Industry Spotlight: QuSecure’s Dave Krauthamer on Post-Quantum Security

While AI is on everyone’s mind right now, quantum computing may not be far behind, at least when it comes to cryptography.  Networks are only as secure as the RSA algorithms, and when quantum arrives that will likely be the first target.  That means we will need post quantum security in place sooner than ever.  QuSecure has long been on the forefront of post quantum security when it comes to networks and communication.  With us today is the company’s founder and field CTO, Dave Krauthamer, to talk about the upcoming shift to post quantum security.

TR: What is your background and how did QuSecure come to be?

DK: I grew up in a super nerdy, Caltech/ JPL family. I was a CIO in telecom and then a founder and CEO of a company that became Oracle’s largest cloud applications services partner.  After a successful exit, I decided I wanted to do something both fun and intellectually interesting. So I started out in quantum, and people were like, “Why are you doing that? That’s a waste of time. It’ll never happen. There’ll never be a quantum computer.” And then we pivoted to this post-quantum security thesis about four years ago, well before it was really a serious topic. Having come out of IT as a CIO, we made some really interesting architectural decisions. Early on, the thought process was to fix the post-quantum thing, you should update all your source code and enhance PKI solutions, which would be kind of hybrid post-quantum. We took a very different approach with QuSecure: a heal-the-network approach.

This is a network issue, and if we can orchestrate this cryptography throughout the network, like SD-WAN for crypto, then it’s an easy way to actually affect this massive amount of infrastructure with a click of a button.  In fact, our thesis was that this is really the only way to solve this problem.  We have an orchestrator that can drop into the cloud, into hardware, or into an air-gapped environment for high-security zones. Then you just orchestrate secure communications.  When we create that connection between the orchestrator and the endpoint, it has a zero-trust fabric, it does micro-segmentation, it pulls telemetry, it’s continuously monitoring, and it gives you full crypto agility — the ability to swap out keys, key cycles, search algorithms. We believe we’re the only organization taking this heal-the-network path and we have some really great partnerships.

TR: What is post-quantum security?  Where does it fit into the next generation of networking?

DK: Post-quantum is just better math. It really is nothing more than what’s next in the algorithm. We have been going through these transitions around encryption for 40 years. Those cycles were really long: SHA1 to SHA2, DES, Triple DES, and now RSA. RSA is a prime number factored math. Fortunately, linear computers cannot factor prime numbers, or they can but the time horizon is millions of years. So we’ve been really very secure in terms of data being stolen and decrypted. But in the last couple of years, there have been a series of threats. Quantum is emerging, but AI can also do crypto analysis and find ways of figuring out a key, and just brute force poor implementations. So we need better math. NIST has been working on the math for a long time.

TR: How aware do you think the network industry is of the potential danger?

DK: There is this concept of cryptographic debt in these large organizations: telcos and the ones they serve.  They might have thousands of applications that have embedded cryptography in them, and in many cases there is no ability to actually swap that out. Some of those organizations that sold them the programs are defunct. And It is said that only about 25% of organizations actually monitor cryptography for threats. Putting on my CIO hat, we have very little understanding of this ticking time bomb.  These embedded keys, certificates, and cryptography are just embedded everywhere. Many of them are poor, downgrade implementations. It hasn’t been a focal area because there’s been a perception that this cryptography is unbreakable, which is a little misleading because we have poorer old implementations of crypto that is crackable.

TR: In what ways is the shift to post-quantum security starting to gain traction?

DK: The big push that we’ve seen in telco and other organizations is not so much from NIST, but from the compliance regimens (PCI, FIDO, DORA) are starting to say, “You need to be post-quantum crypto agile.” We were meeting with a large bank a couple of weeks ago, and they said the regulators were asking when the bank would be crypto agile post-quantum, something they had never mentioned before.  Now they are saying there needs to be a mechanism to swap out those algorithms in real time.

TR: That sounds like less of a math problem and more of a software problem?

DK: When talking about post-quantum, I like to think of it more as a transition to what’s next in secure communications. The algorithm is just a relatively small piece of it. It’s just lattice math versus prime number factored math. But we fully expect that it will be cracked too someday, and we don’t want to have to continually go through this upgrade cycle. We want to be able to put in the infrastructure that guarantees that we can swap these things out. And that’s the concept of crypto agility. The state of post-quantum is really that it’s already been certified by NIST. Now you’re starting to see all these standards bodies come out. There have been executive orders mandating this in the government. We work closely with DOD, the army, and the air force. In fact, it’s one thing the Democrats and the Republicans totally agree on, and that is that we need to move towards crypto agile post-quantum networks. You are starting to see now just a huge amount of velocity.

TR: How close is quantum computing to breaking RSA?

DK: So RSA-2048, 2048 can’t be cracked with a conventional computer. But with a quantum computer, you need about 4,100 qubits. The timeline for that was way out there, but just recently it has been pulled in. It was 2035, now it’s 2030. I’ve heard 2029. Some people even say 2028. But the reality is for us to upgrade every bit of crypto on these 20 billion devices out there is a monumental task. So as that timeline gets pulled in, I wouldn’t call it a panic but we’re starting to see a realization that this is a big problem that needs to be addressed quickly. It’s all hands on deck. Because once you get to those 4,100 qubits, it doesn’t matter whether it’s a missile, a plane, your bank account, or a satellite, it is all opened at that point.

TR: Why can quantum computing crack such problems so easily?

DK: In a standard instruction set for a computer you have 64 bits, which is a small word. And we’ve figured out how to process them very quickly in a linear fashion, which works for linear problems.  What that doesn’t work for is things that have lots of variables: molecular simulation, neural nets, things in nature. Enter quantum computing, where a bit can be in any state. So the word size is 2 to the 64^th power, which is just an immense amount of information to process at one particular time. For these problems that have infinite variables or near infinite variables, it’s great because I don’t need to linearly solve the problem. But the problem has been there’s a lot of noise in these quantum bits. 

TR: Who are the threat actors we should worry about using quantum technologies to bust open the old systems?

DK: It’s nation state actors, although hat might change as the quantity becomes more commoditized. If they get to 4,100 qubits, everything is vulnerable. It is said that our 25% of the global encrypted data is already sitting on servers in a city we are all very familiar with, waiting for that data to be decrypted. These state actors are not telling us what capabilities they have, which is way better than what’s being advertised in the news cycles.

TR: How is QuSecure taking its solution to market, and how are you seeing it deployed?

DK: It is an ongoing licensing model. How you deploy is your choice. Initially, a lot of organizations are deploying in an air-gapped, ultra-secure environment. But we also deploy in hardware when our main model is cloud deployment for private tenants. We are also coming out with IL-5 and IL-6 secured environments for government applications. We charge per endpoint. We’ve got really great kind of board-level reporting to talk about the threats you’re encountering. We deployed actually in one telco for post-quantum 5G, for a pilot.

TR: How much education do you have to do in order to get a telco client ready to use this kind of stuff?

DK: I think it’s a really natural fit to their skill sets because they already have crypto people and network people. Because we pulled this out of the app dev realm and into the network cyber realm, this is where they live. And what we’ve seen is that there is a handful of telcos that get this, and then there’s a layer that requires some education. Obviously, whenever you talk about generating revenue for them, they get kind of excited. More of the emphasis is on helping them with the business case and then helping them quickly get a pilot that gives them a proof point they can take on to their leadership.

TR: At what phase are you in the process of rolling it out in real world infrastructure?

DK: I think we’re still at the broad pilot phase. I think that the way we’re seeing the market is that these organizations are putting in budgets for 2026. It is NIST certified, and it is now a compliance requirement. We’re seeing larger pilots with the intent of kind of going live and driving down to the organizations in 2026, some as early as Q1. But I think that this becomes a budgetary item, a real budgetary item in the beginning of 2026.

TR: What other approaches are you seeing in the marketplace?

DK: There are the PKI vendors, who are taking a kind of hybrid PKI approach.  Our belief is that that’s a subset of the actual need set, not true crypto agility. There are the HSM vendors with hardware-based solutions. And then there’s just like, “I’ve got an SDK” with which you can embed some post-quantum capability in your code. Those are the primary competitors. I don’t think we have a competitor on the network orchestration side, or at least I haven’t seen one.

TR: What challenges lie ahead? 

DK: We’ve been at this for probably four and a half years. At the beginning of the journey people wondered what we were doing and why we were wasting our time.  Now we have gone from completely irrelevant to a state where everyone’s hair is on fire.  It is exciting. I think what’s next is going to be major global rollouts. The scope of this is probably the largest upgrade we’ve ever seen in technology history.

I think that as we as an industry identify key vulnerabilities in our application suite, those are the things that we’re going to go after first. But it’s every endpoint on every electronic device, especially the ones you don’t even know about, like the ones in your neighborhood or the RTUs for the power company, that are very vulnerable. There’s a lot of risk in operational technology, like out the oil field, those devices that might have no encryption.

I think the scale of the problem is not fully understood. A lot of times at the app player, we place value on an application because it’s a revenue application. But we tend to ignore the embedded crypto and vulnerabilities because the app is so important to us. But this is a wonderful opportunity to really create secure communications.

TR: Thank you for talking with Telecom Ramblings!

If you haven't already, please take our Reader Survey! Just 3 questions to help us better understand who is reading Telecom Ramblings so we can serve you better!

Categories: Industry Spotlight · Quantum · Security