Eddy Zervigon, Quantum Xchange: "the pandemic reminded us all that data is now more vulnerable than ever"
The pandemic has turned private environments into working spaces, and companies faced enormous challenges in keeping their businesses safe. Cybercriminals noticed that remote workers are extremely vulnerable and can be easily targeted to steal business data.
So, employers had to provide effective security solutions to protect the home networks of people scattered in different places, and cybersecurity became the number one priority across all industries.
Today, we’ve talked to Eddy Zervigon, the CEO at Quantum Xchange – a company that specializes in security and data protection, about the most common cyberattacks, encryption solutions for data security, and whether existing encryption technologies would be effective with the rise of quantum computing.
How did Quantum Xchange originate? What has your journey been like since?
Quantum Xchange launched into the market with much fanfare in 2018. Our Phio Network was the first quantum fiber network running from Washington, D.C., to New York City, and on to Boston, including key connections to the financial markets on Wall Street with back-office operations in New Jersey. This Quantum Key Distribution (QKD) superhighway proved to be too early to market. So, necessity being the mother of invention, we created Phio Trusted Xchange (TX).
We took the best of QKD – quantum entropy and out-of-band key delivery – to create a new product and a reimagined, simpler, affordable, and practical approach to securing data in transit. Today, Phio TX is our flagship, or anchor, technology from which all our other solutions and services derive. It offers the market a foundation architecture for delivering the future of encryption available in a variety of deployment options – physical appliance (Phio TX), cloud implementation (Phio TX-C), or quantum-safe VPN (Phio TX-D).
Can you tell us a little bit about what you do? What are the main issues your solutions help solve?
Phio TX is a quantum-safe key delivery system and simple architecture overlay that works with a company’s existing encryption and a quantum-key source, such as QRNG, PQC, QKD, or a combination of those. The system sends a second, symmetric key out-of-band down a quantum-protected tunnel and mesh network independent of the data path.
Phio TX can help protect against and minimize the risks associated with current attack vectors, including:
We do this by overcoming the inherent vulnerability gaps of Public Key Encryption (PKE) – where data and keys travel together allowing for an attacker to compromise only one connection to obtain all the secret information. Phio TX also improves and automates basic security hygiene practices. For example, most VPNs rely on the IPsec protocol using static keys that are not frequently (or ever) rotated – a poor security practice that weakens the overall security posture of the network. In the Phio TX hive, keys are generated and rotated on demand and even on every transfer – providing key delivery to every VPN node automatically. With Phio TX, secure continuous key rotation is the norm rather than the exception.
What are the most concerning threats surrounding quantum computers?
Experts predict that a commercial quantum computer will arrive on the market in the next 5-10 years. When it does, the processing power will have a transformative impact on business and society, with the ability to usher in new medical breakthroughs, engineering feats, and technical advancements that are impossible today.
Quantum computers will also have the power to break today’s encryption standards and will create an unprecedented threat to the security of our nation, global economy, and digital infrastructure. Since our launch in 2018, we have warned that state-sponsored hackers are stealing and stockpiling encrypted data waiting for the day when a quantum computer arrives to break its encryption – an attack known as harvest today, decrypt tomorrow, or harvesting.
These concerns are slowly becoming more mainstream. Major consulting practices and system integrators, like Booz Allen Hamilton, are warning CISOs of the risks of harvesting attacks and what can be done to prepare for the quantum revolution.
Additionally, in January 2022, the White House issued National Security Memorandum 8 (NSM-8), which instructs federal agencies to use quantum-resistant algorithms within the next 180 days with the overall goal of improving the cybersecurity of National Security, Department of Defense, and Intelligence Community systems.
Companies must invest in affordable, standards-based technology that can be integrated into their existing crypto infrastructure to make it immediately quantum-safe today and quantum-ready for the threats of tomorrow.
Do you think the pandemic affected the way people perceive cybersecurity?
Absolutely. The pace of cloud adoption increased exponentially to support a distributed workforce. At the same time, big data breaches and cyberattacks like scams, phishing, and ransomware increased by 400% due to the pandemic, according to ReedSmith.
This perfect storm put cybersecurity in the spotlight and reminded us all that now, data is more vulnerable than ever. Organizations had to, and are still working to, seek out new methods and technologies for securing communications channels and the data that flows between on-premise, remote, and cloud-based systems.
In your opinion, what misconceptions do people tend to have regarding data security? If so, what are the most common myths?
People tend to assume that if data is encrypted, it's inherently secure. This is, unfortunately, not the case. Public Key Encryption (PKE) is one of the most important technological innovations used to protect our digital lives and it’s at risk of becoming obsolete. Continued advancements in mathematics and computing, and the fast-approaching Quantum Age, mean that PKE is no longer fit for the purpose for which it was designed. The inherent vulnerabilities of legacy encryption – the data and the encryption key used to unlock the data travel together – combined with a quantum computer’s ability to break today’s encryption standards in a matter of minutes, will require the greatest cryptographic transition in the history of computing.
What are the main risks when it comes to handling data that hasn't been encrypted?
Data that has not been encrypted presents a massive business risk. However, in keeping the above response in mind, today, even handling data that has been encrypted is risky. In fact, the compromise of outdated VPNs – which create a secure encrypted connection for data to travel through – has been the genesis for many cyberattacks, including the Colonial Pipeline breach. On any encrypted network connection, the encryption keys used to create the encrypted tunnels that secure network traffic are sent on the same session as the data they protect. This means an attacker has just a single connection to monitor and compromise to gain access to the network and all of the secret information. As we’ve said, quantum computers make this inherent vulnerability of legacy encryption a much bigger problem.
In 2016 the National Institute of Standards and Technology (NIST) warned that all organizations start preparing then for the coming quantum-crypto break. Unfortunately, companies are slow to heed this advice. Y2Quantum is still ambiguous and too many companies take a wait-and-see attitude to quantum preparedness planning and execution. Many are waiting for the Post-Quantum Cryptography (PQC) selection process by NIST to yield the final standard before they act.
Experience shows and NIST warns, another 5 or 15 years will be needed after the publication of the cryptographic standards before the full transition is completed. This timing is problematic on many fronts and presents a host of adoption challenges. Regardless of which math-based encryption algorithm is standardized, the PKE design flaw of sending keys and data together exists today and must be remedied.
In your opinion, what other new technologies are going to arise in the near future?
As I mentioned above, companies are hyper-focused on securing communications channels to accommodate a distributed workforce and technologies are emerging rapidly that will address this need. As a result, we are seeing the rise of the quantum-safe VPN, and for good reason. Quantum-safe VPNs are ideally suited for organizations looking to better protect remote worksites from internal and external threats with stronger, quantum-based, secure communications. In addition, large, sophisticated networks that are looking to test the quantum-safe waters can benefit from an economic-friendly solution, like a quantum-safe VPN, that provides unparalleled security for protecting data in motion, and a future-proof solution that addresses the emerging threat of quantum computing.
What security solutions do you think everyone should implement to protect from future threats?
I recommend organizations replace their PKI with an out-of-band key delivery system to future-proof their crypto. This new key delivery architecture should be:
- Quantum-safe and crypto agile – supports keys generated by any source, protected by any method (PQC, QRNG, QKD or combination)
- Interoperable with existing network security solutions
- Separate key generation and key distribution from the endpoints that encrypt data
- Designed to work with large area networks where multipoint key transmissions to the network’s edge
- Third-party viewed and credited, i.e. FIPS 140-2 validated
Organizations must also embrace security-in-depth practices, which include diversifying their crypto and implementing quantum-safe symmetric keys into their existing crypto infrastructures. This recommendation is reflected in the 180-day mandate to use quantum-resistant algorithms in the recent National Security Memorandum (NSM-8) from the White House.
Share with us, what’s next for Quantum Xchange?
We have many exciting initiatives coming down the pipe in 2022. We recently announced Dr. Vincent Berk as our Chief Revenue and Chief Strategist Officer. Vince will be a key member of our leadership team and joins us at a momentous time for the company and the global quantum security market. We will continue to explore new industry partnerships and optimize existing reseller relationships to help increase our global footprint.
The U.S. government has shown great interest in quantum technologies in 2022 through inclusion in a series of Executive Orders, National Security Memorandums, NIST's plans to release final PQC standard candidates, and the DoD's Technology Vision. We plan to take full advantage of this momentum with federal agencies and their partners. The continued proliferation of 5G and private 5G networks is another area of interest for us in 2022 and a proven use case for Phio TX-D.
Lastly, with thousands of LEO constellations being launched, we see great opportunity with the emerging space-based economy and protecting the final frontier from cyber criminals and malicious exploits.