Beyond Encryption: Achieving True Resilience Through Keyless Security Architecture
Our latest webinar explores the evolving landscape of cybersecurity, focusing on the challenges and solutions related to quantum computing and encryption. Our expert panel discusses the vulnerabilities in current systems, the impact of quantum computing on encryption, and the innovative approaches being developed by SQE to address these issues. The conversation highlights the importance of collaboration, regulatory compliance, and the need for advanced security solutions to protect against emerging threats.
Welcome
0:00
Uh so we’re a go. Thank you everyone. Hopefully you can hear us loud and clear. Um thank you so much for making
0:06
the time um for joining this session. We’re really looking forward to sharing some insights and of course gaining some
0:12
insights for um all the participants as well. Um I want to kind of just kind of raise a quick point here. I think um we
0:19
all see these breaches in the news every single day. Caitlyn just touched on you know one thing she does very well is
0:24
helping to spread the news about how to implement best practices. um breaches across financial services and other
0:31
sectors involving static encryption key vulnerabilities. They’ve led to significant extortion demands. We see it
0:37
in the news every day. Ransomware, malware, and so on so forth. And this highlights the urgent need for advanced security solutions. Today’s webinar um
0:44
is going to be an opportunity to um feature some leading experts discussing both the immediate cyber security
0:50
challenges as well as some of the post-quantum cryptography readiness solutions that um we need to be thinking
0:55
about now, not yesterday, but now. and importantly um how SQE’s keyless
1:00
entanglement technology effectively addresses these evolving risks. And so it’s going to be very much an information sharing session. And with
1:07
that said um I’m going to hand over to Caitlyn uh to kick off the interview with uh uh with our boss Hamid.
Cybersecurity Girl Introduction & Quantum Urgency
1:14
Yeah, thank you so much Dennis. I appreciate it. And I’m honestly so so excited to be on this call. um when the
1:21
SQE team reached out to me, I don’t even know like a few months, no probably like five months ago at this point and they
1:27
kind of showed me everything that was going on and what they were doing and all their patents. I was like I was
1:33
floored cuz quantum computing is is getting so much closer. It’s already pretty much here and like how are we
1:38
going to tackle that as a cyber security um team? I feel like as people in cyber security we have to work together. So I
1:45
like to say cyber security team but most of the stuff that we currently do for cyber security hygiene, cyber security
1:50
awareness is going to be completely outdated um once quantum computing hits
1:56
and a lot of the tips that I give my followers which is you know passwords multifactor authentication like a lot of
2:01
that just going to like disappear because that is not going to be a risk anymore because quantum computing can
2:07
kind of completely crack the current encryption codes and there’s a lot of stuff going on. So when I heard about
2:13
this, I was really excited, but I was also very sad that I couldn’t talk to anyone else about it. So I’m very happy that it’s now coming out of stealth
2:19
mode. And I’m really excited to really introduce you to um Hamid, and we can kind of walk you through the um kind of
2:27
landscape of of cyber security, where it’s going, what quantum computing really is, because I love kind of breaking it down into simple terms and
2:34
really how SQE is leading the pack and all their patents that they’re working on and um or that they already have. And
2:40
so just a quick intro about me. I’m Caitlyn Syrian. I’ve been in cyber for now 13 14 years. I really specialize in
2:47
breaking down complex cyber security tips to the general public. And I’m now the largest cyber security educator in
2:52
the world which I’m so so honored to be. But I feel like it was my it’s always my duty to kind of lead the next generation
2:58
into the the new not trends but the new way of living. And that’s why I was so
3:04
excited about um SQE reaching out and like really seeing everything that they have. So on that note, I really wanted
3:11
to introduce Hamid and have Hamid kind of introduce himself and also kind of introduce what quantum computing is um
3:18
for our audience and like how it’s different than our traditional computing. So Hamid, if you want to take the take the reins.
Hamid: Background and SQE Concept
3:26
Yes, thank you Caitlyn. Uh it’s really an honor to meet you and I’m I’m so glad that you uh decided to uh join our
3:34
group. Uh we have an unbelievable uh set of people who have been helping us to make this a possibility and thank you.
3:41
Uh my name is Hamid Pishtarian. I am the CEO and founder of SQE. Uh I have always
3:48
been an engineer. I think I remember the first time I uh invented something. I
3:53
was under the age of 10 years old and I’ve all just loved engineering every field of engineering not just uh
3:59
computer science but uh by by by schooling I’m mechanical engineer and as
4:05
well as I’ve developed probably a couple of million lines of code over the years and I think last time I counted I’ve
4:11
used like 40 different computer languages. Uh but my really my passion has always been artificial intelligence.
4:17
Uh I think the first time uh I developed a really intelligent system was uh to
4:23
actually track satellites when I worked for the company TCOM electronics uh uh back in Toronto uh I think it was 1992
4:31
and uh so ever since then I’ve been just developing products uh for different fields but uh so uh my passion has
4:40
really been just development product consumer product development and uh so
4:45
when I was faced with a a serious problem that I had while I was working
4:51
on a project uh in in sensing and for agriculture. Uh I I realized that I
4:57
needed to add security because this is in open field and that’s when I was a
5:03
bit shocked when I saw that uh the cost of security is actually higher than the
5:08
cost of the sensor that I had designed. It was kind of like a shocker. Well, you know, I’m trying to create a low-cost
5:13
product for for farmers and then the cost of security is just making it so it
5:19
just is not feasible at that point. Uh so uh I I always been a ma mathematician
5:27
uh ever since I was I think 5 years old and I love quantum physics. So when I
5:33
learned about quantum entanglement was probably back in the ’90s and I was absolutely amazed what are the amazing
5:40
things that it does. And so even though I’m not a physics major, I I’ve never
5:45
I’m not a physicist. Uh but I’m I love science. So when I realized what quantum
5:52
computers can do, I was I was really shocked that they can pretty much hack
5:58
anything. Uh in fact, we have no idea what is the power of a quantum computer?
6:04
We have no idea. We think we do. Every time I look at it, it does something but more amazing. Uh imagine if you had a
6:11
system where it could pretty much solve any problem given some of the limitation. But once those limitations
6:18
go away, essentially there are no problems that it cannot solve. So the question is can it solve massive number
6:25
of massive problem like problems that are just so large that are just unimaginable
6:32
and uh so that’s basically about me. I’m I’m an engineer by nature. Yeah. I love that cuz we’re both
6:38
engineers. We both did mechanical. So it’s so interesting and I love how you explain quantum computing. It’s it’s
6:43
basically like a problem. No problem can be like unsolved with it. And the way I kind of try to describe quantum
6:49
computing to like the general public, right, is like normally our normal computing is like a really, you know,
6:55
great librarian, right? You need a book, the librarian knows exactly where to go. They go get the book and they give it to you. Quantum computing is kind of like a
7:02
magical librarian. Like they can just kind of conjure it up out of nowhere and then it just like goes directly to you.
7:07
You don’t even need like a person in the middle. Um, but I know with the rise of quantum computing, it kind of makes
7:13
traditional cyber security methods more vulnerable or kind of non-existent. So,
7:19
can you kind of describe like how quantum computing and the work that you’re doing at SQE like how it’s going
7:24
to tackle um kind of the cyber security aspect of protecting ourselves when it
7:31
comes to quantum? Yes. Um so when I was looking at this
7:37
problem uh with the sensor security uh you know one of my hobbies is quantum
7:43
computing and another hobby is uh uh following Stephen Wolfram’s uh model of
7:48
physics. it one day I was just thinking about this problem and it just hit me that I can actually simulate uh simulate
7:55
quantum processes uh for example quantum superposition which is everybody’s doing
8:00
that by the way now uh but it’s more important the quantum entanglement itself can actually be done uh using
8:07
classical computers uh and that seems a bit like impossible and that has been one of our issues but believe it or not
8:14
it is not impossible if you take a look at what is the definition of entanglement. Entanglement means that
8:21
essentially a particle or a set of particles are created at the same time
8:27
at the same location. It’s just a matter of space and time. If if you have two
8:33
particles created so when I when I added that to uh to Wolfram’s model of
8:39
physics, I said, well, why can’t I create my own virtual universe? I can basically create a virtual universe out
8:45
of nothingness uh and essentially create them and put them in a small microcontroller and
8:52
essentially uh basically make two particles not exactly the same but
8:57
somewhat the same using a quantum proc uh processes which by the way everything
9:03
around us is in the state of quantum whether you like it or not right I mean that’s how the whole universe is made so
9:10
I just took some of the particles that is received by an antenna uh which basically creates a random processes and
9:17
I record the the processes um that that as a as a whole create a quantum
9:23
particle for example uh spin or or polarity and I just digitize them and I
9:31
put them in two different pieces of hardware and essentially once you convert it from an analog system to a
9:37
digital all you have to do is essentially follow a method of simulation And now you have two
9:43
different devices which you can just put on on a truck and ship it somewhere. And now you have entanglement at two
9:49
different locations which is exactly what a quantum entanglement. But you know you need more than just quantum
9:54
entanglement. You need the superposition but most importantly you need observation. Observation is one of the
10:01
properties of quantum physics. Well without it but really nothing exists. So
10:06
I uh created an observation process which by the way I didn’t I created a
10:13
system where the particles which what I call time particle observes itself. So
10:18
by combining everything we are able to create this system where essentially you
10:23
no longer need a private public key exchange and that is really what is SQE
10:29
about if you don’t have a key you can’t hack it. Yeah. So the idea is to remove the attack
10:35
surface and and it turns out that it actually works. Yeah. So can you kind of explain a
10:42
little bit? So right now we have our our standard encryption, right? How is that
10:47
like not relevant anymore with quantum and then how is SQE kind of fixing that?
Platform Scope and Components
10:54
Well, uh, back in the 90s, I believe, uh, uh, Peter Shor discovered how to
11:00
use quantum processes to essentially make, uh, uh, RSA algorithm kind of like
11:06
obsolete. So, you can always make the RSA algorithm which creates the private public key exchange possible. Uh, well,
11:14
because of the power of quantum computers, meaning that they have infinite power, right? In other words,
11:20
every possible solution is already there. You just have to find the right solution. What it means is that it
11:27
doesn’t really matter how complex the problem is, which is exactly what prime numbers do for uh uh for the private
11:33
public key exchange. Well, essentially it gives you the entire solution. Uh so what you have to do is you have to go
11:38
find the right one and Peter Shor had one methodology to do it. There are other processes as well. So it doesn’t
11:45
really matter how complex you make your qu your your your encryption system as
11:51
long as you have an encryption key the quantum computer has the possibility
11:58
of decrypting it. Um so the I could not find any solution around it that I think
12:03
the solution was just get rid of the key. Okay. It’s like we don’t really know how powerful quantum computers are
12:10
and we don’t because we don’t know how powerful they are. Therefore, we really don’t know what protection we can have
12:17
against it. So, but by removing the need for a key uh that pretty much that I
12:23
believe in my opinion solved the problem. So we created a system where essentially people and and the people uh
12:31
things they all become entangled through a process that we call proof of entanglement. Two things are connected
12:37
to each other because of the ID system that we created and this ID system is
12:43
called SQD. Anyone uh anyone who registered with the SQE platform uh
12:49
essentially gets an ID and through this ID system we create this extremely large
12:54
numbers numbers that are a thousand digits uh you know that that are even
12:59
for a quantum computer it would take a long time but more importantly it would take infinite amount of energy to
13:08
identify them. But another the function that we had to add to in order to make sure that quantum computers even cannot
13:14
attack us was literally uh the fact that we never retransmit the same code. So
13:22
every single communication excuse me every single communication has its own code. So by the time the quantum
13:29
computer wants to attack it it’s already changed. So that is really how SQE is solving this p issue that to get kind of
13:38
like getting away with the impossible because if you have a different key every single time and the keys are uh a
13:44
thousand bits uh then then by the time any system wants to even define the
13:49
problem the the the the question is changed. So you can’t come up with a solution to a problem that you’re not
13:55
aware of. It doesn’t matter how much power you have. That’s the approach that we’re taking. And I hope that answers
14:00
your question. No, it did. And I think that it brings up another interesting question is
14:07
the way that you guys have patented and the way that you guys are solving the quantum computing problem. It there’s so
14:13
many use cases to use it with, right? We have so many cyber security problems. We have deep fakes, you know, we have cyber
14:19
warfare. And I just see the reason why I got so excited about SQE is I really see it fitting into every single area of
14:26
kind of the I don’t like to say digital landscape because it sounds very chatty but it really does fit into every area
14:33
of like the online landscape um for everything that we use and we’re able to kind of like you said you have your your
14:39
unique SQI that really and then also this how it constantly changes so they
14:44
won’t ever kind of trace back to you but I would love to get your opinion on like what you’re most excited about like what
14:50
problem that SQE solves that you’re most excited about that it’s kind of like solved in the quantum computing realm?
14:57
Well, I think one of the information about people is their private
15:02
information. I think once you solve that problem which really directly goes into
15:08
a KYC problem if you can uh secure my information
15:15
so that only I have access to it. It doesn’t matter where it is. It could be in a database. It could be on my laptop.
15:21
Wherever if I can secure that information, then in my opinion, you solved all the problems. Every problem
15:28
that we have is really a KYC problem. Uh in my opinion, the reason is because if
15:34
somebody can pretend to be me, then it really doesn’t matter what security you
15:40
have, right? Well, I should be able to access, which means essentially if somebody pretends to be me, they have
15:46
access to everything about me. So solving the problem with KYC in my
15:51
opinion is the most important problem. But having said that uh this this notion
15:57
of security direct as you said applies to every field. So and and SQ as a
16:05
startup it just doesn’t have the power to go after even 1% of them. So we
16:10
created a platform where people can come in and solve their own problem. So our
16:16
goal is to create a set of tools that people can use for any field that they’re interested in and either partner
16:23
with us just use us as a tool or as an individual you could for example store your information in what we call cubers
16:31
which is our uh uh our our database a distributed database that we have created and essentially it’s your data
16:39
uh for example just to let you know I do not have access to my own information as
16:44
the creator of SQE I do not have access to my own information unless I follow
16:49
the right procedure. So we had to create a set of tool to to make this possible.
16:54
It’s not like one thing that I can point okay it’s because of that or it’s because of that. It’s it’s mainly
17:00
because of SQ simulated quantum entanglement but but it’s really a host of technologies that we discovered over
17:07
last two three years that we need to create uh these technologies in order to
17:12
make it possible. So I’m just going to go through that list really fast and over the course of next few months uh
17:18
Caitlyn as you know we will be introducing all of these uh technologies but just to name them uh we had to create a brand
17:25
new smart contract engine uh we had to create qverse which is a nosql uh I’m
17:30
sorry no uh yeah nosql database is a vector engine um and uh which we use for
17:38
user verification as well as other things Um uh so no information on SQE is
17:47
ever not encrypted. Everything is encrypted 100% from the moment the information is generated by
17:54
the user until the information is stored in the back end somewhere and that could
18:00
be your laptop. It’s a distributed engine. Um it’s all encrypted and it’s
18:05
only available on a need to know basis by the right people. uh for example if
18:10
you want to send a text message to someone only the person who’s the right person is becomes entangled with you
18:19
through our hardware entanglement which obviously we need to spend a lot more time to describe um so through this
18:26
process only the two of you have access to it and this could be an IoT system
18:31
connected to another IoT device or it could be an IoT system to connected to someone’s back end or it could be a
18:38
person himself self is connected through his mobile phone or his laptop connected to another person. Uh essentially only
18:46
the endpoints have access to it and uh which also bring us to we need to make sure that um even when the data is being
18:54
generated so we are introducing the notion of KYD which is knowing your data
18:59
as well because if somebody can fake the data then it really doesn’t matter what level of security. So we went through
19:06
every aspect of security one by one and found out what technology do we need to create in order to secure that aspect of
19:14
- So it’s not one thing it’s data transmission is data generation and data
19:19
storage. Uh let me just tell you one thing about our storage. We do not use
19:25
standard uh encryption methodologies. We have created our own methodologies. They’re generally based on uh a version
19:32
of cellular automata that that we have invented in invented. But these
19:38
methodologies require no key meaning that I can store my information but I don’t have to have a password for it.
19:45
The information appears seems like to appearing out of nowhere and being decrypted for the right person. Um it
19:51
seems like impossible and then frankly that’s one of our biggest problem. People don’t believe us. So what we want
19:57
to do today show all of the some of this technology how it works and and hopefully we can uh attract uh people
20:04
but but you know ju just to give you an idea if you had a 1 megabyte file we
20:10
will have 8 megabit of key since we don’t have to transmit the key well why
20:15
keep it at 256 bit and why does it have to be fixed the key changes with every
20:21
single bit of information and that is something we will showcase today. Yeah, I I love that. Again, there’s
20:29
literally so many uses and I’m so excited to see what everyone uses SQE
20:34
for, but I I already have so many that I would like love to see people start using it for. I know we’re over time, so
20:40
thank you so much, Hamid. And I will hand it to Jake, who’s the head of development here at SQE, or not here
20:45
because I’m not with him, but head of development at SQE. Thank you, Caitlyn.
20:59
All right. Awesome. Oh, can you guys hear me? Okay. Awesome. Thank you. That was awesome and
Live Sandbox Demo by Jacob Rausch, showcasing Zero Knowledge Keypad Authentication, Quantum-Secure Messaging, and Simulated Payments
21:05
super informational and really kind of segues into what I’ll be showing you guys today. Um, so hello everyone and thank
21:12
you for joining us today. Um, my name is Jacob Roush, head of development at SQE. And what you see on the screen here
21:19
right now is the SQE launch page. This is where every session begins by entering your unique session code. Today
21:26
I’ll be work walking you through the SQE, a live demonstration of the quantum secure foundation we’ve built to protect
21:32
uh data identities and communication um and a bunch of other features as just
21:38
previously mentioned. You’ll see how each user is assigned a 124-bit decentralized identifier known as an SQD
21:45
created instantly upon registration. From there, we’ll dive into a passwordless login process and witness
21:51
browser to backend entanglement through the use of our zero knowledge keypad. Our encryption framework eliminates the
21:57
need for traditional public key cryptography, delivering the same trustless security, but without the
22:03
exposure. Once inside the dashboard, I’ll show you two of our uh core use cases, secure messaging and uh a
22:09
simulated secure payments. Uh though we believe, as we’ve previously just talked about, this is just the beginning. I
22:15
think this is the tip of the iceberg of what this technology really enables. So to learn more after today’s demo, visit
22:21
sq.io or explore our YouTube channel sq_secure for deeper dives into the SQE
22:27
ecosystem. We have visuals, explainer videos that kind of go into each individual um you know specific topic
22:34
like our SQDs, our hardware devices and whatnot. Um so let’s get started by
22:39
entering our session code. In this case, it’s 1 2 3 4. And once you type in your valid uh session code, um you’re going
22:46
to be brought to brought to the registration and login page. And so here you’ll see a few different things. Um
22:53
you’re going to see information popups on almost all of our pages that give kind of a summary of what I’m talking
22:58
about today for future reference to go back to as well as where you can learn more about specific topics. Um and so
23:06
essentially we have just a basic user form for registration. We have the username, we have your email, first and
23:11
last name. That’s all that’s required for this sandbox. Um, it’s important to preface that this is just creating a
23:17
temporary SQD. Um, so it’s not reliant on your real personal user data. Uh, but
23:23
to create a level two registration, what is what we call that gives us enough information to be able to validate and
23:29
verify you to create uh and send receive secure payments. we show that the date
23:35
of birth, social security number, other things that we can uh that are essentially permanent to you uh that we
23:41
can tie the SQD, the encrypted information based on your user profile to identify you and uniquely uh tie it
23:49
to your user profile. And so we also have a drop-down menu as you’ll see with our banks that you can choose any one of
23:55
these four banks. And that essentially just um simulates a bank account that you may have uh that allows us or allows
24:01
you as a user to simulate uh bank transfers, sending and receiving payments.
24:07
And so essentially once you create that account uh before the SQD is created, you’re brought to our graphical keypad
24:13
page. And this is really where the magic happens um in allowing to secure your
24:18
browser um and and initiate that entanglement that we just talked about between the browser and the SQE network.
24:25
So right now you’re going to see a few different bit maps merge every 5 seconds. Um, all you have to do is click
24:31
four points at this at this time and that would be enough to using zero knowledge principles to create that
24:37
initial entanglement, create that quantum secure session for the browser and the SQ network to send encrypted and
24:44
be able to decrypt those packets without having to send a key um in the process. And so what we can also talk about here
24:51
is how this keypad is essentially can scale in complexity, right? So not only
24:56
is it can it be used for um initiating that entanglement but it’s also um allow
25:02
will allow be a tool for human validation using behavioral biometrics so that you can uh go through and
25:09
register through your SQE account without a um a password. So it’s a passwordless login as well as um as
25:15
previously talked about AI resistance making sure that you as the user are who you say you are when you log in. And so
25:22
we’ll do a deeper dive into the login process here in a couple minutes. Um, but what you’ll see is essentially that
25:28
keypad. You can click any four digits. It’s not a pin. You can uh select any four numbers every time that you want to
25:34
entangle yourself with the network. And boom, that’s it. That’s now you’re entangled. We just registered. We were
25:40
given a 124-bit SQD that was created through our network based on again that
25:46
temporary user profile that we’re creating in this sandbox environment. And what you’re going to see is a few
25:51
different things on this dashboard page. Um it’s important to also understand that everything now that we are
25:57
entangled now the brow the browser and the back end are now in sync with each other. The keys are uh evolving fast um
26:04
as time goes on. And so every packet that is sent on and received between the front end and the back end are now going
26:11
to be wrapped in our SQE quantum secure bit encryption. And so uh to kind of
26:17
describe a few things on this dashboard, you’re going to see the SQD right next to the username at the top. We have
26:23
our informational button here that kind of gives a rundown and a summary of kind of again what I’m look what I’m talking
26:28
about today and the different tabs that we have on our page. You can view the full SQ by hovering or clicking and
26:35
being able to take a closer look at that. We’re going to be uh release having a lot of new releases and features to be able to get users to, you
26:42
know, test our ecosystem and the different features. Uh so we have that report issue button as well um to
26:49
continue to improve this sandbox page. Um, and so now here what you see is our
26:54
payment field. Um, and this is to uh demonstrate to you one of our core use cases, secure payments. And so we really
27:01
want to preface that this is just uh one of the many use cases that can be available. Right now our secure payment
27:08
is wrapped in ISO 222 compliance, but it this uh encryption wrapper, the idea of
27:13
this using the SQE encryption as a wrapper can go around any existing architecture. It’s not a rip and
27:19
replace. It’s a cohesive tool that can be added as a secondary layer to whatever encryption is already in your
27:25
uh tech stack. Um as well as uh be also because it doesn’t rely or eliminates
27:31
the need for public key cryptography, it can be a very strong um secure primary control as well. And so as you just saw,
27:38
we just sent a payment to virtual Alice. If there’s no other users that are active, we always have three virtual
27:44
users to be able to demonstrate these core use cases that I’m talking about today. Um you can see that it’s in
27:50
progress. Each milestone is happening live and that we are tracking each milestone to again simulate the
27:56
different points that are happening for a safe and secure delivery. We have our information button as well that goes
28:02
over each of the different tabs and what’s going on behind the scenes. We have our audit report here that shows
28:07
the payload of every single milestone being hit. again uh through the use of
28:12
the ISO 222 compliance we map each milestone to the controls based on that
28:18
compliance and again this is a wrapper so we can wrap this with any compliance which we’ll show later on with our
28:24
compliance mapper here we have uh what really the the the thick of it here is
28:29
this is the encryption right so we want to be able to display that encryption for everyone and be able to see that bit
28:35
level encryption that Hamid was just talking about you can see that there’s no correspondence uh there’s There’s no
28:41
patterns. It’s fully random. And again, it time is evolving. So the back end and the front end are per are perfectly in
28:47
sync with each other to be able to encrypt and decrypt these packets. Uh right now what you’re seeing here is the
28:52
initial payload. So the moment you send that payment, this the initial payload, which you’ll see here in a second, the
28:59
decrypted version is being encrypted. That’s what you see here. And then the backend receives that encrypted version
29:05
because it’s in sync. It’s got that entanglement initiated by our zero knowledge keypad. We can then decrypt it
29:12
on the other side and it will receive a response that you saw. And so here what I’m going to do now is log out. Uh we
29:18
see that the account balance updated and we’re going to describe a little bit about our login process now. So we
29:24
retype our session code and then in the login you can see as me previously mentioned this is a passwordless login.
29:31
All you need to log in right now is the username and uh and then we get brought back right to our uh zero knowledge
29:37
keypad. Again, we have a login specific informational uh popup for you for anybody any users to always reference uh
29:45
to get the behind the scenes. And so what I’m going to do here is type Jake123. And we’re brought back to our
29:51
zero knowledge keypad. And as previously mentioned, this is going to update every 5 seconds until four points random
29:57
points are clicked on the same image. And then that’s going to using zero knowledge principles create and
30:03
reentangle ourselves with the SQE network to continue sending uh that encrypted uh encry SQE encryption. And
30:10
so we have reentangled ourselves. We’re now logged in. And again that that zero knowledge keypad is just kind of the
30:16
foundation for initiating that entanglement. you know, we have further further futures and future features that
30:22
are going to be able to perform that user verification and AI resistance um you know that we pro just talked about
30:28
so that we can eliminate uh the need for a password and be able to guarantee that K that concept of KYC and knowing that
30:36
the user is who they say they are. And so now we’re going to go back to our payments. You can see the account
30:41
balance has uh updated itself um and stored um and so you can see all the
30:46
recent transactions that you’ve put through. This time we’re going to send a payment to virtual Charlie $110. We’ll
30:53
add a description and what we’ll be able to do is again see that ISO compliance in effect, but also we’re going to be
31:00
able to compare the encryptions a little bit. And so you can see the milestones hit um in real time. They’re all
31:06
tracked. We have a safe delivery to virtual Charlie. And now we can compare the encryptions a little bit. And as you
31:12
can see, they’re completely different, but we maintained that synchronization after the entanglement um the
31:18
reentanglement through our zero knowledge keypad. And so now what we’re going to do is we’re going to shift over
31:23
to our core use case, our other core use case of messaging. And so this is where we’ll be able to take a deeper dive. And
31:29
what I’m going to be doing for you guys is splitting the screen and displaying Wireshark. And what this is going to do
31:36
is it’s going to demonstrate a few different things. It’s going to one be able to see the packets intercepted in
31:42
real time. And we’re not using TLS. I’m running this locally to be able to demonstrate to you guys that if the TLS
31:49
that was in use was ever compromised and you’re using the SQE encryption. That’s what you’re going to be seeing in the
31:55
Wireshark. You’re going to see that application layer security that um is wrapped around your data. In this case
32:00
is going to be messages. Um to provide some context, what you’re seeing here on the right, we have our green uh which is
32:06
all the packets being sent from the front end to the SQE network. The blue is the responses. So the the backend
32:13
responding to the uh front end. And I’m going to scroll through a little bit of them. As you can see from the current
32:18
session here and uh you’ll see that every um packet because we are now
32:23
entangled or we’ve been entangled everything is encrypted with our quantum secure SQE wrapper that’s happening at
32:30
the bit level that we’re just we’re going to get into a little bit now uh further now. And so we’re going to send
32:35
a example message here to virtual Alice. We’re going to send just a typical message of hello Alice. And you’re going
32:41
to notice a few different things. First you’re going to see that the uh message was sent. we got the confirmation from
32:47
the uh SQE network. You also saw that the Wireshark uh picked up the the
32:53
request and the response uh from you know sending that message to Alice. And
32:58
what we’re going to see is we’re going to be able to compare the packets that were uh intercepted. And that’s just to
33:03
prove to you guys and demonstrate to you guys that the encryption that’s happening and being stored and displayed
33:08
in this sandbox is exactly what you would see over an HTTP uh communication
33:14
or if TLS was ever compromised um you would see the SQE encryption. So you can
33:19
see that we have our nonsensitive header here at the top and then the rest is our encrypted payload. you can see 465650
33:27
matches and that’s exactly what you’re seeing displayed that exact encrypted payload. And so what’s really
33:33
interesting is to to kind of tie this into and really powerful is to tie into what Hamid and Caitlyn were talking about
33:39
earlier. And that’s that we sent a message as small as hello Alice. And now what you’re seeing is at least because
33:45
of how small it is, we’re sending at least a kilobyte of of encrypted data. And so now what we’re going to be able
33:51
to show is okay, let’s prove that bit level encryption. Let’s prove that the um if you send consecutive the same
33:58
character consecutively, you can see it matches it with the Wireshark. But if we send six of the same characters, a
34:04
small message, six zeros, and we send it two messages back to back, you’re going to see how fast time is evolving. The
34:11
keys are different every time. And it you’re going to see the randomness between this encryption. And again, this
34:17
is all happening at the application layer. So we just copied and pasted six zeros. We sent them consecutively. You
34:23
can see they happened within a second of uh apart from each other. Both messages sent. The Wireshark uh picked up on
34:30
all the requests and responses. You can see the encryption that’s happening in each of these pack uh the intercepted
34:36
packets. And now let’s view the encryption. And you can immediately see the difference between the two. Um
34:42
they’re completely different numbers, completely different packets. And you can see the zeros. they there was no
34:48
pattern between the zeros. We set six zeros. We received a kilobyte worth of uh encrypted data. And this is happening
34:54
again at the bit level. Uh this is a bit level encryption. So it’s happening at the bit level. Each character is
35:00
receiving its own encryption. And the other part is the security aspect of it. If any one of these characters were
35:06
tampered with, the responding would immediately know that they’re unentangled and that this packet isn’t
35:11
valid and would be unable to be decrypted. And so this ensures a huge security, huge data and this is again
35:17
just the tip of the iceberg when it comes to overall use cases. You know this can wrap not just around messages.
35:23
This can scale to large packets as previously mentioned you know in the megabytes. The encryption is very fast
35:29
and as long as the two endpoints are entangled each with each other and we can do this not just uh between browser
35:36
and server but this can occur between server to server communication hardware devices IoT and even mobile phones as
35:43
well as long as they have that zero knowledge principle to uh maintain and uh initiate that entanglement and to
35:50
create that quantum secure channel. And so now I’m going to kind of bring this back to full screen and go into our um
35:57
our information pages a little bit. And what I really want to talk about is kind of how this SQE encryption fits in the
36:04
overall kind of architecture of like secure communication, right? So the standard and what a lot of people and a
36:11
lot of uh applications are using the TLS, right? And so that’s either HTTPS or websocket secured. Um but we there’s
36:18
obviously known uh attack surfaces where if that TLS is ever compromised we know
36:24
that like harvest now decrypt later and if what this SQE encryption allows is an
36:29
application layer security so that if the TLS is ever compromised then essentially what you would see is the
36:36
encrypted the SQE encryption keeping your data uh safe essentially for the long term as well. And so how do these
36:43
pieces fit? We kind of talked about this a little bit with the wire shark. What does a network observer see? Well, you
36:49
can use this not only as a secondary control with TLS, but it’s also through
36:54
because we’ve eliminated the need for public key cryptography. You can send this over HTTP and you can and you just
37:00
saw the encrypted packets that were sent and intercepted by uh Wireshark. And then we also have our table here that
37:07
kind of compares uh how the if a TLS was ever um compromised or exposed, how the
37:13
SQE encryption kind of responds to that. Right? So again, if that TLS is ever
37:19
compromised and you’re using the SQE encryption, then that’s what you would see. It’s an added layer um that you can
37:25
essentially implement into your own transactions. Again, it’s fast and it’s at the application layer as well without
37:31
having to use uh public keys. We also have our compliance mapper here and this is kind of what I talked about earlier
37:37
with our ISO 222 payments is SQE is acknowledging and can comply with a lot
37:44
of the standards of today the KYC the user authentication. We have this dropdowns on this page that kind of go
37:50
in depth of how SQE’s encryption and SQE as an ecosystem kind of comply with the
37:55
standards of today and you saw in real time the the secure messaging and the ISO 222 payments as well. And so this is
38:03
really important as this is kind of how we continue to look forward on our roadmap. We want to continue to improve
38:08
the KYC and the keypad so that we can really uh verify users through their biometrics um and be able to uh have
38:16
that password login or passwordless login. Lastly, we have uh this portal that’s powered by Netrascale that gives
38:23
you the ability to create your own risk analysis report. Um, and this is really powerful as well and allows you to sign
38:30
up, register and uh check that out as well. And um, again for anybody that’s
38:35
uh really interested and is we have a QR code that’s available uh for you to
38:41
essentially uh sign up, register uh through that QR code and you’ll be able to kind of check receive a code that
38:47
checks this uh sandbox out in real time and uh really get your feedback and see this again, test it out, navigate it
38:54
yourself. So I appreciate everyone’s time. Thank you.
39:00
Thank you, Jacob. Really appreciate that great presentation and thank you Hamid and Caitlyn for the uh session before.
Panel kickoff: Crypto Agility Obstacles
39:07
Very very informational. Um lots of insights. Um so with the next session um
39:13
we want to provide an opportunity to really kind of delve into some of you know what does the landscape look like?
39:18
you know, we’re talking about cyber security risks that we face today, but we know that, you know, very soon we’re also going to have to address the real
39:25
challenge that um quantum computers are going to be um uh creating as well. In fact, the timelines for migration
39:31
already started and so it’s really important we start to plan migration. If you look at what the Federal Reserve and
39:37
many other organizations are saying, this is going to be a multi-year effort. It’s going to require require lots of
39:43
change management internally and across supply chains, you know. So we want to have a robust discussion to start
39:48
thinking about the immediate cyber security challenges and how we start to balance that with planning for the
39:54
future of post uh postquantum readiness as well. Um and one thing I did if you look in the chat I popped in some FAQs
40:02
from the SQE website. So please have a look at that some of the terms that um Jacob and Hamid have kind of addressed um
40:08
you’ll be able to get a bit more uh do a more of a deep dive. Okay. So please have a look at those uh FAQs. Um so one
40:15
topic we’re going to be doing now I think with our um esteemed um executive team right now is going to focus on
40:21
crypto agility and how SQE helps to make a a change in preparing for that future
40:27
that we’re talking about. So um what is crypto agility for those of you perhaps who not necessarily in the in the cyber
40:33
security domain I’ve popped a link from the NIST website. Do have a look at that for a basic description. And with that
40:39
said, uh we’re going to jump straight into the executive panel discussion. Uh
40:45
so um uh I’m going to start off with Glenn Benson. And Glenn um and then the other participants once you’re
40:52
introduced, please do a quick introduction um after I’ve asked a question. So um I should put your point
40:57
out my colleague uh Rich uh Rich is not able to join um for moderation. Unfortunately was not able to make it.
41:03
So we’re going to kind of look to streamline the questions. And um if you do have any questions by the way, please
41:09
pop it into the chat and Mike and Joe and the rest of the team are going to be helping to kind of caption and share it
41:14
with you and make sure we get back to you. Okay, Glenn Benson, first question please. Um in your experience, what are
41:20
the most significant organizational obstacles? Examples may include system fragmentation, legacy integration,
41:27
skills gaps um that financial institutions face when enabling crypto agility across distributed environments.
41:48
It’s muted. Oh, he’s muted. I’m sorry. No worries.
41:54
Thanks. Um, I’m Glenn Benson. I was the distinguished engineer in charge of security at JP Morgan. Moved on to some
42:02
startups and moved on to Santander where I was head of security architecture for
42:07
North America that was US and Mexico. Um answer to your question that it’s a good
42:14
question you good use of the word obstacle rather than barrier because I don’t think there’s really barriers to
42:19
to doing this. So, it’s more like an obstacle course where you have a lot of
42:26
hurdles and other obstacles to go through, but it’s long and it’s it’s
42:31
tiring. So, it is a multi-year thing. It it is the kind of thing where there’s
42:37
just a lot of things to remediate. You have to remediate your TLS like we talked about before, but your your IPsec,
42:44
your your certificates, your your method of doing digital signatures. Really anywhere you’re using
42:50
asymmetric cryptography. So, it’s it’s just a lot. Now, there are a few real
42:57
barriers like um there’s some of the stuff that hasn’t been standardized yet for um quantum for postquantum like um
43:04
IPsec doesn’t have postquantum algorithms built in. So, you know, that
43:10
that kind of slows things down. Um so you know then there there are other
43:17
things you know I don’t think you want to do the um upgrade to crypto agility
43:24
in isolation. You want to do it in concert with other things like your movements to the cloud. So if you have
43:29
application that you know is going to the cloud in the next couple years then um you know why why spend a lot of money
43:36
remediating it when you’re just going to throw away what you’ve remediated. Um and then the cloud has has has different
43:42
solutions. So yeah, so it’s you know to
43:47
to sum up it’s it’s really an obstacle course with a lot of obstacles and just
43:54
have to keep it going for a while and that’s probably the biggest the biggest issue. It’s just not one project and
44:00
you’re done. And of course planning ahead as well is going to be very important you know as
44:05
per this timelines. Thank you Glenn. Appreciate that. Okay. Uh, next question
44:10
uh for Jeremy Sheridan. Um, Jeremy, um, based on your investigations into modern
Fraud risks and Harvest-Now-Decrypt-Later
44:16
financial cyber crime and blockchain abuse, what persistent and emerging fraud risk should institutions
44:22
anticipate as crypto agility projects scale? Um, so with quick introduction,
44:28
please uh, Jeremy. Yeah, thank you very much. Thanks for having me. It’s a pleasure to be with everyone. My background is in law
44:35
enforcement and investigations. I spent 25 years with the secret service conducting financial fraud
44:40
investigations and protect protecting uh financial infrastructure. I now am
44:47
leading FTI consulting’s investigative work streams with a blockchain and digital assets practice. So in regards
44:53
to your question um you know has been discussed a lot today we’re we’re very
44:58
forwardlooking in terms of technology advancement quantum computing and how
45:04
that will affect the fraud and fraud mitigation landscape.
45:09
uh very difficult to encapsulate that in really a sound bite type of approach
45:17
because organizations and individuals need to conduct very thorough risk assessment to
45:24
not only identify the threats but identify how those threats impact their
45:29
specific vulnerabilities as it relates to their organization and their prioritization and identification of
45:36
assets. uh and that is part of the challenge here different for each entity, each
45:43
organization or each individual. But there are a lot of persistent fraud risks that exist and continue to uh be
45:53
present regardless of all of those factors considered. And unfortunately at
45:58
the root of almost all of them is the human factor. uh vulnerabilities around
46:05
human error, you know, whether it’s uh in implementation or operation execution or
46:12
otherwise uh still continue to be the most prevalent and most effective attack
46:19
vector avenue of ingress and subsequent fraudulent mechanism fraud execution
46:25
mechanism by the adversary. And so social engineering attacks uh that target target employees in any type of
46:33
crypto capacity whether it’s as a holder or as working in an organization or is
46:40
some type of of crypto provider um offer the most effective and prevalent
46:48
way in which these frauds occur. Um and then those are leveraged for you know more advanced and ways to conduct
46:55
certificate fraud such as forged or compromised digital certificates uh
47:01
taking advantage of key management vulnerabilities. We see a lot of issues with how keys are managed in terms of
47:07
inadequate protection uh leading to unauthorized access and as we see more
47:12
of the advent of these advanced technological approaches you know legacy
47:18
system exploitation uh the the especially in transition periods when both old and new systems are running
47:24
simultaneously there’s a lot of gaps in security that are taken advantage of those will continue to exist uh and and
47:32
be prevalent I think for many years to come. But as it relates to a lot of what we’re discussing today, the emerging
47:38
fraud risks around quantum computing threats, uh, potentially compromising
47:43
current cryptographic standards and even maybe applying some of the old school ways with the new school of, you know,
47:50
investor fraud or platform fraud, claiming to have quantum security and and taking advantage of users lack of
47:58
knowledge around quantum computing and quantum applications in order to defraud
48:03
someone for an investment scheme. or some other type of approach as well as you know supply chain compromises that
48:10
exist but will continue to be prevalent. um implementation errors as we’ve
48:16
discussed as we move to these new new methodologies and I I think compliance fraud too is something to discuss about
48:22
how organizations can falsely claim cryptographic compliance or quantum capabilities while maintaining
48:29
vulnerable systems will still present uh potential risks and threats to all users
48:34
in the crypto space. Bo, thank you Jeremy. And I think that
48:40
point around fraud um is worth by me just highlighting a concept which is increasingly in the news which is of
48:46
course uh you know harvest now decrypt later you know um this is something that is very difficult to quantify the risk
48:52
because very often um nobody really knows the value of the data that’s been compromised or breached apart from the
48:57
actual owner u but the reality is to be able to put some price or um some metric
49:03
uh to determine what impact that has later down the line is very very difficult you know which is of course why it’s important to be planning now
49:09
and trying to build the barriers to prevent actually happening in the first place which is why I think technologies
49:14
like SQ are very very important so thank you Jeremy um okay uh over to our friend
49:20
Simon Pon uh first question please Simon uh with EMV 4.0 zero and aggressive
49:26
timelines for PQC migration. How do you see the adoption of crypto adopt practices impacting real pay real
49:33
payment systems and PCI compliance in day-to-day operations?
49:38
Yes, thank you Dennis. Um yeah, my name is Simon Pont. Um I have run um as a CEO
Payments, PCI/EMV impacts and adoption
49:46
two software companies. one was in the uh health care industry and recently for
49:54
the last 20 years in uh the retail industry. So uh our experience is very
50:00
much dealing with large scale organizations, some of them global um
50:05
some of them just based in the UK. I’m based just outside of London. Um I’m
50:10
also a qualified lawyer um and so uh a lot of the uh legal side of this does
50:16
interest me as well. Um just to answer your question I think Dennis um part of
50:22
the problem is quite clearly the PCI compliance. So credit card fraud in the
50:29
UK just in the first six months of this year is 300 million sterling. Um so if
50:36
you multiply that globally it is absolutely a massive problem and this is something um that we have been working
50:44
against and EMV and PCI EMV level 4 as we’ve arrived at now um works to push
50:51
this back. Um but part of the problem is very much that there’s a lot of equipment out there that just does not
50:58
have that security built in. Um and if you think of the sort of smaller retailers, smaller hospitality sites, um
51:06
having something that uh would have this type of security that SQE is offering
51:11
would be an absolute massive bonus. It would stop a lot of the leakage coming out of these companies, out of these
51:18
organizations, which ultimately um the uh payment uh service providers, the
51:23
PSPs have to pay back to the end client. So it’s costing everybody a lot of
51:29
money. Um, and so if we could close that gap, close that door and stop this type of fraud, that would be fantastic. And a
51:36
lot of that fraud is all about identity, which of course is what the the uh the product is designed to stop. So, if we
51:43
could get in there, if we could get something that’s approved by um PCI um
51:48
and get it um globally approved, because that is something now that has to happen, um then I think it would be a
51:55
massive bonus and it could be a huge cost saver, as I said earlier. So yes,
52:00
thank you. Thank you, Simon. Appreciate that. And now over to Imran. Imran, um, question
Migration, Architecture, Compliance Alignment
52:09
for you, please. Um, how are leading financial institutions strategically aligning cyber security transformation
52:14
initiatives such as cryptographic inventory, a migration plan with evolving NIST postquantum cryptography
52:20
standards um um that backed up against regulatory expectations? So how you
52:25
balancing those kind of initiatives? Thank you for the question uh Dennis.
52:32
Yes, this is a new arena for most of us right uh and it’s in a constant state of
52:38
evolution but within financial services I would say there are many ways that uh we are
52:47
preparing for and it has to take a methodical approach. So firstly the
52:53
institutions start with a comprehensive inventory of the cryptographic algorithm
52:58
which serves as the foundation. bank big institutions like JP Morgan
53:04
Chase and HSBC are prioritizing exhaustive
53:10
uh inventories of the cryptographic assets and vulnerable algorithms and
53:18
systems applications and third party dependencies
53:24
that can mitigate the the big risk which is harvest now
53:30
decrypt later. These are directly
53:36
mapped to NIST 8411 uh for prioritization based on data
53:43
sensitivity and lifespan of the data.
53:48
Secondly, they are implementing migration road maps uh tied to risk NIST
53:55
guidelines and uh with with the 2030 NIST
54:01
deprecation and the 2025 2035 sorry
54:07
uh allowance for legacy algorithms. Thirdly,
54:13
no uh they all realize that governance is an absolute necessity. So they are
54:19
implementing robust governance and executive sponsorship
54:24
by establishing cross-functional task forces and repurposing existing cyber
54:32
governance to oversee migration, training and accountability.
54:38
So now taking this proactive approach with regulatory integ uh regulatory
54:44
compliance uh and compliance with emerging regulations such as DORA and SEC the
54:52
compliance becomes in the heart of this effort.
54:58
Thank you. Thank you Imran. Yep. Great point. I’m
55:04
glad you touched on those regulations because of course it emphasizes the complexity involved in managing all
55:09
these inventories and and different initiatives while having to make sure that you comply and of course you’re
55:15
looking to protect your your reputation as an organization as well. Um and uh that applies not just with banking of
55:21
course but pretty much any industry to say the least. Thanks for that. Um okay
Defenses: AI and Social Engineering
55:26
so um coming back to um uh Jeremy I have another question for you please. Um uh
55:32
given that financial fraud still exploits human vulnerability, how should enterprises design their defenses
55:38
against increasingly sophisticated threats that blend both AI, automation, and classic social engineering?
55:46
Yeah, you know, as discussed earlier, the the human element unfortunately still remains the greatest
55:52
vulnerability. uh and that’s along a lot of different verticals that includes you
55:59
know technical controls, operational strategies, uh emerging considerations,
56:06
uh you know operational implementation. And so the most effective mitigation
56:14
approaches to that and to the those vulnerabilities involve multi-layer
56:21
defense, defense in depth, that’s often called uh that applies technical
56:26
approaches and technical controls to hopefully mitigate some of that human element. And a lot of those, you know,
56:33
are around zero trust architecture to verify access requests regardless of
56:38
source. Uh applying continuous authentication that systems going beyond
56:44
just point in time verification that monitor behavior p patterns. Um, a and
56:51
really I know it’s overused and and somewhat of a crutch, but leveraging AI
56:57
AI powered threat detection that can identify anomalous patterns that are
57:03
indicative of any type of attack behavior and weaving those into a technical control architecture.
57:10
Uh, is old school as it sounds, you know, email security still remains
57:16
imperative. uh but one a security framework that applies a AI
57:23
capabilities, you know, that can pick up linguistic patterns or uh phishing
57:29
attempts uh you know or uh seeming bot or other AI generated type of of email
57:36
construction or deepfake uh attempts for synthetic voice or video uh that
57:42
also applies behavioral biometrics and network traffic analysis.
57:48
And as boring as it sounds, you know, human-centered defenses, uh, a lot of
57:55
preventative approaches rely on proper training of personnel,
58:01
training to specific job roles and and access privileges, doing simulated AI
58:07
attacks around some of the the comp concepts I I mentioned, uh, having a
58:13
uh a a incident response plan in place, not only that exists but that is
58:19
practiced uh one that establishes and develops and maintains relationships
58:25
both internally within an organization and externally with appropriate uh you
58:31
know either law enforcement or third-party vendors who provide security services. Um and building these into
58:38
operational strategies of an organization regardless of size that has threat intelligence in integration has
58:46
uh security orchestration, some level of automation um and you know a cross-functional
58:53
security mindset, culture, practice and and governance mechanisms built into
59:00
place. um that combined with the technological approaches really build
59:06
that and establish that defense in depth and uh meshed security
59:11
architecture. Thank you Jeremy. Um uh Glenn I’d love
59:16
to delve a little bit more into that um security architecture type. Of course this is my domain as well so great
59:22
interest. Um Imran talked about DORA um and um Simon mentioned PCI the
59:27
importance of compliance. Um in terms of the security architecture uh what role
59:33
does designing security architecture in close alignment with business goals play in achieving both regulatory objectives such
59:40
as DORA and PCI DSS what’s the link there
59:45
well architecture security architectures should really play a leading role in
59:50
building the road map and that road map is critical because it’s well as we
59:56
talked about before it’s such a a long road And um that road map really needs to
1:00:02
take into account a lot of different things and it’s going to be kind of up to the individual
1:00:08
um company of exactly how you prioritize the different objectives. But the kind
1:00:13
of things to put on the table are business alignment, the the risk you know like like um the harvest now
1:00:20
decrypt later the um ease of implementation um the readiness of standards in the
1:00:25
industry and you kind of put all those together and you build this multi-year roadmap. Now that multi-year roadmap
1:00:33
really should be getting to compliance. Um and as far as compliance is
1:00:39
concerned, you know, architecture should be part of the the company. I I I ran
1:00:46
the architecture group for for a couple major major banks. And the idea is the
1:00:54
whole infosec program should be really there to build good security, but good
1:01:01
security and regulations, you know, they they they should be kind of together. So
1:01:07
when you’re building good security, you really should be addressing regulations. I mean, yeah, you have to move it around
1:01:13
some, but it should regulation shouldn’t take you to one way and good security the other. So, as you have this this
1:01:20
infosec program that that’s built, you know, compliance with the the regulations, you should have the
1:01:26
architecture through throughout it. Um, one place that we haven’t talked about so much is
1:01:32
the the third-party SaaS, right? The architecture should be involved in choosing the SaaS provider and then
1:01:38
bringing them up to uh to crypto agility and and quantum compliance or
1:01:46
postquantum compliance. Fantastic.
1:01:51
Thank you, Glenn. Appreciate that. Um I think that’s a nice little segue. Um Imran, coming back to you. Um I’d love to
1:01:58
get uh the CISO perspective here. Um and so um in terms of both from a
1:02:04
regulatory standpoint, uh the question I have for you is what hurdles do CISOs face when implementing crypto
1:02:10
agile architectures to maintain robust KYC assurance especially under regulatory mandates like the New York
1:02:17
DFS, SEC, GDPR um for KYC and anti-money laundering. If you could uh
1:02:24
delve into that please. Thank you Dennis. From a CISO perspective, there are many
CISO Hurdles For Crypto-Agile KYC
1:02:32
challenges for implementing crypto-agile architecture
1:02:37
because at its core, in my opinion, crypto-agile architecture
1:02:43
should be one that would dynamically implement
1:02:50
uh a cryptographic algorithm based on the information that is being accessed,
1:02:57
processed or transmitted. So the first challenge that CISOs face
1:03:03
is the lack of a complete cryptographic inventory and visibility.
1:03:11
It becomes a a painful task to to document all cryptographic
1:03:17
elements in the KYC systems including embedded algorithms.
1:03:25
uh legacy app you have third party dependencies
1:03:30
uh and uh so these further complicate uh the risk
1:03:36
assessments for KYC systems. This also puts them in at risk for
1:03:44
disruptions when implementing uh a crypto agile uh
1:03:50
architecture. Now regulatory burden further complicates uh these uh this uh journey
1:04:00
because regulations such as the Bank Secrecy Act and FinCEN mandate
1:04:06
adaptation of standards like beneficial ownership
1:04:11
and transparency. This then creates a silo between the
1:04:18
security teams and compliance function uh in light of the tight compliance
1:04:25
deadlines. Now humans do play a part uh and the
1:04:31
most uh prominent gap here is li lies with the cryptographic expertise uh gaps
1:04:39
within the environment. Finally, for a CISO, balancing
1:04:46
uh enhancing crypto transparency and and mu with transparency sorry
1:04:54
maintains uh remains a challenge where CISOs face hurdles to ensure operability
1:05:01
and auditability uh of to prevent illicit activities
1:05:07
within those systems.
1:05:12
Thank you. Over to you. Great. Okay. So, um I think you know a
1:05:19
lot of the and I should point out a lot of discussion clearly is kind of focused around financial services payments. Um
1:05:26
but a lot of this stuff would resonate with those of you who come for other highly regulated sectors as well. And so
1:05:31
I really encourage you to raise any questions, any kind of nuances you think that we should be reflected. Uh because as um Jake and Hamid mentioned earlier
1:05:38
on, the sandbox is very much designed to help to um help organizations create use cases that are going to be of most value
1:05:45
when you think about um what does a keyless encryption world look like? How do we start to create those use cases?
1:05:51
We’re really looking to get some ideas from you. So please continue to share them and we’ve got some fantastic ones coming already. Uh but thank you for
1:05:58
that Iran because that was a fantastic um uh segue. Right. Okay Simon I have another question for you. Um so u what
1:06:06
the most commercial sorry I should say what are the most effective commercial strategies for accelerating secure
1:06:11
technology adoption examples like post-quantum cryptography new encryption key management platforms while ensuring
1:06:18
you retain customer trust and limit friction. Yes, I think that’s that’s a big
1:06:24
challenge, Dennis, because um you know, a large sector of the population
Commercial Strategies to Accelerate Adoption
1:06:30
um are uncomfortable with a lot of the security issues that they already have to encounter. But of course, the the
1:06:37
downside of that is that um as I said earlier, um there’s still a huge amount
1:06:42
of fraud going on, especially card fraud, but also advanced payments, etc.,
1:06:48
etc. Um so I think to keep people on side there’s three specific areas that I
1:06:54
would um suggest are quite important. Number one is the straightboard is the
1:06:59
card fraud. We’ve got to overcome that. Um if we can just um get that down
1:07:05
because that accounts for something like um half almost half of the total cash
1:07:10
fraud um globally. So if we could just manage that and get in there some form
1:07:16
of security um whether it be password protection or what whatever it might be in the back end of the system and I’m
1:07:22
not talking about on the front end pin entry devices etc etc um because I think
1:07:28
that actually in all fairness is reasonably well covered already by PCI regulations um but securing the back end
1:07:36
so that um people can’t break into a um an EFT excuse me electronic funds transfer
1:07:43
um device and ensure that we can keep that information and those costings
1:07:49
safe. I think that’s very important. That would not impact the customers. Um they already expect that and I think
1:07:56
they experience it and they respect it. Um overcoming the fraudsters obviously is another matter entirely. But the
1:08:03
second piece I was going to mention is that a lot of the um fraud for instance um Marks and Spencers here in the UK um
1:08:11
Adidas across the world have experienced last year massive um cyber attacks which
1:08:17
is in the backend systems. So that it’s meant that for instance customer accounts um systems where people um have
1:08:25
bought something on account and need to pay for it are have been broken into and that causes a massive amount of issues
1:08:33
and problems to these retailers. Um therefore to be able to give them that sort of security I think would be very
1:08:39
very important and would help massively in terms of their um customer profiles
1:08:46
and ensuring that their clients their customers are comfortable and confident in uh purchasing things because
1:08:52
obviously that is a very major downside if they hear through the newspapers or on the television that a um retailer has
1:09:01
been um broken into and has had that information stolen. um people are going to walk away from
1:09:07
them. Okay. Um and then the the final part is that relationship between that
1:09:12
retailer, that customer and also the suppliers. So the supplier chain has you
1:09:18
know as much money going through it as of course the retail chain does. And so being able to give that security to a
1:09:24
supplier to somebody that’s selling to either an online site or perhaps a um a
1:09:31
shop uh or a series of shops again would give a massive amount of security and
1:09:36
again I think a lot of confidence to these people. So I think that that end-to-end security system that SQE is
1:09:42
offering would give a massive amount of confidence to these people.
1:09:48
Thank you Simon. I’m glad you touched on the supply chain aspect because we know that’s one of the biggest ch one of the biggest risks within the value chain and
1:09:54
it’s often very difficult to quantify because it tends to be extensive um multi- geographies included and the
1:10:01
different regulatory considerations. So um it’s a massive undertaking. Um
1:10:06
it’s something in fact at natural scale our team um the market research team did a great job kind of like doing research into supply chain risk and it’s very
1:10:13
difficult to to manage but of course there are solutions um you know with um um using AI and so on so forth so uh
1:10:20
lots of opportunities for innovation there. Thank you. Um great. So I think that’s a nice um um
1:10:26
kind of bringing back to Glenn um to kind of like address those situations. Right. So trade-offs between cost,
1:10:32
technical complexity, and some of those areas that um and of course regulation Simon touched on. So um Glenn, I have a
Managing Cost, Complexity, Compliance Fatigue
1:10:39
final question for you is um how how can organizations manage the trade-offs between costs, technical complexity and
1:10:46
audit demands as they evolve their cryptographic uh infrastructure particularly to avoid compliance fatigue
1:10:53
under Federal Reserve Board, Office of the Comptroller of the Currency and of course the Federal Deposit Insurance
1:10:59
Corporation which have their own operational resilience mandates. What does that look like?
1:11:05
Well, compliance fatigue is always there even before you start. It’s it’s
1:11:11
compliance is difficult, you know, and it’s a it’s a big issue. Now you do want
1:11:17
to do you know I think talked before about remediating applications before
1:11:23
you know before you’re about to deprecate them anyway. So I I think that that’s one way to to really address the
1:11:29
cost is to build this road map you know that that takes into account things like
1:11:34
that. Um I think in general, not always, but in general, you want to at least try
1:11:41
to have some centralized utilities, you know, so you have your centralized AM for example, and then as opposed to
1:11:48
having the whole organization be, you know, being trained in all the details of security, you know, you you you build
1:11:54
these centralized utilities, build APIs to it and you know, and the whole organization needs to work within those
1:12:00
APIs and then depend upon those central utilities. And I think that that will address the cost quite a bit. Now those
1:12:09
central utilities, you know, that’s heavily influenced by that security team
1:12:14
is going to have that that quantum roadmap. So that it’s going to it should have the right crypto agility to to
1:12:21
address the the post quantum algorithms. Um
1:12:29
I think that good standards within the corporation are are really important. I don’t think
1:12:35
you want to have every single application need to understand every single regulation. You want to have an
1:12:41
intermediary between the two and that that’s where your standards can come in. So you build up the standards that
1:12:47
comply with the regulation and then each of the applications comply with the standards and those standards should be
1:12:53
something that is you know unique or or at least dovetailed to that that
1:12:58
organization. Um and I think you you do want want to build to those standards and you want those standards to comply
1:13:05
with the standards that are required by the industry you know such as the post-quantum algorithms.
1:13:14
Absolutely. Thank you, Glenn. Um, so Jeremy, um, I’d love to kind of come
Best Practices During Migration
1:13:19
back to the law enforcement aspect. Um, uh, perhaps, um, maybe drawing on your
1:13:24
law enforcement experience, um, what best practices help organizations build more proactive and crypto agile defenses
1:13:32
against, uh, during these migration periods, um, including the ones, um, of course, Simon touched on.
1:13:38
Yeah. And I think it harks back to previous answers around identifying that
1:13:45
threat intelligence, what the primary assets for
1:13:51
prioritization and protection are, what the vulnerabilities are, and what the
1:13:57
realistic risk mitigation procedures that can be put in place are around all
1:14:03
those answers. Uh and that’s done
1:14:08
similarly in those categories that we talked about around vulnerabilities in
1:14:13
you know strategic uh technical operational
1:14:19
risk management type uh approaches uh that
1:14:25
really have to be done with a human element under as as an undercurrent. So
1:14:32
strategically conducting a comprehensive inventory of all algorithms, keys, key
1:14:40
management practices and processes and how those are implemented across the enterprise. prioritizing that within the
1:14:47
risk framework um and defining the cryptographic governance with clear ownership policies
1:14:55
and decision-making authorities um for those structures
1:15:00
and applying a technical implementation approach on top of that
1:15:06
um that that centralizes or has robust access controls and audit
1:15:12
capabilities around key management. having crypto agility testing
1:15:17
environments that allow you to simulate migration or uh you know threat
1:15:24
scenarios or or threat environments or actual incidents. Um having a having
1:15:32
different abstraction layers to separate business logic from cryptographic
1:15:37
implementations that that will allow uh not only execution but future
1:15:42
transitions and having operational controls around those um that that you know have
1:15:52
staged migration approaches if you’re implementing new systems have regular health checks throughout about any type
1:15:59
of standard or migration process. Um continuous compliance monitoring with
1:16:06
with real-time alerts c certainly very important. Um you know and and having
1:16:12
realistic threat modeling around all of that with necessary compensating controls so that you’re organizationally
1:16:19
ready. Again, applying back to making sure teams are prepared, understand the
1:16:25
threats and uh vulnerabilities and responses so that there’s special and
1:16:31
specialized training for security teams within those considerations. Um very important to have executive
1:16:38
level buy-in and reporting and communication uh between
1:16:45
you know frontline and and working elements along you know
1:16:51
with those with with executive level decision-making uh authority and having ways
1:16:58
to measure and improve along that process. um that that not only tracks
1:17:05
progress, exceptions, successes and failures to reduce risk uh
1:17:11
but verifies proper procedure, proper implementation for any advancement
1:17:17
um and and maintains alignment with evolving standards and all regulatory
1:17:23
and compliance requirements. Thank you, Jeremy. Very important
1:17:28
points. And um uh one thing we’re going to do by the way is uh we’re going to provide some uh data sheets. I going to
1:17:35
encapsulate a lot of these points. So please do have a look at those later on. Uh but yes, I think um having a a robust
1:17:42
understanding of um migration planning um as part of both the crypto aspect and
1:17:48
all the other initiatives um means that you’re going to be in a much stronger position. Um now I think this is a a
1:17:53
nice opportunity to kind of like delve a bit deeper into that because of course before things get to law enforcement if
1:17:59
in the ideal world uh if you have proper operation resilience practices in place then you know you can minimize the
1:18:05
damage right so um I have a question for you Iran um which is um how should teams
Resilience Testing and Incident Reporting
1:18:10
approach resilience testing and incident reporting in a rapidly changing threat landscape because I think it’s fair to say
1:18:16
there’s insufficient um time allocated to resilience testing but please correct if I’m wrong. You know,
1:18:30
uh, Iman, you’re muted, I think.
1:18:35
Sorry about that. One of the challenges of technology. Now, this is a very important topic you
1:18:41
bring up resilience testing and yes, it is often ignored. Normally what what people uh
1:18:50
organization should do is establish comprehensive testing programs with
1:18:56
scenario simulations. They should also incorporate
1:19:01
rigorous principle-based testing including but not limited to penetration
1:19:08
testing, red teaming exercises and AI-driven simulations to validate
1:19:14
defenses. Additionally, they should integrate
1:19:19
incident response with disaster recovery to show to ensure that one process calls
1:19:26
the other and this should be tested via regular tabletops and live play
1:19:33
exercises. Now, resilience goes beyond keeping
1:19:38
backups. It should also ensure that backups are reliable and available should we need
1:19:46
them. So another so what organizations should do is look
1:19:54
towards uh backup means beyond the traditional
1:19:59
lift and shift uh that back up all the databases and
1:20:04
infrastructure. So one one such way to restore reliably
1:20:11
especially after a significant cyber attempt uh event is relying on
1:20:17
transaction log backups which is of course more time consuming and resource
1:20:23
intensive but an all-encompassing restoration effort.
1:20:29
Now lastly, they should also integrate continuous
1:20:34
monitoring and threat detection into their program using uh real time tools
1:20:41
such as the SIEM. Log event log uh retention is an
1:20:47
important aspect of resilience. Now further to my comment on threat
1:20:54
intelligence, I recommend that organizations also establish
1:21:00
threat intel sharing between themselves and with the public sector. I
1:21:08
covered this extensively last month at the Lonear Cyber Summit.
1:21:16
Now in my experience I have discovered that one of the fallacies of in disaster
1:21:22
recovery and incident response is that organizations tend to ignore that these are living breathing processes which
1:21:30
must be continuously tested and updated so that we can adapt to the evolving
1:21:36
threat landscape to contain and prioritize incidents effectively.
1:21:44
Further to what U Jeremy said, reporting is an
1:21:50
uh important aspect of resilience. Hence, organizations must document
1:21:57
uh all incident details, actions and uh communications
1:22:03
extensively. They should also promptly res inform regulators and any concerned parties
1:22:12
uh that need the that need to be made aware of this. I have actually covered
1:22:17
this ext quite extensively in my podcast on Form 8-K filing.
1:22:24
Finally, intracompany and intercompany partnerships are crucial for GA
1:22:31
gathering and sharing uh this threat intelligence and post
1:22:38
incident analysis, lessons learned and strategies to
1:22:44
participate to anticipate newer threats. Now I will note that
1:22:52
uh this public-private sector collaboration and intercompany collaboration served us well when we
1:23:00
were dealing with the Log4j crisis. I don’t know how many of you remember
1:23:05
that but yeah this was crucial to that.
1:23:10
Over to you Dennis. Thank you. Thank you. Very good point. I think cross- sector collaboration and cross
1:23:16
functional collaboration is absolutely essential. Um the bad guys are sharing information we don’t do enough when it
1:23:21
comes to sharing and I think we need to kind of change that that mindset because of course the the the the studies show
1:23:27
that it does bring results. Uh very good points and you know I’ve had a chance to work with your your amazing cyber
1:23:33
security team at BMP Power as mentioned and you guys do some fantastic work. So thanks for sharing those perspectives.
1:23:39
Um I’d love to close with a final question for Simon. Uh because of course um um if you remember back to the um the
1:23:46
sandbox use case uh uh Jake walked through. Um there was a strong emphasis on payments and so we we opted for the
1:23:53
ISO 222 standard which of course is the global standard right now. Um why is this important? Well it doesn’t matter
1:23:58
what um the industry is. Reality is if you have some online presence there’s some kind of currency exchange or value
1:24:05
being exchanged in some form right? So um kind of representing payment is essential whether that’s crypto whether
1:24:11
it’s traditional payments we felt it’s important to kind of highlight the importance of building an encryption
1:24:16
model for the future. Um so with that said Simon I have a question for you please which is in your view how crucial
Global Regulatory Coordination in Payments
1:24:24
is regulatory coordination across regions to advance payment system innovation in the context of global
1:24:29
crypto agility requirements and varying implementation pace because you know not everyone’s going at the same speed you
1:24:35
know so love to get your thoughts on that.
1:24:43
Absolutely. Thank you Dennis. um you know it’s one of those things that now
1:24:49
it is a global requirement there’s no question about that I mean I remember when in the early days of um of credit
1:24:55
card transactions um you know you had different schemes so
1:25:00
you put up the information about EMV which is Euroard Mastercard Visa which
1:25:06
is the biggest but back in the day there was also uh China Union Pay had a
1:25:11
different system was different etc etc. There was lots of different schemes and
1:25:17
that um did cause a lot of problems with um with the retailers and I remember
1:25:23
specifically the airlines for instance struggled very hard to get a a uh solar
1:25:28
system um up in the air because there was different people with different cards with different payments. So I
1:25:33
think moving forward if we can get a system that has security um globally
1:25:39
based um for every single first of all every single acquirer but also every
1:25:44
single card system um I think that is very very important um and I’m I’m
1:25:50
actually fairly sure now that that would actually have to be a specific requirement. Um I don’t think um there
1:25:58
would be any areas of off the globe now that would not want to be part of a
1:26:03
system and the fact that SQE can offer that system that would go across the board I think is very a very huge bonus.
1:26:14
Very good points. Thank you. Thank you Simon. Um so that’s um a fantastic um um
Closing and Next Steps
1:26:21
ending to our panel discussion. Thank you so much everyone for taking part. I’ll just kind of quickly highlight um
1:26:27
uh if you want to book a consult a book a consultation session um the um Joseph
1:26:32
Scaliz Michael Goodwin are going to be sharing some QR codes. If you don’t yet have them, please let us know. It’s on
1:26:38
the screen right now. Uh so feel free to take a quick scan of that. And of course we’re going to be sharing more
1:26:44
information afterwards. Um if you’re interested in Risk Act, um we’re going to be um continuing our journey with our
1:26:50
demos. Um we’re working some clients, prospective clients right now. So if you understand your risk or your say your
1:26:57
threat landscape in more detail, uh please feel free to reach out. We’ll be happy to share more information, show
1:27:02
how we’re going to be helping to advance the sandbox and other initiatives as uh we on board new use cases. So um thank
1:27:09
you so much for everyone taking part. really appreciate um you all um Caitlyn
1:27:14
um Hamid um Jake and team and all the executive panel members all the team working in the background and of course
1:27:20
all participants in this event. We could not thank you enough. Thank you so much and have a wonderful day.
1:27:27
Thank you everyone. Thank you.