The Infra Pod - Quantum is breaking security soon?! Chat with Michele from EvolutionQ

Episode Date: June 10, 2024

Ian and Tim sat down with Michele (CEO of EvolutionQ, founder of Institute for Quantum Computing), who has been building quantum-safe security products for enterprises to adopt, to talk about where Quantum Computing is today and how close we are to seeing the tipping point where the majority of enterprises will care and adopt solutions.

Transcript
Starting point is 00:00:00 Welcome back to yet another Infra Deep Dive podcast. As usual, Tim from Essence VC, and let's go, Ian. Hey, this is Ian, helping Snyk turn into a platform. And I couldn't be more excited to talk about quantum computing and specifically how it's going to impact cryptography. We're joined today by Michele, the CEO of EvolutionQ. Why don't you tell us a little about yourself, sir, and what you've been working on. Well, great to be here. I'm a mathematician by background. As you said, I'm currently the CEO of EvolutionQ, and it was quite
Starting point is 00:00:36 an unplanned journey that took me here. So I liked mathematics when I was a student. Didn't really know what I was going to do with it. I was good at it. I liked the program too. And then I got lucky and just met a cryptographer at the University of Waterloo. One of the pioneers of elliptic curve cryptography, but I didn't know or appreciate that at the time. I just thought he was a really friendly academic advisor who said, you should come work for me sometime. So I did.
Starting point is 00:01:05 And he got me working on code breaking. And I was breaking what was very new at the time, public key cryptography. Again, at the time, one could fairly describe it as a niche area of information technology, but banks and others are really pushing it because it enabled many things. But up until then, you really had to do out of band. You would manually share encryption keys and authentication keys out of band, and then you could use them in band through the telecommunication system of the time. We didn't even call it the internet back then. When you look back, I think was a big part of the last 30 years of economic growth, because how could you possibly securely connect or confidently connect and do auto
Starting point is 00:01:46 updates and so on without cryptography? And trying to manage pre-sharing keys from every device and so on is just completely impractical. So I didn't know it at the time, so it was much cooler than I thought, but I just thought the math was cool, trying to find a way to work around these math problems people assumed were really hard. And that was fun. And then it motivated me to keep studying those things in grad school. So I went to Oxford in England to keep working on the mathematics underlying communication and information security. I heard of quantum cryptography when I was undergrad, and I just dismissed it as just science fiction. And then saw quantum computing
Starting point is 00:02:25 when I was doing some literature search related to my master's thesis and I literally thought it was a you know crackpot paper I didn't know who the author was and actually year two years before I even met somebody who helped them with that paper and I thought it was a weird project that'll never work so it's a bit ironic, but my supervisor said, you really, you know, the physicists say they could break these problems that you're trying so hard to break. And, you know, I thought, yeah, this is nonsense.
Starting point is 00:02:54 So it's one of these things where you say, sure, I'll look at it, but you don't. And he kept insisting I take a closer look at it. And then he introduced me to somebody who I didn't know at the time, but it was a pioneer of quantum cryptography, invented entanglement-based quantum cryptography. And he was looking for a student to help work on quantum algorithms. So they really needed more of a math, computer science person because it was largely dominated by physics.
Starting point is 00:03:17 I was very reluctant because I thought it was the dumbest thing ever. And I was doing all this cool stuff. And then I met him and I realized, okay, he's not completely crazy, but I don't know, I'm still not convinced. Then he invited me to Italy to a workshop. I said, sure, I'll go to Italy. That's where my family's from. So I went there and I met all these pioneers of quantum computing,
Starting point is 00:03:36 people who've since won Nobel Prizes. And I realized, okay, I was wrong. This will eventually work, not for more than 20 years, but it'll eventually work. And there's a lot of hard problems that a mathematician, computer scientist needs to work on here. So I started working on it, assuming that while things didn't work out, I could always go back to what I was doing. Of course, I never looked back and did my thesis work on quantum computing algorithms. I was recruited back to Canada to help start a quantum center
Starting point is 00:04:05 in our cryptography center at the time. It was the largest applied cryptography center of its time. And I started a rogue effort basically to build a quantum computing group. It quickly turned into a center and then eventually the Institute for Quantum Computing, especially once we got the support of Mike Lazaridis who invented the Blackberry. So that was quite a journey building up this center from scratch at a time when everyone thought it was a crazy idea. Like I'd been convinced, but I had a lot of work to do to convince other people. But I always kept my ties with the cryptography world, which eventually we started calling cybersecurity and a broader thing than just cryptography.
Starting point is 00:04:42 So I was always asked to do consulting and so on, which was fun. And then the CIO of Canada once asked me to meet her. So I did. She wanted, you know, to look at how could we translate the potential of quantum cryptography to protect government networks? What would you do if you were me? Again, I had no idea what she wanted, but she called me to meet her. So I said, okay, this is what I would do if I were you.
Starting point is 00:05:04 And she said, okay, let's do it. So that's when I really had to start to put a team together to do this audacious project I just proposed so we started forming a company to do this sort of thing because people wanted had various questions related to being ready for the quantum era and then it was really probably around 2020 that we found the product opportunity. And that's when we turned into a product company. And then as a product company, there was a number of inflection points. I'm going quickly here. I know you'll dig in on a lot of this.
Starting point is 00:05:37 We needed to go faster than our bootstrapping was allowing us. So I went to some investors, Quantonation, which is the lead quantum investor in the world, and a few others, and started growing the company even faster. So now we actually have two, three products that we're selling around the world. Awesome. I mean, I'd love to jump in, help us understand and our listeners understand, what is it about quantum cryptography? Why should we care? What is it about modern cryptography? What is it about quantum? What is the chasm or what's the difference between the two and why is it really important? Yeah, like we don't get to make up the rules of physics. Like you don't get to choose. You don't get to say, well, quantum mechanics, I don't like it. I'm going to force my adversaries to stay in a classical world.
Starting point is 00:06:18 You can't. Again, in 1996, I said zero chance of having a cryptographically relevant quantum computer in 20 years. But in 20 years, there will be about 20 quantum bits and the path will be clear. And that's almost exactly what happened. And the path has become clearer. And once we get a few thousand, like 2,000 to 4,000 quantum bits, you can start breaking the codes, ECC and RSA, that underpin public key infrastructure and basically the way we exchange keys in band. Again, in 96, it would have been bad. In 94, when this was discovered, it would have been bad. But ever since then, we've just kept doubling down and doubling down. So now the whole global economy, directly or indirectly, relies on this
Starting point is 00:07:02 mechanism for exchanging keys in band. It's so ubiquitous, we don't even keep track of it. When people every once in a while claim they can break RSA, people panic because they don't even know what that means, what will break. So it's ubiquitous. It underpins almost all of our IT systems one way or the other. If we could build a quantum computer with a 2,000 to 4,000 logical, robust quantum bits, you can break the foundations of cybersecurity today, which is in many ways more dangerous than the attacks we see now. And just to be clear, I'm not one of these guys who says, no, no, ignore all those other
Starting point is 00:07:39 things. Just pay attention to my problem. Absolutely not. I'm constantly advocating for all the other cyber maturity, even the boring stuff. I'm like, I know it's boring, but you got to do it. So unfortunately, you still have to worry about ransomware. You still have to do better patch management. You still have to stop using default passwords and all these other things. But this would be giving people the digital master key. It'd be systemic, right? So it's
Starting point is 00:08:03 not like an advanced persistent threat where you try hard enough, eventually you'll get into that system. Then it's, you're detected and then it's remediated. It's all systems are effectively broken and we don't have a plan to fix them quickly. So that's a really good framing of the problem is sort of these sort of classical cryptography based on prime number factoring effectively.
Starting point is 00:08:29 And if a sufficiently large quantum computer were to be constructed with the number of 4,000 logical qubits, the person who has that computer now has the capacity, if they have the information, to break the encryption, right? There's really two questions. One question is like, how much data would they have to capture over the network to actually have sufficient data to begin the process of cracking, assuming that computer existed? And on the other hand, who's capable of building a system of that number of logical qubits? Yeah, and I should probably also add, when I mean broken, I mean broken. It's not like, okay, fine. I'm going to go to RSA 3000 and I'll be fine. It's like, oh, it's so-called polytime algorithm. So when you increase the key length, you're creating as much pain for you as you are for the adversary because it's harder to use. So let's consider two use cases where you're worried about store now, decrypt later. So you're worried about the confidentiality of information that you basically have to be monitoring the traffic in between the two parties. You record the cryptographic handshake that establishes, you know, uses an
Starting point is 00:09:36 ephemeral encryption key. So use RSA to establish or ECC to establish a key. That's just a few messages back and forth. Several thousand bits, I don't know the exact number, but it's not even gigabytes. It's kilobytes of data, but not much more than that. And then you have to capture the message that was encrypted with that key. So whatever that message is, if it's a video or document or whatever. So you don't have to capture terabytes and terabytes for that message. Of course, what's happening is people are capturing terabytes, which has many different encryption keys and different messages encrypted under those keys, triaging them somehow using metadata or something so they can prioritize to keep archiving it for future exploitation when they can break the cryptography. That's one sort of threat one has to worry about, especially this is more for highly valuable, long-lived information. For less valuable, short-lived information,
Starting point is 00:10:33 I wouldn't worry so much about record now, decrypt later. But for trade secrets and other really valuable assets, this is possible. Another model is just faking digital signatures. An adversary can pick their favorite software vendor whose auto updates he used every day and fake a signature. Fundamentally, you can't distinguish their signed malware from legitimate auto updates. So how do you authenticate anything? They can start faking ledgers. And also you start trusting the information on the internet. So obviously it's bad to run auto updates. You'd be downloading malware and then it's kind of game over if you can't figure out which updates are legitimate. Anyway, so those are two examples. Oh, which people could realistically get access to one of these platforms.
Starting point is 00:11:23 So if you look now, there are several dozen companies all around the world working on this. Large multinationals like IBM and Microsoft and Intel, Google. There's military contractors that are also working on them. Companies like Honeywell, who spun off a joint venture called Quantinuum. So there's just massive players. Many of them have their quantum computers available on the cloud. They already have access to it. So I don't think the plan is to stop doing that
Starting point is 00:11:54 when it's actually useful, right? They're going to keep making them available as they're more and more powerful. And then there's other smaller players, but by smaller, I mean a few hundred million dollars of investments that are also building platforms, again, all around the world. And many of them already make them accessible. In terms of who will own their own hardware, it's these players who are then reselling the services to their customers. Again, these are large industrial players and military contractors,
Starting point is 00:12:27 typically, or government, nation states would have their own. That's one category. Like now there is a market for this form of high performance computer. There already are customers of that. So they're going to keep being customers of them. There's not going to be a 10-year time lag. Well, we can't assume one anyway, between them being available to state actors and so on versus them being available more broadly. Of course, there's going to be know your client controls on who can access everybody's quantum computer. And of course, we know Black Hats will completely bypass
Starting point is 00:13:04 those controls and get access to them. And so then it's a matter of how well cyber criminals monetize those capabilities. What we've known over the last 10 years is it moves very fast. They're very creative at finding lucrative business models for monetizing different cyber attack capabilities. So there's often this naive picture of there's a bad person who somehow gets a quantum computer, buys one or builds one or steals one. Then they run it. They run the algorithms themselves. They get the private keys themselves and they somehow come and steal your asset or blow up your power station or whatever they want to do. That's not how cybercrime works today at all. It's certainly not going to be how it's going to work here.
Starting point is 00:13:49 It's going to be very segmented and specialized, where you'll have one flavor of cyber threat actor who will get access to these devices, start getting private keys. Eventually, they'll hand it off to other players. It'll be signed malware as a service or who knows what and eventually it'll pour fire on the existing cyber attack methodologies and it'll rebalance what's the most lucrative cyber attack to do because we often think we've got this figured out and we'll have a countermeasure against one thing but then you know it's whack-a-mole or you know there'll
Starting point is 00:14:24 be the next easiest way to make money. And there'll be a whole new line of cyber business that suddenly we see a lot of. So there's always going to be the next easiest thing. So it's hard to predict exactly, but when you have something that is such an accelerator of the existing cyber attacks, they'll flare up, but they'll probably rebalance in terms of what they most do. And there'll be fundamentally new cyber business lines, so to speak, that this will enable. So are there sort of like examples, quantum attacks already happening when you're selling
Starting point is 00:15:00 to your customers? Like oftentimes when you see companies selling security, they always point to like the SolarWinds, they point to like certain exploits or certain big losses, right? Because for people to even know, like, I should spend money now, it hasn't mattered now, right? It cannot be matter like five years, ten years from now. Like what are the sort of examples you typically use for your customer to say, hey, this is something you cannot ignore anymore because this is happening? The challenge and opportunity, because no, there are quantum-enabled attacks now, right? But thankfully, there aren't.
Starting point is 00:15:36 Because if there were, we're years and years away from being ready. We're talking about critical infrastructures potentially collapsing systemically. There really is no quick fix for this. But there's a chicken and egg where you're right. Normally, everyone's like, sure, whatever, until the attacks start happening. And even then, they're like, I'll be the lucky one. And then when it happens to them or a close friend, then they'll start doing something. Like people don't change their behavior because they see the light, they change it because they feel the heat. You know, I asked a friend of mine who's an expert in IoT, industrial IoT security,
Starting point is 00:16:07 how can we make security by design, you know, business and political imperative? Because until we do, it's like you said, it's just not enough is going to happen. And it's fine with something where, like with seatbelts, like you have cars, people would die, but not a lot of people. And then as it got worse, you know, then, okay, maybe we should have rules and seatbelts and so on. But it was gradual. But with cyber, it goes from zero to systemic, or at least pretty quickly, will scale quickly because you don't need physical actors around the world. And there's all sorts of reasons why this is a very scary and fast-moving attack methodology. So we have a big problem with cybersecurity.
Starting point is 00:16:45 Forget about quantum, just cyber in general. Now we have cyber-physical systems, and as people update other critical infrastructures, like dams and electrical grids, from these old systems that are not connected, the new systems will be connected, whether you want to or not. It'll be hard to buy the non-connected version
Starting point is 00:17:03 of a lot of these components, so it's worrisome. And I asked, I'm like, we need security by design and resilience by design as design principles, not reactive, oh, I should have done that, I'll do it next time. And he said, well, the way it normally works is something bad happens, people die, and then you have a business and political imperative. And I asked him, like, is there a way to skip that middle step? You know, can we simulate people dying and so on? He's like, well, no, you didn't know of a shortcut. So I think we need to find a shortcut that gets around that middle step.
Starting point is 00:17:39 And the way we're doing it is just awareness. So it's a big awareness campaign. And then once you get a few people who buy in and do something, then you get the followers who mimic that. So we do have the problem of the attacks aren't real. This is not a new problem. So we kind of knew to get around this. We've got to create awareness. Regulators are starting to get informed because with the awareness and public awareness, then it kind of starts to force some of the other pieces in place a little sooner. We're not expecting perfection.
Starting point is 00:18:09 We just want to be more prepared than we otherwise would. And then a lot of players are like, I get it. Logically, you're totally right. And what's my competitor doing? You know, the fact that you're right. And I know I should do it usually doesn't. But if you can just get one and then maybe two, then everyone starts doing it.
Starting point is 00:18:27 That's what's happening now. We're seeing banks are getting very prepared for this. And the US government has started requiring quantum readiness and so on. So we've crossed that chasm. It was a long journey to get there, but it all started falling into place around 2015, I would say, when it was something that only believers or people who cared understood. The NSA said, if you want to sell us products to the U.S. government, you're going to have to get quantum safe.
Starting point is 00:18:56 Then that changed the market forces. And then there was a number of other changes since then that have been sort of snowballing. Once again, two questions, which is kind like, they kind of piggyback one another. What has happened on the quantum side where these attacks have become realistic? Is it currently the amount of availability or how close we're getting to availability and the fact that we found a scalable way to create qubits with enough people working on it that we have enough potential, in the same way that, like, for lack of a better analogy, like it's kind of like uranium enrichment with nuclear, you know, it's like nuclear bombs, like, well, once you get to like
Starting point is 00:19:32 enough people doing it, you know, the probability of, you know, some producing nuclear bomb or potentially having enough of enriched uranium to then produce nuclear bomb becomes very high. Is that category what's going on on that side, on the actual quantum computation side? And then on the flip side, what are the options for quantum safe cryptography? How do you actually protect against these attack vectors? Yeah, so to your first question, you'll get some grumpy folk who'll say, oh, it's always 20 years in the future, which is just a false statement. Back in 96, I said% chance, and it was 1% and 10%. Now it's over 85%, probably close to 90% chance in 20 years. So who cares about 20 years? Because to say, oh, don't worry, I'll be okay with the 10% chance is not good. 50% is not good.
Starting point is 00:20:18 The chance of this happening in the next five to 10 years, in my view, is about 30%. And other people might disagree and say, no, it's only 5%. What do you mean only 5%? But I think it's 30. And I'm not at the extreme. I'm sort of middle of the pack here. If you average the views, it's between 17 and the low 30%. That was people we asked last year. And I think that number will go up this year. So the 20% odds have gone up to being far beyond an acceptable risk years ago. Now we're talking about what's the five and 10 year probability. Really, the answer is too high to accept. So you have to have a mitigation plan in place. What's happened over
Starting point is 00:20:56 the last 20 years, or the last 20 months, 20 years ago, we came up with an in-principle way to do error correction. The reason, you know, we initially thought it's impossible to do quantum computing because you're never going to control these things perfectly, these quantum bits. If you have even a tiny epsilon error, you know, one in a 10,000 error, which is really, really hard to achieve, you're not going to get more than about 10,000 gates in before your computation starts to fall apart.
Starting point is 00:21:25 Quantum cryptanalysis, it's efficient, but it's not that efficient. You need thousands of bits running for hundreds of thousands or even many millions of steps. You need error rates, logical error rates way below one in a million. Good luck getting that kind of native error rate. So we didn't see that, but people found a way to do error correction, quantum error correction. Initially people said you can't do quantum error correction, here's why. Peter Shor and others, interesting, Calderbank, they found a workaround and the way you can actually do quantum error correction. But the codes and the methodologies we had in the 90s, like we went from impossible to possible, but with these ridiculous assumptions. But that's much
Starting point is 00:22:06 better than impossible, correct? And you need like 10 to the minus six error rates and you needed connectivity that was just impossible, like full mesh connectivity without the error rates going up when you built a bigger computer. So all not going to happen, but we all knew we'd improve, we'd get rid of those assumptions and improve it. So about a decade later, people came up with what's known as a surface code for error correction. We brought the error rates down to 1% or 0.1%. So stuff that was more or less happening in the lab only assumed nearest neighbor connectivity. So now you could build a gigantic grid and you just, qubits over here didn't need to interact with the qubits a millimeter away. So it started to all become more reasonable. So we're doing the building blocks for quantum error correction. And people would often ask, well, how many qubits do you
Starting point is 00:22:55 have now? Wrong question, because we need a fault tolerant logical qubit. And about five years ago, what we knew was, and this was major progress over the previous 15 years, if you have on the order of 1,000 or so physical qubits with 10 to the minus four or so, five ideally error rates, nearest neighbor interactions, you could achieve fault tolerance and start factoring. And depending on your assumptions, 20 million physical qubits running for eight hours could break RSA 2048. That was amazing progress. But that was like five years ago. And in the last few months, even what's been happening is more platforms. So the front running platforms for building qubits were so-called superconducting qubits, which are little superconducting circuits. You print them on a chip, really hard to get working, but if you do, then scaling is easier, they're fast and so on. Or ion traps. The beauty of ion traps is the qubit
Starting point is 00:23:57 is a natural, like nature optimized it for you. It's a very stable, robust thing. And the hard part is creating a giant array of them because nature didn't do that for us. So we're trying to juggle these ions in oscillating electromagnetic fields. So these are kind of the front runners. But there was other stuff, other spin-based approaches, optical approaches. Neutral atoms was even a later one.
Starting point is 00:24:18 Now these five or so platforms are all kind of still in the race. And the neutral atoms has really leapt ahead. It could potentially be the front runner in a year or so. And now, like just in the last few months, you know, my colleague, John Preskill at Caltech has declared that we are now in the era of quantum error correction, which was over 25 years in the making. We're not done.
Starting point is 00:24:41 There's still major challenges, but we're no longer like the main focus now is on scaling and getting these codes to work better. There's new codes with much better overhead. So it's not necessarily a thousand physical for one logical. The short summary is we are now in the era of quantum error correction, where people have really validated that it works. You can get logical error rates that are much lower than the physical ones. And, you know, QuEra, which spun out of Harvard, which has demonstrated like a handful of logical qubits now, says it will have 100 by 2026. And you only need like 4,000 to break RSA. And they've gone from zero to 100 in two years. So people should be very, very nervous.
Starting point is 00:25:23 We're seeing a massive acceleration just in the last few months. All right, so now we want to jump into our favorite section called the spicy future. Spicy futures. And I think you already pretty alluded to the whole thing up to this point. Uh, so, you know, I've been reading a little bit of your quantum threats reports. And basically there is like this, how soon you think we can break the RSA-2048 encryption in 24 hours, right? So what do you believe will happen
Starting point is 00:25:55 in the next five years? So maybe before I get to the spicy part, I'll answer the part of Ian's question I forgot in terms of what do you do about it, right? And we know what to do about it. The problem is just doing it. Like we know we should do patch management better. And there's a lot of stuff we know we should do.
Starting point is 00:26:11 We just, the economic forces don't necessarily reward it. And there's two things. So first of all, the lesson isn't just let's replace a broken code with a new code. The real lesson is it's forcing us to ask the question of what if these codes are broken and we don't have 30 years head start or even a 10 year head start. We were absolutely unready for that. Like NSA said in 2015, we're going to switch to new post-quantum algorithms. And we're still like FIPS are coming out in a few months and people are saying we're not going to be done by 2035.
Starting point is 00:26:45 Like we'll get a lot of systems done, hopefully the important ones. But 2035, like 11 years from now, and people are saying that's really aggressive. So it takes forever to change these codes. And we're just lucky that the codes weren't broken in under 10 years. If they're broken in 10 months or 10 minutes, we're talking about systemic collapse of our digital infrastructures. So we need to move beyond security by design and think about resilience by design. If that does happen, the most important systems will keep working so we can fix and upgrade the new system. So what it's begging
Starting point is 00:27:19 for is two layers. First of all, let's fix the beautiful in-band public key methods that have been a central part of the economic growth of the last 30 years. We want public key cryptography, and that's what the post-quantum process is all about. And it's everybody's top priority, or it should be in terms of migrating. But then how do you get that cryptographic defense in depth? Well, how did we do it before? There were always systems that some people were nervous about, and they did symmetric key cryptography and pre-shared keys. That's largely 1980s technology. So for that cryptographic defense in depth, there's really three options. One is ignore it, don't do it, accept the risk. The other is, which is again, not a good idea
Starting point is 00:28:01 for anything important, old school symmetric key cryptography and pre-shared keys, except maybe we should architect it for the 21st century. And that's one thing our company has done and a small number of other players around the world are saying, hey, the symmetric key stuff, it might seem old-fashioned, but let's come up with the 21st century version of it and make it scalable because you don't need quantum technology. You can deploy it now.
Starting point is 00:28:25 And the other is the same community that's building quantum computers is also building long-distance quantum communication networks. And that quantum cryptography stuff that I dismissed as science fiction in the early 90s will be enabled by this new quantum band of communication. So it's not the only solution. It's certainly not replacing public key cryptography. It's not even replacing public key cryptography. It's not even replacing symmetric key cryptography. It's kind of enabling more symmetric key cryptography. Because instead of having somebody with a briefcase,
Starting point is 00:28:57 you can now just tap into this quantum network that was built by somebody else. You just need to say, can I please use it? And you grab the keys and you can self-validate that they're secure, right? So that's this beautiful new band of communication. So that's kind of a new option that will be more and more available in the quantum era. But it enables this alternative key exchange and key management system alongside symmetric keys and pre-shared keys. So that's kind of what we need to do about it. Now, in terms of the spicy future, I'm going to say two things that one of my colleagues in the German government, he's been pushing people to get post-quantum ready for years and years and years. And he was blown off as this is a niche, why are you wasting it? You know, all the usual,
Starting point is 00:29:37 we have more important things to worry about. And he was saying, you know, Schopenhauer said there were three, all new truths go through three stages. The first is ridicule. The second is violent opposition. Right. You ridicule. And then when you realize some people are taking it seriously, then you really oppose it. And the third is accept the self-evident.
Starting point is 00:29:57 Right. So you go from this is stupid. I don't need to do it. There's more important things. It's never going to happen to. Well, of course. And of course, we need to migrate to post-quantum. And then he said, but there's a fourth phase. This is not from Schopenhauer,
Starting point is 00:30:10 but he's coined it, Schopenhauer's fourth phase, where the people who were opposing you are now saying, why aren't you done yet? I've started seeing that already, where I'm talking to telco equipment manufacturers and others, and they have some of their customers are saying, you know, the NSA says be ready by 2035. And they told you that years ago. We want you to go faster. Well, they're like, we're going to struggle to meet, you know, 2035. So like, no, but, you know, the customer is asking for it. So we're going to see more and more of people saying, oh, it's not a priority.
Starting point is 00:30:44 Got other things to worry about. Oh, now it is a priority. They're going to go to their vendors and their own other team members and say, well, you're done, right? And they're not going to listen to you say, no, but I remember, remember five years ago, I asked you and they'll be like, no, I don't remember that. Or you weren't clear enough. You didn't explain it well enough.
Starting point is 00:31:01 So, you know, we're going to have this Schopenhauer's fourth phase. In terms of, you know, this future looking, you know, prediction, I think we need to create the future we want. You know, there's people who try to, you know, try to predict and ride the wave. There's people who try to sort of shape the wave, maybe to suit some sort of parochial interest that maybe doesn't make sense for the ecosystem. Those efforts generally don't work terribly well. I mean, in some cases they do, but for the most part, it's hard because a lot of people are trying to do that. These attempts to shape the wave cancel each other out because people are pulling in different directions. But if as a society we can find a few directions that we all agree on, we can start shaping the wave in a way that's good for all of us. Like, let's find some common denominators that would be good for everybody if we kind of changed the way humanity worked. I know it's idealistic. We can't do this with everything, but let's do with a few things that serve our common interest. And I think one
Starting point is 00:32:00 of them is to start demanding resilience by design. As a customer, start asking for it. It sounds like a super naive idea, but when we go to providers of technology and say, hey, why aren't you secure by design? Why aren't you resilient by design? They'll be like, our customers aren't asking. So obviously, they're not going to prioritize it. Then you go to their customers and they're like, don't you need this? They're like, well, yeah, but we don't build our own cryptography.
Starting point is 00:32:26 We rely on our vendors. Have you asked them? Well, no. So again, don't be unreasonable. Just have a conversation. Just communicate your assumptions about what your vendor is going to do for you. Don't assume it because it's pretty critical that your digital platforms keep working in the 21st century. So I think we all start doing this more and more,
Starting point is 00:32:47 it will start creating those market forces for resilience by design. And if we know our systems are more resilient, then we can all trust them more, right, and just live happier, more productive lives because the tools we're assuming are there for us are more likely to actually still be there for us when unexpected things happen. I don't know if that's spicy enough for you, but I think it's crazy enough.
Starting point is 00:33:13 Yeah, I think it's really good to hear because we don't often hear about the progress of quantum that often. But it is, like you mentioned, it's super important for us to know the progress because when things are already happening, it's too late. But that's really we all are having our eyeballs on. And it's good to have that more insight. I mean, I think what I would predict is we're not going to have this five-year warning shot where everybody agrees.
Starting point is 00:33:43 Like people have this fantasy that it's for sure not going to happen within the next five to 10 years. So whatever time they would need to get ready, they have this fantasy that somebody is going to guarantee it's not going to happen within that timeframe. Right. And then when they do say, okay, now it's going to happen within that timeframe, for sure, it's going to happen. Like in a one-year window. Because heaven forbid I'm ready two years early, right? So they have this fantasy that the confidence interval is going to be like a year or two wide. It's not even going to be five years wide.
Starting point is 00:34:14 It's already within any acceptable risk tolerance. So everyone has to very quickly migrate their more precious systems, more critical systems immediately, and be thankful if they're done before cyber attacks start, you know, quantum enabled cyber attacks start becoming reality. Yeah. Yeah. That's awesome to hear.
Starting point is 00:34:32 Cool. Well, thanks for being on. I think we have a lot of things to glean on for this episode. Is there places people can learn more about EvolutionQ or maybe the kind of work you're doing? Do you have like some kind of social people can follow? Well, I mean, there's our web page, evolutionq.com, and there's our LinkedIn page, has some posts. We don't have too many, so it's not. Yeah. Yeah, I think actually the quantum threat timeline reports is actually quite good. I like them quite a bit. So
Starting point is 00:35:01 those are we're working on the next one i'm anticipating a bit of an inflection point, but it's hard to tell because our experts knew this was coming. So how much did they know? Did they already know that Misha was going to predict 100 qubits in 2026? Some did, probably. But I think we're going to see a bit of a bigger uptick. But we'll know by the end of the summer. Or I'll know by the end of the summer.
Starting point is 00:35:30 And it'll probably be posted by Christmas. Awesome. Well, thanks a lot, Michele. I think we have a lot to learn from. And thanks for being on our pod. Yeah, I hope it's helpful and interesting for your listeners. Thanks so much. Yeah, it's a pleasure.
