in other platforms, like photonic platforms or Cold Atom technology, you can get a 10 or greater fold increase in coherence times, which is enough to run, you know, a handful of operations. I mean, you can’t you can’t run 1000 lines of code like you can on a traditional machine. But we’re getting there little by little,

Steve King  24:51

yet. You’re still talking about 1000 fold increase in in overall speed of operations, right? Yeah, yeah. Yeah, it’s pretty amazing. Really. It’s pretty amazing what we’re doing there actually, it’s very Star Wars like, stuff. So you know, good for you. I’m glad you know, it’s, you must, must be a fun job up there at well. So,

Peter Bordow  25:18

man, I have the coolest job in the world and I work with the coolest people in the world, I am so privileged to work with the folks that I do. And wells and in this industry, look at you know, I’ve been around the block for a long time. And the level of collaboration and cooperation in this industry is really staggering. It’s, it’s a lot of fun. And I’m super privileged to be here.

Steve King  25:41

I wish that were more true on the cybersecurity side of the fence as well. But we have ways to go in that regard for whatever reason there. I think there’s some personality and ego involved, but whatever. So do you still have a final question is that is back to blues guitar? Are you still? Do you still play in record? Or is that a thing of the past?

Peter Bordow  26:06

Well, I’ve taken a bit of a hiatus work has been pretty time consuming the last couple of years, I have been working on my next album release, which is the working title is net profit. And that’s PR Bureau PhD, right? It’s a play on words, obviously, I’ve got like a third of the album down. As you may or may not know, I get paid not to sing. So part of the challenge is finding really good vocalists to match my aggressive if not brutal, and belligerent guitar style. So always on the lookout for good vocalist, if any listener out there thinks they can hold up to my playing please. Ping me

Steve King  26:46

is great. Where could somebody listened to something that you’ve done in the past?

Peter Bordow  26:51

Yeah, so I’ve got a bit of a song library up on my website, which is www dot Bordeaux dotnet. That’s b o r d o w.net. And, yeah, there’s not the highest quality reproductions of music, but you can listen to a whole bunch of stuff for free up there.

Steve King  27:08

That’s great. I have no problem promoting blues guitar here.

Peter Bordow  27:12

And you know, if anybody’s inclined, my stuff is available on iTunes, and amazon.com, and Spotify and all that crazy stuff, too. So you know, I do take charity donations.

Steve King  27:23

There you go. Well, listen, we only scratched the surface here. And so I’m gonna bring you back if I can, and about three or four months and dive a little deeper. But it was great talking with you. And let as you say, you do have an incredibly perfect job up there. And I’m glad that you have it. I’m glad you’re enjoying it. So thanks for taking the time out today to share with our audience a little bit about quantum computing. And it’s always a mystery for most folks.

Peter Bordow  27:56

Yeah, Steve, always happy to jump on with you. It’s been a pleasure, very enjoyable conversation. And yeah, just think me anytime happy to come back.

Steve King  28:04

All right. Great. Thanks, Peter. And thank you to our audience for spending another 30 minutes with us today. And hope you enjoyed it, and we’ll see you next time.