Rebecca Krauthamer, co-founder and Chief Product Officer at QuSecure, a company focusing on addressing the quantum security threat, is interviewed by Yuval Boger. Rebecca and Yuval discuss QuSecure’s products that help organizations adopt post-quantum cryptography without needing to rip-and-replace existing infrastructure, ethical considerations in quantum technology, and much more.
Full Transcript
Yuval Boger: Hello, Becca. Thank you for joining me today.
Rebecca Krauthamer: Thanks so much for having me, Yuval.
Yuval: So who are you and what do you do?
Rebecca: Well, my name is Rebecca. You can call me Becca. And I am the founder and chief product officer of QuSecure. And what we do is we kind of solve for the quantum threat. So we take the problem that everybody knows about and we make it manageable.
Yuval: How so?
Rebecca: How so? That’s a great question. So we’ve been working on this for quite a while. And what we understood when we started out, and this was back in 2019, was that this is a necessary upgrade cycle. And just I’m sure most people are now aware of what the quantum threat is, but high-level, right? It’s the idea that a sufficiently powerful quantum computer will be able to break public key cryptography as we know it today. And luckily this is for now largely a solved problem. NIST has been working on standardizing the post-RSA world of algorithms. So what we understood is that this problem affects all data in transit, right? It’s a necessary upgrade. Everybody is going to have to do it. And we have to make it possible for people to do it now because of course there’s the immediate threat of store now or harvest now decrypt later for today’s data. So it’s not just waiting for that farm computer, but it’s a today threat.
So to end, long story short, when we started out, we kind of architected a product that is software-based, highly scalable, and something that at the core of all the design decisions we make is something that enables organizations to be able to adopt this on a broad scale simply that is compatible with their existing architectures and infrastructures. And that is what we do. We deliver to organizations and we work a lot with the government as well as a product called Kubertech that does that. So what we focus on, I think that’s a fair analogy.
Yuval: You’re describing it almost like an antivirus, where the upgrades happen once in a while because there are new threats. Am I reading this correctly?
Rebecca: Well, encryption upgrades are not new, right? We’ve been doing this since the ’70s, probably a long time. And each time they’ve kind of been taken as this point-wise, rip and replace, we got to take on this big migration. The problem with that today is one, we don’t know what we don’t know about quantum. We also don’t know about AI and all these technologies are moving faster and faster. So it’s likely that encryption upgrades will have to happen on a faster and faster scale. Because the threats are here today. And we can’t wait. And we can’t take this as a big rip and replace. So hence the idea that you can put it on top of your existing infrastructure. You don’t have to do that rip-and-replace.
And to your point, it’s kind of like these periodic upgrades. We really focus on this idea of crypto agility, cryptographic agility. And so what we do at the core, it’s beyond even a post-quantum cryptography or quantum resilient cryptography product. It’s actually enabling organizations to say, I want this kind of post-quantum cryptography here. I want this key length here. And enabling them to swap out the cryptography and take control of the encryption for their data in transit. So that’s kind of the– yeah. So you are then able to upgrade when need be your encryption algorithms. You can also upgrade them for good, right? If you want higher strength encryption in certain places, say I want to– for iMessage, I want higher encryption than for my email, whatever it looks like to you. So just have full control of your cryptography.
Yuval: And that doesn’t have to be quantum-specific, right? I mean, if I find something that’s not necessarily about quantum, I could just upgrade that as well. Is that correct?
Rebecca: Yeah, that’s spot on. Right now, we’re talking about the migration from pre-quantum to post-quantum cryptography. But it’s likely that, yes, there will be other algorithms post these. We also work with certain customers who want to bring their own cryptography. And so that kind of modularity and ability to this big hairy problem that people get nervous about because it’s like, okay, how do I solve the whole problem today? And I think, you know, the message that we try to get across is not everything needs to be properly encrypted. If you have a weather application, that’s all public data, right? There’s no store now, decrypt later threat.
Yuval: Where do you see the pickup for this product? What kind of applications or is there a specific kind of customer that you see more traction than others?
Rebecca: So the industries that we really see moving quickly, it’s the public sector, so it’s government, and it’s the financial sector. And you can imagine that both of those sectors have a really vested interest in protecting data that exists today, national security secrets, whatever it is, bank account information for a long period of time. So those are primarily the sectors that we see moving. Yeah, that’s a great question. So the way that we orchestrate, we do it in a couple of different ways, but really we use a key distribution center model and then sort of a mesh architecture that gets out to every connected device.
Yuval: Where is the software installed? Is it just on the endpoints? Do you have to install it on the routers and switches? I mean, is it equally easy to do it on all kinds of devices?
Rebecca: So you don’t have to install it on the switches and routers. It’s all software based. And so you really kind of can deploy it wherever you need it to be. And that takes a couple of different software-oriented forms. But really, for example, we have a part of the product called QuEverywhere that can get out to browsers and mobile applications without any installation for the end user. Think you’re a bank. And like I do my banking online, on my phone, with this product, something like Chase Bank can offer this out to their end customers so that all of their data transactions become post-quantum encrypted without me as the end user having to download or install or change my behavior in any way. So that’s kind of one of the sides of it. But the idea is you don’t have to install anything or break out any hardware or software that you already have going.
Yuval: What’s the backstory? How did QuSecure come about?
Rebecca: Yeah, it’s been quite a journey. I’ll tell it from kind of my perspective. There are four co-founders. And we all got together in like 2018. And my background, I came out of an AI world. And so I was– it was one of our co-founders, Skip, who brought the idea to us. And he was like, hey, this quantum thing, let’s check it out. And so I was coming out of the AI world. And I had enough implementation experience to start to see the delta between what we can do in theory and what we can actually achieve on today’s classical hardware. And so for me, quantum represented this big, cool thing that’s going to unlock so many doors in AI and technology broadly. And so I was like, yeah, let’s do this. All in.
What we did first was we started a venture studio. And the idea was to– it was a bit of a venture fund and putting resources towards projects coming out of academia, moving them towards commercialization. And I think through that journey– we were working on actual quantum applications, but we understood, I think before most people saw the threat that the quantum computers were a threat to encryption, that it was a today thing. There are a lot of really amazing thought leaders that were starting to talk about it– Jack Hidary.
And so we started within that venture studio working on this kind of defense against quantum computers project. And it just started to take off. We got our first government contract almost immediately. And it just, we all just understood that we had to go over and do this thing. And it’s just been kind of a rocket ship ever since. So that was really the birth of QuSecure here. Yeah, great question. I think one of the cool things I love is, again, you don’t need to fight quantum with quantum. I think a lot of people are kind of stuck in the idea that you do. So everything that we are doing is classical. And to your point, that’s a bit more of a crowded area. But again, it’s not solving for quantum. It’s not just a post-quantum thing.
Yuval: Where do you see the IP, if I may ask? What’s unique about QuSecure as opposed to other sort of software updates and distribution approaches?
Rebecca: So the broader picture, I think, is in the cryptographic agility. But the way that we orchestrate also enables zero trust migration, which is, of course, a huge thing right now. There are a lot of mandates around it. And Zero Trust, really what it does is it helps take some of the human error out of cyber. And so I think there’s a lot that we work on in that space. We also– I think it’s pretty amazing to be able to– when we started out, the idea was to be able to address all data in transit or as much as we possibly could, because it’s an all data in transit problem. And so the way that we are able to get out to every endpoint or every connected thing, that, I think, is pretty cool and novel, right? And a lot of times, without actually affecting any of the end users, it’s an invisible experience. And then, of course, the legacy compatibility is a huge piece of it.
Yuval: You mentioned that you came out of the AI world and there’s a lot of discussion these days about the ethics of AI. Do you see parallels in quantum as something that you picked up and learned in the AI world about ethics also applicable to quantum?
Rebecca: Oh, 150%. And I love that question because it’s near and dear to my heart. I really, a large part of why I got into quantum and AI even initially was these technologies, technologies are multipliers, and they’re going to have such an impact on us. They’re already having an impact on us. And so we have to build for an ethical future, for a human future. And the ability to be in at the ground level in quantum when they’re really, it’s just starting to emerge as a technology, for me, from building ethical technology standpoint, that was just such a cool opportunity.
And I’ve had the opportunity to work with, before I got into quantum, I often acted as a subject matter expert for– I helped build the first Coursera course in ethical technology development, did a lot of exam authoring for university courses in ethical AI, and most recently got to work with the World Economic Forum on issuing a set of governance principles for quantum computing development, ethical quantum computing development, which I think was an awesome experience. And you really do see in all of those discussions we had around, OK, how is quantum different and similar to AI? And I think we found that in a lot of ways, to the extent that we understand it, we can take a ton of learnings from HPC, from AI. I think the flip side of it is– and we see this now as things like ChatGPT are becoming more and more popular. We don’t know what we don’t know. And we have to build frameworks that help us adapt to whatever comes our way.
And I think that’s especially true for quantum, right? Quantum is a huge multiplier in the way that it scales. And so when we think about building ethical foundations, you know, kind of like crypto agility, we have to be able to adapt and we have to be able to adapt to unknown futures. So I think we have to be very serious about it. We have to build into the very roots of quantum, thinking about the future, and not just, you know, when I think about data security, right?
For me, right, coming out of AI, there is no AI without data. And so data security is kind of a foundational, like if there’s a Maslow’s hierarchy of needs in terms of technology, the foundational level is getting data protection right. And so that’s why, you know, I love QuSecure so much. And I think there’s, the second tier is we have to think about what we don’t know yet, of course. And when we have a fault-tolerant quantum computer that can break something like RSA 2048, we also have like a 4,000 qubit fault-tolerant quantum computer, and that thing can do amazing stuff. It can also do data analysis in ways that we cannot imagine, right? So you think about a lot of us have taken 23andMe, so our genetic data is out there. We can only get so many insights today, but we have to think about protecting that data in terms of what a quantum computer might be able to do with that data in the future. So I think there’s a lot to unpack there, but it’s both. We have to take it very seriously and learn from our journeys and other technologies like AI, and we also have to prepare for the unknown.
Yuval: Is the primary ethical issue for quantum that it creates a disparity between those that have it and those that don’t, or is it something else?
Rebecca: That’s a large part of what we were discussing in building these governance principles. I think one thing that excites me about quantum computers is, unlike the classical computer revolution, where there were kind of haves and have-nots, you still see that with quantum. But I think because right now it’s pretty much all cloud-based, anyone can get access to it if they want. There are still issues, but I think that’s very cool. It’s a lot more democratized just starting out the gate. We can get into the arena of maybe one country or area will have it before another. But I actually worry less about the haves and have-nots of quantum. But I do worry more about who has access to education around it. And I think that’s a big area that a lot of us in the quantum space talk about how to get the information out so that everyone can use, leverage, and take advantage of this technology.
Yuval: How is the World Economic Forum involved? What do guidelines look like for ethical quantum?
Rebecca: Yeah. So, I mean, the World Economic Forum does a lot of thought leadership, right? And I love it because being here in the US, we often think of quantum development from a, at least I do, from a US-centric place. But when I work with the World Economic Forum, it’s the whole world, right? So thinking about how it affects everybody. A lot of the guidelines, they’re guidelines for the governance of organizations, educational institutions, government, et cetera. And they really, a lot of them followed kind of ESG goals and also a lot of learnings from AI and a lot of the frameworks that have been put in place, some of the more famous ones around AI governance. So I think it’s frameworks that people understand, right? Kind of adopting ESGs. And so you can think of sustainability, you can think of education, you can think of privacy in terms of quantum and kind of shift that framework that you have a reference for into the quantum realm.
Yuval: From a professional standpoint, what keeps you up at night?
Rebecca: You know, I’m so embedded in QuSecure. And so of course for me, the quantum threat is ever present. And I think, you know, what keeps me up at night is the pace of adoption, I think needs to speed up. There are so many things on cybersecurity leaders’ plates. There are so many things on, you know, there are so many things to solve for in the world that this one can often slip to the bottom of the radar. But it just is a fact that we are all sharing so much more data than ever online. And I think most people are not thinking so much about how that data ultimately gets used and the privacy of that data.
And so I think that because we face that Store Now Decrypt Later threat, I heard a talk by the CTO of the CIA, and he was talking about the quantum threat. And he said, “Everyone’s going to wake up in several years, and we’re all going to have experienced a personal WikiLeaks moment.” And I think that stuck with me. So what keeps me up at night, I think, is the pace of adoption. I would love to see a lot of industries adopting faster and faster: healthcare, our electronic health records, sooner than later. That is my personal nightmare, that we don’t move fast enough.
Yuval: Going back to where we started, if an organization wanted to address the quantum threat, they still have to go through an inventory process, prioritize the systems that they want to protect, and only then they could go to QuSecure and say, “Hey, could you help us protect this link?” Is that about right?
Rebecca: There’s discovery, inventory. We actually bypass a lot of that. And so you don’t actually need to identify all of your instances of encryption and da-da-da-da. Because of the way we work, we don’t actually rip and replace anything. We overlay. So it’s basically, if you do an inventory, if you do discovery of which of your encryption algorithms are vulnerable, it’s going to come back all red. All asymmetric encryption is vulnerable. So we actually bypass that step because of our software overlay. And we oftentimes will work with clients who come to us and say, hey, we’re very concerned about this. Help us prioritize which systems we need to work on. And so we will work hand in hand with customers to do that. And we’ll start with one application. We might go to more and more from there. Again, you don’t need to eat the whole elephant in one go. You can start with your highest-priority applications first. But to answer your question, yeah, no, actually, you don’t need to start there, which I think surprises a lot of people. You don’t need to do that big heavy lift internally first.
Yuval: And last hypothetical, if you think about the quantum greats or the cybersecurity greats, dead or alive, who would you want to have dinner with?
Rebecca: You said quantum or cybersecurity? Well, I mean, I think this is probably everybody. Well, maybe not everybody’s answer, but Feynman. He just seemed like a cool dude you could get a beer with, and just so brilliant and so wonderful at explaining things well. So I would love to be able to have dinner with Feynman.
Yuval: Perfect. Becca, thank you so much for joining me today.
Rebecca: Thank you so much, Yuval.