The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Lynn Moll, director of Internal Audit and Chief Audit Executive at the IIA, discusses quantum computing with Nick Reese, co-founder and COO of Frontier Foundry. They explore the revolutionary impact of quantum computing on auditing with Nick, offering practical insights on how auditors can prepare for these advancements. What is quantum computing?
So quantum computing is a new kind of computation that is entirely different, not better, not worse than the traditional computers that you and I use every day. And we can talk about exactly why that is, but it really gets down to, uh, the ability to use the strange and quirky and weird, uh, properties of quantum particles, uh, to affect computation. So how, how will quantum computing change the field
of internal auditing in the next few years, do you think? Well, quantum computing is gonna change a lot of fields in the next few years, and, and that change is actually already underway. And depending on how you look at it, we might actually be already a little bit behind. And so it'll change internal auditing in a lot of probably very specific ways.
But really it's gonna change, uh, a lot of, a lot of different areas chiefly, because this is probably going to be one of the most important cybersecurity challenges that any of us face in our lifetime. And it really is gonna get down to the difference in how we protect data and what privacy is going to mean in the future in a world where we have quantum computers.
Okay. So what I hear you saying is organizations are gonna be using quantum computing and internal audit has to be aware of the risks around quantum computing. 'cause they're risk to their organization. Well, Yeah. So they might be depending on the different organizations, but I, I think the first thing we have to think about is, uh, actually kind of malicious use. And, you know, I, I hate starting at a place of risk, right? Because there are risks and there are opportunities. Mm-Hmm.
And I wanna touch on the opportunities, but if we're talking about the things that internal auditors are gonna have to eventually look at, it's gonna really come from that risk side of things. And right now the technology is at a place where we are going to need significant investment to be able to have a quantum computer that's capable of threatening our cybersecurity. And so really we're thinking about, uh, large multinational corporations, maybe in partnership with, uh, nation states.
And so, uh, we've already, we're already seeing activity in this area. And so for the nation state purpose, uh, we're already thinking about how they might try to use a quantum computer to disrupt, steal, um, or otherwise kind of decrypt sensitive information from other organizations. So I think that's the place that we should probably start. Okay. So what, what industries are now using quantum computing?
Well, quantum computers aren't actually, uh, mature enough to this point that they can be really impacting value for, uh, for, for, you know, organizations. And so, you know, what we are seeing right now in this state of quantum computing is a lot of, uh, kind of laboratory level testing, proof of concept, things like that.
Um, mathematically, and by the physics, we know what a quantum computer of sufficient capacity, which is kinda the right way to say it, some people say big enough, which is not the right way to say it, of sufficient capacity, can threaten our current, uh, asymmetric public key encryption. And that's really, you know, the, the, the heart of it is the ability to decrypt what we thought was practically at least, uh, kind of uncrackable can now be, well, not now, but it will be cracked in a matter
of a few minutes with a quantum computer. What are some security risks linked to quantum computing that auditors need to know about? So this is, this is really the crux of the matter. And I think that auditors need to know kind of, kind of two things. They need to know what the threat is, but they also need to know why it's a threat. And it's, it's kind of not good enough for me to just say to you, well, there's a threat and you know, you as an auditor say, well, I'll be on the lookout, right?
Like, that's not, that's not good enough, right? We have to, we have to talk about why. So I think there's a huge kind of workforce training component to this. And then there's the, you know, what does this mean for, for auditing? And so where I'll start with this is, you know, quantum computers are fundamentally different. And the way that I would describe that is, you know, the world we live in is deterministic. What does deterministic mean?
Well, it means that, you know, if I, you know, drop a book from my hand, you know what's gonna happen Mm-Hmm. Before I even do it, right? Does that mean you're clairvoyant? No. It means that there are very specific rules, uh, in physics that govern our world, like gravity, like air speed and things like that. And the, the same applies to, to our traditional computers. When we do computation, we, we do computation kind of linearly, binary code ones and zeros, and we read those ones and zeros.
But in quantum computers, it's kind of a, the best way I can say it is two plus two doesn't necessarily equal four. Sometimes it does, but it only does with a certain probability. And so, what a quantum computer can do is, instead of looking at answers, so to speak, linearly, it can actually look at all possible answers at the same time and then collapse into the correct answer.
And what that ultimately means is that if you're trying to decrypt, uh, an, an encrypted message, instead of having to try every possibility one at a time, you can actually try them all at the same time and then find the answer. And so this, this is what, this is the threat that we have right now to our public key encryption. Public key encryption is one really, really big number that goes out as a public key. And then the prime number factors of that number are the private keys.
And it's a, and, and it's, it is increasingly, well, it's, it's very difficult for a traditional computer to guess what that factor is because it has to try them one at a time, and it'll take literal billions of years, but now it'll just take a couple of minutes. And so that is, that means that effectively all of our encrypted traffic on the internet, communications, finances, all of that stuff would be effectively in the open as
this progresses. What can internal auditors do to get ready for this challenge? So, uh, I think number one is, is, uh, educate your workforce. And so make sure that your auditors know what the threat is. And again, not just that there is a threat, but why, uh, you know, what is the difference between a bit in a traditional computer and a qubit in a quantum computer, and why does that matter?
So educating the, the auditing workforce, but then knowing what the impacts are to the specific organizations that you are auditing. And so maybe you're auditing a, an organization with, um, intellectual property, or maybe it's PII or SPII or something like that. And if that's the case, is that organization preparing now for the emergence of a quantum computer.
And, you know, I, that, that I'm not myself an auditor, but that it seems like something that could be very easily, uh, placed in as, you know, a, a criterion in, in the internal audit because it speaks directly to privacy, data security and things like that. And, and even, you know, we could have even a bigger conversation about what does privacy mean now in the world of, you know, quantum computers? What does this look like in the future?
Does my company have to be using a quantum computer or it being used by maybe a vendor or a supplier we use, or the government? Or how does that Well, well, let's, let's talk for just a second about the opportunities, right? Okay. So we talked about the risks. Let's talk about the opportunities. So on the opportunity side, we're quantum computers can do things like run simulations on increasingly, uh, sophisticated and complex systems. So a good example is the weather.
So there are so many factors in predicting the weather that, you know, we actually can't go out more than like, I think you said, it's like 10 days after 10 days. Our, our accuracy for weather goes way down. But what we could do with a quantum computer is simulate an entire weather system and get accuracy down to like your neighborhood level, down to like the minute level. And because we could actually crunch kind of all of those factors, Mm-Hmm.
The same thing would be true with like a complex supply chain. Same thing would be true for like, um, creating new pharma, uh, pharmaceuticals. Um, these would be all things that are, are these insanely kind of complex, uh, systems that we could actually simulate. And so we're not gonna get to a year where we all have quantum laptops. Okay. Right. That's not, that's not where we're headed because they do different things. Not better, not worse. They just do different things.
And so, you know, there might be some organizations that, you know, supply chain, you know, uh, pharmaceutical, mm-hmm. Companies, things like that, that, that will have them. But I don't think all will, because there's not, at least at this point, a, a good use case kind of for that sort of broad adoption that everyone would have one kind of on premises, you know, What is post quantum cryptography and why should auditors care about it?
Yeah. So post quantum cryptography is what I was referring to just a second ago with the asymmetric cryptographic, uh, threat. And so, so we've already talked about what the threat is, but let's talk about what we would do about it. And so post quantum cryptography would mean that we replace our old cryptographic system with a new one.
And what that really means, we can get more into depth on this, but what that really means is just replacing that math that I told you about where we factor a big number into prime numbers. We're just going to change it to new math. And that new math is math that quantum computers are not, aren't good at. And so what that does is that is going to protect our encryption from a quantum computer because we're changing the math.
And so in this case, the, the math, uh, that's being used is something called, um, lattice learning with errors. And, uh, it, it's, it's a very much more complex, uh, cryptographic scheme than kind of the factoring a number, which mathematically is actually not that hard of a thing, but it's just really hard for computers. What should organizations do to switch to post quantum cryptographic methods? Yeah, so this is, this is an excellent question.
And, and, uh, my, one of my previous roles, I was the director of emerging tech policy at the US Department of Homeland Security. And in that role, uh, my team actually produced a post quantum cryptography roadmap, which is available online. If you search DHS post quantum cryptography, you'll find it. I believe it's dhs.gov/quantum.
And in that we actually give, I think it's seven or eight, uh, steps that organizations can give or that they can do and, uh, that don't necessarily cost them a lot of money right up front. So one of the biggest ones is inventory, the current cryptography that you have, right? Like that, like just know what you have, what you don't have. But what you need to do is watch for the new standard cryptographic algorithms.
Okay? There's an organization within the Department of Commerce called the National Institute of Standards and Technology. Mm-Hmm. And, uh, NIST. NIST. And they are actually standardizing new public key asymmetric cryptography for post quantum. Now, my, my advice would be don't go out and buy anything right now, wait until, uh, the standard comes out because you, you don't want to, tran, transitioning once is hard enough. You don't wanna transition twice.
So make sure that you are, um, when the standard comes out, make sure that you're, you've already done the inventory, you've already kind of made a plan so that the day that the standard comes out is not day zero for you. But that's day one of you executing your plan. And in some ways, you know, uh, cryptographic transitions in the past have taken a long time, and so in some ways we're already a little behind.
And so doing this kind of pre-planning will, uh, cut the timeline considerably and keep, uh, data, intellectual property, SPII, all these things much safer than they would otherwise. How will quantum computing influence governance and compliance frameworks within organizations?
Well, I, you know, I think at some point, whenever we know that we have a, a crypto, what's called a cryptanalytically relevant quantum computer, meaning a quantum computer that is of such capacity that it can break, uh, can break cryptography. And I wanna make clear that we're not there today, right? Mm-Hmm. That does not exist today. Okay.
But when that happens, and, you know, could be five years, could be sooner, um, I, I, I would imagine that a lot of different organizations will have requirements to have transitioned or at least have a plan to transition for, uh, particular types of data.
So if you look, uh, at the, you know, there's an executive order, um, or I'm sorry, not an executive order, a National Security Memorandum on post quantum cryptography, which only applies to the federal government, but it does still lay out a plan for how the, the federal government is gonna execute it. There's also a law on the books now, um, the Quantum Cybersecurity Preparedness Act, that is really roughly a mirror of the National Security Memorandum, but also lays out requirements.
And these requirements currently only apply to the federal government. But I, I, I imagine that there would be some form of that that would apply to other industries, critical infrastructure sectors, um, different organizations in the future. So I, I would imagine that soon there will be within regulated industries, kind of a line item for that, you know, within critical infrastructure or other places, a line item to make sure that this transition has
either happened or is being planned for. Understood. Are there any real world examples of quantum computing being used in internal auditing? I, I'm not aware of any in internal auditing specifically, but I mean, there are definitely real world examples of quantum computing. So there are several companies out there that are building quantum computers. Um, they're taking different approaches. And so we don't quite know which version will be the dominant version just yet.
Um, there's a lot of activity in Europe, a lot of activity in Silicon Valley. Um, there's a lot of activity in China as well, although that's a lot more opaque. Um, we don't really know how much money they're putting into it, or like the state of their research, but we do know that it's, it's ongoing. And so we're, we're seeing kind of at a big strategic level, this geopolitical, uh, prioritization of quantum computing because of what it can do for data and information and things like that.
But then, um, you know, we're also seeing kind of at the lower level, like people just start putting their finger on business cases. And as these organizations, uh, are starting to see the business cases, they're really starting to talk about how they will implement quantum computing, even though it's not available today. Okay. What ethical issues should auditors think about when dealing with quantum technologies? I, so here it's, it's privacy and, and, and data.
And so, again, I I, I don't wanna sound like this is all risk, it's not, right? Mm-Hmm. There is, there are, there's a lot of good news to be talked about in quantum computing, but ethically, we're really talking about, uh, the ability to protect data. Because there was a time where we thought, well, it'll take literal billions of years for us to break RSA encryption. So that means that it's practically safe, right? Well, that's not true anymore.
And so now we have to start actually thinking about that instead of just saying, oh, we're, you know, we're, we're safe. We've already got it. You know? So would auditors be the trusted advisors within their organizations? So not only warning about the risks or being prepared for those, it's also making sure their companies exploit any benefits that come with quantum computing as well.
Yeah, I, I, exactly. And I think that, I think the first place that we're gonna naturally start is with the transition to post quantum cryptography, right? That, that's kind of the, the, the closest thing that we can focus on the most, uh, kind of practically, uh, thing that we can practically, uh, grab onto and, and, and implement.
Oh, and so, and so I think that, that, that's kinda the first place we're gonna go, and we're gonna see NIST kind of standardize the, the new algorithms within the next year or so. And so again, I would really advise organizations to start planning for that. Where do you have asymmetric cryptography in your organization? Which forms of asymmetric encryption is it? What data is behind that encryption?
Start to answer those questions for yourself and then pull, and then as the the standard comes, you can pull it in and you can implement it kind of step by step. So I think we would naturally start there, but as we, as we start to see what quantum computers can really do in, in a practical sense, when they're really kind of running, we're gonna have to really think through, uh, the opportunity side.
And so we're gonna think, you know, is there a way that we can, you know, do something with a certain process or that we can maybe make security better even? How do we, how do we go about that?
And so I think that those conversations will come, but I think we have to start at the protection of data place, because again, uh, you know, this wouldn't be something where just every transmission is, is, is basically open, but it is something where it could be, meaning if a bad actor intercepted your communication and, and got ahold of it, they could decrypt it in a couple of minutes. Mm-Hmm. Uh, and so that doesn't mean that kind of all of us are at risk.
You know, they're gonna worry about the cat videos that I send to my wife, but like, it would be something where if they, you know, if a bad actor kind of focused on you, they could grab those emails or organization, they could grab those emails, things like that, decrypt them all and cause, you know, significant harm. Okay. Is there anything else you wanna add that we didn't discuss? I, I would just say that I, I, I really believe that the workforce education piece is really important.
Okay. And so when I was at DHS, and, you know, I, I did a lot of reading on this and I talked to a lot of experts and I, you know, really came up with this, this roadmap.
I, I remember bringing it to kind of my bosses and saying, I have this great idea, and here it is, and this is what we have to do. And all of 'em kind of looked at me and said, well, what's quantum computing? And I thought, you know what, that was a mistake, right? That was a mistake on my part. Mm-Hmm. I should have started at the education side and then done the, the formation of the policy.
And so I would actually recommend that internal auditors do the same, which is to say, start with the education side, and then start to walk down the road of, you know, how do we prepare, how do we include it in our audit structures and frameworks? But start at the education piece. Education, because I'm in that boat. I, I wasn't sure what it was. And, um, but what I hear you saying is that regardless if my organization, they're not getting a quantum computer Mm-Hmm.
The organizations aren't doing quantum computing. However, organizations will be affected by the encryption. Absolutely. Right? Okay. Gotcha. And so, and so I, I think that there's, there's a couple different ways to do this. I think there's, you know, the, the really technical down into the weeds physics side of it, and then I think there's the kind of, you know, for the folks that are doing like policy, strategy, audits, things like that.
So I think there are a couple of different, um, versions of, of kind of this training, but I, what I would really advise people to do is go out and kind of find those experts and, and dial in the right training for the right people. Mm-Hmm. Because just knowing that quantum computing exists is not sufficient. You actually have to understand why it's different. Why is it different? What does probabilistic computing mean? What does, you know, things like quantum superposition and entanglement.
What do those mean? And why does it matter to this problem? And I'm not saying you have to be able to code a computer or do the physics, you know, equations yourself, but you should at least know what they mean. And that, I think is the place where we find a, a lot of people today is at that cusp of, well, I've heard the term, but I don't really know what it means.
Okay, well let's, let's take that next step and let's talk about what it means and create those, kind of, those internal trainings to make sure that your workforce knows what to do, and then can thus make better policy strategies, auditing frameworks, you know, things like that. Mm-Hmm. It's been a pleasure. Thank you so much for, uh, having me. This has been really fun. Thank you. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts.
You can also catch other episodes on our YouTube channel at theiia.org. That's T-H-E-I-I-A dot org.
