Yudong Cao Of Zapata Computing On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks
An Interview With David Leichner
I think there’s an immense need to focus across the industry, so I wouldn’t suggest IT and security professionals split their attention across five different priorities at once. Instead, I think focusing on the threat that presents the biggest risk (and security professionals can get ahead of) is paramount. And that threat is the vulnerability of our encryption foundation when quantum computers come online. So, you could consider that the first thing and then I would add the four steps I just mentioned: research, assess, test and verify.
Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Yudong Cao, CTO and Co-Founder of Zapata Computing.
Yudong Cao has a background in Mechanical Engineering and Computer Science and is responsible for driving innovation and tech strategy for Zapata Computing. The company is a quantum computing software company helping enterprises and divisions of the government prepare for a quantum future — including post-quantum cryptography (PQC) — a growing threat to critical industrial systems. Zapata aims to be the authority in PQC research, assessment, testing and verification for customers and continues to publish research (https://arxiv.org/abs/1808.08927) regarding methods that leverage quantum and classical computers together using heuristic algorithms like Variational Quantum Factoring (VQF) that could potentially break current encryption standards like RSA well before fully fault-tolerant quantum computers appear.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in China, in a city on the southeast coast called Hangzhou. Both of my parents were college professors and they taught very different subjects. My mom was a fine arts professor and my dad was an engineering professor. My dad was responsible for setting up and maintaining the university computer labs in the mid-90s and as a result, I was exposed to computers at a very young age. I was fascinated by them and started to get into programming early in my life. That fascination grew, and it still grows today in my career in quantum computing.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My journey was never a straight line, but it always touched some aspect of physics or mathematics. During school I came across a textbook by Nielsen and Chuang called “Quantum Computation and Quantum Information” and it completely changed my trajectory. It taught me that I could use my passion for physics with computer science — merging the two things that interested me the most. Shor’s algorithm is another major result that led me to dig deeper into quantum computing because of its implications on cybersecurity.
Can you share the most interesting story that happened to you since you began this fascinating career?
It’s amazing how quickly the quantum computing industry has grown. I can remember in 2013, I was in grad school, and I was speaking with one of my professors in the computer science department about the future and quantum computing. He said that quantum computing wasn’t very impressive, and its future was uncertain. He tried to steer me away from pursuing a career in quantum because he thought it would be difficult for me to find a job. Yet, I still pursued my passion and here I am today and the quantum computing market continues to gain traction at a very fast rate.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
I can actually narrow it down to one character trait and that’s persistence. The willingness to stick with something you believe in, especially when it gets hard or when others are skeptical of your opportunity for success. For example, in late 2020 we took on a challenge on behalf of a large beverage company that was looking to optimize their vending machine restocking process. They wanted us to work with their existing data warehousing process to see if we could find a better way to identify which vending machines needed to be replenished and how they should go about replenishing those machines logistically. This was a complex challenge with an incredible number of variables — and the beverage company already had a solution in place… So, we needed to find a way to improve on their existing process — and what made us successful in this project was persistence. We kept pushing ourselves to squeeze every ounce of performance out of the process by digging deep into the data and not becoming discouraged when we hit a roadblock. Ultimately that persistence resulted in us helping the beverage company discover the machines that needed replenishing and replenishing them significantly faster than their legacy approach.
Are you working on any exciting new projects now? How do you think that will help people?
At Zapata Computing our mission is to deliver quantum advantage to the enterprise. We’re persistently identifying new ways that a quantum computing can be used for good — across various business functions like cyber security.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?
It’s clear that the landscape for cyber attacks is evolving quickly. It’s an ever-changing game of cat and mouse. Hackers are becoming more sophisticated in their tactics and enterprises and governments are doing everything they can to stay a step ahead. As these large organizations become more complex technologically, the challenge to thwart prospective attacks becomes more difficult. The variety of attacks and attack vectors is becoming more diverse, but we’re seeing an increase in malware, phishing, ransomware and various password attacks. These threats are serious, but the future holds a broader risk as quantum computers become more powerful and fault-tolerant.
For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?
Critical industrial are the systems that support some of the most vital needs we have as a society. A few examples of critical industrial systems include the power grid and energy systems, transportation systems, communications systems, food and agriculture, water systems, defense systems and many others.
Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?
The first example that comes to mind is the Colonial Pipeline attack in 2021. It’s an example of a ransomware attack that resulted in the shutdown of the largest fuel pipeline in the United States. The result was a significant fuel shortage on the East Coast of the U.S. and it all stemmed from the theft of a single password.
Why are critical industrial systems particularly vulnerable to attack?
In my experience, there are two reasons why critical industrial systems are particularly vulnerable to cyber threats. First, many of these systems are based on legacy technology that requires constant updating and maintenance — making it easier for attackers to exploit new vulnerabilities as they emerge. Second, the technology systems for managing critical industrial are incredibly complex with a variety of integrations to ensure that systems remain up-and-running at all times. These complexities are a gift and a curse. Sometimes they can slow down an attacker, but they can also lead to cascading vulnerabilities that present a significant threat.
What makes critical industrial systems such an attractive target for bad actors?
Critical industrial systems are the keys to the kingdom. An attacker who’s able to breach these systems can cause significant disruption and severe, life-threatening consequences. Think about having the ability to shut down power across the entire Eastern seaboard of the United States. That could mean medical facilities without power backups need to transfer patients. That would mean traffic lights not functioning properly. That would mean alarm systems that are not on a battery backup are vulnerable. And that would mean a significant interruption in communications and business across the board. Those are the kinds of threats that can have dire consequences and these attackers can use their illegal access for political and financial gain.
Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?
Enterprises and governments responsible for protecting our critical industrial systems need to be concerned about the threats of today, but they also need to be thinking about what’s around the corner. As quantum computers become more powerful — as they do each year — the threat to traditional encryption escalates in turn. With access to a fault-tolerant quantum computer, an attacker will likely be able to break the RSA encryption algorithm that safeguards much of the world’s most sensitive systems and information — particularly that of critical industrial systems. In fact, our research has shown that using a heuristic algorithm like VQF could compromise security schemes using NISQ devices that are only a couple years away.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
If we are talking about critical industrial systems, it’s important to contact the federal authorities as quickly as possible. Time is of the essence, and chances are that the attacker has had access to those systems for longer than you think. A forensic investigation led by the authorities will help the technical teams get a better understanding of what happened, what was accessed and how to manage the situation.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
It’s an old saying, but it holds true here: Failing to prepare is preparing to fail. Enterprises and those responsible for protecting critical industrial systems need to think ahead about the implications of quantum computing when it comes to critical infrastructure protection. Quantum computers present one of the most existential threats across the cybersecurity industry — and for good reason. If quantum machines are capable of breaking the core of our encryption systems, it means that the entire industry needs to rethink how we protect sensitive information in motion and at rest.
One misconception some leaders have made is to assume that the threat will arrive when quantum computers reach maturity. As I indicated previously, that’s incorrect. We’re seeing a wave of attackers setting the foundation now for information theft later — a strategy dubbed “harvest now, decrypt later.” Shoring up any and all encryption vulnerabilities as well as keeping close tabs on perimeter defenses now will be critical leading up the day that quantum computers are fully functional and available.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
The time to start preparing for a quantum computing future is now. The sheer volume of network and technology updates and modifications necessary to get ready for the next generation of computing power is daunting to say the least. The standards for encryption are about to change, and IT and security professionals need to audit and assess their systems to determine where they’ll be most vulnerable. Then they need to shore up their defenses.
To remain agile when it comes to cryptography, leaders must have a plan to research, assess, test and verify that their systems have mitigated cybersecurity risk.
Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?
I think there’s an immense need to focus across the industry, so I wouldn’t suggest IT and security professionals split their attention across five different priorities at once. Instead, I think focusing on the threat that presents the biggest risk (and security professionals can get ahead of) is paramount. And that threat is the vulnerability of our encryption foundation when quantum computers come online. So, you could consider that the first thing and then I would add the four steps I just mentioned: research, assess, test and verify.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
If I could start a movement, it would be to help more people transition from classical computer science into quantum. Like I said before, this industry is growing quickly and the demand for talent in the space is aggressive. Quantum is an exciting field with tremendous opportunity and the transition from classical computer science to quantum won’t happen overnight. It needs support and a lot of hard work. We’re consistently looking for ways to shepherd the next generation of quantum talent into the industry and I’m excited about where we’re headed. But there’s still much to be done to get there!
How can our readers further follow your work online?
Readers should check out our recent blog post regarding PQC, research and methods related to PQC or follow us on Twitter and LinkedIn for the latest updates on Post-Quantum Cryptography.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
