John M. Scott, Crypto4A: “in a connected economy, everyone’s security posture does impact everyone else”


There are countless cybersecurity solutions to countless cybersecurity problems, whether it’s encrypting our data, or preventing and mitigating cyberattacks. But what about the challenges that are just now beginning to rise, not yet big enough to pose a real threat, but bound to do so in the near future?

Creating solutions to problems that don’t really exist yet might sound ridiculous. However, when it comes to quantum computing, one recognizes quickly that it’s approaching fast, and it’s also bringing certain risks along with it. As quantum computers are bound to be used for cryptanalytic attacks, post-quantum cryptography to keep us safe becomes a must.

CyberNews reached out to John M. Scott, the CEO of Crypto4A, creators of quantum-safe digital roots, to talk about the future of cybersecurity in Web3, as well as discuss the current trends in cybercrime and companies’ approaches to tackling it.

Tell us the story behind Crypto4A. How did this project come about?

Crypto4A founders met at Chrysalis-ITS where they were major contributors to designing the first generations of hardware security modules (HSM) and public key infrastructures (PKI) that secured Internet communications. Their ideas and basic approaches for what worked 30 years ago still help underpin the security of today's digital economy. Excited by the idea of working together again, and with major trends such as digital transformation and quantum computing requiring new cryptographic capabilities, Crypto4A was formed some 5 years ago to create quantum-safe digital roots of trust for today's new computing environments.

Can you tell us more about your Hybrid Security Platform? What issues does it help solve?

With today’s deeply connected economy driven by cloud migrations, IoT, identity-linked digital outcomes, emerging post-quantum cryptographic standards, and real concerns about reducing energy consumption and advanced threats in the tech sector, new architectures and forward-looking cryptographic approaches are needed to meet today's threat landscape and ‘zero-trust’ compute requirements. Requirements that are just not addressed by today’s offerings.

Today we look at that 30-year-old foundation for digital roots of trust, and they are still deployed from hardware security modules (HSM) also designed 30 years ago. All this needs to advance to keep up with today’s needs and tomorrow’s requirements. And we think the change starts at the HSM level and must include new architectures, new processing engines, new and expanded software, and improved visibilities. Solving all this results in a new construct that we call a Hybrid Security Platform (HSP) to provide the quantum-safe roots of trust that we previously mentioned.

You describe your solutions as quantum-safe. Can you tell us more about what that means?

With accelerating breakthroughs in developing quantum computers - which are exponentially faster than today's computers - our current cryptography can be broken. This will weaken or destroy the digital trust we all rely on.

Fully protecting our digital trust with new cryptography and new trust infrastructure will take decades. Given that it's reasonable to expect quantum to continue to advance at an exponential rate, now is a good time for everyone to start preparing their migration from 30-year-old capabilities to the capabilities needed for today and tomorrow.

Because of this scenario, we designed our HSP with quantum safety and cryptographic agility in mind from the beginning. What we mean by that is we already leverage known quantum-safe algorithms and update processes in our HSP. These features secure updates to new post-quantum cryptographic algorithms which will be needed in the future because of exponential advances and new threats arising from quantum computing. To help, we built our new crypto capabilities around a crypto agile FPGA-based foundation that can provide the best measure of quantum safety for today’s ‘zero trust’ compute requirements.

So in meeting today’s crypto requirements you are also prepared for quantum threats – a ‘like for like’ replacement of today’s distributed cryptographic environments will be too expensive, too slow, too risky, and require way too many people.

Do you think the pandemic affected the way organizations approach cybersecurity?

Yes and no. The pandemic placed a lot of stress on today’s digital environments and accordingly budgets and resources went into the needed adaptations and enhancements, to deal with remote access and the volume of entitlement delivery. On the other hand, in the longer term, the fact that digital was so valuable and so critical to helping with the pandemic does provide additional clarity to the organization in the development and funding of its long-term digital plans - most agree digital works. In digital security though, regrettably, breaches are sometimes needed for companies to take their security capabilities and needs seriously. In this quantum concern, that approach may well prove to be a disaster.

We do currently see a rapidly expanding cybersecurity market propelled by the acceleration of the world’s digital transformation caused by COVID, as well as an awareness of greater exposure to cyber risks brought by work from home, and the use of digital identities as a new perimeter and tool for delivering digital value. A lot of people – and organizations – who may have been nervous about doing things online may well have permanently changed their behaviors.

The new organization’s security perimeter has become a moving target, with the employee working remotely, the customer accessing 24/7 digital value from multiple devices, and with infrastructures and applications moving into global 3rd party data centers. One thing that has historically provided assurance here has been a common secure application of proven cryptography. With quantum, all that has to change, and this will take time.

Therefore, cryptography and cybersecurity now become key enablers for new business continuity, innovation, insurance coverage and corporate reputation. In a connected - some now use the word ‘circular’ - economy, everyone’s security posture does impact everyone else.

In your opinion, why is cybersecurity still often pushed to the background despite the recent rise in cybercrime?

We believe that most organizations work very hard to improve their cybersecurity posture but they face ever-increasing challenges due to the rapid advance of knowledge, methods, and skills needed to stay current - cryptography as a business is no different. Oftentimes the ‘foundation’ of things is just taken for granted (if it's not broken, don't fix it) - just like with our houses. Most organizations wait for a breach before reacting, thinking that a lack of a breach is a validation of their security posture – and then it’s not. But this must change to be prepared for the benefits and risks of a quantum future and to enable a new suite of innovations.

What are the risks associated with the quantum computing environment and how can these problems be tackled?

Quantum computers process an immense quantity of information quickly and with deep insights. What a regular computer could break in eons, a quantum computer could break in the time since you started reading this article.

While quantum processing power will be revolutionary for solving computation problems in industries like material sciences, pharmaceuticals, data analytics, finance, climate change, and cybersecurity, to name just a few, this power could also bring devastating risks if it is used to crack our current cryptography. Hackers or adverse state actors could leverage the power of quantum computers to make the encryption that protects our identities, data, intellectual property, machines, IoT and SCADA infrastructure applications, and other digital constructs, unsafe and vulnerable to re-use for their purposes. Examples of successful exploits based on this probability could include misinformation campaigns or exploits that render unsafe the critical infrastructures we all rely on for our physical safety and our collective well-being. A loss of confidence and trust in our connected digital world, just as we have begun to use it so heavily and so well through COVID, would not be a good thing for society. Or remote workers.

Every breakthrough brings new vulnerabilities. The race to quantum computers started decades ago, and now is a good time to prepare and plan for all the future work required.

As we move into the world of Web3, what are your predictions for this new version of the Internet?

While we are watching with interest what is happening with Web3, I believe it is too early to fully predict the outcomes, although a number of people are beginning to think it may well look a lot more like Web2 than originally envisioned. This is because centralization is economically attractive and also always plays important roles in complex distributed systems. As an example, it's possible that the API structures developed for Web2 may become a point of concentration or centralization in Web3 for, say, access to ‘decentralized’ systems like blockchain.

We will see – however, the comments about the importance of new and better cryptography and structures due to quantum and new compute environments apply with equal force - if not more force actually - in Web3.

Which personal security measures do you think will gain popularity in the next few years?

We think we will see the continuing tensions between low cost, ease of use, and adequate security play out for some time.

This will continue to play out in the first instance around the ecosystems associated with smartphones/wearables and the possible rise of data and privacy regulations in many legal jurisdictions that touch upon access and control of personally identifiable data. It will also continue to play out in the cloud, and at the edge and in AI. These same issues remain in Web3 of course. An externality to all this remains advanced persistent threats, and that will not go away either. To the extent our world and its online behaviors continue to be concentrated on our digital devices, security must remain a basic design principle.

As you can see, cybersecurity remains a growth industry!

What does the future hold for Crypto4A?

More of the same - working with customers, industry players, and government bodies. We are always seeking to add strategic partnerships with complementary or adjacent cybersecurity products so that we can, together, help address complex cybersecurity challenges faced by our customers and their customers.

We also see a huge potential to provide new cryptographic capabilities in a way that is cloud friendly, OPEX, as a service and future-proofed for timely updates delivered to the IT ecosystem. This approach aligns us with today's trends which include a pronounced and long-term shortage of cybersecurity professionals.