Speaking notes for Scott Jones: Opening remarks at 4th Annual ETSI/IQC Workshop on Quantum-Safe Cryptography

September 19, 2016, Toronto

Good morning everyone, and welcome to the 4th annual ETSI/IQC workshop on Quantum-Safe Cryptography. 

I’m Scott Jones, the Assistant Deputy Minister responsible for IT Security Programs at Communications Security Establishment, or CSE, the Government of Canada’s cryptologic agency.

I’m pleased to be helping kick off this most important workshop.

The next three days are about sharing expertise, research and ideas to help address a critical question for all of us:

How do we protect systems and information, in the face of emerging quantum technology, which will render much our current cryptographic tools ineffective?

But put another way, this is really the question: If we don’t address the impending reality of quantum computing, how do we maintain trust and confidence in the cyber world upon which so much of our economic prosperity depends?

Before I get into that, I’d like to talk a little bit about what CSE does to help protect information and information infrastructures of importance to the Government of Canada. 

We’re the lead technical IT Security agency for the government.  We work to detect, prevent, and mitigate potential damage from cyberattacks on government systems. That’s the cyber defence side. We also provide advice, guidance and standards to protect the government’s online systems and information.  Like you, we do much of that through encryption. We also lead the Canadian program for Common Criteria and the Crypto Module Validation Program.

Quantum represents a fundamental change and challenge to encryption for all of us. So it’s important for CSE to continue to work in partnership with academia, industry and standards organizations on our future collective challenge.

So back to the questions we’re facing, particularly around trust and confidence.

It’s fair to say that, for most Canadians, encryption equals trust and confidence when they are interacting online.

And Canadians are interacting online.  A lot. More than any other country on the planet. Virtually every aspect of their lives relies -- in some way, shape or form -- on the internet.

So whether they are posting photos to Instagram or Facebook friends, banking, filing their tax return, booking flights, buying Pokecoins, or purchasing Blue Jays’ or Leaf tickets, they want to know that their online transactions, and their entire online experience, are safe and secure.

Having that trust on the internet is critical, not only because so much of our daily lives happen there, but also because the internet is inherently untrustworthy.

But those transactions are fine, from an encryption point of view, until the day after a cryptographically-relevant quantum computer becomes available.

What we don’t talk about is that information has a life associated with its value to someone else.  For a transaction, that life is typically measured in milliseconds.  Once the transaction completes in some sort of assured way there is little to no value. 

However, as more data is moved into the cloud we need to start asking ourselves “how long does this information have value?”  And if that lifespan passes the creation of a quantum computer capable of breaking the encryption, our question then becomes “is the information worth the effort of someone to obtain?”

Citizens are becoming more and more wary – as they should be – about what they see, about what they click on, and most importantly, about what they do online.  But they don’t understand the impending reality of quantum computing.

Encryption provides trust and confidence in our online lives, whether we understand it or not. And the emergence of a quantum computer would put that trust and confidence in jeopardy.

There is, of course, tremendous potential in the advancement of quantum science.  I’m primarily talking about quantum computing.   With previously unthinkable speed and power, quantum may be able to solve complex problems exponentially faster than today’s classic computers. And that can mean huge advances in many areas of society, such as medicine and engineering.

But with this potential will come challenge and change in how we can effectively protect online information.  Quantum computing will undermine our current encryption methods. Ultimately those encryption methods will be easily broken, making the systems and information they currently protect vulnerable.

People use the word threat when it comes to quantum and encryption, but the fact if that at some point in my lifetime, quantum computing will be a reality. The question isn’t if quantum will force us to change how we encrypt online information. It’s when.

So we know what’s coming. And though we may not all agree on the exact when, this reality could be arriving as soon as ten years from now. 

And we can’t wait a decade to have the conversation about what to do. The time to have it is now. And that’s what this workshop is about. 

So what can we do about it? How do we build encryption that will be quantum-safe and also effective against classic cryptanalysis? Obviously we don’t have the answers yet, or we wouldn’t be having this workshop.

In our world of low patience and short term thinking measured in quarterly profit, the next election, and the next software release, how do we get academia, industry, and governments from around the world to think long term and join together to address this new reality that will impact all of us? 

As we work to play the long game, protecting data in the so-called cloud will be an integral part of it. Governments, companies and academia are all adopting cloud services. And while these services are convenient and agile, they have two huge impacts.

One is that the secure physical and network perimeters that used to surround systems and data are disappearing. Today’s cloud servers are software-based and virtual. This introduces challenges in how we protect them.  But that’s not our topic for today.

The second is that the data itself is now out in the wild, trusted to someone else. So that cloud data, wherever it is and wherever it goes, will need to be properly encrypted.  And some of that data has value beyond the life of our current crop of encryption. 

As we deal with the quantum challenge, I mentioned the need to think long-term. The second thing we need to do is to remind ourselves this is a team imperative.  It won’t be solved by government alone, or academia or standards associations alone, or industry alone, or a single nation alone.

It will take collaboration and partnership between all of us and the constant sharing of the considerable expertise that we each bring to the table. 

We will need common approaches. That means standards. 

And we can’t wait to develop them. We’re already behind. 

So how is CSE contributing to this collaborative effort? Well, we are at the centre of the Government of Canada’s activities on quantum. Our Tutte Institute for Mathematics and Computing, a world-class research body, is focussed on the problem. 

But this isn’t a government problem. It’s something we’re all facing. That’s why Tutte and CSE are working with government partners, with academia, with industry, and with standards organizations. 

We’re working with these partners on a range of research programs to address the quantum challenge, projects that include developing and assessing next-generation algorithms. Projects that could one day lead to quantum-safe solutions.

The next three days are important. The research we share, the partnerships we develop, and the ideas we generate here could one day successfully solve the quantum challenge.

And that success will mean that we can all benefit from the enormous potential of quantum. And at the same time, we can keep Canadians’ online experience safe and secure.

This workshop can help lead the way to that quantum-safe future. And CSE is thrilled to be a part of it.