Quantum computing isn't a reality yet, but most experts concede it is not far away. When that day comes, threat actors will have the ability to decrypt data they've stolen years before -- unless that data is protected by quantum-resistant cryptography.
On this week's episode of The Secure Communications Podcast, we talk with cybersecurity investor and policy expert Ron Gula about the promises of and challenges associated with quantum cryptography.
Welcome to the Secure Communications Podcast
Data in motion is complex, chaotic, and unsecure, but the ability to seamlessly communicate is what drives innovation, growth and progress. Discover how the leading minds in the fields of technology, cybersecurity and communications are tackling the challenge of securing data in motion, and gain insights into what’s new and what’s next on the Secure Communications Podcast. Each week, host Kathleen Booth interviews bold thinkers who are developing and/or employing transformational technologies to solve communication security challenges.
In this episode
Ron is President at Gula Tech Adventures, which focuses on cybersecurity technology, strategy and policy. Since 2017, GTA has invested in dozens of cyber start-ups and supported multiple cyber funds.
From 2002 to 2016, Ron was the co-founder and CEO of Tenable Network Security. He helped grow the company to 20,000 customers, raise $300m in venture capital and grow revenues to $100m, setting up the company for an IPO in 2018.
Prior to Tenable, Ron was a cyber industry pioneer: he developed Dragon, one of the first commercial network intrusion detection systems; ran risk mitigation for the first cloud company; deployed network honeypots for the DOD in the mid-90s; and worked as a penetration tester for the NSA, where he got to participate in some of the nation's first cyber exercises.
Ron is involved in a variety of cyber nonprofits and think tanks including Defending Digital Campaigns, the Cyber Moonshot, the National Security Institute and the Wilson Center.
Listen, watch, or read
Want to hear Ron's perspective on the past, present and future of quantum cryptography?
Kathleen (00:08): Thank you for joining today's episode of The Secure Communications Podcast. I'm your host Kathleen Booth. And today my guest is Ron Gula. Ron was the founder, cofounder, I should say, and CEO of Tenable. Today he is the president and cofounder of Gula Tech Adventures. Ron, you have an unbelievable bio. You know, you've been on the board of so many different cybersecurity companies. You're an active investor. You are, have served as a global fellow at the Wilson Center, an advisory board member for George Mason University's National Security Institute. You have such a fascinating perspective on the cybersecurity industry, you know, too much to name. If I went through your whole bio, we could spend the entire podcast on that. But, but I'm really excited to have you here and, and get your perspective on a topic that I think is really interesting, which is quantum cryptography.
Ron (01:00): Thank you very much for the kind introduction and thank you very much for having me on the podcast today. So quantum cryptography, I, I it's, that's a topic that people should be very, very afraid of. But unfortunately we're really not doing a whole lot about it right now. So you know, assuming your users know a good bit about cryptography already, I kind of look at this problem as if somebody's collecting all of your encrypted traffic. Can they use a quantum computer at some point in the future to somehow break that traffic? And you would think that because of that threat, perhaps from quantum computers, you know, that there'd be more investment here and more awareness, but there really hasn't been.
Kathleen (01:43): So let's start out by talking about the timeline, because I think this is something that, well, it's certainly something that I find fascinating. And I don't know if, if everybody understands it and maybe this is one of the reasons for a lack of investment in it, you know? We don't have quantum computing yet. What is, what is your opinion as far as when you think that it will actually be usable?
Ron (02:07): So it's, it's interesting. I, I've, I've gotten a chance to spend some time with quantum computing companies and I ask them, so, you know, I ask them, so when can we break crypto? You know, when can we solve certain kinds of other problems and whatnot? And typically there's not a good answer there. And, and, and I said, well, do you think anybody else has done it? And they typically say no, because as soon as somebody has figured out how to do it, all these people are going to disappear and go work for the CIA or the NSA or a bank or, or, or, or something like that. So I think it's really difficult to put a number on, is this like a next year thing or next decade thing? And the problem kind of also overlooks the fact that you've got to collect all this traffic.
Ron (02:48): Now, if you think about, if you imagine that the NSA and our adversaries have an infinite amount of storage and have infinite points to collect our data, then, then this is a problem. But, you know, the reality is that we live in a world based on physics, and, you know, a lot of these things need to be stored and kept in places. And I don't think the average person's having, they're, they're, they're having more stuff stored on them in social media, than perhaps an adversary is going to, you know, kind of come after them and collect on them.
Kathleen (03:17): Now, and, and, you know, I'm not a highly technical cybersecurity expert. And so my understanding of quantum the risk associated with quantum computing is that, you know, we don't have to worry right now that somebody could use it to, you know, crack, crack into some of the most protected information we have, but someday it's going to be a possibility. And I think, you know, the average person might think, well, who cares? So someday we'll deal with it then. But I guess my understanding is it's, it's more, you know, we can have that data stolen now and it can be held and eventually compromised in the future when that capability does come online. Is that right?
Ron (03:57): It is a good, a good application of that is imagine you have something today that a crypt, cryptography that we all use - the TLS, SSL TLS you know, basically the, the S in your HTTPS. Technically you should be able to go and, you know, go to a coffee shop and go visit your favorite, you know, Facebook website, that's got, that's protected by that kind of, of crypto. And even if it was collected, it's going to be hard to break. But if at some point in the future, you know, somebody does come along and have an easy to use quantum computing, you might be able to do that. Now it starts getting a little far fetched. Is there a coffee shop somewhere, of course, pre COVID or whatever, you know, but it's some place that we're all using, you know, publicly collectible traffic that we could then say, well, the one day Ron Gula came in and happened to check his bank account.
Ron (04:49): I have those packets that are in there and all, all set to go, you know? It's, it's just, it's when you think of all the things you have to do to protect yourself online, you know, patch, two factor authentication. This, it's just not the top of list for most people. And if they want to, they can just use their own, you know, a VPN, a product that you guys offer, right? Where I've done my key exchange ahead of time. You know, granted, you might be able to collect those packets and, and do it, but now you're, you're still a much harder target than people who are just relying on the cryptography from the web applications that they're using.
Kathleen (05:26): Yeah. And it seems like for the average person, the notion that somebody could steal my data now, and, you know, 10 years from now, they could crack into it, I would think, so what? Like, my credit card numbers will have changed by that point. Who knows if I'll be at the same bank? Like, it almost, it doesn't seem like much of a risk to me, but where I think it gets really scary is when you think about data leakage from a place like the NSA, which, which has been compromised, you know, and there has been information stolen out of there, and maybe somebody can't process it and get into it right now. But, but if 10 from now, they're able to discover the identities of certain people or, you know, different programs that the U.S. government has, that then becomes a truly frightening prospect it seems.
Ron (06:08): It is. And again, it's hard to be a, you know, a cybersecurity pro, cyber security person and say like, this is just not that big of a deal. But for me, I used to be like, Hey, look, this is a big problem, right? Computer's gonna be a lot faster, whether they're quantum or not. And, but at the coffee shop, you know, with using your quantum resistant cryptography, chances are the, the, the 20 dollar lock on your house that you bought from Home Depot, somebody can bust through that and put, you know, sniffers in your house you know, but little bugs that can get the same kind of information that you're trying to protect. So the question is really is, you know, when you bring that over to a large enterprise, it's, it gets, it gets interesting. It's just not the number one thing that people are working on.
Kathleen (06:53): So given that the differences in the kind of, the level of risk and the implications of a compromise, do you think that, where, where do you see most of the work coming from on, on quantum resistant cryptography? Is it, do you see a lot of it coming out of the government or being funded by the government, or do you see more of it coming out of the private sector?
Ron (07:15): So, so the biggest innovation I've seen in quantum resistant sort of security is, is this concept of, of multipath communications or shredding. So if I'm going to go from point A to point B, and you're assuming that your adversary is collecting on you between those things, if you can take a thousand different routes, every second, you're going to minimize the amount of data that they can collect on you. And of course, they're on your computer. Your computer is compromised. It's not going to help you, but neither will quantum resistant cryptography. And similarly, you know, if you're worried about data at rest, and you've got a one MB file, if you had a, like a hashing algorithm or a way to just physically separate that file into many, many different places - a little bit on Amazon, a little bit on Google, a little bit on your USB drive - you know, whatever, whatever that combination is, an adversary would then not only have to be able to break your crypto, like get access to all of that, that data, that data. So the strange thing is, I've been pitched a bunch of companies like this, and there's pretty cool things. And I just, haven't seen a lot of people jump on this because they're on this mindset that the future is basically endpoint cryptography, or endpoint computing and cloud computing. You know, there'll be no CASBs in the middle. There's no, it's just about that secure access between where I need to go and where I need to go. And they're not worried about, you know, making sure that it's crypto or quantum resistant at that point. Okay.
Kathleen (08:37): What do you think is, needs to happen to change that?
Ron (08:42): There's gotta be a little bit more, I think, demonstration of this. And unfortunately, you know, the demonstrations we are getting is that when we break crypto, it's usually a software bug, right? Someone's figured out a way that they can see the CPU, change a crypto algorithm, extract keys, extract that, that type of stuff. But the problem is, is that, you know, just doing basic cryptography is so hard. You really have to understand who has access to your keys. You have to rotate keys, you have to do all those things. And I always like to point out that a lot of people got into cybersecurity came out of the military. They were key custodians, right? They were the people who would re-key the point to point bulk encrypters. They would, they would do things like change the codes for, you know, for duress, the duties got protocols for changing these different things. And the commercial world, private citizens, they have no concept of that.
Ron (09:29): Right? I mean, I, I know people who have bad passwords to get into their password manager, you know? It's like, that's not the point, you know? So, so that's my concern is that, you know, we've really got to level up, a lot of basic hygiene things before we go tackle this. Now don't get me wrong. If, if tomorrow you know, Facebook or, or, or, or Amazon, or, you know, whoever has got more advanced, you know, ways for us to authenticate and, you know, encrypt as we, as we connect to them, you know, I'm, I'm, I'm happy with that. But in the meantime, you know, I still recommend people, like, if you're concerned about this, you should be buying products like Attila. You should be buying products that where you control your own infrastructure and then make use of what you control, because you can't just control everything else.
Kathleen (10:17): So who's, who's doing really interesting work in the field of quantum cryptography? Who's out there kind of at the cutting edge?
Ron (10:26): So there's, it's a little bit like the supercomputers, right? And so they, they every, every month or so you hear, Oh, the Japanese have got the world's largest supercomputer or the Russians do, or the Chinese do. Right? So the quantum folks are doing, doing interesting things. So the quantum computing folks, you've got here in Maryland, you've got that. Everybody's got a project because there's such interesting things. And, you know, I get to watch a lot of science fiction and, and play a lot of science fiction. You know, like World Builders. I'm playing Expanding Universe 2 right now. And it's kind of like Civilization, right? And quantum computing is usually one of the things you unlock that gives your, your race or your species, you know, magical powers. The problem is that the promise of what the quantum community just hasn't, it hasn't delivered yet. I think if anybody has broken it, you know, or they haven't done a lot of a lot of practical things with it just yet, that we've, that we've seen.
Kathleen (11:19): So do you think it will be broken at the nation state level or in the private sector?
Ron (11:22): Yeah. These are very, these are it's um, so without trying to sound too negative, so venture capital people talk to each other and you know, why would you invest in this company? Why would you not invest in this company? And it really tracks, the quantum computing, it's really tracking like healthcare research, where it takes a long time. There's a lot of PhDs involved. A lot of universities involved. A lot of research. I mean, this is not true trivial stuff that you're going to do in your, or your, your garage. You're talking, moving atoms your, and then getting them to do things, things, and compute. And it sounded like wasn't that what a chip is? Like, Oh, the science is a lot different.
Ron (12:07): I was very lucky. One day I got to visit one of these, these super computing, quantum computing companies. And there was another visiting fellow and, and this person had been to like nine other places. I got to hear about all the different kinds of, I'm dated because it's only two years ago. But at the same time, this could be a 20 year journey before we have a practical computer that you can buy in your, your you know, in your house. And it reminds me of when you, when you go and you see these, these quantum computers, you, you're like, where's the computer? They don't look like computers. It's telling you, there's a couple of these organizations.
Ron (12:50): They show basic things like, show me how to code the traveling salesman problems. And I'll, I'll get the look like, no, we're not, you know, we're not really there yet. It's something I think is, is worthwhile to do. And if we're going to talk, talk a bit about quantum encryption and a bit about, there's this third area about quantum communications, where you can basically encode you know, the photons, the wave lengths in a certain way. Possibly you can, you can change a quantum object here. Maybe you can, you can stimulate it moving on the other side of the universe as a form of communications. I would love to see that. Everything I've seen has been snake oil. So, you know, I'm all for that kind of stuff, but it's, it's, it's not ready for commoditization in prime time just yet.
Kathleen (13:37): Yeah. Now how accessible, if, if somebody is concerned about this and they do want to take steps now to try and protect their data, how accessible is quantum resistant cryptography now?
Ron (13:51): Well, one of the reasons, so it's very accessible. You know, one of the reasons that the venture capital community has not jumped on this, it's because the cryptography becomes an OEM type of type of market. And before, you know, I get jumped on for, not from you, but know my business model. There's nothing fundamentally wrong with that.
Ron (14:20): I have to do similar things. I probably have been pitched the last three, four years, probably about maybe 10 or 11 different quantum crypto library companies, where they actually don't sell anything to a direct customer. They sell it as a third party. Like a you know, w which is the believer that it's the right thing, because, you know, cryptography is hard. What you want is you want a team of really, really smart people who that's, all they've done. They focused on the cryptography has been vetted by the U.S. government. You know, that, that that sort of approach, the problem is that if they're out there selling well, licensing a library, it's not a huge, a huge thing. Back in the late nineties, early two thousands, I remember that you know, ISS, for the product that they were doing, they switched to elliptic curve cryptography to you know, communicate with their agents. And it was more resistant and that kind of stuff. Didn't really make a lot of difference I think for, for, for people that were like, okay, that's cool. That's, that's, that's better crypto, but, you know, does that really make you a better, a better security? And you would think it would be, especially since people do break into security products, but the market didn't, the market could have cared less. They want easier to use products. They don't really want, you know, that kind of stuff, but that's kind of where we're at right now.
Kathleen (15:31): That's so fascinating. I mean, I think it's, it kind of applies to a lot of security, the sense that, you know, while we know there are risks out there, we just choose not to protect against them. It's, you know, it's like buying insurance, it's the same principle. It'll never happen to me. It's not going to happen anytime soon. That sort of thing. So I'm, I'm curious to see, what's going to take place that will prompt more of an interest in this.
Ron (15:54): Yeah, what's going to happen, in the United States, it's NIST. N I S T is the group that does that. You've probably heard of it. DES encryption and triple DES, and then there was AES encryption and, and NIST does bake offs the same way that the air force does bakeoffs, like we have the F22 Raptor aircraft. But, but what do we really want? And this has got a lot of input from the NSA. They got a lot of very, very smart mathematicians and they're baking off these algorithms. And you know, I haven't gotten a recent update, but almost every pitch I get is like, Oh, we're part of the bake off for NIST. We were, we won this, this, this part of it. That's great. That's awesome.
Kathleen (16:45): Yeah. Demand just needs to follow, I guess.
Ron (16:49): It is. It's, it's one of those things where you, you know, like, let's say I got a tip from somebody who had a breakthrough in, in cryptography. You almost don't want to touch that because historically, that's where, you know, something's wrong and you, you miss a leak, you miss some sort of entropy sort of, sort of where you can actually decrypt it. And now crypto is the NSA because they have enough people to do the peer review and, and literally red team it and attack it. And I think that's very apt in these kinds of things. If you're a small company, a 10 person company, and you're coming up with the next generation, you know, quantum resistant, crypto, great, prove it. You know? Go to NIST. Go to all that stuff. And, and then even after that, what's your business model? Like, why is your crypto going to be that much better than, than, than everybody else?
Kathleen (17:44): Yeah. Well, it sounds like the U.S. government will lead the way, at least in creating demand if, you know, for it to protect itself. And then, and then it sounds as though that that could roll out a form of standards or regulations that would eventually bleed into the private sector. Is that accurate?
Ron (18:00): Yeah. It's, it's, it's, it's very accurate.
Ron (18:12): There's like satellites, if you've did right. It's, it's there. But when you're, when you're in space and when you're, you're there, know that's, that's weight on that device. So, so there's believe it or not, you know, there's a really a need for just encrypting in general. And it can even be bad encryption, but there's a lot of stuff that's, un-encrypted, that's, that's, that's still going on today. Actually, we have more encryption everywhere that you know, we have a lot of other things that were, that are in the clear now, that are not so much in the clear.
Kathleen (18:42): Yeah, yeah. It's fascinating. I was talking to somebody the other day about IOT and it sounds like that's one area that, that is incredibly vulnerable for that same reason.
Ron (18:52): So not only with IOT, do we have an issue where the device itself might have not been coded securely, but the protocols that'd be an inline when, if you look at something like SMB version three, which is very enterprise ready and has all sorts of which of levels of, of cryptography, you know, kind of built into it, you know, you just don't see that, you know, and, and talk to the cloud and we're going to give you a web interface, or a mobile app to talk to that cloud, you're hardly ever, so we need to reverse engineer it. With like one of your portfolio companies, you know, Refirm Labs from DataTribe there, you know, they find tons of stuff in IOT devices, all, all the day. Encrypt, you know, can, can you encrypt that better? Can you keep it, what's being collected half the time? So, so that's kinda where I'm seeing that market at right now.
Kathleen (19:53): Yeah. Now, switching gears, you are an investor, you, as you mentioned, you get pitched by a lot of companies. You see a lot of technology. Is there a particular cybersecurity technology that you're really excited about right now?
Ron (20:12): My friends at DataTribe have some of my favorite companies. So way, the way I like to talk about it, is that, you know, I've done two companies. I've done Network Security Wizards, which was a network intrusion detection company. We did Tenable Network Security, which is cyber, you know?
Ron (20:36): And swim lane. And after I left Tenable as an investor, I really got to explore. There's Huntress Labs. Huntress Labs is really focused on the SMB and finding malware, or finding back doors, finding, you know, phishing, phishing targets, you know? I find that very exciting. It's not about just their detection is it better than, you know, a CrowdStrike or a SentinelOne. It does it. Cause when, when you're dealing with a dentist office, it's such a different mindset than, you know, dealing with like a bank, you know? Where we're, where they've got, you know, so I'm enjoying stuff like that. I'm, I'm really enjoying a lot of the different ways we can solve some of these problems. Some of the things that, that we've invested in is like cyber education. So if you look at the work that we're doing with Cybrary and you extend that to people like Catalyte, you know, that's, that's really interesting. The ability to use AI and, and, and create, you know, developers and IT teams, or in Cybrary's case, you know, the development or the ability to really, you know, pull people either from you know, inner city, retiring veterans, just anybody who's got a, access to the, to the internet, you know, into the cyber you know, career is, is just, is just really, really fun stuff.
Ron (22:05): So it's, I think my biggest frustration sometimes is I'll, we'll invest in a certain category and somebody will solve it a certain way. And then another company will come along and solve it almost completely differently. Then we're sort of like, okay, well, do we want to invest in both of these companies, because they're going after the same dollars.
Kathleen (22:27): Yeah.
Ron (22:34): On the cloud, like Cloudflare, or are you going to be in like a contrast, you know, and those two completely different businesses, well, security, it gets, it gets in there. That's the world I get to live in. And I really enjoy helping people think through that. And you know, hopefully we're making a difference and invest in the second and third tier here.
Kathleen (23:02): Well, I love that you're involved in so many different education organizations and, and trying to kind of bring up the next, the next generation of cybersecurity professionals. I also love that you've been in business with your wife for so many years. Fun fact, I owned a company for 11 years with my husband. And so I feel like we could have an entirely separate podcast episode just on, just on working with your spouse, but I think that's, that's fantastic. And I love that story about what you guys are doing.
Ron (23:30): So it's, it's funny you know, a lot of people know our story. You know, Cindy didn't get sort of the cofounder or on the web sort of, sort of u, you know, I had it explained to me, if you look at the, just for example, the divorce rate, you know, that kind of stuff, there's just, there's a, there's a 50% chance one of you is going to get divorced and leave the company and it, and that's a real risk. I get it. I get it. Having said that though, now that we've been a lot more public about it, I'm finding like you, you, you did business with your husband. I'll find a, to a brother's team, you know, that, that, that are working together. Now, brothers don't get divorced, but you can have fallings out with your families and stuff like that. I find that if you can make it work, it can be a very, very strong thing. But whenever we do sort of like off the cuff marriage counseling or anything like that, it's not like, Hey, why don't you, you guys go start a business. That'll solve all your, you know, all your things. But, but yeah, no, glad that, glad you brought that up.
Kathleen (24:35): Yeah. I think going into business with anyone is kind of like getting married. Like, you have to be a phenomenal communicator and you've got to talk about everything to make it work. I always say that my greatest accomplishment in life is that I'm still married after 11 years of business partnership. So you're right. It's, it's, it's great. You have a level of trust you can't get with somebody you know, somebody else, who's not your family, so fantastic. Well, I really appreciate you joining me for this episode. It was, it was fascinating. If somebody wants to learn more about you and some of the work you're doing, where should they look online?
Ron (25:12): So we maintain a webpage at gula.tech. We have a list of all the portfolio companies, including the DataTribe companies like you guys. And you know, we blog a good bit about podcasts. I'll be putting this on our blog eventually. And then you know, if they want, I do, I do post pretty pro, a good bit on LinkedIn, a little bit, you know, business. You gotta keep it on LinkedIn, but I appreciate anybody that wants to look us up. So let us know.
Kathleen (25:48): Fantastic. Well, I'll put those links in the show notes. And if you're listening and you enjoyed this episode, please consider leaving the podcast a review on Apple Podcasts or wherever you choose to listen. And we want to hear from you. If you have an idea for a future episode, tweet us at @Attilasecurity. Thanks for listening. And thank you, Ron.
Ron (26:06): Thank you.