India has witnessed an alarming surge in state-sponsored cyberattacks, with critical sectors like finance and infrastructure facing increasing threats. In addition to this, Cert-In has been issuing alerts urging financial institutions and critical sectors to fortify their cyber defenses. With geopolitical tensions escalating, experts warn of a looming cyberwarfare era that could severely disrupt digitally dependent systems, from airports to banks. In this context, Sunil Gupta, Co-Founder and CEO of QNu Labs, recently spoke to tech Achieve media. QNu Labs, a quantum cybersecurity company supported by the National Quantum Mission (NQM) of India, is redefining how organizations secure their critical data against advanced threats.
A seasoned industry leader with over three decades of experience, Sunil is spearheading the global transition to quantum-safe security. In this conversation, he sheds light on the transformative role of quantum technology in cybersecurity, its potential to render ransomware obsolete, and how it empowers organizations to stay ahead of emerging threats. He also explains why quantum encryption is not just the future but an urgent necessity for securing India’s digital backbone.
TAM: With the rise in cyberattacks and breaches globally, regulatory bodies have introduced updated cybersecurity frameworks. How do these regulations align with the growing need for quantum-safe security solutions?
Sunil Gupta: In today’s hyper-connected digital world, we’ve seen the rise of expansive networks connecting users end-to-end, and not just to private or corporate data centers but also to public clouds and hosted applications. This shift was particularly evident during the COVID-19 pandemic when enterprises were compelled to migrate to the cloud rapidly. It showcased an extreme case of hyper-connectivity, but it also exposed significant vulnerabilities as cyberattacks surged, catching many unprepared.
However, what we witnessed during COVID was merely a trailer or a small-scale problem compared to what could lie ahead. Despite India spending $3.2 billion annually on cybersecurity, organizations across sectors, government, PSUs, and private enterprises, remain deeply concerned. The reason? Current defenses are inadequate against attackers who leverage the same or even better technologies. Most enterprises are using yesterday’s tools to solve today’s problems, akin to deploying outdated MiG-21s in a modern battlefield when the latest Rafales and advanced weaponry are required.
This compliance-driven approach to cybersecurity is problematic. Many organizations lack innovation cells or roles that empower CIOs and CISOs to adopt emerging technologies proactively. This is where QNu Labs recognized an opportunity. Our vision was clear: you can’t win a gunfight with a knife or even a gun. You need a cannon. We aimed to disrupt the conventional approach to cybersecurity by focusing on two areas: advanced technology and a paradigm shift in strategy.
Quantum technology serves as the backbone of this disruption. In 2016, when the threat of quantum computers breaking encryption seemed decades away, we began developing technology that would give defenders a significant advantage. Our solutions created a 5–10-year gap, equipping defenders with tools that attackers wouldn’t have for a decade, which is a historic first in cybersecurity.
The second aspect was our strategic shift. Traditional cybersecurity investments focus on hygiene measures like malware prevention, system patches, and data backups. While necessary, these measures are insufficient because even a single human error, such as clicking on a malicious email link, can compromise an entire system. Instead of solely trying to prevent breaches, we asked a fundamental question: What if we ensure that even if attackers infiltrate the system, they can’t steal the crown jewels?
Quantum technology enables two critical solutions:
- Unbreakable Authentication: Our mechanisms ensure that only true identities can gain access, blocking malicious actors effectively.
- Unbreachable Encryption: Even if attackers penetrate the system, the data remains locked in a vault they cannot break into, removing the incentive to attack in the first place.
By addressing these core challenges, quantum technology not only protects but also shifts the cybersecurity paradigm. It allows us to stay ahead of attackers, secure critical assets, and remain highly relevant in an increasingly interconnected world.
TAM: How do you see quantum-safe solutions transforming enterprise cybersecurity strategies, especially in regulated sectors like banking, and finance?
Sunil Gupta: In regulated industries, technology adoption takes time. When quantum security technology was introduced in India, the first adopters were the defense sector and the Indian government. This focus was deliberate, as these areas house critical digital infrastructure. For instance, a compromised command to infrastructure or adversarial tapping of critical optical fiber networks could have catastrophic consequences. Early efforts prioritized protecting such infrastructure, anticipating that regulated industries would eventually follow.
In banking, while regulations are still evolving, progress is not far off. SEBI issued guidelines last year, and we expect RBI to follow suit within six to twelve months. Leading banks, however, aren’t waiting for regulations. Both national and international banks are stepping forward, recognizing the importance of leading the change. These institutions are exploring two key areas for quantum security:
- Enhanced Authentication: Banks are looking to strengthen digital authentication, currently reliant on digital certificates. They aim to implement quantum-safe digital certificates, which use algorithms that cannot be broken, either now or in the future. This ensures secure, tamper-proof authentication mechanisms.
- Data Protection and Resilience: Quantum-safe encryption is being explored to safeguard sensitive data with a long shelf life, such as customer or computational data. For instance, if ransomware attacks encrypt an organization’s data, quantum-safe encryption ensures the stolen data remains undecipherable. By maintaining encrypted backups, businesses can restore operations quickly without paying ransom, rendering ransomware ineffective.
Banks are also focusing on secure transactions. For example, when a customer uses a mobile banking app, sensitive information like passwords and credit card details flow between the device and the bank’s server. Quantum security ensures this communication channel is fully protected. Additionally, secure data sharing between bank branches and central data centers is being prioritized.
Telecom companies, another regulated industry, are also recognizing the value of quantum security. Many telecom providers have already invested in extensive optical fiber networks. However, with average revenue per user (ARPU) declining annually, they are seeking ways to generate additional revenue from existing infrastructure.
Quantum security offers a solution: telecom providers can introduce “quantum security as a service.” By leveraging their optical fiber networks, they can provide enterprises and banks with quantum-safe networks for securely connecting data centers across cities. This approach requires minimal incremental investment but opens a new revenue stream for telecom providers.
Both banking and telecom sectors are uncovering compelling use cases for quantum security. From secure authentication and ransomware resilience to quantum-safe networking, these innovations provide regulated industries with a robust, future-ready framework for safeguarding critical infrastructure and driving new value propositions.
TAM: India has seen significant regulatory shifts under SEBI and RBI, while Europe emphasizes GDPR compliance. How does QNU Labs address these varied challenges through its solutions?
Sunil Gupta: Quantum security, or cybersecurity in general, does not conflict with any existing regulations. On the contrary, it complements them. For instance, GDPR does not mandate specific tools, technologies, or methodologies. Instead, it advises organizations, particularly banks, to adopt the best available technology to protect sensitive data. If quantum-safe security is available but not being used, regulators could question this, especially as it becomes a standard endorsed by organizations like NIST.
Quantum cybersecurity is an additional tool in the arsenal of enterprises—a means to enhance data protection. For regulations like PCI DSS, which require customer data to be encrypted, we suggest going a step further by implementing quantum encryption. This approach offers an elevated level of security, providing enterprises with an opportunity to adopt cutting-edge technology while maintaining compliance.
For example, in August 2024, NIST released four new quantum-safe algorithms, which we are already implementing for clients in sectors like banking and telecommunications. Although these are currently guidelines, they are expected to become mandatory within 18 to 24 months. This impending change will likely lead to a compliance rush, as organizations race to meet the new standards.
We are actively preparing for this shift, helping enterprises transition to quantum-safe solutions to ensure they are ready for the regulatory mandates we anticipate in the next 12 to 24 months. By doing so, we empower them to stay ahead of compliance requirements while leveraging superior technology for enhanced security.
TAM: How can AI and quantum technologies converge to enhance proactive threat detection and response mechanisms, particularly in the face of advanced persistent threats (APTs)?
Sunil Gupta: AI and quantum security serve distinct yet complementary roles in cybersecurity. Let me explain with an analogy: AI acts as the security guard around your house, detecting and preventing threats like someone tunneling in, snooping, or deploying surveillance drones. It excels in advanced threat detection, intelligence, and prevention. For example, AI can reduce “dwell time”, which is the period malware resides undetected within a system, which typically averages 120 days. By identifying and interrupting the cyber kill chain early, AI can thwart threats before they escalate.
However, AI alone cannot address every advanced threat, especially those leveraging AI itself for malicious purposes. This is where quantum security plays its role as the final barrier. Think of it as the vault inside your house, protecting your most valuable possessions. Even if an attacker bypasses AI defenses, quantum encryption ensures they cannot access your crown jewels.
AI’s ability to detect patterns, especially through advanced models like generative AI, poses a unique challenge. For example, AI can analyze past passwords to predict future ones, exploiting human tendencies to use patterns in password creation. Similarly, AI could potentially identify weaknesses in existing encryption methods, even before quantum computers become mainstream.
This is why adopting quantum-safe encryption today is critical. Waiting for quantum computers to arrive is not an option, as your data could be compromised long before that. By using quantum-safe encryption now, even if your data is stolen, it remains secure and indecipherable. This proactive approach not only protects your assets but also eliminates the worry of legal repercussions or reputational damage caused by data misuse.
One CISO recently shared a common concern: “I can handle a breach, but I’m terrified of my data being sold on the dark web.” Quantum encryption addresses this exact fear. Even if attackers exfiltrate data, it becomes unusable to them. This shift provides CISOs and enterprises with peace of mind and reduces the ever-present stress of cybersecurity threats. With quantum technology, organizations can mitigate these risks and avoid such scenarios altogether.
AI and quantum computing are both potent tools in cybersecurity. When used together strategically, they form a powerful defense. While AI excels at threat detection and prevention, quantum encryption ensures the ultimate safety of critical data. By integrating these technologies in the right way, organizations can significantly reduce risks and secure their future in an increasingly complex threat landscape.
TAM: Recent high-profile breaches across the globe have exposed vulnerabilities even in organizations with robust security protocols. Can you share insights on how quantum cybersecurity can help mitigate such risks and reduce the attack surface for enterprises?
Sunil Gupta: People are using deepfakes to replicate identities, essentially engaging in identity theft. Their goal is to convince others that they are someone else, leveraging this deception to manipulate trust. At its core, cybersecurity is about safeguarding digital trust. Hackers exploit this trust to launch attacks. For instance, we naturally trust family members, colleagues, or even the person we think we’re talking to on a call. Attackers aim to exploit this trust, making us believe we are interacting with someone legitimate when, in reality, it’s someone else.
The modus operandi often involves tricking users into believing they are speaking to a trusted person. This deception allows attackers to steal OTPs, passwords, and credentials, granting them unauthorized access. From there, they exploit this access to cause harm. Quantum technology addresses this issue by significantly reducing the possibility of identity theft. By integrating quantum technology into identity and access management, we can add an extra layer of security—essentially another factor of authentication.
Unlike passwords or fingerprints that could potentially be replicated or guessed by AI, quantum certificates or quantum authentication are nearly impossible to forge. There are currently no quantum computers capable of doing so, and even AI cannot replicate such mechanisms. This approach greatly narrows the attack surface, particularly in the realm of identity theft, which is often the starting point for most cyberattacks.
In addition to identity protection, quantum technology secures data both in transit and at rest. For instance, when a remote user connects to a data center over the internet using a mobile device, they rely on tools that prioritize convenience over security. Mobile phones and the internet are inherently not designed for robust security.
To address this, we deploy a quantum-safe agent or client on the user’s devices, such as laptops or mobile phones, and implement secure quantum protocols for internet communication. This creates a secure tunnel, much like Z-level security protecting a VIP, ensuring that sensitive data travels safely from the user’s device to the data center.
Quantum security acts as a comprehensive shield, reducing vulnerabilities across multiple touchpoints such as identity management, mobile devices, the internet, and even the cloud. It integrates seamlessly into endpoint security, network security, edge security, and cloud security, creating an end-to-end solution that covers the largest possible attack surface. By leveraging quantum technology, we significantly enhance digital trust, protect sensitive information, and fortify cybersecurity defenses across all critical areas.
