With quantum computers, some of the encryption we rely on today can be broken quickly. What should we do to keep it resilient? In this episode, Kosta Vilk, the Founder of QuSecure, delves into cryptography as the new frontier for quantum resilience in more advanced systems. He explains that by bringing in management and monitoring controls, and by controlling how a connection plays out, we have the opportunity to evolve beyond where we are today. With active cryptographic agility, we can turn the tables on the attacker by noticing when they try to execute an attack or breach a system and responding in transit. Jump into this episode with Kosta Vilk and peek at the next evolution of a more advanced system.
QuSecure – https://www.qusecure.com
Link Tempo – www.linktempo.com
Reliant Management – https://reliantmanagementllc.com/
Cryptography: The New Frontier For Quantum Resilience With Kosta Vilk
In this episode, we’ve got this great guest. He’s a husband and father of two, a grower of early-stage startups. He lives life in the fast lane, enjoying anything with a motor and maybe even falling down a hill fast. He’s the Founder of QuSecure and COO of Reliant Management. Welcome, Kosta Vilk.
Thank you very much. It’s an absolute pleasure and it’s always a pleasure to connect with you, John and George.
You know why we’re here. If cyber risk was a pizza and the frameworks are crusts, what’s the riskiest topping you’ve seen? What topping would you equate that to?
I’ll give you an unusual one. The riskiest topping is the pizza sauce, the marinara or the red sauce. The reason is if it’s missing, you know about it. If it’s bad, you know about it but if it’s good, it’s just part of the price. It’s what you eat. You don’t even notice that it’s there. No one ever says, “I go there for the pizza sauce.”
The reason it’s the riskiest one is because, to me, it speaks to cryptography, encryption and how we protect everything because that’s where the real cost to us is. We protect everything with encryption. This connection that we’re speaking about is encrypted. If it’s not there, for anything from a small transaction to a large transaction like when you go to do your banking, you want that to be well-protected. That to me sticks off risk.
Few people understand SSL certificates and certificate management. You think, “I get a certificate and it’s super easy.” With the signing requests and the other pieces, few people understand how that works and can manage it. It is required for everything that we do whether it’s encrypting drives, data at rest or data in transit. It is extremely important. We need more people to understand cryptography.
Surprisingly, what I’ve noticed is that even most cybersecurity professionals don’t understand it well. My joke about it is that we treat it like a redheaded stepchild. It’s there. We don’t know it. We don’t understand it well. We know that it’s an important part of the family but sometimes we don’t give it the attention that it deserves.
What makes it interesting is that in the new generation of the evolution of our industry, this is an existential part of what we need to do and how we need to look after it. That’s why we founded QuSecure, to look at what quantum resilience is and how we address the next evolution in computing to keep us protected, safe and all of these things. Cryptography is a 40-year-old tech, give or take 20 years in either direction, and that’s what we use daily.
You’re leading into our next question, which is what seems to be the problem? You talked about some quantum computing there. My understanding is that with quantum computers, some of the encryption that we’re using can be broken fairly quickly. What keeps you up at night? What are the problems that you’re seeing in the industry?
I try not to stay up at night. I need my beauty rest. It hasn’t worked so far but I try. All of those jokes aside, I do see encryption and cryptography as the new frontier. We’re getting good at managing identity and access. The tools and the practices are there with SIEM, threat hunting and so many other techniques.
With zero trust, we’ve got so much that’s being built out. Even if it’s not articulated well in the industry, they always try to claim zero trust when it isn’t. Cryptography is one of those things that we take for granted. We put a lot of belief and trust in it, even though we see so many failed implementations and a lack of understanding of how to implement the algorithms effectively.
As a matter of fact, I read a piece that came out of one of the largest internet threat protection companies out there, especially as it relates to post-quantum and quantum resilience. What they wrote about it is, “Go ahead and replace the algorithms with the new ones that were approved, that got standardized and away you go.”
To me, it is such a short-sighted view of things because we have an opportunity to evolve the practices and what we do. We don’t understand cryptography well. I spoke about controls. We monitor behavior, identity and so many things. We act against things that we perceive or recognize as a threat. We don’t do the same with cryptography.
In other words, let’s bring it back to this connection that we’re on. It’s SSL encrypted. We’re running over TLS with it usually and as part of that, we’re assuming that this connection is safe and secure. We don’t know if there is a man-in-the-middle attack, a replay attack to get into our session or anything around the side channel or so many other vectors that could be affecting this communication that we’re on. There is no real way for us to monitor it. We try to put in trust-based controls, single-packet authorization (SPA) or mutual TLS to create a trust relationship but an attacker sitting in the middle is still able to pick up all of these things.
We spoke about quantum computing and what it is before. The reality is you are right. We tested it against RSA and ECC algorithms and figured out the steps that it takes to break classical cryptography, which we use as a single process. With enough computing power, which is going to come up quickly, we can’t rely on either the handshake or the encryption algorithms anymore. Replacing them alone is not necessarily the right thing to do because of performance impacts. We still want our connection to be fast and speak naturally. Also, the resilience and security that we still need to have. When they apply a quantum computer against that encryption, we still want it to be safe.
As classic cryptography is changing and being able to be broken, we have an opportunity to change that. Tell me a little more about what that might look like.
We don’t have controls. We can’t monitor for advanced threats and persistent threats. Even simple man-in-the-middle or replay attacks are not something that we can see. That connection can record the data stream, send it on, replace it with its credentials or do so many other things as an attacker. By bringing in management and monitoring controls and controlling how that plays out, we have an opportunity to evolve beyond where we are. That’s on the communication side of things.
We have the ability to bring in cryptographic agility, which breaks out into active and passive cryptographic agility. Passive cryptographic agility means you update your libraries and software with new quantum-resilient ones but you also build in the controls to be able to switch out the algorithms as they prove to be vulnerable.
In other words, you’re setting yourself up for success over time. We can’t assume that something will not be broken tomorrow, even though it’s resilient now. We also know that there will be answers that come up that are able to replace what fails tomorrow with what should be resilient tomorrow as well. That’s what I would describe as passive cryptographic agility because it doesn’t respond or react.
If we look at my early example of what happens when we start monitoring, it gives us also the ability to start responding. That’s where active cryptographic agility comes in. In other words, we can turn the tables on the attacker by noticing when they’re trying to execute an attack or breach a system. Even in transit, we can automatically respond by actively changing the algorithms, the cryptographic strength, the key generation or so many other aspects of it. That is an opportunity that I haven’t seen anyone in the industry capitalize on yet. This is something that we’ve been working on at QuSecure for quite a while successfully.
Go ahead and tell us more about that. What is QuSecure? How are you making it better?
We started years ago when we noticed that the entire paradigm of how we encrypt data started shifting. I came out of financial services as a CISO or a CIO. What became obvious is that we had the controls but we were starting to the protections that the controls were able to leverage effectively. That gap is something that made me uncomfortable.
It was the reason why we started looking at what happens to the next evolution as more advanced systems come online like quantum computing. We’re also seeing a lot of the attacks by automated means like machine learning and AI-based ones. We used AI and machine learning in our protections and controls and a lot of the software that we used for protecting it but we never looked at what happens when the computing power exceeds our ability to protect the data using encryption.
That became something that we decided to tackle. Beyond looking at the encryption itself, how do we implement new algorithms, we started looking at, if we have this opportunity, how do we get to the next stage? What we are continuing to do is leverage 40-year-old practices. That’s when SSL came out in the late ‘80s with the handshake protocols, the IPsec protocols that came afterward, the AES algorithms and hashes and so many other things. It gave us an opportunity to say, “Why don’t we start monitoring? Why don’t we start responding to what we see because it wasn’t being done?” Doing the same thing and expecting a different result is not the best of ideas.
Looking at cryptography and some of the changes that have happened there, where do you expect the future to go with that? You mentioned some of those items but what do you see as the future? There’s quantum computing and being able to change those but tell me a little more about that.
NIST has been working on new standards for quite a while. They first recognized the need back in 2015. They opened up a search within a couple of years after that. We’ve completed the fourth round. Some of the algorithms have already been standardized and they’re continuing to look for more but in real-life implementations, the devil’s always in the detail. In other words, can you implement it well? More importantly, what will it do for your SLAs?
Key encapsulation methods replace our asymmetric cryptography, which we use for data in transit handshakes and things like that. That’s being worked on heavily. It’s being standardized, which is going to be a great benefit but because of their size, they could be quite impactful to those same SLAs. We want our tech to be equal to or better than what we’re using. We don’t want to take a step back and say, “My Zoom session is going to be in jeopardy. It’s going to have interruptions.”
What happens when we’re trying to synchronize large volumes of data for large enterprises when we’re moving terabytes or petabytes around every single 24-hour session? That’s existentially impactful and we don’t want to rock that boat. The devil’s in the details. How do we implement it? How do we optimize it? What do we do moving forward?
How do we also bring in those controls around passive cryptographic agility for the applications that you build and active cryptographic agility for the data as it’s being used? How do you do that with adequate monitoring and adequate responses? All of these things are our industry-wide opportunities. That’s what we need to work on.
You brought up NIST. We utilize the NIST CSF in a lot of the things that we do but we also do 800-53 and 800-171 and help customers implement those. Although you’re talking about the controls specifically around cryptography, all the other controls can help a business understand better how to manage their entire organization rather than just IT or cryptography but it can get detailed quickly.
I once had a customer that called me up and said, “It’s taking 30 seconds for me to send an email. I sent an email over here and I don’t get it for 30 seconds.” I said to him, “Do you have any idea what happens as far as encryption, sending, TLS, spam checking and this and that?” He was not impressed. He wanted it to be a one-second item no matter what. Some of those expectations sometimes are pretty high for the technology. That’s okay to have high expectations but we got to be a little bit realistic when it comes to some of these items.
What happens when that login takes 30 seconds? We’ll have a lot of frustrated people.
Kosta, what events do you go to to learn more about cryptography and security pieces?
Typically, I look for larger events where I see speakers that I trust and respect. That’s your RSAs, Black Hat conferences and Risk Conferences via ISACA. I’m in the quantum space. I live IQT quite a lot and I’ve got some content up there also. A lot of it comes down to education. A lot of it also comes down to us creating that content as well.
For example, I’m working on a book with a large publishing house to help convey the knowledge, our findings and the practices we’ve developed both historically when I was still in financial services and over the last few years at QuSecure to understand what this next evolution means to us and how does it work with all of the AI systems that are coming online. We look everywhere and read up a lot of publications and research and double-check everything because we’ve seen a lot of science journalists come out with certain publications. When you go and test them yourself as a new peer and review them, you realize that some of this stuff is full of crap.
You’re writing a book. Are there any other books that you might recommend?
There are and sadly enough, I don’t remember them off the top of my head but most of them have to do with leadership rather than technology. Approaching a problem with the right mindset is what I’ve noticed to be the biggest challenge for most people. We get enamored with our ideas. We know what we know but it’s hard for us to take a step back and step out of that perspective. Think about what’s the greater relationship here and what does it mean? I look more for leadership type of books that open your mindset more so than technical ones.
Honestly, you’re hitting the nail on the head with that one. We find many times that it’s not a technology problem anymore. There are some technology problems but we have so much technology that’s available to people, expertise and configurations. A lot of it does come down to that CEO that says, “I’m not doing the two-factor authentication or this.” It then gets hacked and wonders why, “Why didn’t you protect me?”
It comes down to leadership and not wanting that extra complexity in their life. It is a leadership thing and a life thing. In your life, sometimes you can be distracted and that’s when we find that we catch a lot of people with phishing attacks or different things like that as well. It comes down to the person and what’s going on.
That’s the reason why all of these memes have been created to make fun of what we do as professionals.
What’s the adage cliché? Culture trumps strategy 100% of the time. That’s about leadership and the right mindset. Once upon a time, I worked for a home improvement center that had a lot of orange racks and we used to say, “Bleed orange.” The culture and the leadership of that home improvement center were fanatical. It was amazing.
The cybersecurity problem we had was a physical security issue. They called it shrinkage. It became loss prevention. Asset protection is what they call it. The culture of that organization is if somebody was potentially shoplifting, there was a code that they put out and everybody would love to hear that code because everyone wanted to work together and stop the shoplifter. The culture of the organization made everyone feel like an owner at the time and that’s about leadership. Whether it’s a cyber world, an internet deliverable, a cybersecurity issue or a physical world, it’s the same in terms of the mindset that has to be right or you’re not going to get rid of it.
What’s funny to add to what you were saying is all of these things play a huge role but your customers can also feel it when all of your company functions together, when they can feel when the people that make up that team believe in the company. That’s driven by the culture and leadership like you two gentlemen provide for your company.
Kosta, how did you get to where you’re at? You’re in California. If I’m a fifteen-year-old kid, how do I get to be a Kosta in the future?
By making lots and lots of mistakes proudly. That would be the right go. I’ve never thought about following a standard ascend model as in go work for someone, build things, collect your paycheck, go home at 5:00, spend some time and then move on. I try to create the time for the things that I want to do. It gives me the space to also focus on what I see as opportunities that need to be addressed because I can’t find the right ways to trust them that make enough sense.
It spills over into everything that I’ve been doing. That was the reason why I founded I-Span or QuSecure. It’s the same reason why I started Link Tempo with a few of my friends and colleagues. Some of the people from QuSecure as well, including some of my fellow founders are helping out with it. When an opportunity presents itself, it’s a bit of a disservice to yourself, the opportunity and the greater community in general, not to address it. You’ll make mistakes but learn from them, apply those learnings next time and assume that hard things are the way of doing things.
What advice would you give your younger self? It seems like you covered a little bit of it there but is there anything else that you’d specifically tell yourself at fifteen, “You should be doing more of this and less of this?”
One of them would be to diversify and invest in some stocks. That doesn’t hurt and start building a nest egg early. Some of it is to be thoughtful about what your plans are. I’ve managed to make decisions in a way that I don’t regret but being thoughtful about how you make those decisions, which you get involved in, how to study it and how to make decisions themselves is important. Think about what your decision-making process is.
How do you tell right from wrong? How do you not get stuck in the analysis-paralysis stages of things? How to apply them both from the practical standpoint and also from the growth standpoint as well? One takes imagination and one takes practicality but how do you merge them? It’s the same as being able to translate between technical talk and business talk. It’s different skillsets but finding a way to understand both of those skillsets has been quite helpful.
Your point is well-taken on that. I wish you would’ve told me that when I was fifteen.
I wish I told that myself when I was fifteen.
Kosta, where can people find you?
I’m on LinkedIn. I use my full name, which is Konstantin Vilk. The Link Tempo website is launching soon. That one is my new passion project because we’re taking a lot of the learnings from the cryptographic side of things, data protection and data management but we’re applying them to business cases. We’re taking a step above, the next logical step from the core tech that we created at QuSecure which is QuSecure.com and then applying them to, “How does the business function grow?”
To do that, we’re creating stand relationships with data that tend to cause problems for everyone that has ever had to integrate a piece of data into what they want to do on the business side of things. That’s the next big challenge that we’re tackling and it’s frankly very exciting. That company is called LinkTempo.com. At Reliant Management, that’s how we make things happen. I’ve taken a step back from my active role at QuSecure to focus on Reliant and Link Tempo. I’m only serving as an advisor to QuSecure but the ecosystem and the relationships are there.
That takes us to the next question. You’ve mentioned a couple of passions but tell us more about what you do outside.
In a little bit, I’m going to take my family. We’re going to go traveling. We’re very much looking forward to it. My wife has been working extraordinarily hard. She’s a senior exec probably more accomplished than I am, spotted between the two of us. We’re going to take a little break, see a little bit of sunshine and spend some time with our kids. One is off to college. We want to make some memories. We’ll hit Spain and some other places in Europe as well. That’s exciting. Other than that, spending time on the beach and the boat will be nice. That’s something I’m looking forward to. If it’s got wheels on it, I want to drive them off.
I enjoy that myself. I traveled back and forth across the country and some other long travels as well. It’s a part of my passion.
A brilliant person suggested who tried bobsledding so I’m looking forward to that as well.
I’ll be on your team. Let’s put it that way. I’m not sure whom the anchor’s going to be out of the three of us.
We’ll see who’s most reputationally challenged.
There are supposed to be 4 to 1 of this login slash but those are skinny 20-year-olds. We’re going to stick with maybe the three of us. We decided to do so.
That’s right. The 3 of us will make up 4 of them.
Let’s see if we come up with a record time. Kosta, I appreciate your time on this. This has been educational as far as cryptography and quantum computing. There’s so much more to learn. I’m looking forward to the NIST controls that are going to help us with that, as well as the NIST controls that help govern businesses and the changes that happen there. Some exciting things are coming, regulations and other things that will help push this for many companies.
Thank you very much, Kosta. We appreciate it. To our audience, thank you for reading. If you’ve learned something or laughed, please tell someone about this show, pass it on, link them in and put it on LinkedIn. There are always some great things that we find in this. That’s it. This has been another great episode. We hope to see you next time. Thank you.
About Kosta Vilk
Father of two (2)
Lives life in the fast lane – Loves fast cars, boats, and planes
Konstantin Vilk, CISSP, CRISC, has a passion for making a difference using advances in technology.
Specialties: Operations, Product Design and Development, Business Development, Partnerships *Grower of early stage start-ups