Sandbox AQ CEO: Enterprises must prep for quantum threats

Sandbox began life as a secretive division of Google parent company Alphabet in 2016, and in March 2022 became a company in its own right, Sandbox AQ. The A is for artificial intelligence, and the Q is for quantum, says CEO Jack Hidary.

The company plans to apply those technologies in the development of software-as-a-service products for the enterprise, tackling problems such as cybersecurity, navigation, and drug discovery.

Hidary, an energetic figure, is a serial entrepreneur. With his brother, he co-founded web design firm EarthWeb, leading the company through its acquisition of job site Dice.com and an IPO, and co-founded financial research firm Vista Research and solar panel installer SambaEnergy. He has also sat on a number of boards.

In his current role at Sandbox AQ, he has also found time to become a published author: His 2019 introductory guide, Quantum Computing: An Applied Approach, is now in its second edition.

One of the applications of quantum computing that he discusses in that book is Shor’s Algorithm, which — if you have access to a working quantum computer — makes it possible to crack many of today’s encryption algorithms, finding private keys in seconds rather than (billions of) years. It may only be a few years before quantum computers up to the task are on the market, so the threat to enterprise data is imminent.

Under Hidary’s leadership, Sandbox AQ will be taking an applied approach to using quantum technologies in enterprise IT. Shortly after the company’s creation, Hidary spoke to CIO.com about his plans. Here are edited highlights of that conversation.

Sandbox AQ

CIO.com: What enterprise problems will Sandbox AQ focus on?

Jack Hidary: The primary focus right now is post-quantum cryptography. That’s because of the urgency around cybersecurity in general, which I know that your readers are very familiar with. But specifically, there is an open war in cybersecurity on theft of IP [intellectual property]: The store-now-decrypt-later attack that is happening now.

Companies across the western world are being attacked, and data that is encrypted is being exfiltrated. That’s the “store now” part. The “decrypt later” part is that when sufficient computing capabilities are available to those adversaries, they will decrypt it and have access to it.

Think about IP in terms of chemical formulas at consumer-packaged goods or chemicals companies. Or of formulas and know-how and trade secrets at pharmaceutical and biotech companies. Not just the pharma products that are on the market: Almost as important or as critical are the thousands of compounds that every biotech is working on in development. It takes 10 or 15 years to develop some of these drugs, so if you have access to the IP of Novartis or Roche or Pfizer or Merck, you know these, this is very, very valuable, even if it takes you a few years to decrypt it when you have sufficient computing power.

We also have to think about sensitive financial records. We have to think about HIPAA. The definition of HIPAA will have to change because we need to keep medical records around for years, and right now they are RSA encrypted, but unfortunately, RSA is vulnerable to quantum attack and the same thing with elliptic curve cryptography and with Diffie–Hellman key exchange.

The core encryption algorithms that we use for data in motion and data at rest are vulnerable to quantum attack and specifically, and this I want to emphasize, right now to store now decrypt later. You know, CIOs sometimes ask us, do I need to act now? Can I just wait until we’re at the precipice of an RSA cracker? And the answer is unfortunately, one has to act now because of store-now-decrypt-later or hack-now-decrypt-later attacks.

If quantum computers can crack today’s encryption algorithms, will all our data be vulnerable?

Hidary: The good news is that the cyber community came together about six years ago — multiple countries, Western and Eastern European countries, the US, Canada, other leading countries in cybersecurity came together and formed the NIST process to examine, validate, and test a series of protocols that could replace RSA. Over 60 protocols were accepted into round one. The NIST process worked its way through, on an international multi-stakeholder basis, an open process, open to all, on the NIST website. It came out after three rounds with the finalists and indicated just last week that in the next two weeks, we’re going to see the specs on the first protocols that we can use.

(Hidary spoke to CIO.com in late March 2022, but participants in the NIST process continued to make tweaks to the encryption algorithms through April, and at time of writing, NIST had reached no conclusions.)

What do CIOs need to do to prepare?

Hidary: The timing is propitious for the migration now from RSA to post-RSA encryption. Had we tried to do this three or four years ago, what would we have used? What would the new protocol have been? The good news now is that there’s a software fix. One does not have to buy new hardware.

The first step though, as we put ourselves in the shoes of a CIO, would be discovery, encryption discovery. We know that large enterprises, no matter how hard they try to avoid it, are ad-hoc patchworks of multiple networks, M&A transactions that happened over the years of the company, so there’s encryption all over the place both for data at rest, and as well as in payment hubs, transaction hubs, and other points of data in motion.

What is needed in every large enterprise is a discovery process, a piece of software that crawls over the network, finds all the places where one is using RSA or elliptic curve or other vulnerable protocols, catalogs it, inventories it, presents it to the CISO, presents it to the CIO, and then makes recommendations for migration plans. It takes years to migrate a large enterprise, and so one needs a plan to do so.

What we’re seeing now is governments kicking in various rulings, various compliance calendars and milestones: The Jan. 19, 2022, national security memo from the US federal government enjoins the sensitive agencies of the United States to start moving from RSA towards post-RSA. The SEC proposed a cybersecurity compliance ruling on March 9, 2022, to take effect within 60 days. ANSSI, the French national cybersecurity agency, issued a post-RSA communique on Jan. 4, 2022. The UK government has issued its communiques. This is a global effort, a multi-stakeholder effort to bring the entire world from RSA to post-RSA. There are 20 billion physical devices that will need software upgraded: 7 to 8 billion phones, billions of laptops and servers, billions of IoT devices, all will need software upgrades.

So, the software service that you are offering is the scanning and the advising?

Hidary: Exactly. We have three pieces of this. One is the scanner, Sandbox AQ Discovery Tools. Many of our customers want to keep that information to themselves, so we don’t run it as a service. We license it to the companies where they can run it and see the results themselves. We don’t need their internal results. 

Second is the migration planning tool. Once you get the inventory and assessment, let’s put it all in a massive Gantt-chart-like piece of software that we have, a module for migration planning. That also is a compliance report output module, which allows you to hit a button, output a compliance report that you file with the appropriate regulatory bodies.

The third piece is the set of KEM [key encapsulation mechanisms] and encryption modules that instantiate and represent the protocols that came out of the open multi-country multinational stakeholder process known as the NIST process. The good news is we did not have to invent any new algorithms. That was done by the cryptography community, the mathematicians, the cryptanalysts, over a 25-year period since Peter Shor’s paper came out. They did their work brilliantly.

So, the third piece of what Sandbox AQ offers are these actual encryption APIs and SDKs. Let’s say, for example, you’re a large bank and you have your banking apps for your customers to do online banking, mobile banking, mobile brokerage, and so forth. Those apps need upgrading right away. If we’re going to protect that transactional data, that customer data, we need to update the SDK that’s in the app, and then update it on the app stores so that further communication will happen via post-RSA encryption.

If these are open algorithms, what is the added value that you offer here? What can you offer that other companies cannot?

Hidary: Firstly, it’s a strength that the algorithms are open. There’s no source code out there. It’s not open source, but it’s open algorithms and that’s the strength of the cyber community now: We only trust open algorithms, the ones that have been validated and tested by the open community.

The value-add we offer is the following: The discovery tool and the encryption modules all have our machine learning modules in them. Why machine learning? Is it just pixie dust we have to add to everything? No. The reason is that, coming out of the NIST process, we don’t have just one protocol: We have multiple valid post-RSA protocols.

For a large enterprise architecture, we need a control plane and a data plane, and we need to separate the control plane from the data plane. The data plane is the encryption plane. That’s where the encryption happens using the post-RSA protocols. The control plane is where the machine learning sits, to choose in real time the parameters and which protocol to use. Some protocols are faster, some are a bit slower, some offer a bit more security, some sufficient but a bit less. An ML model is necessary to make these real-time choices.

We offer a lot of value-add with our deep heritage of machine learning and our knowledge and expertise there, suffused with our understanding and deep expertise in quantum-safe cryptography. Bringing these two together, that’s where the value-add is.

To do the scanning, obviously, one needs some smarts in the system. It can’t just be a dumb scan: You will not be happy with the results with a passive dumb scan. You need a smart scan to do the scan across massive enterprises on premises, in the cloud, on mobile phones. A typical enterprise might have 200,000 mobile phones in the hands of its employees. One has to scan all these devices for what encryption protocols are being used.

Let me further add that another piece of all this is telecoms. One needs to think about inventorying all telecom products that one uses at a large enterprise. An example would be VPN and SD-WAN.

Is that why you are working with Vodafone Business and Softbank Mobile?

Hidary: Yes. These entities are moving ahead with post-quantum-cryptography-enabled VPN. This is a critical piece of the new infrastructure for the CIO, for the CISO, and for the network manager in every large global enterprise, to have tool sets so that when one is using a PQC-enabled VPN, one is assured that even if there is an eavesdropper, even if there is infiltration, even if there is exfiltration of that data as the VPN is active, one is assured that there’s not a store-now, decrypt-later vulnerability. That is another piece of what we are offering as value add: not just direct software to the end user business, but also the ability to enable our telco partners, which are critical in the whole communications link, to have PQC-enabled telco products. This is critical to the future of business-to-business telecom, of enterprise telecom.

With the new investment that came with the spin off, how are you going to stay focused and not get dispersed in a bunch of different projects?

Hidary: Well, you know, one has to prioritize. Cybersecurity is the priority right now, and we are focused on that. You can see the initial customers we’ve announced, and we’ll have more no doubt over time, both strategic partners and customers there in cyber. You’ll see that as our core focus externally.

In terms of the other parts of Sandbox AQ, these are more in development. I think it’s always a healthy balance to have some products that are ready for commercialization, and at the same time having an R&D facility, having the ability to develop products for the future.

We have security as the lead and commercialized right now and then we have, in development, quantum sensing and quantum simulation. Sensing includes, for example, navigation, includes other kinds of applications of these quantum sensors in development, as we indicated, so we’ll take a number of years to get to market on that.

And then of course, we have simulation, which is simulating molecular interactions using quantum equations, but doing so on today’s classical hardware, on GPUs. We have found ways to harness the computing power of the next generation of ASICs and GPUs from Nvidia, from Google, from so many companies, and architect for the hybridized future, the future that I believe will happen in computing, which will be CPU, GPU, QPU. It’s not classical versus quantum computing: It’s hybridized together. The fact that quantum is cloud native, is being launched and birthed on cloud, is so positive because this is how you can integrate and hybridize the computing.

The enterprise simulation software we have written is to advance drug discovery faster. It takes about 10 to 15 years to develop a single molecule to make it a medicine. A lot of that is because we didn’t have sufficient simulation tools to simulate the molecular interactions of how this compound might interact with a target receptor in the body. And now we’re offering new tools in development to the biotech and pharma sector.

So, these are two areas more in development at Sandbox AQ, but that I think hold great promise for significant impact. There’s a healthy balance in our company between commercialized products right now in cyber, and then in-development products in sensing and simulation.