Brian Miles, a cybersecurity expert at AT&T, is interviewed by Yuval Boger. Brian and Yuval discuss AT&T’s Quantum Security program. AT&T aims to be “quantum ready” by 2025, meaning they will understand the security gaps posed by quantum computers, have mitigation strategies, security policies, and a security architecture in place. Brian emphasizes the importance of awareness and education about quantum computing, the potential for quantum-enabled services for customers, the ongoing risk of quantum attacks, and much more.
Full Transcript
Yuval Boger: Hello Brian, and thank you for joining me today.
Brian Miles: Hey Yuval, thanks for the invitation.
Yuval: So who are you and what do you do?
Brian: My name is Brian Miles, I work for AT&T. I am in our cybersecurity organization within AT&T and I am focused on quantum security, getting AT&T prepared for the onset of quantum computers.
Yuval: How long have you been doing this for AT&T?
Brian: So this quantum program, it really started as kind of a, maybe a side, I don’t want to say side of my project, but kind of a secondary project, I will say. And that was about five years ago. And we just, we kept at it, kept educating ourselves, me and one of my peers. And then, you know, in the last couple of years, it’s now a formal project within AT&T. And this just continued to grow. We started off with our program built around three pillars, as we could find out. Now that has turned into 10 different work streams that we’ve got going on and all the different aspects within AT&T. So yeah, there’s been a lot of growth and a lot of activity in the quantum security part of AT&T.
Yuval: Obviously, we’re doing quantum security and I could imagine that AT&T is looking at quantum communications. Is there also sensing and computing thinking or activity at AT&T as far as you know?
Brian: Yeah, so we obviously are part of the cyber security organizations, so cyber security is first and foremost in my mind. But yeah, we are a telecommunications company and obviously, there’s some effort behind security communications within AT&T. So we also add a fair amount of AI, used internally, kind of behind the scenes in some of the services we offer. So quantum computing, and you’re using large data sets, so quantum computing offers some capabilities to be able to speed up the training and the throughput of those models.
Yuval: So really the full spectrum. I read someplace that AT&T aims to be quantum ready by 2025. I don’t know if that’s the correct date, but what does it mean to be quantum ready from an AT&T perspective?
Brian: Yeah, so quantum ready in 2025 is the date that we have stated publicly. So what it, hate to start off with what it doesn’t mean, but I just want to make sure, make this point clear. It does not mean that AT&T is going to be fully quantum-resistant, quantum secure by 2025. However, what it does mean is that we’re prepared, and we’ve done our homework. We understand the security gaps posed by quantum computers. We have mitigation strategies for dealing with those. We have security policies. What every large enterprise has, I’m sure pretty large security policies about how to go about securing assets within a company, we do as well.
So you need the security policy in place for these new cryptographic requirements. We have to understand our risk. So we have such a large footprint of IT infrastructure. There’s no way to secure all of that and to just do that within a few years. So prioritization becomes very important. Using risk modeling or risk quantification or some other form of criticality assessment to prioritize our work efforts is very much required. So understanding that by 2025 is definitely important. We’re also involved in a number of technology evaluations and that’s going to continue on. We’ve already been at that for a little while now. And that’s just about not only understanding the technology, does it do what they say it can do and those kinds of things, but also looking for solutions for AT&T like for us to implement within the company.
And also potentially maybe there are some product or market opportunities that we could partner and collaborate on. And then a couple of the big things, a couple of things I guess near and dear to me are the cryptographic inventory and agility. So we definitely have to have this inventory and be collecting this cryptographic inventory by 2025. And the crypto agility, that’s the end game you want to get to. So that’s putting the automation in place. That’s getting, I guess, the capability to change out cryptography quickly on short notice with little impact to all the existing applications. So having an architecture defined by 2025 is a key part of that.
Yuval: In your opinion, how long do enterprises have to get ready for quantum? I know you’ve been describing a process that took a number of years. If you were speaking with a friend who runs cybersecurity at, say, a national bank, do they have to get started already? Should they have started two years ago? How long do they have?
Brian: Hopefully, if they’re involved in a national bank in that, it seems to me of the different industry sectors, my sense, the financial sector is maybe a little bit ahead of the just general industry, it seems to me. So that’s a good thing. But you know, the fact of the matter is we don’t really know when this cryptographically relevant, a lot of the computers are going to emerge. And so a couple of years ago, I think there was a census of the 2034, 2035 type frame. Now at least my opinion, I think we’re more of that 2028 to 2030 type frame.
But you know, the factory managers don’t really know. I would say one of my colleagues brought this up one day. It’s a good realization or rationalization for some security efforts. Even though it’s not likely for another five or even seven years, there’s still a non-zero probability that it could happen in the next year. So we just risked modeling a couple of years ago and that was one of the things that we exiled from the past.
Then if you look at the whole harvest now, decrypt later problem, that’s the first quantum attack arguably, and that it’s happening now. That’s where these bad actors are harvesting data and gobs of it and storing it away till today it’s encrypted with today’s technology. So some data has a long lifespan. At some point in the future, these bad actors will be able to encrypt that data. And that’s a big issue. So that alone is a reason for companies to start. And especially companies that have sensitive data that needs to be protected to start getting on this quickly.
Then if you just look at SHA-1, just from a general industry perspective, how long did it take to get rid of SHA-1? That was proven to be vulnerable a long time ago, 15 years ago or so. We’re finally just in the last couple of years, I imagine it’s still out there, but we’re finally, as an industry, getting rid of SHA-1. So look how long it took for that one algorithm out of the industry, out of the ecosystem. Now we’re talking about not one, but lots of different algorithms and kind of a complete change or a complete paradigm shift of technology changes.
Yuval: Is there a customer-facing side to this? Would you be able to offer quantum-enabled services to your customers based on the work that you’re doing internally?
Brian: So there have been some conversations with our product development team and some of the marketing folks. I would expect there will be something along that lines, but this is my opinion, that’s another part of the business that I’m not really involved in, at least making decisions there. But we are absolutely having a conversation with some of those people.
Yuval: You’ve been doing quantum security at AT&T for a couple of years now. When you think about the accomplishments of your team, something, of course, only the things you can talk about, is there something that you’re particularly proud of?
Brian: Yeah, so early on, you know, one of the things that was utterly apparent was there was almost no awareness. So we started an awareness campaign probably a year and a half ago now. And that awareness campaign has been all about making the AT&T enterprise aware of not only just what quantum computers are in general, but some of the impacts that people have on AT&T, both negative and then positive. Not just to AT&T, but positive to society. Now there are a lot of really interesting capabilities within quantum computers and new medicine development, simulating chemical processes, maybe we can, you know, start making, for example, maybe we start making fertilizer way more efficiently. Right now, fertilizer production takes something like one to two percent of the world’s energy supply. So, if we could start doing that, you know, way more efficiently, I mean, those are some good things. Medical devices, medical technology, I think there are some really good capabilities that I’m going to come out of the problem that realm. Um, so I think there are some very positive things that come out of it as well.
Yuval: To what extent do you have to educate customers? I mean, do customers come to you and say, Oh, we heard about quantum. What are we going to do about it? Or is it the other way around where you have to go and say, well, there’s this thing called Shor’s algorithm, and this is what it could do to you. So you should really be thinking about quantum. Where, where is the market in terms of education?
Brian: I think the market is starting to catch on and I think a lot of companies have maybe assigned a couple of people to start looking at it. I would still, I guess my sense is that, and there are still many people to look at, but maybe not so much on the action front. I think companies really need to get on the ball largely and start putting things in place, putting strategies in place, and starting to do like we’re doing: the technology evaluations, defining the strategies, building an inventory, all those kinds of things. I don’t think from what I’ve gathered in front of the companies I talk to, I think there’s a little bit of motion there, but I’m not seeing a lot of action yet, really.
Yuval: There’s a lot going on within AT&T, but what would you like to see other industry players do more of, or perhaps develop faster than they are today?
Brian: Yeah, so AT&T has a pretty big footprint, so we have relationships with a lot of different vendors, all kinds of things to help AT&T manage our business. One of the biggest things that I would like to see more of is I would like to see some of these more prominent, mature products in the companies that own those products start developing and start integrating some of these post-quantum solutions or crypto agility or crypto inventory and those capabilities, those features, into their products. I’ve seen a little bit of traction there, but not nearly the amount that I think we should be seeing by now and the amount of need that’s, you know, I guess, in that area.
Yuval: And last, a hypothetical: if you could have dinner with one of the quantum greats, dead or alive, who would that person be?
Brian: That is an easy one to answer and actually I’ve had this conversation with one of my peers here in the final program: Paul Dirac. He just did a lot of really phenomenal things if you think back to the time when he was doing a lot of that. It’s just really incredible how much of a genius he was. And I don’t think most of everybody knows Einstein, but I don’t think people realize guys like Paul Dirac and some of these others, Heisenberg, Schrödinger, and the impact that they have had on society as well. You know some of the things that they felt about, and discovered are just absolutely stunning and phenomenal.
Yuval: Wonderful. Brian, thank you so much for joining me today.
Brian: Thank you, Yuval. It’s been a pleasure being here and look forward to talking to you again in the future.