President Biden recently signed the Quantum Cybersecurity Preparedness Act into law to protect federal systems and data from the threat of quantum-enabled data breaches. However, encrypted data can still be captured during transmission and stored for later decryption by future quantum computers, a process known as harvest now, decrypt later.

Denis Mandich, a former CIA officer specializing in cybersecurity, is the co-founder and CTO of Qrypt, a company that offers a mathematically proven cybersecurity solution that aims to protect against the harvest now, decrypt later, threat. In this Q&A, Mandich reveals the scale of the threat to data security and what can be done about it.

Enter Quantum: What is the problem with current encryption methodologies?

Denis Mandich: The idea for public key infrastructure came about in the 70s and that worked fine through the 80s. In the 90s and 2000s, the cloud introduced a massively globally distributed and decentralized infrastructure that did not account for having that type of encryption operationalized for software and hardware networks.

It worked well enough, but people didn't realize the hacking and nation-state attacks that were going on, exploiting that central single point of failure. If part of that algorithm fails, if part of the software implementation fails, or even the randomness generation makes the keys fail, the whole thing collapses like a house of cards.

There are two parts to encryption. There's the asymmetric piece; the public and private key pairs that can be broken by quantum computers. And there's a symmetric piece, which is the actual algorithm that encrypts your data.

There are versions of the symmetric part. On the government side, they're absolutely quantum secure; we've been using it ever since the Cold War, and it’s never been broken. But we've also had this massive change in the asymmetric side via harvest now and decrypt later.

The main attack vector is to harvest whatever data is out there and then sit on that until it can be operationalized and ultimately monetized. It’s a majorly successful technique; it's been going on for a century and has nothing to do with the internet. It's just so much easier when you have access to all these systems globally.

What crypto has done is taken the older 1970s architecture and modernized it for this decentralized infrastructure. The asymmetric public key Infrastructure part only does one thing; it distributes the symmetric keys, and those symmetric keys are what's used to encrypt data.

The problem now is that all those things are coupled together. When you send the message through this channel or browser or any software, your health records for your financial records or that use the same mechanisms, the same channel that distributes the keys, and then also encrypts the data that's going back and forth to you and your service provider. Also, the random number generator it’s based on isn’t truly random

How does Qrypt’s cybersecurity solution differ from established technology?

Qrypt’s big innovation is that it doesn’t need that single channel, that single point of failure.

We went to the national labs and licensed all the technologies to make the quantum entropy sources that were used just to generate keys. This is what the government uses for top-secret and classified information.

That hardware was very expensive to use, so we spent two or three years working on making it inexpensive. Some of that fits inside of a server they can go through a data center, so we took those and deployed them in multiple different data centers.

We do something similar to the Cold War random number generation radio stations that would broadcast numbers that an agent could gather at certain times and perform an operation on to make a key.

We use these quantum entropy sources to generate random numbers and broadcast them to anyone who needs them, like a streaming service over the internet. Anyone can download bits of those numbers from multiple different locations and combine them using an algorithm to generate the key. So, we've decoupled the data from the key mechanism.

President Biden signed the Quantum Cybersecurity Preparedness Act into law and NIST has approved the algorithms that are going to support this. What more can be done?

There's not a single person who objected to this in Congress, and that’s amazing, because, from the government side, they have a unique perspective on this. They understand what they cannot disclose to the public what they know about the problem; the advances in Chinese quantum technologies and the scale of data collection.

They still have this relationship and economic interdependence with China. They can't just go out and shut all that down. But the Chinese will never give up. They will collect that data and monetize it one day, there’s no doubt about that.

For our government systems, that means everyone that does business with the government selling software or hardware will have to comply with post-quantum cryptography (PQC) standards. That includes prioritizing the highest value data, which is what every company should do for their IP. The problem is that this transition to PQC does not solve the harvest now decrypt later.

If those algorithms fail, they’re still collecting that data and they’re going to break that one day. The problem goes back to this fundamental issue of distributing keys and coupling them with the data, making it very easy to harvest that data and get the key material to break it later. We have to decouple those systems to start with, and then we have to stop using distributed keys and generate them at the endpoints by any means necessary.