Preparing for cybersecurity in the quantum age
An interview with Rapid7 CISO Jaya Baloo
Computing talks with Jaya Baloo about how companies should be preparing for the quantum age, and about her efforts to make cybersecurity more diverse
Jaya Baloo, CISO of Rapid7, has for as long as she can remember been fascinated with the idea of using technology for something it wasn't intended for - with all of the attendant consequences. As a child of the eighties growing up in the US, Baloo found a TV show called 'Whiz Kids', which essentially combined the teen hacking first showcased in John Badham's War Games with amateur sleuthing.
"They were using technology in a way that wasn't originally intended and that fascinated me," Baloo recalls.
Interestingly, despite this very early interest in computing, Baloo never considered it anything more than a hobby. She studied political science at college, whilst supporting herself with part-time work fixing printers and fax machines.
"It should have been a clue I suppose," she says, "but I just didn't see it as a serious profession when I was younger. I took computer science classes for fun." Yet her first job after university was at a company which provided early internet and VR courses, and she also worked at Bankers Trust helping them to build an application for high-net-worth customers.
Cybersecurity in the quantum age
Quantum technologies are already having consequences - not all of them bad. But Baloo worries that collectively we might be missing the bigger picture.
"With the focus on quantum computing we forget about broader quantum technologies. Yes, there have been quantum computing advances but what about foundational quantum science enabling earth sciences sensors for climate monitoring for example? You also have quantum communications which a bunch of telcos are working on, together with more specific quantum circuits."
Baloo thinks that there is a comparison to be drawn between the hype cycle we saw with AI and what we're seeing now with quantum. A lack of investment now will impact progress and that will have other implications, particularly when you consider how this technology is likely to make sudden jumps forward after long plateaus.
"Cybersecurity needs to prepare defences for quantum," says Baloo. "Preparing for an amorphous AI threat is one thing but we know that one use of a quantum computer is to break our current cryptography which would break open just about everything we use securely today. How long will it take us to transition to a new algorithmic cipher suite? The transition time is what worries me most."
What advice would Baloo give companies? Does she have a call to action?
"I always start by asking three questions. What's the longevity of the data you have to protect? Banking data needs to be protected for the duration of the banking secrecy period but DNA data needs to be protected for multiple lifetimes. The second question is how long do we have before there's a viable quantum computer? The assumption is that once there is that significant speed up with enough qubits, that that expansion can happen, really quickly.
"If you know how long you need to keep data secret and that it's likely to be five to 10 years before there's a viable quantum computer, what do you need in terms of transitioning algorithms like RSA to a new post quantum algorithmic suite or hop onto a fully quantum communications network?
"That time? That's what's worrying me because we're not good with this. I'm worried that we're going to see a transition period of five to 10 years so we're already behind.
"I just want people to focus on using post quantum algorithms. There are lots of different open-source tools you can already start playing with. Start small, it doesn't have to be expensive and you can get comfortable. And then you can see where you use cryptography in your company because most don't know what they have. The second thing is to look at those new NIST algorithms and standardised algorithms and figure out what ones you want to use where then keep track of the standardisation process because some have already been broken.
"Make sure you have crypto agility, which is when something breaks, you swap it with something else."
Homogeneous cybersecurity
Unintended consequences run deep in the technology sector. Nobody set out to have so few women working in tech and in cybersecurity leadership, and yet here we are.
"We're stuck in a vicious cycle," Baloo says. "There need to be enough women in these positions to show people that this is normal and that they feel comfortable. But if you have a team of non-diverse composition and you stick in there for the sake of diversity, someone different from the rest of the team do you really think that person is going to be successful?
"To stay in a role and do well is so much harder than getting the job in the first place. If you feel that you are not appreciated, or if you are appreciated but set aside as an example of being special all the time then it won't encourage you to stay."
Baloo also gives the traditional defence against a lack of diversity in tech teams short shrift.
"Saying there's no pipeline isn't enough. If you're not doing something about it then you can't complain about it. But if you're only complaining that's not enough either. We waste so much talent. There are so many people who we aren't trying to recruit who desperately want a shot. It really bothers me."
Baloo has certainly made efforts to recruit outside traditional recruiting pools. In addition to encouraging and supporting other women by means of mentoring, when Baloo was at KPN she started a "hacker class" for interested youngsters, and also took part in an international program organising women in tech sessions with younger children. Part of this work involves tackling damaging stereotypes, although Baloo questions how committed society as a whole is to this. Recently published research about attitudes toward women in and out of work suggests she has a point.
"We're comfortable with the stereotype of the computer science nerd or cybersecurity professor because if we weren't we'd have changed them by now," she says. "You will not see ethnically diverse women in those roles as a stereotype. That landscape needs to shift in order that it looks appealing to young girls as a career. I think it's slowly shifting but I really feel like it's a social situation not just a company one."