Why Hackers Are Stealing Encrypted Data Now To Decrypt Later | David Close


David Close, Chief Solutions Architect at Futurex, discusses the reality facing our digital world: Quantum computing will soon break the encryption protecting everything from mobile banking to satellite communications. But here's the twist — hackers aren't waiting. They're harvesting encrypted data now, betting that quantum computers will eventually crack today's "unbreakable" codes in a strategy called "harvest now, decrypt later." David explains how NIST's new post-quantum cryptography standards are already being deployed by companies like Google and Cloudflare, why crypto agility is essential for future-proofing your security infrastructure, and how you can break into the exciting field of cryptography — even without a PhD in mathematics.

0:00 - Intro 
1:00 - Cybersecurity Salary Guide
3:06 - Meet David Close from Futurex
3:52 - David's journey from embedded systems to cryptography
5:05 - What Futurex does and 40 years of crypto innovation
6:39 - The role of Chief Solutions Architect
8:21 - Evolution of cryptography from payments to enterprise
10:13 - How David discovered his passion for cryptography
13:23 - Post-quantum cryptography explained
15:16 - Why quantum computers break current encryption
16:05 - The "harvest now, decrypt later" threat
18:19 - NIST's new quantum-resistant algorithms
20:02 - Real-world quantum threats to satellites and IP
22:43 - What organizations can do now
25:25 - Crypto agility and future-proofing systems
28:41 - Resources for staying current on cryptography
30:45 - Career paths in cryptography beyond algorithm development
32:18 - Getting started in cryptography careers
34:26 - The cryptography landscape in 15 years
37:34 - Regulatory enforcement of new crypto standards
39:43 - Best career advice: Finding the right vehicle
41:29 - David's current reading and recommendations
42:35 - Where to find David and Futurex online

View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/

About Infosec
Infosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.

[00:00:00] Chris Sienko: Today on Cyber Work, John Price of Futurex is here to talk all about cryptography. As quantum computing moves towards reality, attackers are beginning to take a harvest now, decrypt later approach to hacking and theft, betting that advances in computing technology will eventually allow them access to today's very strong cryptographic algorithms, which nevertheless would be no match for quantum computing enabled decryption.

Is this 10 years down the road? Later? A lot of hackers have chosen to play the long game. And to find out what the cryptography innovators of today can do to create the next generation of quantum built cryptographic algorithms and how you can get into this work yourself, please tune into this week's episode of Cyber Work.

The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources to give you, Cyber Work listeners, an analysis of the most popular and top paying industry certifications.

You can use it to navigate your way to a good paying cyber security career. 

So to get your free copy of our cyber security salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free cyber security salary guide ebook.

Your cyber security journey starts here. 

Now let's get the show started 

[00:01:34] Chris Sienko: Welcome to this week's episode of the Cyber Work Podcast. I'm your host, Chris Sienko. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of InfoSec professionals, as well as leave you with some tips and advice for breaking in.

Or moving up the ladder in the cybersecurity industry. Um, my guest today, David Close, is a chief solutions architect at Futurex, and he leads the strategic vision and innovation, uh, of advanced cryptographic and key management solutions. With over 16 years at Futurex, he has driven global expansion through visionary leadership and deep expertise in enterprise security architecture.

Under his guidance, the Solution Architect's team has evolved to meet the demands of international projects, sealing up, uh, scaling up to deliver success globally. David's forward thinking approach and meticulous planning have been critical in implementing cutting edge cryptographic infrastructures trusted by Fortune 100 companies.

His initiatives have bolstered, bolstered Futurex's ability to provide top tier security solutions and set new standards in compliance and operational excellence. As a respected figure in the cryptographic community, David's influence extends beyond architecture to encompass the management of Futurex's product roadmap, ensuring alignment with evolving security needs.

He holds a Bachelor of Science and Computer Engineering from St. Mary's University, San Antonio, Texas, and is certified to audit cryptographic infrastructure across industries. His interdisciplinary experience enables him to deliver innovative solutions seamlessly blending business requirements with technical demands.

Uh, so as you can imagine from, uh, that, that bio, I would be remiss if I didn't talk to someone about, uh, who's an expert in cryptography about cryptography. And that's what we're gonna do today. We're gonna talk really high level cryptography stuff, post quantum, uh, and what that's going to mean for the entire affair.

So, David, thank you for joining me today and welcome to Cyber Work.

[00:03:26] David Close: Yeah. Hi Chris. It's nice to meet you and, uh, that was a mouthful, but I, I appreciate you going through my background.

[00:03:32] Chris Sienko: My pleasure. Yeah. Well, we're, well, uh, strap in because I have a lot to ask you about your background here. Uh, so yeah, I wanna first, of course, always ask our our guests about your early years, I'm guessing from the sort of like tech intensive person you are now that you've been sort of a tech fan since you were a kid.

What was the initial spark that got you excited about computers and security?

[00:03:52] David Close: Yeah, I've, I've always been into tech, uh, growing up I was one of those kids who took apart electronics just to see how they, they worked. Um, I'm sure I, I broke more than I fixed, but the,

[00:04:05] Chris Sienko: Yeah. Yeah.

[00:04:05] David Close: is, is what got me started. Um, in college, I, I studied computer engineering and I found myself really drawn to embedded firmware development, which is low level programming that interacts, um, directly with hardware.

Uh, so that was the initial spark and it felt real hands on. Uh, from there, I, I moved into the, uh, cryptographic system space, specifically devices called HSMs, Hardware Security Modules, which is what Futurex manufactures. These are hardware-based cryptographic subsystems, and that's what really launched me into the, the cybersecurity space.

[00:04:45] Chris Sienko: Yeah, I was gonna say, because, uh, normally my second question to our guests is I go through their LinkedIn profile and say, how did you get to where you are now? Because a lot of times they start here and then they Z over here, and then they take a turn, get some, you know, whatever. Uh, but you know, as, as you basically said, you got a bachelor of science, computer engineering from St.

Mary's University. And then immediately founded or joined Futurex as a chief solutions architect and haven't looked back. So, uh, yeah. Talk more about this. You've, you've been here for 17 years. What is your role as Chief Solutions Architect all about and is it true? The company's been around for 40 years.

[00:05:19] David Close: Yeah, the, the company Futurex has been around for 40 years and,

[00:05:22] Chris Sienko: Wow.

[00:05:23] David Close: lucky enough to be with them for. I guess the last 17 years of those just,

[00:05:29] Chris Sienko: Almost half of it.

[00:05:30] David Close: Yeah.

[00:05:31] Chris Sienko: Amazing.

[00:05:31] David Close: I didn't join as the chief solutions architect. Um, that's where I ended up. Uh, but I started doing embedded development for our next generation HSM platform at the time. Futurex builds cryptographic infrastructure, and that includes HSMs, key managers, PKI systems, tokenization systems, the whole, the whole stack. And so my role today is a mix of strategy, architecture, and standards work. I, I represent us on, on various standards bodies, and I help and oversee with our product and service roadmap, um, particularly around new areas like post quantum cryptography, which, um, hopefully we, we get to spend some time on.

[00:06:15] Chris Sienko: Most definitely.

[00:06:16] David Close: and I also work with customers, uh, in designing their systems in a secure, um, in a secure way. And I, again, I represent Futurex on multiple different bodies, um, that dictate how crypto is actually implemented. Um, so it's, it's a role that's both technical and outward facing as well. And I

[00:06:37] Chris Sienko: Yeah.

[00:06:37] David Close: of both.

[00:06:39] Chris Sienko: Yeah, yeah. Okay. So, uh, what aspects of the, the technical, I mean, I'm assuming that you have to be staying on top of different aspects of. Cryptography as the person who's, um, studying or, you know, examining what needs to be done to implement a solution rather than someone who is, uh, I don't know, working in the trenches, so to speak.

So what, what kinds of, uh, what aspects of, of cryptography and, and you know, cryptographic solutions are you learning about at this moment?

[00:07:08] David Close: So Futurex, we, we are much more into the practical application of cryptography. There are a lot of academic research firms and cryptographers that go into developing the algorithms that are implemented, but at Futurex, we implement those algorithms in a, in a practical way. Cryptography is used in almost all enterprises and how they actually get implemented is something that people don't realize is a very, um, involved, uh, uh, strategy. And so we help with, um, taking protocols and algorithms that have been approved and standardized in the industry and look at how they're actually implemented inside organizations so they

[00:07:52] Chris Sienko: Okay.

[00:07:52] David Close: take advantage.

Of them.

[00:07:54] Chris Sienko: Okay. Now, uh, I guess just as a a, a brief, I don't know if history lesson is right, but you sort of, your, your view of it. Uh, I think when people think of cybersecurity, uh, and so forth, going back 40 years to think of some of these. Things, you know, we, we talk about sort of modern pen testing kind of happening in the early two thousands and certain aspects of what our sort of standard practice cybersecurity now happening in kind of the mid two thousands or early 2010s.

What was cryptographic, you know, what, what was, what was, uh, Futurex doing in, in, I guess it would be the 1980s? Uh, and and how has that changed in the past 40 years?

[00:08:33] David Close: Yeah, so I, I mentioned earlier that Futurex, uh, is a manufacturer of hardware security

[00:08:39] Chris Sienko: Mm.

[00:08:40] David Close: HSMs were originally developed for cryptography in the payment space. So in the eighties when online transaction processing was becoming big,

[00:08:50] Chris Sienko: Mm-hmm.

[00:08:51] David Close: a device was invented called the HSM that would handle all of the cryptographic operations around payments.

And that's when we originally started, um, getting into encrypting data that was used for settlement, online transaction processing, issuance of, of card material, encrypting PINs and cardholder data and all of that. And the technology grew to be used in general purpose enterprise settings for everything from databases, PKI, encrypting email, you, you name it.

[00:09:24] Chris Sienko: Mm-hmm.

[00:09:25] David Close: are involved, uh, somewhere. So we grew outside of just the payment space and our, our HSMs um, today are used all over the world and pretty much any vertical that you can, you can name, but the origin, all of it, it was, was in the payment space. And if you think about it, securing payment information, um, that is tied to money is, is always important.

Um, and then, um, it expanded from there.

[00:09:51] Chris Sienko: So when you left St. Mary's with your, your, uh, computer engineering degree and you joined Futurex, uh, in this, in this space, the payment, uh, space and the, uh, the cryptographic space, were you already very deeply invested in cryptography, or did you have to become invested in cryptography by joining Futurex?

Was it what was, what was the chicken and egg situation here? Did you, were you already interested in this and you said, I have to get myself into Futurex, or did Futurex come along and you're like, okay, now it's time to start hitting the books about this stuff.

[00:10:26] David Close: Yeah, so I, I did have some experience with cryptographic algorithms and practical applications for cryptography just from my academic career. But my goal when I started FU with Futurex was actually, uh, doing embedded Linux development. And Futurex was perfect for that because they made cryptographic modules and hardware that, that executed it.

So I was really in my comfort zone there. Um, but I didn't come with a, a deep background in cryptography. But what I did have was a strong curiosity and, and a desire, uh, to learn. Uh, and what I found pretty quickly was that I landed in exactly the right vehicle,

[00:11:08] Chris Sienko: Okay.

[00:11:09] David Close: to grow my career. I, I think that sometimes people underestimate early on how important it is to find the right environment that aligns with

[00:11:19] Chris Sienko: Yeah.

[00:11:19] David Close: interest and pushes you technically and, and gives you the, the room to evolve.

And for me, Futurex was that place. So it challenged, uh, it challenged me, honestly, to understand cryptography at a very fundamental level, um, including how keys are generated, stored, and exchanged, and why all of that matters in securing digital,

[00:11:44] Chris Sienko: Yeah.

[00:11:44] David Close: and digital data in, in, in this new world.

[00:11:48] Chris Sienko: Did you have a particular, uh, mentor or supervisor there that was really sort of influential in helping you get up to speed that quickly? Or were, were you kind of left to, uh, self-study your way into, uh, mastery? I.

[00:12:04] David Close: I think the, the culture at Futurex is very unique in that we have very, very talented engineers, very talented cryptographers and, uh, different individuals that manage our, our products. So I would say my mentor as a whole was all of the different, um, talent that we had at Futurex, and it really helped skyrocket my,

[00:12:29] Chris Sienko: Yeah.

[00:12:29] David Close: and helped me get in, in, involved in projects that I could have never, um, even dreamed that I would be involved with.

[00:12:38] Chris Sienko: Well boy, we're gonna talk about some stuff that I think our, our listeners would give anything to be involved with. Uh, we have a lot of students and a lot of sort of entry level people who are, uh, chop their careers, trying to figure out where they want to go first, where they want to go next. Uh, and you know, obviously, uh, cryptography is, is not one we get on the show very often 'cause it's, uh, not done by a whole lot of people.

But, uh, I wanna start out with, uh. Uh, one of the more unusual aspects of this discussion, uh, one of the first things that jumped out at me was the phrase post quantum cryptography initiatives. Uh, so you note that enterprises will be forced to start preparing for threats from quantum computing enabled threat actors in a timetable that's maybe not some years down the road, but within the next few years, you know, whatever the distinction is there.

Uh, so to start with, uh, David, could you catch us up on the state of quantum computing at the moment and why you think the gains being made will be weaponized sooner rather than later.

[00:13:33] David Close: Yeah, I think one of the, the key things to understand about quantum computing and quantum cryptography, um, is that it, it fundamentally changes the math our current encryption. So algorithms that we use today, things like RSA and Elliptic Curve, they rely on problems that classic computers struggle with, uh, like factoring large numbers or solving discrete algorithms. With quantum compute computing architectures, the, the architecture is completely different and they're very well suited to solve these problems in a, in a fraction of the time. So, essentially, quantum computers break the algorithms that we rely on heavily today. Things like mobile banking and online banking, um, transaction processing, securing data between one entity and another, healthcare records. Everything in our lives require rely on these, these algorithms. So today, right now, quantum machines aren't, aren't powerful enough to break these, uh, these algorithms. They're, they're noisy, they're in their infancy. They're, they're limited in scale. Companies though, uh, like IBM and Google, they're very focused on rapidly increasing something called qubit counts.

Uh, which is, is really what the, um, essence and the foundation of quantum computing is, is, is about. Estimates, they're suggesting that we might have fault tolerant quantum computers capable of breaking RSA 2048 bit, um, encryption within 10 to 15 years and possibly sooner.

[00:15:16] Chris Sienko: Mm-hmm.

[00:15:16] David Close: really knows right now.

[00:15:18] Chris Sienko: Right? Yeah. Now, uh. I dunno, maybe our listeners already know this. Maybe I'm asking this for myself, but I think someone will wanna know this, but like, can you talk about, you know, when we talk about, you know, encrypt your data, you know, if you have a a, you know, A-A-V-P-N, you've got encryption, you know, no one's gonna get through there, no one's gonna be able to commit a man in the middle.

Could you talk about like what is actually happening in terms of what can. Um, you know, what can realistically be done by a hacker with a more standard computer versus what the sort of like higher order sort of computing functions involved with like a quantum computer is that would actually be able to break something as sort of staggeringly complex as even a, a basic, you know, cryptographic algorithm.

[00:16:05] David Close: Yeah, so, so I, I think your, your question. Is is around, you know, I mentioned quantum computers are still a number of years off, so why

[00:16:14] Chris Sienko: Yes.

[00:16:14] David Close: it

[00:16:14] Chris Sienko: Yeah. Yeah.

[00:16:15] David Close: because class can't be, computers can't break these, these algorithms. The, the issue that we have and the, the, the urgency that we have is around the fact that the industry as a whole know, they know quantum computers are coming and because of that nation states and just bad actors preparing for that, that deployment. And they're doing it in a way where, um, they're harvesting data now, encrypted data and storing large quantities of it, terabytes, petabytes of data with the intention that once quantum computers get to a place where they can decrypt this data, um, they have the data ready to decrypt. And because of that, there are organizations that have data that need to stay encrypted and stay private for much more than 10 or 15 years. And so they're now deploying these, these algorithms. Um, initiative for looking at new algorithms with, uh, that are resistant to quantum attacks started in 2017.

NIST, their competition where they started looking for submissions of algorithms that, that were not susceptible to known quantum attacks, and they just released last August, um, and ratified the first three algorithms that, um, were resistant. Um, Dilithium, Kyber, and, uh, SPHINCS+ were, were the first three. The, the problem with these algorithms is they are, they, they have a much bigger key size and, and the digital signatures that they create are much bigger than RSA or elliptic curves, uh, signatures and, and keys. And so all of the different protocols that we use today that utilize these algorithms, they're having to be rethought and re-engineered.

Things like TLS. So if you go to a website that has HTTPS, that protocol that's used to encrypt that data is having to be re-looked at in order to support these new algorithms. So a lot of companies are, are looking at hybrid algorithms where they utilize something like Elliptic Curve plus Kyber in order to, to secure data.

So that gives you kind of the best of both worlds. It prevents the um. Um, the issue that we have of, of larger signatures and, and key sizes. Um, but also if elliptic curve is broken, you still can rely on Kyber. So it gives you the

[00:18:56] Chris Sienko: Hmm.

[00:18:56] David Close: of both worlds. A lot of organizations have started deploying that type of hybrid encryption approach with, um, web traffic. Um, Google and, and Cloudflare, they did a great case study and actually implemented it in a real life scenario. You're probably using it today and don't even know it. Um,

[00:19:13] Chris Sienko: likely

[00:19:14] David Close: yeah,

[00:19:14] Chris Sienko: know much.

[00:19:15] David Close: it was very successful.

[00:19:17] Chris Sienko: Okay. Now I, I wanna go back to. Sort of steal now encrypt or, you know, uh, decrypt later. Uh, 'cause it like a comparison that it, it, it made me think of was all the people, you know, maybe they're still doing it, but people who would, uh, freeze their body when they were about to die with the idea that, you know, science will get better x number of years down the road and whatever they're dying of now, they'll be able to revive, I mean, realistically.

Like what, what, what level of gamble are people who are stealing these p uh, petabytes of data? You know, with the idea that 15 years down the road quantum is gonna be, you know, riding to the rescue. And, and also like, is that 15-year-old data still gonna be of any use to anyone?

[00:20:02] David Close: Um, I think it really depends on the industry. So we work, I mentioned earlier with a lot of different verticals. If you think of something like a satellite that is launched uh, into orbit, these satellites have a much longer lifespan than 10 or 15 years

[00:20:22] Chris Sienko: Sure. Okay.

[00:20:23] David Close: and. A attackers are just waiting for, uh, quantum computers that are, are fast enough and fault tolerant enough in order to decrypt this traffic or make fake signatures that allow them to, to change the software running on these satellites.

So it's, it's

[00:20:42] Chris Sienko: Hmm.

[00:20:42] David Close: real, um, problem that exists today and it's really dependent on the industry. Things like, um, your fin financial records. They, they will need to be secured 10 or 15 years from now. Um, but other, other data, you know, a text message to your wife, you know, maybe, maybe that's not as as important.

So there are verticals and there are use cases where that 10 to 15 year mark is a problem.

[00:21:10] Chris Sienko: Yeah.

[00:21:11] David Close: I think unlike the, the freezing your body and, and. Getting ready to, you know, find a, a cure for whatever you have in the future. The, the difference there is the, the data that they're harvesting that doesn't decay right,

[00:21:25] Chris Sienko: Right.

[00:21:25] David Close: that secure it, it does.

They do decay.

[00:21:28] Chris Sienko: Mm-hmm.

[00:21:29] David Close: there, there's no question that the algorithms that we have now will, uh, be broken.

[00:21:35] Chris Sienko: Okay.

[00:21:36] David Close: the, the challenge that, that a lot of our customers and partners that we work with, uh, face is, just because we're moving to new algorithms with post quantum cryptography and we're implementing these, that, that doesn't really solve the problem because at some point in the future, post quantum algorithms will also be broken. So where Futurex really helps, uh, the industry is looking at ways to implement something called crypto agility. Designing systems where algorithms can be changed very quickly without having to re-architect all of your, your solutions, all of your code and hardware that implement these algorithms.

[00:22:16] Chris Sienko: Yeah, that makes sense. Yeah. You know, obviously every, every story of cybersecurity is a story of escalating arm race between the hackers and the defenders. And okay, now we have more of this, now we have more of this and it keeps going back and forth. That makes sense. Um, I. Now if you know, for, for the sort of companies that have already had this encrypted data harvested and you know, is this like a 15 year ticking time bomb where they're just, they're waiting for the inevitable to happen?

Like what, what can they do in the meantime with, with the data that's already been stolen? Or is that just sort of a horses out of the bar and nothing to be done about it now kind of thing?

[00:22:51] David Close: Yeah. I, I, I think what organizations are doing now is looking, they're looking at algorithms that solve this problem. I mentioned, um, NIST, the competition in last August. They, they publish new algorithms that are, uh, quantum resistant. Um, and organizations are deploying those today. There are a lot of systems and, and hardware and architecture and protocols that need to be updated. Organizations are indexing where they use cryptography in their industry or in their, uh, their company, and they, they're classifying this data. How important is this data? How long does it need to stay secure? Um, what's the, the risk level involved?

And, and once all of this is indexed, then they can then prioritize from a project standpoint what needs to be addressed first. Right? Again, text messages to your wife may not need

[00:23:44] Chris Sienko: Yeah.

[00:23:45] David Close: the priority there,

[00:23:46] Chris Sienko: Right.

[00:23:47] David Close: you know,

[00:23:47] Chris Sienko: But, but these, these satellites

[00:23:49] David Close: Yeah,

[00:23:51] Chris Sienko: Yeah.

[00:23:51] David Close: Or, or even intellectual property,

[00:23:53] Chris Sienko: Oh, sure.

[00:23:54] David Close: you're, you're managing and it's really the value of your company,

[00:23:58] Chris Sienko: Yes.

[00:23:59] David Close: that that is going to.

Still need to be secured

[00:24:03] Chris Sienko: I.

[00:24:03] David Close: 10 years.

[00:24:04] Chris Sienko: Yeah, in 15 years from now, we're all gonna know what the 11 ribs and spices were in KFA. I just know it. Okay. Anyway, sorry about that. Uh, on onward here. So, um, I wanna talk, uh, you know, as you said about the scale of it and obviously the scale of, of what's valuable and what's not. I think there's also something to be said about scale in terms of.

The size of the target. I mean, we know now that everyone's a target. Even small, medium businesses are a target. And we hear things like, you know, state or cities and municipalities saying, oh, they wouldn't hack us. We're too small. Or, you know, that, that why, what would they get from us? Or things like that.

So, uh, you know, it's hard to know what to do if you're one of these small, medium businesses and you hear these kind of apocalyptic tech warnings. So, uh, where do you see post quantum encryption in defense progressing in the coming years? Uh, from like a scalable perspective towards. Sort of smaller targets like that.

Is there certain things they should be doing now to make themselves safer?

[00:24:59] David Close: Yeah, I, you know, I think for small and mid-sized businesses and even larger enterprise, it can feel overwhelming. Um, I mean, the good news is there, there is clear, there's a clear path forward. Um, first, as I mentioned, we've already seen real adopt adoption of quantum safe algorithms, Kyber for key exchange

[00:25:18] Chris Sienko: I.

[00:25:18] David Close: and Dilithium for signatures being standardized by NIST. And large organizations, like what I mentioned earlier with Google and Cloudflare, they're already using these in, in production and hybrid models. Uh, so for any enterprise big to small, the most basic starting point is cryptographic discovery. Knowing where you use cryptography, um, you need to know where encryption is used in your environment.

And that is everything from TLS, so data in motion, uh, to file and storage, uh, data at rest. Then prioritize those systems. So NIST, when they published these new algorithms in addition to public publishing algorithms, they also published guidance on a roadmap for how to implement these, these algorithms.

And, and there was a very big focus on, um, inventorying where you use cryptography because it's not uncommon for an organ, a large organization, or even a small organization to have hundreds of different applications that all use cryptographic libraries. They use encryption to secure data, and oftentimes they may have some one-off developer that, that looked online for some method to encrypt data and implemented something off SourceForge or something like that.

[00:26:36] Chris Sienko: Right.

[00:26:37] David Close: knowing where you, you implemented cryptography is important, and then focusing on crypto agility where you can change the algorithms that you use every day, um, very quickly. So, um, also making sure your vendors like, like us are, are, have a roadmap for supporting, um, new

[00:26:55] Chris Sienko: Yeah.

[00:26:55] David Close: and are very focused on that because at the end of the day, you rely pretty heavily on vendors to, uh, for your cybersecurity infrastructure and that includes encryption and cryptography.

So there needs to be, uh, views there to make sure they have a roadmap to help you secure this data.

[00:27:11] Chris Sienko: Yeah, I have to imagine that if you're a, a, you know, a, a vendor that's, you know, mostly using, you know, retail and, and taking payment and, and so forth, like, you're pretty much setting and forgetting your, uh, you know, your sort of Shopify store or your payment software, whatever. So I suppose it probably, I.

Behooves you to be asking the people who are doing the, you know, encrypted services for you. What exactly do you need to know from me? Or what, what can we do to make this better? Is that, is that, is that probably true?

[00:27:39] David Close: That that is very true. And, and a lot of these more sensitive

[00:27:42] Chris Sienko: I.

[00:27:43] David Close: are regulated by, uh, bodies that, that define what algorithms can be used and how long these algorithms can be used and what key sizes you have and all of, all of these different nuances. And I would say all of these regulatory bodies are, are focused on these new post quantum algorithms and, and how they are, um, implemented in, in each individual industry.

And that could include, you mentioned payments, that, that is true for payments, but many other regulatory bodies as well are

[00:28:13] Chris Sienko: Yeah.

[00:28:14] David Close: this. Everything from telecommunications to just different government regulatory bodies are very focused on this.

[00:28:20] Chris Sienko: Yeah. Now, um, I want to move on to the sort of career aspects of, of these things because again, again, as I said, we, we are people who want, you know, people who are just starting to sort of lower the bar to entry if you're, if this is something you're interested in. Uh, so I want to get your advice on how you kind of keep up to speed on the advances in cryptographic technology or maybe its future tracks. Who, who's doing the good writing or research on this topic right now? Who would you recommend our listeners be following each week to see sort of what's, what's happening in the space?

[00:28:52] David Close: You know, so I, I mentioned NIST early, earlier, and, and

[00:28:54] Chris Sienko: Mm-hmm.

[00:28:55] David Close: NIST is probably the most active in terms of relevant, um, papers that come out and, and guidance on how to implement this. But there, there are a lot of other bodies to follow as well. Um, the PKI forum, um, PKI is what is used to, uh, secure identities, everything from websites to

[00:29:17] Chris Sienko: Hmm.

[00:29:17] David Close: OT devices. Um, they have had many, uh, different forums and conferences where they have guest speakers come in and, and look at it. Um, there was one last year in Austin, Texas, um, and there was an individual named Scott, uh, Aaronson that came in, um, out of the University of Texas. So he's, he is a great individual to follow.

He is one of the leading voices in quantum computing, and he

[00:29:41] Chris Sienko: Great.

[00:29:42] David Close: job of really breaking down complex concepts, um, in a way that's both technical, uh, deep and, and accessible. Beyond that, uh, I really like blogs and publications from PQShield is, is a good one to follow and, and

[00:30:00] Chris Sienko: Okay.

[00:30:00] David Close: Quantum Safe Pro Project, they both do a good job, uh, covering the practical side of implementing post-quantum cryptography, um, what works today, uh, what to watch out for and, and how to, uh, start experimenting in, in real environments. It's, it's a fast moving space,

[00:30:22] Chris Sienko: Yeah.

[00:30:22] David Close: just carving out an hour or two a week to stay current on these sources can, can make a huge difference in, uh, having you stay ahead of the curve.

[00:30:31] Chris Sienko: Yeah. That's great. Yeah. That, that's, that's a gold mine. That's exactly what I was hoping for. Thank you. So, uh, turning to the type of work that someone just getting started in the space would do, I've, I've heard from past guests and you can maybe corroborate that there's really kind of only a handful of brainiacs in the world that are really doing the sort of top, top level, like creating these quantum grade crypto algorithms and solutions. But there's plenty of jobs in and around cryptography, like implementation as you do, or tool building or security engineering or architecture or GRC. Can you talk about the type of work that people who are really into learning cryptography can get?

[00:31:04] David Close: Uh, I've absolutely, and, and I think, you know what, if you are a mathematician and you have the wherewithal to look at, uh, the fundamentals of how cryptographic algorithms work and, and want to develop those, those algorithms, that is a great space to be in, and there is a need for that in the industry, but

[00:31:22] Chris Sienko: Yeah.

[00:31:23] David Close: need to be able to invent the next algorithm to work in this space.

[00:31:27] Chris Sienko: Yep.

[00:31:27] David Close: Um, there's a massive demand for people who can implement, test, scale, uh, cryptographic, uh, cryptography securely. That includes software engineers, uh, working on secure libraries, uh, DevOps folks integrating crypto into CI/CD pipelines, and security architects that are, are building out key management systems. Um, in our industry, we're very focused on HSMs, which, the, the presence of HSMs in the industry have, have grown immensely over the last 10, 15 years. But, uh, operational aspects of HSMs are a very niche skillset. And having people that know what an HSM is or how they're implemented is, is very unique and is, is great for job security.

[00:32:17] Chris Sienko: Yeah.

[00:32:18] David Close: that's just one example. There are there. is used in so many different ways and, and everything from architects to operational, um, implementers need to be, uh, filled. There's positions that need to be filled out there.

[00:32:32] Chris Sienko: Yeah. Okay. So, um, again, turning back to very, very beginners or people who are still students, uh. You know, uh, this is always the hardest question, but where, where do you get the experience to get your start? You know, what would, what would you say to someone who has no experience, has learned the space? How do you stand out your resume?

You know, uh, are there certain projects you can do around cryptography that sort of shows your, your acumen? Uh, what, what would you recommend? What would, what would look, what would look appealing to you on an entry level person's resume or, uh, experiences?

[00:33:06] David Close: I think mainly interest in cryptography is, is the biggest, the biggest thing. They're following, um, industry publications, how the industry's changing, being familiar with how to use cryptographic tools and libraries. Things like OpenSSL, the Microsoft libraries, Java libraries. There's so many out there.

It's, it's a very intrinsic space. Um, but typically when you're looking at a, a career in cryptography, it's typically joined with something else, right? You're a software developer,

[00:33:38] Chris Sienko: Okay.

[00:33:39] David Close: implementing solutions around cryptography or using cryptography, or maybe you're an auditor that wants to go in and, and get involved in helping organizations look at their deficiencies and helping solve those.

So, not only being interested in the cryptography, the underlying cryptography that's used, but also the, the actual core requirements. Uh, being a developer who is very interested in cryptography is something that would be appealing to, to Futurex, um, and, and many other organizations out there.

[00:34:11] Chris Sienko: Okay. That's great. That's, that's, that's excellent advice. And it, it also, it makes it sound like, um, you know, something, you know, it, it, it's, it's a little different than say something like digital forensics or pen testing where it's like, that's the major, whereas like the cryptography is kind of the minor, like you add it to another major thing that you'll be doing, and you can kind of like, it's like an add-on or something in certain ways, unless you're, like I said, you're really like in the heart of darkness, you know? So, so speaking of, of that, I mean, we, we talked a little bit about the future here. Uh, if and when the dust settles after, you know, quantum computing really starts to break some of these algorithms, where do you see, what, what, what do you see the landscape looking like in 15 years? Do you see sort of like quant counter quantum encryption sort of taking up the slack? Uh, like what, what is, what does the battle look like in the meantime, do you think?

[00:35:02] David Close: Well, I think if you look at five years from now, I think most enterprise systems will be running some form of either hybrid cryptography or just vanilla, um, post quantum safe algorithms. Um, and this is where classical and po, so hybrid is where, uh, classical, uh, and post quantum algorithms are used side by side.

We mentioned the use case.

[00:35:28] Chris Sienko: Right.

[00:35:28] David Close: TLS, I think PQC support will be built into TLS stacks by this time, uh, mobile operating system and cloud APIs, it'll be part of standard cryptographic toolkits that are used today. I think it'll be looked 15, 10, 15 years out. I expect most high security systems will already have moved away from algorithms that are used today.

Things like RSA, elliptic curve. Um, that's actually not just speculation, that, that's direction from NIST and actively guiding the, the industry, they've made it clear that, uh, cryptographic community needs to, to begin phasing out RSA and elliptic curve algorithms in favor of quantum resistant standards. And those standards are already mostly adopted and they're, they're adopting new standards as, as we speak, but by that point we will have robust vendor support already. Um, we'll have mature tooling, so libraries, like I mentioned, OpenSSL, that will be the standard and, and, there'll, there'll already now be operational experience, uh, running PQC applications.

You know, today, organizations are really craving experience with people that know something about post quantum cryptography and, and that knowledge can really help advance your career very quickly. Where 15 years down the line, that will be the only

[00:36:53] Chris Sienko: Uh, essential. Yeah. Yeah.

[00:36:55] David Close: space.

[00:36:56] Chris Sienko: Okay. Uh, now at the risk of unleashing my inner cynic, I know I've, I've certainly talked to enough people about things like CMMC or, or, you know, um, uh, other sort of, you know, federal government things where the, there's a directive, you know, in three years we need to go, uh, you know, completely zero trust or whatever.

NIST says, we need to phase out RSA and elliptic curve. Is there a, is there an or else attached to that? Or is it going to be sort of on the, you know, uh, you know, on, on the good behavior of, of people who are using these algorithms? Do you think that there's gonna be a, a, a stick with this, with this carrot here?

[00:37:35] David Close: So in, in many deployments of cryptographic systems, um, there are requirements and certification that these cryptographic systems have to go through. I'll, I'll give you two examples.

[00:37:46] Chris Sienko: Okay.

[00:37:47] David Close: Um, we mentioned the payment space earlier. There's an organization, um, called PCI, um, which governs the security around encrypting cardholder data and PINs and online payments. Um, I, I, I sit on the board of advisors, uh, for, for PCI. And so in order to implement, uh, cryptography in PCI environments, you have to adhere to their, um, uh, recommendations and actually be audited against those by third-party auditors. HSMs, which Futurex manufactures, are certified under PCI and adhere to their guidelines.

So once PCI says, no more RSA 2048 bit keys, we have to adhere to that, and there's a stick there if I want to be able to run

[00:38:31] Chris Sienko: Okay. Got it.

[00:38:33] David Close: The, the second is, um, in federal systems. Um, NIST does have a certification under FIPS. Um, so the current, uh, certification is FIPS 140-3, and they have different levels, level 1, 2, 3, and four.

And, uh, level three certifies hardware, cryptographic systems like HSMs, and in order to, um, uh, get audited and, and have a certified FIPS device, you have to adhere to what algorithms are supported. So there are a lot of regulatory bodies that do have sticks, um, to

[00:39:09] Chris Sienko: Okay.

[00:39:09] David Close: what,

[00:39:10] Chris Sienko: Yeah.

[00:39:11] David Close: algorithms use

[00:39:12] Chris Sienko: Okay. Yeah. So the biggest stick of all is basically do you want to accept payments or not use our new system? Right? Yeah.

[00:39:18] David Close: do you want to sell products?

[00:39:19] Chris Sienko: It's what I mean. Yeah, exactly. Do you, do you want money for your products, yes or no? Uh, yeah. No, no one's gonna be sending cash in the mail anymore. So,

[00:39:27] David Close: Yeah.

[00:39:27] Chris Sienko: Uh, yeah. So as we, as we bring this episode to the, uh, close, David, and thank you for taking the time to explain all of this to us, and especially to me, 'cause I don't understand it at all, but I, I, I understand it better now. But let me ask you a basic question. Uh, what's the best piece of a career or life advice you ever received?

[00:39:43] David Close: Hmm, that's a good question. I would say the best piece of advice that I ever got, um, related to my career path was it, it's important to find the right vehicle for your, for your career and doing it early. Um, I've been with Futurex for 17 years and there's a reason for that. Um, you know, it's easy to get caught up in titles or flashy job descriptions, but the reality is your, your growth depends so much on whether you're in the right environment,

[00:40:17] Chris Sienko: Yep.

[00:40:18] David Close: the right vehicle.

It's a place that not only aligns with your interests, um, but it also challenges you and supports you and gives you a platform to evolve. One thing that I, I love about Futurex is just the encryption is used everywhere in the industry. And so Futurex is involved in pretty much any vertical that you can think of, whether it's telecommunications, payment, government use cases, you name it, we're in it, and that really interest, it interests me and I. on learning and Futurex requires me to learn something new every day.

[00:40:57] Chris Sienko: Yeah.

[00:40:58] David Close: and that's, you know, that's my interest. But other people have different interests. So I would say the best advice I ever got was find the right vehicle, whatever that is, earlier in your career, earlier in your career, and, and it will make you a more happy person and more, um, you, you will find a long career path if you can find that, that vehicle.

[00:41:18] Chris Sienko: Great. Yeah. Couldn't agree more. So, uh, just for fun and, 'cause I'm always curious is, is there anything you've been currently reading or listening to or watching or, or playing that you would wanna, uh, tell us about that you're excited about?

[00:41:29] David Close: Oh wow. Um, I just finished reading the, The Age of, of AI, um, by

[00:41:35] Chris Sienko: Mm.

[00:41:36] David Close: Schmidt and, and Henry Kissinger.

[00:41:38] Chris Sienko: Mm-hmm.

[00:41:39] David Close: It's interesting. It's an interesting take on how the emerging technologies like AI and quantum will reshape national security and policy, which

[00:41:48] Chris Sienko: Oh yeah.

[00:41:48] David Close: heavily in. I also listen, I guess, to, uh, Darknet Diaries,

[00:41:55] Chris Sienko: Oh yeah.

[00:41:56] David Close: full of real world cybersecurity stories that

[00:41:59] Chris Sienko: Yep.

[00:42:00] David Close: uh, educational, I guess.

And, um, what else? For fun, I've, I've been watching The Peripheral, that's a

[00:42:08] Chris Sienko: Hmm.

[00:42:09] David Close: uh, that, that gets weirdly close to what the future might, might

[00:42:13] Chris Sienko: Yeah.

[00:42:14] David Close: So.

[00:42:15] Chris Sienko: Yeah, I was gonna say that's always, it's, it's always good to hear, uh, which ones are actually sort of hitting the vibe and which ones are still sort of using phasers and teleporters and things like that. So that sounds great. That sounds great. So, uh, alright, well one, one last request here, one last question.

Tell our listeners where to find out more about David Close and or Futurex on online.

[00:42:35] David Close: Yeah, I mean, the best place is, uh, futurex.com. We have webinars, white papers, lots of educational content on cryptographic infrastructures and post-quantum readiness. You can also find me on LinkedIn, David Close at Futurex. Um, and I, I think those would probably be the best resources.

[00:42:53] Chris Sienko: Great look. Yeah, look up David, uh, all, all our listeners, I hope you'll, uh, get in touch there. So, David Close. Thank you for your insights. This was a such, such a fun conversation.

[00:43:01] David Close: Yeah. I thank you for having me. I, I really enjoyed our, our discussion.

[00:43:05] Chris Sienko: Great. Uh, this has been another episode of the Cyber Work Podcast. Thank you for watching and listening. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop 'em in the comments, make use of our YouTube community tab or let us know by commenting on our TikTok channel.

Uh, before we go, please check out infosecinstitute.com/free for a wealth of free and exclusive things for Cyber Work listeners. You can check out our free Cybersecurity Talent Development Playbook, which has in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more, or take a look at our Cybersecurity Salary Guide for the latest data on popular certifications and their related roles, as well as the average salaries for those roles. We've also got security awareness posters, search study eBooks, and you can sign up for 100 plus free courses in a free month of our Infosec Skills platform.

You can learn incident response forensic security architecture. All of that. So one more time. That's infosecinstitute.com/free. And one last time, thank you to David Close and Futurex, and thank you for watching and listening. This is Chris Sienko signing off. Until next time, make sure to learn something new every day.

Keep one step ahead of the story and don't forget to have a little fun along the way. Bye
