THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders

Paul Jackson: Welcome to another episode of THEOS Cybernova podcast. I’m delighted today to be joined in sunny Hong Kong by the wonderful Cathy Chan from Cyber Force who is going to talk to us today about a very interesting topic, which is the cyber threats around quantum computing. Now the term Q-Day, Cathy, has become a real buzzword hasn’t it? Can you explain to the audience in layman’s terms what that actually means? Also, could you perhaps enlighten us is this is going to be just another Y2K thing, something about nothing? Or is it real?

Cathy Chan: Okay. Imagine that you have the most valuable treasure in a room with a door with a secure lock that you think is really safe. But now someone is telling you, I’m developing a super keys that can open your door.

Paul Jackson: Wow.

Cathy Chan: Yeah, so is it a Y2K? I don’t think so because it’s based on physics. It’s really something discovered from the universe, and actually I think it works. I mean I think opening the locks, the locks are super key is, something that works theoretically. It’s just a matter of how it works.

Paul Jackson:  Wow. And what does Q-Day actually stand for then?

Cathy Chan: Q-Day is actually the future days when Quantum computers become strong enough to break the protections that protecting most of your important data nowadays.

Paul Jackson: Wow. So it means that they will be able to break all kinds of encryption that are commonly used in software applications, etc..

Cathy Chan: Banking transactions, your emails, your digital signatures. Yeah.

Paul Jackson: So the whole thing could be opened up.

Cathy Chan: Yeah.

Paul Jackson: Oh, boy. Okay, if that hasn’t got everybody scared right away then, nothing will. So, you do think this is more of a big deal than the Y2K date thing?

Cathy Chan: Yeah.

Paul Jackson: Okay. Well, whether you’re forewarned then everybody and that will dig into this. But what is a quantum computer? Is it possible to explain this in layman’s terms? Because I hear about qubits and all these kind of things. It sounds incredibly complex.

Cathy Chan: I asked AI to explain it to me as a child. I got this results: Quantum computers are special super powered computers that use tiny things called qubits to solve really hard problems, it’s got a state called superposition so that they can solve the difficult problems. I mean, try many solutions to a problem or at the same time. In our traditional computers it is doing it linearly. Just one or zero, one or zero. But quantum computing can be one and zero at the same time. This would be some things that they can process really fast. We can say that because the companies who are building the quantum computers have very realistic statistics that traditional computers need a few hundreds of years to solve. They just solve it within ten minutes.

Paul Jackson: Wow. But it sounds like we need to be geniuses to actually understand these things, doesn’t it? I mean, it’s really incredibly complicated.

Cathy Chan: I think I am also not a professional, I mean a physicist or scientist. I think that we just need to think of it as another kind of computer, which is totally different from a traditional computers that we are using now. You just need to know its capability, not how to build it up.

Paul Jackson: Right Okay. I think I get you there, just understand that it’s capable of doing all these things. We don’t need to understand entirely about qubits and stuff. Right, anyway let’s talk more about the impact because the threat timeline for quantum computing impacting today’s encryption standards is something that’s not really clearly defined, is it? Some people think that it is some time and others will say it’s later in the future, right? So when should organisations really start to worry about Q-Day.

Cathy Chan: Okay, so let’s talk about the predictions of the Q-Day, when will it happen? It actually the protection of the Q-Day falls into 2028 and 2030 or 35, something that is actually a few years to go.

So, why and when will our organisations really start worrying about Q-Days? Well actually it depends on what data that they have, the more data that they have the sooner that they will have to act on it.

For example, if your data is valid for maybe 50 years, your banks, your government nations or health care system, the data will be valuable for a very long time. When your data is valid for a long enough and it has already surpassed 2028 to 2030, you need to start acting now.

But Why? Why do you need to start acting now?  Because the quantum computer is not here. I need to mention the terms about ‘Harvest now, decrypt later’. This is an attack, where some people are tyring to steal your encrypted data and they are not going to do anything about it but rather just store it.

Paul Jackson: Right, and then wait for the technology to be sophisticated enough to be able to unlock it to use your key analogy.

Cathy Chan: Yes, when the quantum computer is ready. The important thing is at the time, your data is still valuable to them and they can still sell it to make money, then you’re already at risk and you need to start worrying about it now.

Paul Jackson: But I mean in reality though who is going to be doing this? I understand it from a nation state point of view. Right they’ll be looking for state secrets. Perhaps also as you said medical history is going to last forever, right? So maybe they’re looking for medical history on politicians or famous people, right? Is it really something the average person needs to worry about, or is it just nation state?

Cathy Chan: I think so, because the problem is actually we are doing some as a security consultants we are doing some monitoring on dark web actually. Even organisations as you mentioned like average companies, yes their data is still valuable right? Someone still wants the data, and especially if it is personal data. These are the data set and everyone wants so that they can sell it for money in that way.

Paul Jackson:  Right. I guess if it’s worth money then they’ll do it. So, this ‘harvest, harvest now, decrypt later’. Wow. Fascinating, but you know going back to the criminal groups again, I mean do they are they really good at quantum computer? So how can your average hacker have a quantum computer? Surely these things are going to cost millions, right? So again, isn’t it really only nations that are going to be doing this at least initially?

Cathy Chan: No, I don’t think so. Because, the companies who are building the quantum computer is not from nations, maybe they were subsidised by nations, but actually they’re building it for making money.

Paul Jackson: Got it.

Cathy Chan: When one day the technologies become mature enough and, mature enough for them to make money to pay back. I think there will be something like quantum computer, the service. Something like this service provider, just like you don’t need to build your own LLM in order to use AI.

Paul Jackson: Got it. Yeah, so in other words you just rent.

Cathy Chan: Yes, you can rent it, you can buy the servers from people who do have.

Paul Jackson:  Do you not think that there’s some way they could put controls in that they have to prevent the quantum computers being used to decrypt, you know.

Cathy Chan: Yeah, I believe so. Yeah. There will be some strict requirements or compliance or policies against who is going to rent it. But I think one day when the quantum computers or technology become cheap enough maybe fifty years or hundreds of years later. Yes, It’s really become widespread in every corners of the world and that time you can’t control it.

Paul Jackson: Yeah, wow there’s a lot of food for thought here Cathy. I’ve got to say, you know it’s kind of creeping up on us because you mentioned 2028 right? As the earliest. Yeah, that’s three years away. Yeah, well not even three years away because we’re almost in 2026 now. Wow, so what can organisations do to build effective quantum readiness plan? What are the first practical steps towards I guess we could call it cyber. Sorry. Quantum agility.

Cathy Chan: Crypto agility. Yeah. Crypto agility, okay yeah, I think actually I need to mention one thing NIST, our national institution of standard and technology. They released some four new algorithms, which is called a quantum resistant algorithm. They just want the market or the word to start preparing for changing their data, data protection or their algorithms for the encryption method to these kind of quantum resilience or resistance algorithms. So, I think as or now, it is not a one click process that you just click and then everything would change. So what is an effective quantum readiness plan?

I do think that you first need to know what kind of data you have and where your data resides, how is it being encrypted, with which algorithm and also with the data leaves your controls and environment across nations or how far they will route to external environment. You first need to have the visibility and then you need to have the inventory of what kind of encryption or cryptography set exists in your environment protecting your data

Paul Jackson: Yeah, I actually was speaking at a conference, run by the network Forum for bankers just recently. And of all the topics I raised, I was the only presenter on cyber. Of all the topics I raised, this one raised the most eyebrows. I think a lot of people are totally unaware and they’re not really thinking ahead in terms of this data you know, it could be unlocked in a few years’ time. And what’s going to be the impact on us? Confidential information, account details, you transaction details. That was supposedly confidential at the time, it’s pretty scary, isn’t it? Well are the regulator’s picking up on this, you know are the regulators starting to enforce in the banking world, for example, for the banks to be taking steps to being, ready,

Cathy Chan: The market is expecting it. The strict regulations or compliance requirements

will appear sometimes maybe around 2030s. But the problem is what the earliest time that we mentioned just now is 2028. I think things may work faster or may may go faster, but the problem is actually the standard or even they release a standard, the market is still haven’t kept up.

When we talk about regulations, we need to make sure that it is feasible. The problem is when the hardware or the technology need to do with the new algorithm, the new regulations, they need to in order to increase their performance, the solutions or if they need to wait. A lot of computing power is needed when they you adopt the new algorithm, so the problem is the markets haven’t kept up.

Going back to what you mentioned, what is the plan? First you have the feasibility but nothing I can do, I need to wait for our vendors or supply chains that need to get ready then I need to start. The term that we mentioned just now is crypto agility, you need to get ready for the change. You need to review your current workflow, you need to review which team is actually doing about the keys, the cryptography, the certificate that you need to figure out the current workflow and then try to automate it, trying to adopt it. Maybe, solution or some automation change in order to adopt the change.

Paul Jackson: Right before we go and talk about some of these solutions and distinguishing marketing hype and things like this. Just pause for a second just to ask,  our audience listening today to please do click on the like or subscribe button because we’re trying to push out very important information to the community here and your support really helps us. So please click the like and subscribe buttons. Now Cathy, before we go into that, just tell me I’m a bit curious because you obviously live and breathe this. You love this, right? Don’t you? I can see it, by the way we are in person here. I could see how passionate you are about this subject which is great, but how did you actually get into this? Did you come with a cyber background?

Cathy Chan: Yeah, because I actually I graduated from computer science, and started my career as programmer for a few years and then I jumped into the field of cyber security and now it has already been 10 years. I can’t say I am really have progressional or experienced people in the field but I can feel that cyber security is really an interesting field that we always have new questions and problems to be solved.

Before I touched quantum computing, I actually touched with certificate. First, I help our customers to automate their certificate management as actually renewing certificates sounds easy but it is actually the pain points for many of our customers, and from this point I start digging into it and why we need to renew the certificates. When I touched the quantum computing and knowing that the cryptography is going to change in a few years and that is why I jumped into studying, not studying but more learning about the quantum and the quantum computers and also script cryptography.

Paul Jackson: Wow. It’s a great journey, though.

Cathy Chan: I mean, yeah, it’s interesting.

Paul Jackson: Yeah, I could see it written all over your face, you know that you clearly love this. It’s fantastic that we got somebody here in Hong Kong who can explain this clearly, who can help clients who really are trying to navigate this and just beginning this journey. So, when we talk about that, there’s obviously going to be a lot of, I guess marketing hype because much like AI, companies are going to jump on this, they’re going to realise that there’s a market, there’s potential money to be made. So how do you know, clients or companies that are looking to be safe in the post-quantum world? How do they choose vendors and what should they be looking at for solutions?

Cathy Chan: Okay. Yes, I think first things first they need to define or they need to explain how they will become quantum ready. If the companies or if the vendors the product say that they are quantum ready, 100% quantum safe, I think that we need to doubt that because even the scientist who are building the quantum computers don’t know the capabilities of the quantum computers.

NIST actually released a new algorithm , they also have a sentence at the end of their announcement that we can’t guarantee these new algorithms safe forever but we will work on the bigger plan. To define wild marketing hype or something, you need to know the story behind how they get ready with the new algorithm or get ready with the quantum era.

I think first of all, maybe they need to know how they are going to deal with the performance impact, when they adopt the algorithm, so understanding the story behind knowing which algorithm they are they are using to protect, your data or their data is important to define. Which of them is just a marketing high, but which of them is really the solution that they are helping you.

Paul Jackson: Wow. Yeah. It’s going to be challenging, isn’t it? Because, you know we’ve already sort of realised in this conversation this is not going to be easy. I was fascinated by something you just mentioned about NIST with their new technologies, they’re saying that even this may be broken in the future.

Cathy Chan: Yeah. Because no one can tell the capability of how powerful the quantum computer can be. We can’t exaggerate it too much because they are still doing a lot of error detection so the quantum computer are still experience a high error rate. We can see that some recent news that this may not be happening very soon, none of us can tell except for the companies that are building the computers. There is no 100% security, no 100% safe in any kind of environment

Paul Jackson: No, you’re absolutely right. I guess it’s something that we can only find over time which is a little bit worrying. Now, you mentioned about certificates, right? That’s obviously critical. That’s something your company Cyber Force is heavily involved in, ensuring that organisations are able to have secure certificates that are future proof, if I can say that or future proof to an extent.  Can you explain a little bit more about that? The importance of certificates and what they used for and what you actually do to help organisations to stay ahead?

Cathy Chan: Okay so, certificates let’s say, because there are many kind of different digital entities with certificates that we are mentioning is mainly a TLS public cert that we are using, for example, some external facing websites. You can see the certificate there, that is actually protecting the data transfer, the transition in and out.

The problem is what we are dealing with, I think I can mention a news, I’m not sure if this is news, but a CA browser forums is actually confirmed to the shortening the public cities certificate lifespan to 47 days in 2029. I think I need to let the audience know that most of our companies is now dealing with one year certificate usually, so renewing the certificate is usually a yearly practise and in 2029, its become the quota, maybe you need to do it every quarter.

Paul Jackson: Are organisations doing this on the whole or are they kind of ignoring it?

Cathy Chan: Yeah, most of our customer is actually adapting to this change, they are adopting some certificate lifecycle management solution that is actually helping them to adapt to change, become crypto agility. Even the algorithm keep changing from time to time, you need to have something automated. I still have something changes and will be real quick.

Paul Jackson: Okay. Now, we first met at a recent conference which was focused on AI and actually you gave a brilliant presentation which is why we’re meeting now you know, all of the topics we discussed today. But you also spoke about AI, right? And, the role of automation and AI in supporting quantum resilience. Now, is AI supporting quantum resilience, or is it making the quantum computers ability to crack the encryptions faster and easier? Is it our enemy or our friend? In other words.

Cathy Chan: I think both because you can’t tell if AI is a good or bad person, it is neutral person, we can’t blame AI. But the problem is, I actually have a little funny story that I have, a struggle linking the quantum computing with AI in the first place. The problem is, when we are doing AI the two paths are working in parallel but sometime AI is helping quantum to build faster but at the same time maybe the quantum computer can also equip AI running a more capable way.  So when you mention just now, is it helping or is it holding back people, what kind of direction is it going, is quantum computing and AI helping each other?

I think there is a different dimension that we can dig into, but the problem is how is AI and it is helping quantum computing so that we can see from some quantum projects. They now have a term called quantum AI, it is a combination of both of them. But, it is really making some breakthrough on the development of quantum computers, like in their error correction, noise reductions that actually push the quantum computers development much faster.

Paul Jackson: Yeah, okay and does it also affect the ability to decrypt I mean, to correct. I mean, you know what is the skill set behind that is it just computing power or other clever techniques that AI can develop to make the decryption faster, not just relying on computer power.

Cathy Chan: I think it is both way they can decrypt, AI now doing the decryption faster because they still rely on the qubits the quantum computer which is not mature right now. There’s still years to go so I think AI can speed up, but they are not going to help it decrypt our current algorithm faster.

Paul Jackson: Right, so if I’m setting up an average company right now, how could you help them? I mean your company how could you help them? If somebody is listening to this goes, oh crikey I haven’t done anything to prepare for this Q-Day, this horrible word that’s becoming a buzzword, you know, how could you help them?

Cathy Chan: Okay, so I think the first step is to know your environment. So, the first step I think for now when we touch to our customers who is really worrying about it, we need to first start with, building the inventory for them. Feasibility is our first step you need to have before you gain control.

First of all, you need to have a centralised inventory. You need to know Seaborn. Seaborn is cryptographic built of materials in your environment, this is the first step, and then the second step is control. You need to know their key length, you need to know how secure they are right now and moving forward. Maybe, you need to explore whether they can do it, do the encryption or cryptography in with a hybrid model, meaning we can do the classical AI where from resistant algorithm together. Which is the cloud vendor is doing right now already because, they host many important access on the cloud. They are doing the hybrid most of our crypto cryptography nowadays.

So I think at the advice for them is to try our very best to automate any procedures for example when you need to change your certificate, you need to change your algorithm, you need to change your key, do it seamlessly and do it with minimal effort. Don’t make for example, for a company nowadays, use two months to change a cert, right? So this is important, it is impossible to run it in this way in the future.

Paul Jackson: Do you resell or do you develop and automated tools that can make this process efficient.

Cathy Chan: We just resell

Paul Jackson: Fair enough. But there are tools to it. The point that I am trying to make are that there are tools out there. That can help because that sounds like a heavy lift right? To do those the work that you just mentioned, and I’m sure there’s a lot of organisations listening to this who think yeah, that would be very helpful for them. It’s, a bit of a drain. Is there anything else that companies should be worried about. You know, because there’s a lot of small companies here. Is there anything you should you know anything else they could be doing to prepare or does that cover it?

Cathy Chan: To prepare, I have some of our cases that now we’re looking for some the bridge attack simulation tools that actually they put in some quantum elements inside. Of course, they don’t have to. Yeah, quantum computers themselves but actually the attack can be simulated in some ways. So, some of our customer is looking for this kind of solutions. We can tell it’s just a security validation or a bridge attack simulation tool that they can think of. They don’t need to buy the products. They can just buy some subscription service that we can run against your environment. And actually, you know where the points are that you need to pay attention to.

Paul Jackson: Do you incorporate that ever into. Because obviously we at THEOS we do crisis exercises for companies but more on the traditional side, you know is it ransomware or is it a data you know, whatever kind of incident insider threat. Have you ever run those kind of or been involved in those kind of exercises with clients where the scenario is about a quantum computing attack that breach there some form of encryption in their environment?

Cathy Chan: I mean, I’m not really, retelling something very solid, but I know that some of the attacks will be like, key distributions. I think that we need to dig into this more.

Paul Jackson: You triggered my thinking on this. There’s definitely a need. I think for crisis preparedness around this because having listened to you for the last 30 minutes or so, I think this is, definitely a big deal. And it’s something that needs to be taken seriously by organisations. At the beginning of our conversation, you mentioned that predictions range from 2028 through to 2035 roughly. What about you? What’s your prediction? I’m going to put you on the spot here. When do you think Q-Day is going to happen?

Cathy Chan: I am going to pick a medium number. As a cybersecurity consultant, I hope this can be can be comes earlier, just joking. But the problem is, I think it’s welcome because I’m actually there a different voices set. I mean also doubting is it really coming is it really something. Is that going to happen?

Actually, we don’t know. But the problem is with the money that has been invested into this field, even some national alliances, they put it in the scope. We can see in some polls that our tech giants, they also start mentioning about this word, so I don’t think that they would suddenly quit from this development.

But the problem is, I think the question shouldn’t be should we worry about it. But the problem is, I don’t think the question should be can we afford to wait? Because, there is something that feels radically feasible there is some things that are already building and, actually, is supported by physics. So I think we need to get ready for it as soon as possible.

Paul Jackson: Oh, I definitely agree. And I think Cathy the work that you do and the work at Cyber Force is going to become increasingly important as we approach that dreaded Q-Day. And that’s going to be big news as and when it actually happens of course we’ll see what happens then and whether it is another one. Well looking forward with trepidation I should say.

But one thing I’m convinced about is having heard you speak on this and obviously having you know spent time with you today. I know we’re going to hear more from you in the coming conferences here in Hong Kong but just a quick question though. Do you support outside of Hong Kong? Will you just focus on Hong Kong at the moment?

Cathy Chan: Mainly on, Hong Kong, China, Macao.

Paul Jackson: It’s because our audience is around the region. But if they wanted to get hold of you I guess that you would be, helpful no matter where. Well, it’s been a real pleasure having you on the show today Cathy. Fabulous episode of frightening and enlightening information about something that’s poorly understood I would say across the industry.

So you know I really appreciate you giving up your time to be with me today, but I always ask my guests before I close up because as I explain often my way of unwinding is to listen to music and I am a music lover, I always I’m always curious what my guests are currently listening to. So, perhaps I could ask you Cathy, what music are you currently listening to?

Cathy Chan: If you mentioned about currently I’m really thick into the children’s songs. Cocomelon because my son is that love dancing, just singing.

Paul Jackson: Doesn’t it drive you nuts, though?

Cathy Chan: Yeah so I now when I’m dreaming, is to the children’s on the wheels on the bus. Yeah. It is coming up in my dreams, but wheels on the bus. Just kidding. As for myself, I usually listen to Kenton pop

Paul Jackson: So you’re not with the local, trend of K-pop, though?

Cathy Chan: K-pop. I listen to Blackpink.

Paul Jackson: There you go. Yeah, it, energetic.

Cathy Chan: I know when you works in the late nights, that is. You want to fall asleep? Just, open a music videos, Blackpink. And you have become energetic again.

Paul Jackson: Good to know. Good to know. Cathy, thank you so much for joining. And I’m really honoured because you told me this is your first ever podcast. So I’m so honoured that you chose to do it with me. And thank you. Thank you very much for your time today, Cathy.

Cathy Chan: Yeah. Thanks, Paul.