
Decrypting the future.
[ Music ]
Dave Bittner: Hello everyone and welcome to "Caveat", N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner and joining me is my co-host Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On today's show, Ben has the story of a new California bill regulating AI. I've got the story of the controversial technology transfer from the US to the UAE. And later in the show, my conversation with Rebecca Krauthamer. She's a Stanford quantum computing researcher and CEO of QuSecure. We're discussing the National Quantum Cybersecurity Migration Strategy Act. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben, we're going to jump right into our stories here. What do you got for us this week?
Ben Yelin: So I don't just talk about California because it is my native state. There are good reasons to talk about it. It is the home base of most of the big tech companies, and so a lot of regulatory regimes will start in California, especially as there's a vacuum at the federal level.
Dave Bittner: Right.
Ben Yelin: And with that in mind, I wanted to share an article from Politico about California lawmakers passing a bill and sending that bill to Governor Newsom's desk to regulate AI. Before I get into the specifics of this bill, it's worth noting that a similar but slightly stronger bill passed the California State Legislature last year, but Governor Newsom ended up vetoing that bill, basically saying, We don't want to stifle innovation in the industry, that the bill was too heavy-handed. So, he sent lawmakers back to the drawing board. The other context here is that Gavin Newsom is, like, kind of a part-time governor of California.
Dave Bittner: Yeah.
Ben Yelin: Spending a lot of time podcasting, and --
Dave Bittner: He has his sights set on something bigger, doesn't he?
Ben Yelin: Yeah, like, he's thinking about being president and fighting Trump and all that stuff.
Dave Bittner: Right. Right.
Ben Yelin: So, I don't know how much he's paying attention to the details of AI policy, but it is critically important and it'll be really interesting to see what happens with this legislation. So the bill requires companies to disclose and certify their safety testing practices. In contrast to previous versions of the bill, there is a threshold at which these regulations apply. So all companies, regardless of size, have to disclose certain aspects of their safety testing practices. But for the most stringent requirements, it only applies to the big companies. And I think this is intended, per the author of the law, to set kind of a national floor, a precedent for AI regulation the way CCPA did for data privacy. It's leveraging California's influence in the tech industry. The sponsor of this bill is a guy named State Senator Scott Wiener, who's a pretty prominent guy. People who know about housing policy, he's, like, a big pro-housing policy guy. So, he's both kind of controversial, but also very, a very prominent and important legislator who's somebody that's pretty trusted in Sacramento. And they are largely drafting this bill to comply with a report commissioned by Newsom himself after last year's veto, that basically encouraged the California State Legislature to constrain itself a little bit. And to make life a little bit easier, especially for smaller companies to not have to comply with as many requirements in outlining their own safety features. Big question is how Big Tech was going to react to this. Anthropic endorsed the legislation, which is really interesting. OpenAI, which is obviously a huge player in this space, is against it, but they haven't really said anything definitive. They are not outspoken or loud-spoken about this issue right now. So, Altman and company are not really playing in this game as of this moment. The big lobbying groups like TechNet and the California Chamber of Commerce do oppose this bill.
So, that might create some headache for Newsom as he tries to weigh the interests of the Big Tech industry, which is kind of the industrial base of his state, versus wanting to pioneer AI regulation. The other thing is that if Newsom is trying to contrast himself with the current president, this does give him an opportunity to do so. The big Trump line on AI right now is we need to be an international leader in the development of AI, and all policy decisions should be to accelerate that development so that we can out-compete countries like China and others who are in this space. And what Newsom would be doing by signing this legislation, regardless of what you think of the merits of it, would be at least, but, kind of grinding the gears of unfettered acceleration in this industry. So, I'm really interested to see what Governor Newsom does here. Again, I don't know how much attention he's paying to this since he spends most of his time mocking Trump tweets.
Dave Bittner: Or at least someone on his staff does, right?
Ben Yelin: Yeah, somebody on it. I don't think it's actually Gavin Newsom. But it'll be really interesting, because I think this is a major pivot point in AI regulation.
Dave Bittner: Yeah. A lot of these types of things get criticized because they, I guess an often-stated result of these is that the big already-installed players get an advantage. In other words, it discourages startups from entering the field because of the regulatory burden. Is that in play here?
Ben Yelin: Yeah, I mean, I think that's one of the reasons they modified this bill from the previous version. Any AI model developed by a smaller company with less than $500 million in annual revenue only has to disclose basic high-level details about safety testing. By the way, I want to correct one thing I said earlier. I said OpenAI was against this. They actually have spoken about this in somewhat positive terms. So --
Dave Bittner: Okay.
Ben Yelin: -- mea culpa on that one.
Dave Bittner: Yeah.
Ben Yelin: I, but yeah, I think that's kind of, that provision is designed to address the barrier to entry, that we're not looking to go after the smaller players who want to get in on this market. They're going to have to comply with very basic high-level demand, regulatory demands for information on safety testing. But it's the larger companies, the ones that are already established that are above that revenue threshold who are going to have to create more detailed reports. They have to say exactly what their plans are, the exact tests that they run, and that's the regulatory regime being put in place here.
Dave Bittner: So it seems like after the last round, Governor Newsom wrote them a roadmap for what he wanted to see modified, and they followed it, yes [laughter]?
Ben Yelin: Yeah, but I also think, I mean, he has to care what the industry thinks --
Dave Bittner: Right.
Ben Yelin: -- because of the prominent space they play in his state. And so when you have the Chamber of Commerce and TechNet, which represents huge players, like Apple, Amazon, and Google, opposing the bill, I don't think even if this does, at least in spirit, comply with the roadmap that Governor Newsom's work group came up with, I think he still has to tread carefully here. He doesn't want to be seen as stifling innovation. And there are other avenues where you can achieve AI safety without requiring this type of disclosure. One thing OpenAI did do is they wrote to Newsom as this legislation was making its way through the California legislature, suggesting that any state legislation should encourage compliance with voluntary federal testing, or the state could sign on to the EU's AI Code of Practice, which could stand in for safety certification in California. The legislature rejected that approach, although it did say that AI companies should write and publish frameworks that apply to their programs and to consider national standards, international standards, and industry consensus best practices. So, there is a little of that. Let's not try and reinvent the wheel here. The EU has already put together a regulatory regime. The federal government has this voluntary testing program that they're ruling out. Newsom still has to tread carefully, to answer your question, even though this is at least in spirit along the lines of what his work group has proposed.
Dave Bittner: Yeah, he's got a lot of, a lot of people he has to please here, right?
Ben Yelin: Yeah, I mean, it's balancing the main industry/economic driver of his state. All of these companies are not exactly happy with the state of things in California. They're still there, but they complain about tax policies, and, you know, a lot of their leaders have high-level complaints about how California is a hellhole, it's crime-ridden, taxes are too high, housing is too expensive. He really can't afford to lose them to other states, and so he always has that in the back of his mind. Like, what if Silicon Valley moved to Austin, Texas because we just went too far? Not that that's what's going to happen as a result of this legislation, but that's something he's always considering.
Dave Bittner: Right.
Ben Yelin: And I think it's important to consider. It's, it is in the interest of his state that California maintains their competitive advantage in the tech industry. But you have to balance that with California, especially as a relatively progressive state, wants to be at the forefront of these issues and wants to set the national baseline. You have very ambitious California legislators, all of whom want to run for Congress and think that they're going to win --
Dave Bittner: Right.
Ben Yelin: -- wanting to protect consumers against abuses from AI. So, it's just a really interesting dilemma.
Dave Bittner: Yeah. How do you suppose this is going to play out? I mean, if he does or doesn't sign it, what are the possibilities after that?
Ben Yelin: I think if he does sign it, my guess is that industry opposition, while it does exist, is muted enough that we're not going to see, like, lawsuits on this. I think we'll get compliance. There might be disputes on exactly what companies have to do to comply, but I don't think this is the type of thing that's going to be tied up in litigation for years, although I've been wrong about that in the past, so it's certainly possible. And then if he vetoes it, I think, you know, Newsom only has a year and a half left in his term as governor. He's term-limited in California. California will have a new governor in January 2027. And I think the legislature will start looking ahead to that time, and thinking about what kind of approach they want to outline that might pass in a post-Newsom California. So, they'd probably go back to the drawing board and maybe put something together next year, realizing that Newsom will still be there. It might not pass or be enacted into law. They'll take another bite at the apple in 2027 when they might have a different governor who has a different perspective on this issue.
Dave Bittner: Right, right. I mean, if he, I mean, if he vetoes it twice, it's kind of a fool me once, fool me twice situation, right?
Ben Yelin: Yeah, although sometimes that does happen. I mean, you just keep paring it down until you reach that sweet spot where he'll sign it. It happened with Bill Clinton in the 1990s with welfare reform. Like, the Congress just kept sending him bills and he would veto them and then they'd, like, moderate them just a tiny bit and they did that two or three times and then eventually he just signed the bill. So, you know, it does happen.
Dave Bittner: Okay.
Ben Yelin: Especially if he has a very specific list of demands or reasons why he issued the veto. If it's just a vague veto statement that's, like, I care more about innovation, then they might be out of luck. But I suspect that that's not what a veto statement would say. It would say, Here are the three or four things that I'm concerned about, and maybe that would encourage legislators to go back next year and take another bite at the apple. Especially if they can get the support of Big Tech through the Chamber of Commerce and TechNet.
Dave Bittner: Yeah, it strikes me that it's, I don't know if it's, well, let me ask you, Do you think it's a fair assessment that Big Tech has shifted over the past couple of years? In other words, I think in the past, I thought of Big Tech's leanings to be more aligned with California, right? And it seems to me like at the moment, they're more aligned with Washington, D.C.
Ben Yelin: Yeah, I mean, there's definitely been a shift. It's more like a vibe shift. I mean, they always had skepticism of overregulation, and they always thought taxes were too high in California. But I think, like, a lot of Big Tech mavens, obviously led by Elon Musk and others, have also undergone kind of a cultural shift to the right. And they have a big influence in the current administration. Many of them were seated behind the president during his inauguration this past January. So, that's definitely a thing. I don't know how much of that is really about changing views on cultural issues among these executives, or it's a cold-blooded calculation that this is the way the winds are blowing. And if we want our interests properly represented in government, we're going to have to align with the current administration. Like, do I think Tim Cook is bringing gifts, what did he bring, a diamond?
Dave Bittner: Gold, it was a gold --
Ben Yelin: Yeah, gold something to the White House.
Dave Bittner: Yes, solid gold.
Ben Yelin: -- because he agrees with President Trump's immigration policy? No, I don't think so.
Dave Bittner: Yeah.
Ben Yelin: I think it's just politics. It's my personal opinion. I obviously don't know for sure.
Dave Bittner: Yeah, no, I agree with that assessment. I think they're faced with the reality they're faced with and not unlike Governor Newsom here who has a lot of different people they need to please, so are the Big Tech gurus out in California.
Ben Yelin: Yeah, and I think, like, they always kind of go along with the trends. Like, if you look back at the late 2010s when there was a liberal vibe shift in terms of things like MeToo and Black Lives Matter, like all the tech companies got really into that stuff and they all had DEI statements, and they were all doing implicit bias trainings. And then the pendulum swung culturally, and they're, now they're against all those things. So, like, part of that is just realpolitik. Like, you try and swim where the current is going. So, I do think, like, they have probably a more contentious relationship with the progressive state that they're located now than they did several years ago. And that tension will manifest itself in a number of different ways.
Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes and of course, keep an eye on what exactly Governor Newsom does or does not do. We will be right back after this quick word from our sponsor. [ Music ] My story this week comes from The New York Times. I don't know, is it fair to call this a bombshell report from The New York Times, Ben?
Ben Yelin: Well, it barely made a ripple, even though this is a major story, but.
Dave Bittner: Bombshells ain't what they used to be [laughter].
Ben Yelin: No, they're really not. I mean, if this came out in the 1970s, I feel like we'd have --
Dave Bittner: Right.
Ben Yelin: -- major congressional hearings on this.
Dave Bittner: Right, exactly. So, this is a story from The New York Times, and it is about goings-on in the White House with President Trump. Some international intrigue here. And this has to do with President Trump's allowing of AI technology, AI chips, to be purchased by the UAE and then almost simultaneous to that, the UAE investing in a crypto company that the Trump family has a large interest in.
Ben Yelin: Can we just talk briefly about this Trump crypto thing?
Dave Bittner: Sure. Because I think, like, I guess probably our listeners understand what it is, but right before he took office the second time, he and his family members, including Melania, started their own, I don't know, is it a meme coin? Yeah, yeah.
Ben Yelin: And people are, basically what's happened throughout Trump's life is people invest in him as a person, him as a personality, him as a media figure. I mean, like in the 1990s, when his casinos were going bankrupt, he started a public company and got people to invest in it because he was this image of success. And most of those people ended up losing all of their investment. But yeah, this is a meme coin, and enough people have bought into it that it is now valued at over $2.7 billion, while at the same time the administration is taking a pretty active role in deregulating cryptocurrency. It's just, like, it's one of those kind of crazy things to me that's been under-covered. So, I don't know if you have the same reaction. Maybe we're going to get more complaints about our political bias, but I just find it kind of, like, a disturbing development. Like it's a, it's an easy legal-at-this-point way to just get super rich for being a public figure?
Dave Bittner: Yeah. Well, and I think as, you know, time and time again, Donald Trump has demonstrated that he can do things that are outside of the norms of what any other president would be able to do, and get away with it.
Ben Yelin: Yep.
Dave Bittner: Right?
Ben Yelin: Yeah.
Dave Bittner: Any of these things, if another president had done it, we wouldn't see the bulk of people just sort of shrugging their shoulders and going, Well, yeah, that's our, there's, there's Donald Trump again doing, you know, he tells it like it is.
Ben Yelin: Right, right. No, it's true. And again, like, as far as I know, there's nothing illegal about this meme coin, but as you'll get to, there's kind of a quid pro quo element here that's gross.
Dave Bittner: Yeah, that's the allegation that seems to be being made by The New York Times here. So let me just back up a little bit. So, there's a gentleman named Steve Witkoff. He is a New York real estate developer and longtime Trump confidant. And he became President Trump's Middle East envoy after the 2024 election. Not long after that, he cultivated a relationship with Sheikh Tahnoon bin Zayed Al Nahyan, who's an Emirati royal, who also controls 1.5 trillion, trillion with a T, in sovereign wealth, and he chairs a tech conglomerate called G42. Now, back in May, Witkoff's son announced that Sheikh Tahnoon's investment arm was going to place $2 billion in World Liberty Financial. That's the crypto startup founded by the Trump and Witkoff families, $2 billion, billion. So, this transformed World Liberty into a global player. This promised tens of millions of dollars in recurring revenue to them, and the families all have a lucrative financial stake. And later disclosures showed that Steve Witkoff had not fully divested, despite his public claims that he had. So that happened, and that's the meme coin thing that you're talking about. Weeks later, the White House agrees to dramatically expand Emirati access to advanced US AI chips, going from around 100,000 a year to as many as half a million, many of these chips destined for G42, the company that the Sheikh controls. These chips are essential for AI research, and they're tightly controlled because of the risks of having them diverted to China. G42 has past ties to Chinese tech firms, and they have done joint military exercises with China. And the negotiations involved someone named David Sacks, who is President Trump's AI and crypto czar.
Ben Yelin: He's also like a, he's a Big Tech maven, right?
Dave Bittner: Yeah.
Ben Yelin: Like, he's a super-rich guy.
Dave Bittner: And he got a conflict of interest waiver, despite his investments in AI and Gulf-linked ventures. So, there's a lot of stuff here, right [laughter]? So let's go through some of the complications here. Obviously, there are ethical concerns.
Ben Yelin: Pssh, ethics, yeah.
Dave Bittner: Well, so federal rules prohibit officials from participating in matters benefiting themselves or their relatives. And Witkoff's dual role drew scrutiny. And Sacks's dual hats as a government czar and active investor prompted a lot of raised eyebrows inside the administration. We've got the operational overlap. So, a G42 executive also worked for World Liberty, which links the Emirati technology company with the Trump-Witkoff ventures. And then G42, one of their affiliates, later used a stablecoin channel to do a $2 billion investment in Binance, which effectively granted World Liberty this massive deposit to manage. So, it gave them even more funds to play with. The NSC staff initially resisted the chip expansion, pushing the America First chips plan to restrict exports. Somehow Laura Loomer got involved with this [laughter].
Ben Yelin: She has her hand in everything.
Dave Bittner: I don't understand it, but she's an activist and I guess has the ear of the president and people in the White House. After her intervention, six officials from the NSC were dismissed, which tipped the balance toward the UAE's interests. And these Emirati leaders have been to White House dinners and summits, President Trump has praised their family as "brilliant men of vision", and they showcased these deals as "historic partnerships" while the whole financial overlap didn't go mentioned. So, there's a lot to unpack here, Ben. What do you think?
Ben Yelin: I think most charitably we should say that there isn't, like, an explicit connection, smoking gun that says the investments in Trump coin or by the UAE into this company started by Witkoff and his son that's benefiting Trump and his family. You can't definitively say that that is connected to giving the UAE access to these chips. Like, it's not, there's no transcript where they're like, Here's an explicit quid pro quo, but that's not really how it works. I don't even know what to say here. I guess just at a really high level, if you are working on behalf of the US government, ideally you wouldn't have financial conflicts of interest because you want to make decisions that are in the best interest of the people that you're representing, and not in the interest of yourself and your beneficiaries.
Dave Bittner: Yeah.
Ben Yelin: And that's why we have ethics laws and conflicts of interest laws. Those are enforced by the executive branch. So, do I think these individuals are going to get indicted by Pam Bondi's FBI, or Pam Bondi's DOJ for violating these laws? No, I do not. But yeah, this goes against a principle that even the appearance of using your position as a government official to pay back a country, or it's more just, like, I mean, what would you call this UAE guy? Like, an oligarch or a?
Dave Bittner: Yeah.
Ben Yelin: Yeah. It just, it stinks a little bit --
Dave Bittner: Yeah.
Ben Yelin: -- is all I'll say.
Dave Bittner: Well, and is it fair to say that, again, you know, the bucking of norms, that every other President, Republican or Democrat, have divested themselves when they take office, right? They put all of their wealth in --
Ben Yelin: Jimmy Carter put his peanut farm in a blind trust.
Dave Bittner: Right, and they've all done that so as to avoid the appearance, even the appearance, of this sort of thing. And that is a norm that President Trump has chosen to not continue.
Ben Yelin: Yeah, I mean, do you, I don't know if you remember, like, the genesis of the Hunter Biden scandal, but it was the fact that he was on a board of a Ukrainian energy company, Burisma.
Dave Bittner: Right.
Ben Yelin: While simultaneously the Obama administration, where President Biden, former President Biden was Vice President, was trying to get this Ukrainian prosecutor fired. And the alleged quid pro quo was, like, it was actually Hunter Biden trying to get this prosecutor fired because he thought it would help this company. And, like, I don't actually think that's what was happening. But even if you believe that that's what's happening, that's just way less of a quid pro quo than what we're seeing here in terms of, like, raw financial benefits that are accruing to the people representing the government. Not to mention that Hunter Biden himself was never a government official. He was never, like, the AI advisor to Vice President Biden or President Biden. Whereas the principal players here are government officials. So, yeah, it's not great. It's not great.
Dave Bittner: Yeah, and I wonder, will anything come of this? I mean --
Ben Yelin: No.
Dave Bittner: That's my suspicion, yeah. Nothing will come of it. It's just, you know, this, because as you say, technically, no law is broken, I guess, or no... There are certainly, well, let's flip it on its ear. Had this been any other president, right, there'd be all sorts of ethical questions.
Ben Yelin: Oh yeah, and we'd have congressional investigations, and it's possible if Democrats take over the House that there would be investigations on this. But, you know, Democrats have already impeached Trump twice and it wasn't politically effective for them.
Dave Bittner: Yeah. Yeah.
Ben Yelin: They would never get a conviction in the Senate, so I don't think even if they do win control of the House, they are going to move through with impeachment basically no matter what. And, like, I just don't think members of the Trump administration are fearful that they're going to be held accountable for this. And I think there's good reason for them not to be fearful. And it's just like with the news environment the way it is, it's very hard for a story like this, which is kind of complicated, it's just very hard for this type of story to break through. Not to mention that, like, half the country, just by their nature, will disbelieve any story about Trump at this point, because they think that previous crusades against him, like the Russia hoax, were fake, so everything, every story that portrays him in a bad, or his administration in a bad way, must be fake. So yeah, that's kind of where we are.
Dave Bittner: Yeah. I have some MAGA cousins who would, I believe, make the argument that President Trump is sacrificing so much by not taking a salary and by giving the time that he gives to the nation as president instead of the time that he could spend as a businessman making billions of dollars, that that's why we should overlook these things, because of basically how generous he's being.
Ben Yelin: I think that's, like, a very commonly held viewpoint.
Dave Bittner: Yeah.
Ben Yelin: Which I certainly respect, but just in terms of raw numbers, you're giving up a $450,000 salary, while at the same time, like, this meme coin, which isn't actually, like, doesn't have any inherent worth, it's a coin with Trump's picture on it, is getting him billions of dollars in profit. Not all of it is going to him, but certainly a good portion of it is going to him and his family. So, that certainly supersedes any public gains we're getting from him forgoing his $450,000 salary.
Dave Bittner: Let me ask you this. In the years following the Trump administration, right, whether President, let's, I don't know how long it needs to be. Do you envision Congress shoring up the ethics policies so that they are more based in statute rather than simply norms?
Ben Yelin: That has happened in the past, like after Watergate, Congress took a lot of actions to limit executive power and just kind of generally took actions that were seen as good government. The largest congressional ethics law this century passed after those mid-2000s Jack Abramoff scandals. So sometimes it does motivate Congress to act. I think, though, at this point, we're just a very polarized country. And if half the country believes that this is all a witch hunt, they're not going to be interested in legislation to shore up our ethics laws. I could be wrong about this and, you know, maybe Congress will surprise me, but my guess is that Republicans would see this as a direct attack against former president Trump at that point and would be reluctant to support it. But, but maybe, maybe that's incorrect.
Dave Bittner: [Laughter] All right. All right. We will have a link to the story in the show notes. We're going to take a quick break. We will be right back after this sponsor message. [ Music ] We are back. And Ben, I recently had the pleasure of speaking with Rebecca Krauthamer. She is a Stanford quantum computing researcher and CEO of a company called QuSecure. And our conversation centers on the National Quantum Cybersecurity Migration Strategy Act. Here's my conversation with Rebecca Krauthamer.
Rebecca Krauthamer: What people need to understand about quantum computing is it is not a bigger, better, faster, stronger computer. It is a machine that calculates answers in a fundamentally different way. So, it opens the door to solving problems that we never could in the past, or could never dream of with regular computers. And there are a lot of really incredible and exciting applications that we can look forward to seeing from quantum computers as they advance, like advanced drug discovery and optimization of problems where we couldn't crunch that many variables with regular computers. And one of the things that we know that quantum computers will do at scale is break encrypted communications. The math problem that we came up with to protect communications, protect data as it travels between points, is secure. That math problem is secure against regular computing attacks, but enter quantum computers, and quantum computers of about 4000 qubits of scale. That's how you measure the strength of a quantum computer. That quantum computer can slice through that math problem in a way that regular computers never can. And so that's really the important thing to know about quantum, is it can bring really exciting applications. And like any powerful technology, it also, it also promises to be used for the flip side of the coin, for nefarious purposes. Now, the good news is we have a fix. We have a fix for the decryption capabilities of those quantum computers. And that is what this bill, this new bill deals with. It's how do we quickly migrate to those protections, those known protections, so we can move on as a country, both public and private sector, protected against quantum computers and just benefit from all the good things that quantum computers will bring.
Dave Bittner: So let's dig into the bill itself. This is the National Quantum Cybersecurity Migration Strategy Act. What is in there, and what is your take on how effective it may be?
Rebecca Krauthamer: We started to see government action back in 2022. The first bill was passed into law in December of 2022. And that kicked off the cycle of, all right, first let's, throughout the government, government agencies now have to assess, understand where they're using encryption and start reporting on that. And so fast-forward to this year, we're seeing across the world more and more money put into quantum computing research and development, and more acceleration in timelines when we see quantum computers getting to what they call that cryptographically relevant stage. This bill comes, it's the most recent of the government action, and it is the most aggressive that we've seen so far. And what it lays out is a path to lay out a national strategy. And this is important. It's not just for government agencies and public sector. It also is talking about laying out these hard deadlines and this roadmap for private sector as well, which is the first time that we're actually seeing it applied to private sector, not just national security, for example. So that's what I see as being the most interesting thing about this. And it starts to draw these hard lines of this is very important for us to address now. Let's get this plan in place and let's move on it, rather than just assessment and understanding.
Dave Bittner: And where do we suppose we stand now with the various nations around the world and this race for quantum supremacy, let's call it. Do we have a good sense for where our adversaries may be?
Rebecca Krauthamer: One thing that's important to understand about why we're seeing more government action and these more aggressive timelines around adopting the quantum-safe infrastructures that prevent quantum decryption. It's not just getting ahead of when that quantum computer, that scaled quantum computer, comes online. It's actually an issue today. And it's an issue today because what is a common type of attack, it's called harvest now, decrypt later, or store now, decrypt later. And it's this idea that whether nation-state or otherwise, there are these big initiatives to harvest data as it travels across networks and stockpile it for later decryption. So, they'll harvest that encrypted data, that data that we trust to be secure when we're sending emails, when we're sending text messages, all the way through to electronic health records, to bank account information, when I do my online banking via app on my phone, to national security. So there are these big and coordinated initiatives, at the government level often, to harvest that data as it travels and keep it for decryption via that scaled quantum computer when that data is still relevant and still sensitive. So that is why we need to get ahead of it and adopt the protections today. And so back to your question, Where do we stand? Where does the US stand in relation to other nations? What we know is that the US has put, from the government side, upwards of a billion, $2 billion into quantum computing research. But there is also billions and billions of dollars flowing into privately-funded businesses in the US. So we have a lot of initiatives that are advancing very quickly. You'll see IBM, Google, but also a lot of startups based in the US that are making really, really, really rapid advancements. So that's where we stand. 
Now, we know that China has put in $15 billion or more at the government level and largely into what is a centralized research and development initiative to achieve what would ultimately be a very powerful quantum computer, cryptographically relevant, and otherwise. So from my perspective, the US is still in the lead with one asterisk, and I think this is important for people to understand. The reason we're seeing this government action speed up in the first place because of that harvest now, decrypt later threat. In the second place, because when, for example, if it is China, right, if China does get that cryptographically-relevant quantum computer, there's not going to be a press release about it. The general public is not going to know. And if we think back to World War II, when Alan Turing and his team broke the German code, they did not advertise it because it was strategically important that they keep that private, that they had the upper hand for as long as possible. And what is most likely to happen is whoever wins the quantum race, is, they're not going to make that information public. So whether it's two, five, ten years down the road, we don't know and we likely will not know when people like to call Q-Day will happen.
Dave Bittner: So, we're unlikely to have a Sputnik moment where suddenly the world is a different place than it was the day before.
Rebecca Krauthamer: Right, exactly.
Dave Bittner: Yeah. Help me understand here, because, you know, we all use encryption day to day in our web browsers, all sorts of ways that it helps keep our information secure. And I, we hear folks talk about quantum-safe encryption. Are our regular run-of-the-mill computers that we use today, I'm sitting here looking at my laptop, is it up to the task of using quantum-safe computing being a run-of-the-mill non-quantum machine?
Rebecca Krauthamer: That is a great question, and it's one that still most CISOs are learning the answer to. And so I love being able to go in and tell people that you do not need a quantum computer to fight a quantum computer. You barely need a Raspberry Pi to fight a quantum computer. So your laptop, as long as it was made in the last 20 years, it's likely to be able to handle the type of encryption that is secure against quantum attacks. And most things that can handle today's encryption, the kind that's vulnerable to quantum computing attack, it's likely that it can also handle the quantum-safe encryption.
Dave Bittner: Okay. So what does this legislation hope to accomplish here?
Rebecca Krauthamer: This legislation is we're seeing crawl, walk, run. And back in 2022, that was crawl. That was, Let's take a look, let's assess the situation. Now we're seeing walk. We have yet to see run, where we have these hard deadlines, these, the carrot and the stick that say, You've got to address this immediately. And here's the prioritization of agencies that have to do that, as well as in private sector, and here's the consequence of not doing that. That is what we will likely see in, I believe in the next 12 months. What this legislation accomplishes is setting the stage for us getting to that run stage. So it's assessment, lay out the plan for both public and private sector migration. And that will, again, that will pave the way for us to put that legislation in place that says, All right, we have the plan. Now go here. Here's the carrot. Here's the stick.
Dave Bittner: It strikes me that we're sort of running towards this finish line. And I'm reminded of, you know, those of us who were around when we were coming up on Y2K. But the thing about Y2K was we knew when the deadline was, right? And in this case, we might not know that. Is there a sense that we can get this done in the amount of time that we have?
Rebecca Krauthamer: I've been working in the quantum-safe space since 2019. And one of the biggest changes I see from then until now is how much better understanding there is, especially in cybersecurity. But even more broadly, we talked to non-technical, non-cybersecurity folks, and they also are starting to understand not just the implications of the quantum threat, but what the solution looks like. And that to me is really, really encouraging. But the biggest, the biggest challenge of the last five years has been that education piece. And I think it's natural, right? There's so many kind of buzzwords and exotic terminology in this space. We have quantum, we have cryptography, we have all these things that make you think of higher-level physics classes. And when it comes down to it, this is yet another encryption migration. We've done it before in the past. We're going to do it again in the future. So back to your question again, Do people have an understanding and are we able to meet these timelines? The answer is a definitive yes. The biggest challenge that we face is helping people understand that it's not as complicated as it sounds. And that's what we're seeing. So with this crawl, walk, run, it's built around, Hey, we've got to get everybody to the starting line to understand, to assess, to really map out what this migration looks like. But within that is still this fundamental, for lack of a better word, I want to call it fear, that this is, this is something that's going to take a long time, that this is something where there's R&D involved, and none of that is true. It is all a very well-beaten path that we're walking down. So long answer to short question, this migration does not have to take years and years. And there are no dependencies left on R&D. There are now NIST-approved, government-approved algorithms that are known to be quantum safe. And it's simply a matter of adopting those. 
And there are new solutions in place that make that as simple as upgrading in days or months. And so that's the most important thing for organizations to understand, is it is an immediate threat, and it is not one that's worth waiting and stressing about. Because at the end of the day, it is much more simple than most people are assuming.
Dave Bittner: So what are your recommendations, then? What should organizations be doing to make sure that they're on the leading edge of being prepared for this?
Rebecca Krauthamer: A lot of organizations are starting with taking inventory, taking stock of where encryption lives under their domain. And while that's an important part of the process, it shouldn't be a critical path to finish that process before you start migrating. And by that, I mean if I run a bank, I have some idea of what my most sensitive assets are. I might put near the top of that list my IP, along with my customer-facing applications when I am collecting PII from my online banking customers or customers that are, say, applying for a loan. There's a lot of sensitive information that is exchanged via that interaction. And I want to make sure that my customers are secure, that that data remains secure. Because your social security number does not change throughout your lifetime, and that's still going to be a valuable piece of information when a cryptographically-relevant quantum computer comes online. So all that is to say, organizations already innately have some sense of what is top priority to protect. And those you can start migrating immediately. You don't have to do all this house cleaning. And one of our federal leaders said it really well. When the house is on fire, it's not the time to be organizing your filing cabinets. And so understanding that the house is already a little bit on fire and you know that you want to grab your wallet before you run out. So that's what I would advise organizations, both government and private sector, to think about is, What are the most sensitive applications? What are the applications, if you think ahead in two, five, ten years down the road, you want to make sure those are secure, you can start that process today. And again, it can be, we work with organizations in migrating those applications to quantum safe. It takes anywhere from a couple of days to a couple of months, depending on how scaled those are, but it's really not a huge lift. It's just yet another software migration in that case. [ Music ]
Dave Bittner: Ben, what do you think?
Ben Yelin: It's very interesting. I don't know that much about quantum computing, though, along with AGI, I mean, these are the technologies of the future that I think we have to be concerned about. So, it's just a, it's a really interesting conversation. It seems like our, it's an open question whether we're going to have a competitive advantage in quantum computing relative to China.
Dave Bittner: Yeah. Yeah, it's interesting to me kind of, you know, whether or not we're going to have some sort of Sputnik moment or something, you know, where suddenly someone makes a big quantum breakthrough, or would they keep that sort of thing close to the vest? Would nations not want their adversaries to know when they've made a big quantum breakthrough? I could see either scenario happening.
Ben Yelin: Oh, definitely.
Dave Bittner: Yeah. All right, well, our thanks to Rebecca Krauthamer. Again, she is a Stanford quantum computing researcher and CEO of the post-quantum cryptography firm QuSecure. We do appreciate her taking the time. [ Music ] And that is "Caveat", brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes, or send an email to caveat@N2K.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening. [ Music ]

