Sandbox began life as a secretive division of Google parent company Alphabet in 2016, and in March 2022 became a company in its own right, Sandbox AQ. The A is for artificial intelligence, and the Q is for quantum, says CEO Jack Hidary.

The company plans to apply those technologies in the development of software-as-a-service products for the enterprise, tackling problems such as cybersecurity, navigation, and drug discovery.

Hidary, an energetic figure, is a serial entrepreneur. With his brother, he co-founded web design firm EarthWeb, leading the company through its acquisition of job site Dice.com and an IPO, and co-founded financial research firm Vista Research and solar panel installer SambaEnergy. He has also sat on a number of boards.

In his current role at Sandbox AQ, he has found time to become a published author: His 2019 introductory guide, Quantum Computing: An Applied Approach, is now in its second edition.

One of the applications of quantum computing that he discusses in that book is Shor’s Algorithm, which — if you have access to a working quantum computer — makes it possible to crack many of today’s encryption algorithms, finding private keys in seconds rather than (billions of) years. It may only be a few years before quantum computers up to the task are on the market, so the threat to enterprise data is imminent.

Under Hidary’s leadership, Sandbox AQ will be taking an applied approach to using quantum technologies in enterprise IT. Shortly after the company’s creation, Hidary spoke to CIO.com about his plans. Here are edited highlights of that conversation.

CIO.com: What enterprise problems will Sandbox AQ focus on?

Jack Hidary: The primary focus right now is post-quantum cryptography. That’s because of the urgency around cybersecurity in general, which I know that your readers are very familiar with. But specifically, there is an open war in cybersecurity on theft of IP [intellectual property]: The store-now-decrypt-later attack that is happening now.

Companies across the Western world are being attacked, and data that is encrypted is being exfiltrated. That’s the “store now” part. The “decrypt later” part is that when sufficient computing capabilities are available to those adversaries, they will decrypt it and have access to it.

Think about IP in terms of chemical formulas at consumer-packaged goods or chemicals companies. Or of formulas and know-how and trade secrets at pharmaceutical and biotech companies. Not just the pharma products that are on the market: Almost as important or as critical are the thousands of compounds that every biotech is working on in development. It takes 10 or 15 years to develop some of these drugs, so if you have access to the IP of Novartis or Roche or Pfizer or Merck, you know, this is very, very valuable, even if it takes you a few years to decrypt it when you have sufficient computing power.

We also have to think about sensitive financial records. We have to think about HIPAA. The definition of HIPAA will have to change because we need to keep medical records around for years, and right now they are RSA-encrypted, but unfortunately, RSA is vulnerable to quantum attack, and the same thing with elliptic curve cryptography and with Diffie–Hellman key exchange.

The core encryption algorithms that we use for data in motion and data at rest are vulnerable to quantum attack and specifically, and this I want to emphasize, right now to store-now-decrypt-later. You know, CIOs sometimes ask us, do I need to act now? Can I just wait until we’re at the precipice of an RSA cracker? And the answer is, unfortunately, one has to act now because of store-now-decrypt-later or hack-now-decrypt-later attacks.

If quantum computers can crack today’s encryption algorithms, will all our data be vulnerable?

Hidary: The good news is that the cyber community came together about six years ago — multiple countries, Western and Eastern European countries, the US, Canada, other leading countries in cybersecurity came together and formed the NIST process to examine, validate, and test a series of protocols that could replace RSA. Over 60 protocols were accepted into round one. The NIST process worked its way through, on an international multi-stakeholder basis, an open process, open to all, on the NIST website. It came out after three rounds with the finalists and indicated just last week that in the next two weeks, we’re going to see the specs on the first protocols that we can use.

(Hidary spoke to CIO.com in late March 2022, but participants in the NIST process continued to make tweaks to the encryption algorithms through April, and at time of writing, NIST had reached no conclusions.)

What do CIOs need to do to prepare?

Hidary: The timing is propitious for the migration now from RSA to post-RSA encryption. Had we tried to do this three or four years ago, what would we have used? What would the new protocol have been? The good news now is that there’s a software fix. One does not have to buy new hardware.

The first step though, as we put ourselves in the shoes of a CIO, would be discovery, encryption discovery. We know that large enterprises, no matter how hard they try to avoid it, are ad-hoc patchworks of multiple networks, M&A transactions that happened over the years of the company, so there’s encryption all over the place, both for data at rest and in payment hubs, transaction hubs, and other points of data in motion.

What is needed in every large enterprise is a discovery process, a piece of software that crawls over the network, finds all the places where one is using RSA or elliptic curve or other vulnerable protocols, catalogs it, inventories it, presents it to the CISO, presents it to the CIO, and then makes recommendations for migration plans. It takes years to migrate a large enterprise, and so one needs a plan to do so.

What we’re seeing now is governments kicking in various rulings, various compliance calendars and milestones: The Jan. 19, 2022, national security memo from the US federal government enjoins the sensitive agencies of the United States to start moving from RSA towards post-RSA. The SEC proposed a cybersecurity compliance ruling on March 9, 2022, to take effect within 60 days. ANSSI, the French national cybersecurity agency, issued a post-RSA communiqué on Jan. 4, 2022. The UK government has issued its communiqués. This is a global effort, a multi-stakeholder effort to bring the entire world from RSA to post-RSA. There are 20 billion physical devices that will need software upgraded: 7 to 8 billion phones, billions of laptops and servers, billions of IoT devices, all will need software upgrades.

So, the software service that you are offering is the scanning and the advising?

Hidary: Exactly. We have three pieces of this. One is the scanner, Sandbox AQ Discovery Tools. Many of our customers want to keep that information to themselves, so we don’t run it as a service. We license it to the companies where they can run it and see the results themselves. We don’t need their internal results.

Second is the migration planning tool. Once you get the inventory and assessment, let’s put it all in a massive Gantt-chart-like piece of software that we have, a module for migration planning. That also is a compliance report output module, which allows you to hit a button, output a compliance report that you file with the appropriate regulatory bodies.

The third piece is the set of KEM [key encapsulation mechanisms] and encryption modules that instantiate and represent the protocols that came out of the open multi-country multinational stakeholder process known as the NIST process. The good news is we did not have to invent any new algorithms. That was done by the cryptography community, the mathematicians, the cryptanalysts, over a 25-year period since Peter Shor’s paper came out. They did their work brilliantly.

So, the third piece of what Sandbox AQ offers is these actual encryption APIs and SDKs. Let’s say, for example, you’re a large bank and you have your banking apps for your customers to do online banking, mobile banking, mobile brokerage, and so forth. Those apps need upgrading right away. If we’re going to protect that transactional data, that customer data, we need to update the SDK that’s in the app, and then update it on the app stores so that further communication will happen via post-RSA encryption.

If these are open algorithms, what is the added value that you offer here? What can you offer that other companies cannot?

Hidary: Firstly, it’s a strength that the algorithms are open. There’s no source code out there. It’s not open source, but it’s open algorithms, and that’s the strength of the cyber community now: We only trust open algorithms, the ones that have been validated and tested by the open community.

The value-add we offer is the following: The discovery tool and the encryption modules all have our machine learning modules in them. Why machine learning? Is it just pixie dust we have to add to everything? No. The reason is that, coming out of the NIST process, we don’t have just one protocol: We have multiple valid post-RSA protocols.

For a large enterprise architecture, we need a control plane and a data plane, and we need to separate the control plane from the data plane. The data plane is the encryption plane. That’s where the encryption happens using the post-RSA protocols. The control plane is where the machine learning sits, to choose in real time the parameters and which protocol to use. Some protocols are faster, some are a bit slower, some offer a bit more security, some sufficient but a bit less. An ML model is necessary to make these real-time choices.

We offer a lot of value-add with our deep heritage of machine learning and our knowledge and expertise there, suffused with our understanding and deep expertise in quantum-safe cryptography. Bringing these two together, that’s where the value-add is.

To do the scanning, obviously, one needs some smarts in the system. It can’t just be a dumb scan: You will not be happy with the results with a passive dumb scan. You need a smart scan to do the scan across massive enterprises on premises, in the cloud, on mobile phones. A typical enterprise might have 200,000 mobile phones in the hands of its employees. One has to scan all these devices for what encryption protocols are being used.

Let me further add that another piece of all this is telecoms. One needs to think about inventorying all telecom products that one uses at a large enterprise. An example would be VPN and SD-WAN.

Is that why you are working with Vodafone Business and Softbank Mobile?

Hidary: Yes. These entities are moving ahead with post-quantum-cryptography-enabled VPN. This is a critical piece of the new infrastructure for the CIO, for the CISO, and for the network manager in every large global enterprise, to have tool sets so that when one is using a PQC-enabled VPN, one is assured that even if there is an eavesdropper, even if there is infiltration, even if there is exfiltration of that data as the VPN is active, one is assured that there’s not a store-now-decrypt-later vulnerability. That is another piece of what we are offering as value-add: not just direct software to the end-user business, but also the ability to enable our telco partners, which are critical in the whole communications link, to have PQC-enabled telco products. This is critical to the future of business-to-business telecom, of enterprise telecom.

With the new investment that came with the spin-off, how are you going to stay focused and not get dispersed in a bunch of different projects?

Hidary: Well, you know, one has to prioritize. Cybersecurity is the priority right now, and we are focused on that. You can see the initial customers we’ve announced, and we’ll have more no doubt over time, both strategic partners and customers there in cyber. You’ll see that as our core focus externally.

In terms of the other parts of Sandbox AQ, these are more in development. I think it’s always a healthy balance to have some products that are ready for commercialization, and at the same time having an R&D facility, having the ability to develop products for the future.

We have security as the lead and commercialized right now, and then we have, in development, quantum sensing and quantum simulation. Sensing includes, for example, navigation, and includes other kinds of applications of these quantum sensors in development, as we indicated, so we’ll take a number of years to get to market on that.

And then of course, we have simulation, which is simulating molecular interactions using quantum equations, but doing so on today’s classical hardware, on GPUs. We have found ways to harness the computing power of the next generation of ASICs and GPUs from Nvidia, from Google, from so many companies, and architect for the hybridized future, the future that I believe will happen in computing, which will be CPU, GPU, QPU. It’s not classical versus quantum computing: It’s hybridized together. The fact that quantum is cloud native, is being launched and birthed on cloud, is so positive because this is how you can integrate and hybridize the computing.

The enterprise simulation software we have written is to advance drug discovery faster. It takes about 10 to 15 years to develop a single molecule to make it a medicine. A lot of that is because we didn’t have sufficient simulation tools to simulate the molecular interactions of how this compound might interact with a target receptor in the body. And now we’re offering new tools in development to the biotech and pharma sector.

So, these are two areas more in development at Sandbox AQ, but that I think hold great promise for significant impact. There’s a healthy balance in our company between commercialized products right now in cyber, and then in-development products in sensing and simulation.
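The encryption-discovery step Hidary describes earlier in the interview (crawl the estate, find every place RSA, elliptic-curve or Diffie–Hellman cryptography is in use, inventory it, and recommend a migration order) as an added Python example. This is not Sandbox AQ's Discovery Tools and not code from the interview; the scanner output it consumes, the fictitious asset names, the record format and the algorithm-name marker tables are all constructed for the example. It goes one step beyond the text by separating the two exposures the interview lumps together: a broken key exchange or key wrap means traffic captured or data stored today can be decrypted later (the store-now-decrypt-later case, migrated first), whereas a broken signature algorithm only becomes forgeable once such a machine exists and exposes nothing retroactively.

```python
"""Cryptographic inventory classifier for a post-quantum migration plan (added example,
not Sandbox AQ's Discovery Tools). Flags public-key components Shor's algorithm would
break and separates broken key establishment (captured or stored ciphertext becomes
decryptable later: P1) from broken signatures only (no retroactive exposure: P2).
Record format, asset names and marker tables are constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Post-quantum or hybrid families, treated as quantum-safe (assumed name patterns).
PQ_MARKERS = ("MLKEM", "KYBER", "HQC", "FRODO", "MLDSA", "DILITHIUM", "SLHDSA", "SPHINCS", "FALCON")
# Families resting on factoring or discrete logarithms, which Shor's algorithm breaks.
SHOR_MARKERS = ("RSA", "DSA", "DSS", "DH", "DIFFIEHELLMAN", "ED25519", "ED448", "X25519", "X448",
                "CURVE25519", "SECP", "NISTP")

def is_shor_breakable(algorithm: str) -> bool:
    """True for classical public-key components; False for PQ/hybrid or symmetric ones."""
    n = re.sub(r"[-_ ]", "", algorithm.upper())  # 'ML-KEM-768' and 'X25519MLKEM768' compare alike
    return not any(m in n for m in PQ_MARKERS) and any(m in n for m in SHOR_MARKERS)

def parse_cipher_suite(name: str) -> dict:
    """Split an IANA TLS suite name into key exchange, authentication and cipher. TLS 1.3
    names (no '_WITH_') carry only AEAD and hash; kex and auth are negotiated separately."""
    if "_WITH_" not in name:
        return {"kex": None, "auth": None, "cipher": name.removeprefix("TLS_"), "tls13": True}
    left, cipher = name.split("_WITH_", 1)
    tokens = left.removeprefix("TLS_").split("_")
    auth = tokens[1] if len(tokens) > 1 else tokens[0]  # TLS_RSA_WITH_*: RSA does both jobs
    return {"kex": tokens[0], "auth": auth, "cipher": cipher, "tls13": False}

@dataclass
class Finding:
    asset: str
    vulnerable: list = field(default_factory=list)  # components Shor's algorithm would break
    confidentiality_at_risk: bool = False           # store-now-decrypt-later exposure
    notes: list = field(default_factory=list)

    @property
    def priority(self) -> str:
        if self.confidentiality_at_risk:
            return "P1"
        return "P2" if self.vulnerable else "P3"

def _check(f: Finding, role: str, algorithm, affects_confidentiality: bool) -> None:
    if algorithm and is_shor_breakable(algorithm):
        f.vulnerable.append(f"{role}: {algorithm}")
        f.confidentiality_at_risk |= affects_confidentiality

def _grover_note(f: Finding, cipher: str) -> None:
    """Symmetric ciphers are only weakened (Grover); flag AES below 256 bits."""
    m = re.search(r"AES[-_]?(\d+)", cipher.upper())
    if m and int(m.group(1)) < 256:
        f.notes.append(f"{cipher}: Grover halves the effective key length; prefer AES-256")

def classify(record: dict) -> Finding:
    f = Finding(asset=record["asset"])
    if record["kind"] == "tls":
        suite = parse_cipher_suite(record["cipher"])
        # A reported negotiated group names the real kex; for TLS 1.3 it is the only source.
        _check(f, "key exchange", record.get("group") or suite["kex"], True)
        _check(f, "authentication", record.get("cert_key") or suite["auth"], False)
        _grover_note(f, suite["cipher"])
    elif record["kind"] == "ssh":
        _check(f, "key exchange", record["kex"], True)
        _check(f, "host key", record["hostkey"], False)
    elif record["kind"] == "data-at-rest":
        # Stored data sits under a symmetric data key wrapped with a public key; the wrap is the target.
        _check(f, "key wrap", record["key_wrap"], True)
        _grover_note(f, record["cipher"])
    return f

def inventory(records) -> list:
    """Classify every record and order by migration priority (P1 first)."""
    return sorted((classify(r) for r in records), key=lambda f: (f.priority, f.asset))

def summarize(findings) -> dict:
    """Findings per priority: the headline numbers of a migration plan."""
    return dict(Counter(f.priority for f in findings))

# Constructed sample scanner output; hosts and buckets are fictitious.
SAMPLE_DISCOVERY = [
    {"asset": "payments-hub.corp.example:443", "kind": "tls",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "cert_key": "RSA-2048"},
    {"asset": "legacy-erp.corp.example:8443", "kind": "tls",
     "cipher": "TLS_RSA_WITH_AES_256_CBC_SHA", "cert_key": "RSA-2048"},
    {"asset": "api-gw.corp.example:443", "kind": "tls", "cipher": "TLS_AES_256_GCM_SHA384",
     "group": "X25519MLKEM768", "cert_key": "ECDSA-P256"},
    {"asset": "bastion.corp.example:22", "kind": "ssh", "kex": "curve25519-sha256", "hostkey": "ssh-ed25519"},
    {"asset": "s3://medical-records-archive", "kind": "data-at-rest", "key_wrap": "RSA-OAEP-3072", "cipher": "AES-256-GCM"},
    {"asset": "s3://pq-pilot-bucket", "kind": "data-at-rest", "key_wrap": "ML-KEM-768", "cipher": "AES-128-GCM"},
]

if __name__ == "__main__":
    for f in inventory(SAMPLE_DISCOVERY):
        print(f.priority, f.asset, "|", "; ".join(f.vulnerable) or "no Shor-breakable component", "|", *f.notes)
    print(summarize(inventory(SAMPLE_DISCOVERY)))
```

Running it on the constructed records ranks the RSA key-transport ERP host, the ECDHE payments hub, the SSH bastion and the RSA-wrapped archive as P1 (their traffic or stored data is exposed to store-now-decrypt-later), leaves the API gateway at P2 because its hybrid X25519MLKEM768 key exchange protects confidentiality even though its ECDSA certificate would be forgeable later, and puts the ML-KEM-wrapped bucket at P3 with only a Grover note about AES-128. A real scanner would feed in certificates, TLS and SSH handshake results and key-management configuration instead of the literal list; the classification and priority logic stay the same.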