 All right. Good afternoon. Come on guys. I need some energy. I know this is before a break. All right. Much better. Much better. Hope you're having a great time here at the summit. Yes. Yes. Yes, you are. I know you are. Anyway, you have heard that we have launched the era of quantum utility, right? So in addition to bringing useful quantum computing to the world, we are committed to focused on and have also made great progress in making the world quantum safe. So what does making the world quantum safe really mean? What it means is that we are going to work collaboratively with our clients across the industries and partners across the ecosystem to chart a course for the development and deployment of quantum technologies in a responsible manner. What does then therefore responsible quantum computing mean? It is simply expressed as having an intention to develop and deploy quantum technologies in the most inclusive as well as accountable and transparent manner. That's what responsible quantum computing really means. Now, in order to guide us through this, we have come up with five principles that we wish to apply to see whether anyone is following responsible quantum computing or not. The first is you choose your use cases in such a way that they do create positive societal impact. The second, anticipate potential side effects, if you will, unanticipated side effects of even these positive use cases. The third is represent the capabilities as well as the limitations of quantum computing. In other words, don't overhype, right? And the fourth is we want to be intentional about being consistent and transparent in making decisions. And finally, we want to build an inclusive ecosystem that represents the diversity of the world at large. All right. Now, while we believe in these principles and we are committed to doing this, we fully recognize that others outside may not be. One such classical case where this may happen is with the application of quantum computing to break encryption. Now, let me double click into that and talk a little bit more. As quantum technology advances, we find that the extended problem of prime factorization, which is what the modern day cryptography depends upon, becomes a solvable problem with a quantum computer. So when a cryptographically relevant quantum computer becomes available in the future, one can apply Schwarz's algorithm to solve the problem of prime factorization in a matter of hours. What that means is there are two key things that it leads to. One is that the cryptography that we rely on for all our digital communications, including the cell phone, including the WhatsApp that you have and text messages you send is all likely to be vulnerable or even be broken. That is a reality of the existential threat. The second is even more concerning, if you will, in that there is this notion of harvest now and decrypt later. What that means is bad actors can exfiltrate data today with absolutely no means of decryption. But they'll sit on it for several years and then when a quantum computer of sufficient scale and capacity becomes available, they can apply that to decrypt the data that they exfiltrate it today. Both of these are problems that need to be solved. So what is being done to solve them? In 2016, NIST announced a competition inviting submission of algorithms that cannot be broken by quantum computer as well as classical computers. We submitted a set of algorithms for that along with others and there were 80 plus submissions. Fast forward to last July, four algorithms were selected around which standards are going to be built and three of them came from IBM. We didn't stop there. We continued to come up with new algorithms that are somewhat special purpose and submitted three more for consideration called Oil and Vinegar, Mayo and SQI sign. So we have continued our work in that progress. Now, while we have been doing this, the US federal government and some key agencies have continued to publish certain guidelines. So NSA published the CNSA 2.0 guidelines that called for national security agencies to be quantum safe by 2034. They laid out a very clear schedule as to when what needs to happen in order to achieve that. The US president issued executive orders and national security memorandums that called for government agencies to become quantum safe and also asked them to submit an annual inventory of cryptography on an annual basis. Now, in anticipation of this and responding to this, we created a quantum safe roadmap and also a set of technologies to support our clients in their migration or journey towards becoming quantum safe and we announced this in May of this year. Subsequently, we also released a technology capability called IBM Quantum Safe Explorer. I'll talk about that in a minute and even show you a demonstration of that. We released that in October. So we are working diligently to provide technology capabilities that will enable our clients to not just start this journey but continue this journey and also maintain the level of cryptography on an ongoing basis. Now, all of these have been done not in a back room, lab situation or scenario, but in our work with existing clients. There are a number of clients here who have been part of our initial set of clients and I will call a couple of them out as I move forward at the appropriate time. So the bottom line is these were capabilities and ideas that were tested in the field and our response of solutions was a reaction to that. Now, earlier I talked about working in collaboration with industries and industry consortiums and ecosystem partners, right? Consistent with that, in 2020 we announced the open quantum safe consortium, right? We have been an active participant of that and it has pushed the boundaries on open quantum safe quite a bit. Next, we are an active participant in the NCCOE as it's called the National Cyber Security Centre of Excellence and we were also the first to announce an industry consortia in the telco space called the post quantum telco network. And we announced that in collaboration with GSMA and Vodafone and a shout out to Luki Bitsen from Vodafone who is here who has been a tremendous partner, not just in driving this, but in collaborating with us. Thank you, Luke. And we're also a partner, you know, or a leader, I should say, driving two of the four world groups in the post quantum cryptography coalition led by MITRE. I also wish to share with you that we are close to announcing a couple of other consortiums in the payment space with NACHA in North America and emerging payments association of ASEAN in the Australia space. So we are expanding from telco into financial services and payments as well. This is the industry play that we have been sort of talking about. Now I started with what is responsible quantum computing called out what the potential risky use cases there is with respect to shows algorithm being applied and breaking cryptography and laid out what has been done in the last few years to get prepared for addressing that challenge. Now to go a little bit deeper into the specific technologies that we have developed approaches and technologies that will help clients migrate through their journey to becoming quantum safe. Now, again, all of this was based on the work that we have done over the past year or so year plus in a way with various clients and we learned a lot from that. So we created a three stage approach. One of the common problem that we saw first was that almost all of the clients didn't know comprehensively and completely where all cryptography is being used within their enterprise. I'm not poking fingers at anyone but I'm pointing out the reality that keeping track of every little cryptography usage within the enterprise is not part of what people do now and they don't have a good handle on that. So discovery of cryptography and creating that inventory of where cryptography is being used becomes a very important step and that is step one. And we have a tool called IBM Quantum Safe Explorer that helps identify that or discover that. And as indicated earlier, I will have a demo of that for you shortly. The second stage is having discovered what you have. You have to augment that with what other cryptography that may exist that you observe in the actual execution of the system in the network. So observe is about observing the dynamic cryptography exchange by looking at traffic that goes across your network and using that information wisely to prioritize what do you go after first and how do you sequence your operations of remediation such that you're quite effective. I talked about the harvest now and decrypt later problem. For example, if you know what your critical assets are, crown jewels as they are called, if you know what your crown jewels are, you want to protect them first. And that's prioritization. Plus, observe is also about observability so that it is not a once and done kind of a solution. But you can apply the capabilities of observe to really observe on an ongoing basis so you can continue to manage the problem in real time as well. The tool that supports that is IBM Quantum Safe Advisor. And I will show you a short demo of that as well. The last piece is around transformation. So having discovered and prioritized the work that needs to be done, how do you go about beginning the transformation of your cryptography in the application and infrastructure to support what you need to do? That is what transformation is all about. And we have a tool called Quantum Safe Remediator, which is a collection of codified best practices and patterns that we have observed in the field and recorded that and that we can apply today. So you don't have to wait for standards to be announced sometime next year or published, I should say, sometimes next year around the four selected algorithms. You can begin that work today to prevent yourself from being caught in this harvest now, decrypt later issue. Now, earlier I talked about calling out certain clients and thanking them. Here is where I'd like to call out the excellent support that we have had and then we learn together in this exercise is Customs and Border Protection. They have been extremely supportive and they actually exercise. I know, you know, CTO Sunil and Dagmiz are here in the audience and the team is there. So a shout out to you guys. Thank you for your support. They exercise all three of these, right? In a limited manner, of course, but they have gained a lot from this, so did we, right? So this is how we experiment in the field as well as learn from that and begin to sharpen these products, right? So now let me move over and begin to show you a demo of the Explorer as well as the advisor. So I start off with the Explorer and I indicated that the Explorer is about discovering cryptography. It discovers cryptography in static code. It discovers cryptography in your software programs and some object code as well. And it creates an inventory and this inventory is created in the form of a cryptographic bill of materials. It is a standard that we have created that is going to be part of the Cyclone DX 1.6 version, if I remember right. And it's going to be published as a standard for folks to use. So it's critical that we create this inventory in a standard form that others and other tools can also consume. So what it does is it has three modes of operation. One is a VS code developer view, which is what I'm going to show to illustrate the capability of this tool. The second is a command line interface that you can use because if you are a large enterprise, you're not going to go have a developer go through every single one of the modules. You want to run a batch program that points to the GitHub repository and say go through that, find out all the cryptography and create an inventory, please. That's what the command line interface or CLI interface accomplishes. The third is, okay, I've done this. Now, how do I manage this on an ongoing basis? For that, we provide an API interface that you can integrate into your CI CD pipeline so that every time somebody does a commit, an automatic scan occurs and you have a report of what you need to get from a cryptography standpoint. So it is not just about discovering it once, but also about managing it on an ongoing basis. So simply if I go and scan this program called fund portfolio analysis, you will see on the lower right-hand side some stats begin to appear. And let me make this window a little bit so that you can see. So now it has completed the scan. And there you go. It discovered 32 artifacts. This program had both C++ and Java code. We currently support five languages, C, C++, Java, Python, Dart. And it can also scan JAR files. We are currently working on C sharp. And next in line is Node.js and ABAP. So we have the ability to add languages at a regular basis depending on the client's need. So we discovered these number of artifacts. And let me just highlight the ones in Java. So you have seven from a library called Bouncy Castle and 12 from another library called Crypto Utils. This is what you discovered. You can go in and see where is this coming from. All of a sudden you find that there is code that pops up in the window above you and some red highlight appears. This is exactly the line where the scriptography is used within that program. So we are able to pinpoint down to the line where the scriptography is being used. So in case you need to know more about that or you are looking for remediating it, you know, it's taking you directly to the area where you need to focus on. In addition, you can also go in and say I did talk about C-bomb or an inventory being created. And you see that the C-bomb gets created here as a JSON file, which is nothing but a JSON expression of what the inventory looks like. So what we have done here is we scanned a software program, identified all the cryptographic usage. There's a number of other stats that I'm not showing you and other features, but just to get the point across that we have the ability to scan languages, extract cryptographic usage, document it and create the inventory, which is required for the CSO in the organization to get a comprehensive view of where all cryptography is being used. That's what this accomplished. Now one thing I'd like for you to remember is this point I called out about 12 different artifacts that are being used in Java, sorry, 19 being used in Java and 12 coming from a library called CryptoUtils. Let's hang on to that thought and then let me go back to this slide. Can we go back to the slide please to talk about what advisor is? So I talked about Explorer being the static view. That complemented with the dynamic view that comes from Advisor is what completes the picture. So the comprehensive picture comes from adding the static view and the dynamic view. Advisor takes data from six different sources and puts them together in an intelligent manner for you to draw insights out of. The six sources are standard network scanning information that you currently have from your network monitoring tool, whether it be Nessus, Tenable Nessus or Qalis or Rapid7 or whatever your network scanning tool may generate. So we know the data that's running across your network. The second is your configuration management database or CMDB database. The third is the asset database that you have that calls out all the assets that you have including the endpoints. And the fourth one is the provisioning database. So we know what's being provisioned where. And two other sources which are the Cbomb file from the scanning that we just completed and additional metadata that this Explorer tool creates about all the other goodies that I didn't show you. So these six things put together is what gives you a comprehensive view. Now what problem does this solve? This solves the problem of a CISO not having a comprehensive view of what's happening in cryptography across their enterprise. Now with that thought in mind, let's switch over to the advisor demo. Let me make this a little bit bigger. All right. Good enough for now. Right away you have a dashboard where you can show your selected set of metrics that you would like to track and that's what is shown at the top. So you see a number of metrics. What is my Cypher suite strength? How many endpoints am I managing? And what are the various TLS protocols that I'm running? What version of them am I running? And how many different libraries are being used by my developers? All these are interesting things. And this graph that is half visible is about the cryptographic posture. How many violations did the enterprise encounter in the month of January, February, and March? So you see a significant drop month after month after month. And the story here is that they started implementing policies to manage cryptography in the December, January time frame and slowly you find that people are adopting it, following it, and it is decreasing now to a stage where you are now at a very small number in the month of November. So the idea is the CISO has a view of what's happening across the enterprise, can create policies that will help address the hot areas that they want to address. One of them could be I don't want any more use of TLS 1.0 or 1.1. Or they may say here are the set of libraries that are allowed. Any other usage need should not be permitted so on and so forth. And on that point, I do want to call out that this fund portfolio analysis application that we just can appears here in a compliance violation for applications. If we drill down and look at that, you find that there are 12 instances occurring. And these are the 12 instances that we saw in the crypto utils that Explorer called out saying there are seven from Bouncy Castle, 12 from crypto utils. And the policy states that Bouncy Castle is the recommended library. The crypto utils that used is not. Therefore, it is trapped as an exception here. And not only that, you can take action on it and say go create a ticket and send it to the ticketing system and make sure that we are able to manage that in real time. Real life demo as you see. Anyway, you'll be able to create a ticket and send it to the user and they can take care of handling that. So the bottom line is, advisor gives you the dynamic view and together you have a comprehensive view of what's been happening in the enterprise. Now, we didn't do this in isolation. We did that, you know, working over the past year with a dozen clients in six or seven industries. And these, at these clients, as I called out CBP, we delivered tangible, quantum safe solutions going across the discover, observe, and transform stages. That's what this is about. Now, talking of clients, I'd like to invite for the next session here. This is a client panel discussion session. And leading off that discussion is the IBM quantum safe public sector leader, Charles Robinson. Charles, thank you. Good afternoon. My name is Charles Robinson and I work for the IBM quantum team. And I've spent 30 years working in the intelligence community and a DOD in the national security community. And we have a treat today. We're privileged to have a gentleman who spent most of his career working for one of the largest telecommunications companies in the world. And I want to introduce to you today Brian Miles. Brian. Hey, Charles. Hey, Brian. How are you? Good. So I prepared some questions for you. And I want to start with something fairly simple. Okay. Introduce yourself and your role at AT&T. Yeah, so my name is Brian Miles. I've worked at AT&T for a couple of decades now. Been in cybersecurity for about six years. And I spent about five years working on the quantum security aspects, trying to learn quantum. And really that started off with a little, like kind of almost a little side project. And the last couple of years I've been working on that full time now. And I'm leading the crypto agility and crypto inventory efforts within AT&T. Awesome. So what does it mean for AT&T to be committed to security innovation alongside of technology progress? And how does quantum safe figure into that responsibility? Yeah, so there's a, as far as commitment, I see commitment starting to show up, I think, across a lot of companies, a lot of enterprises, especially ones with critical infrastructure. The federal government has issued a number of memorandums and joint statements and some other guidance that's, I think, helping with that. For example, the NSA, CISA, and NIST just published some joint guidance on quantum readiness and kind of the path or the steps you need to take for your migration to post-quantum cryptography. Outstanding. And I know we have some individuals in the audience from CISA. And so we appreciate you guys getting the word out. What led you to start your journey in quantum safe cryptography now? Yeah, so there's a number of reasons. It's going to take many years. This is a huge problem. It's just going to take a lot of work, so it's going to take a long time. If you just look at SHA-1 as an example, you know, that was an algorithm known to be vulnerable for a long time and it took over a decade for that to finally get deprecated and kind of worked out of common use. So that's definitely one big reason. It's also going to take a village. It's not a small team within a company that's going to be able to do this. It's going to affect a lot of your network infrastructure, your applications, if you have IoT devices. I mean, there's a lot of different things to consider. So it's going to take involvement from a lot of people across the enterprise. So that's going to take some time. That's also a reason to get started now. It's getting costly. So some recent reports somewhere in the neighborhood of $170, $180. Is the cost per record breached? You know, that in itself doesn't sound like much. Now start multiplying that by the millions of potential records that could be breached by a cryptographically relevant quantum computer. And that starts to become a big number. We don't know exactly when it's going to manifest itself. You know, what's the timeline? Is it five years out, you know, this cryptographically relevant quantum computer or is it 15 years out or is it two years out? You know, we just don't really know. There's a lot of indications suggesting that maybe, you know, more in the five to ten year range, but we don't really know. But that's another reason to start now. Finally, the whole harvest now decrypt later problem. You know, that's the first quantum attack. It's a two-part attack. That first part is happening now and it's been happening. At least there's some indication it's been happening for a number of years now. So since not all data has a shelf life, it's very important to start securing the more sensitive data and the data with the long shelf life sooner versus later. Outstanding. I agree. You know, it's best to start now sooner rather than later. So what opportunities do you see in terms of cybersecurity modernization, cryptographic agility and crypto bill of materials, etc., that AT&T is planning for and ultimately executing on quantum safe transition? Yeah, so as far as opportunities, one of the, I guess right off the top, opportunity to transform a cybersecurity infrastructure that's decades old at this point. We've kind of kept adding to it and adding more features and different types of security to it. But the original concept is decades old at this point. So that's definitely an opportunity. Quantum is providing that impetus to make those changes. Having a good visibility of your crypto estate is another key point. Putting the C-bomb or the cryptographic inventory in place and just getting a good visibility into where all your cryptography is at, who owns it and what exact cryptography is being used across an enterprise is a big thing. And quantum is providing an opportunity for that. There's been a lot of work towards looking more at risk and risk quantification. I think around business in general, but it's specifically around quantum. I've seen here lately. So being able to use a risk-centric approach to prioritize your work efforts, I think that's another opportunity that's coming out of this whole programmer problem. So I wanted to ask you, how do you see AT&T in the entire industry making progress in this space in the coming years? So those opportunities, of course, crypto inventory is a big one. I see a lot of security solutions that are starting to emerge. There's a lot of vendors out there, and there's a number of different technologies that are starting to kind of bubble up as getting to the point of being commercially viable. So those are good things. The opportunity to build crypto agility into our IT infrastructure, that's a big deal. I think that one of the things I think comes out of that is not only from a security perspective, but we've been, a lot of companies, carry this technical debt just over the years of just not having the IT budgets to deal with some things and maybe some older systems and that. So I think this presents some great opportunities to get rid of some of the technical debt, retire some of that older technical debt, and hopefully crypto agility and having that agility in place and automation helps minimize future technical debt. I love that concept of technical debt. Most of the systems that we use in this country has been layered upon for many years. And so this is an inflection point opportunity to change the security posture of those systems. I love that concept. So finally, I want to ask you, what advice do you have for others who are starting to think about their own quantum-safe readiness and transformation plans? Yeah, so just, I think one of the things that, frankly, help does, I guess, get a good foothold is awareness. I think just awareness across an enterprise is a big thing. There's starting to be some awareness, but it just, you know, there's a lot of different companies I talk to, a lot of different people. It seems like awareness is still lacking in a lot of ways. I mean, obviously here we're good, but you get outside of this room and there just isn't the awareness there needs to be. So I think awareness is a key thing, and that's not just of leadership. You know, it's also different stakeholders within the enterprise. You know, people over different business units and things like that. And also the workforce, you know, it's going to take a village, so making sure your workforce is up to speed and understands what's coming and why it's coming. I think those are all things. And, you know, one of the benefits that can come out of just awareness alone is, as just in the normal cycle of things, these tech refresh cycles, having awareness across the company, you know, maybe somebody says, oh, I got to replace this platform over here. I should look at a quantum, you know, secure, quantum safe replacement as I worked to upgrade that. So I think those are all good things. Mitigation strategy and having a roadmap. The mitigation strategy being more of the, kind of the, I guess, the North Star, kind of having, here's where we're at today, here's where we want to get to, kind of use that as your guiding North Star to make sure you're focused on the right things. And then the roadmap, you know, this is going to be spread out over a number of years. It's going to take a long time to make all these changes. So just mapping it out year by year, kind of having a good roadmap of where you're going as we saw with IBM earlier today. And then the C-bomb, you know, we talked about the inventory and the crypto bill of materials. If you don't know who owns it, what cryptography is being used and where it's at, you know, it really, it limits your ability to really move forward in a post-quantum world. So that's absolutely paramount. And then finally, supply chain. You know, there's, I think pretty much all companies have a lot of suppliers, right? So if you're not working to secure your supply chain, you're kind of missing, you know, that's a big segment of your security profile and security posture. So I think it's really, really important to start having the conversation with your suppliers and ask, you know, just ask, you know, to see their quantum roadmap and their recent visibility as to whether they're prepared or not prepared kind of thing. Yeah, Ray mentioned that we work with many clients from a quantum safe perspective. And we're appreciative to have the kinds of partnerships that can make the impact. And I want to thank you, Brian, for working with us. And we really appreciate the partnership with IBM and AT&T over the years. Brian Miles. Thanks, Charles. So I will close. And I want to thank Ray Harry Shanker for that illuminating technology brief on the quantum safe technology capabilities. The one thing I will share with you is a concept that my colleague, John Moselli, has often said to me and that is, don't panic, just plan. Although there may be a complex transformational journey coming down the path, you have partnerships and capabilities that can help. And with that, I just want to thank you for your time.