CyberWire Daily

Preparing space for Q-day. [T-Minus: Space-Cyber Briefing]

22 min
Jul 12, 20266 days ago
Listen to Episode
Summary

This episode examines the urgent cybersecurity challenges facing space infrastructure in the post-quantum era. Eddie Zervigon, CEO of Quantum Exchange, discusses how quantum computing threatens current encryption methods, the implications for satellites and space communications, and why the space industry needs to implement crypto-agile architectures now rather than waiting for quantum computers to fully mature.

Insights
  • Space systems face unique cryptographic challenges because satellites cannot be physically updated post-launch, making pre-launch security decisions permanent for years or decades
  • The quantum threat timeline has accelerated from 2035 to 2030, driven by advances in quantum computing and AI capabilities that adversaries may already possess
  • Crypto agility is an architectural problem, not a mathematical one—it requires separating key generation and delivery from the data plane to enable algorithm updates without network disruption
  • The space industry currently lacks the security attention and regulatory mandates that federal agencies (civilian and DoD) are receiving, creating a critical vulnerability gap
  • Federal budget alignment is the primary bottleneck; the executive order signals intent but Congress must provide funding to make post-quantum migration feasible across government and critical infrastructure
Trends
Acceleration of post-quantum cryptography adoption timelines across federal government and critical infrastructure sectorsGrowing recognition that quantum threats require architectural redesign rather than algorithm-only solutionsIncreased focus on crypto agility as a core requirement for long-lived infrastructure assetsRegulatory pressure to classify satellites as critical infrastructure subject to post-quantum mandatesConvergence of AI and quantum computing as a dual threat requiring immediate defensive actionSpace industry lagging behind federal agencies in quantum-readiness despite equal vulnerabilityNIST-approved post-quantum algorithms (ML-KEM 1024, HQC) enabling actionable federal mandatesShift from theoretical quantum threat discussions to practical network integration conversationsBudget constraints emerging as primary barrier to post-quantum migration in governmentIntersatellite communication authentication becoming critical security vector in mega-constellations
Companies
Quantum Exchange
Eddie Zervigon's company providing crypto-agile solutions for post-quantum cryptography management in networks
Maxar Technologies
Formerly Digital Globe; cited as first high-resolution commercial satellite imaging company, investment example
Bloom Energy
Distributed power generation company; cited as transformational technology investment example from 2007
Morgan Stanley
Eddie Zervigon's former employer where he invested in transformational technologies for 15 years
NIST
National Institute of Standards and Technology; charged with developing post-quantum cryptography algorithms
People
Eddie Zervigon
Guest expert discussing post-quantum cryptography challenges and solutions for space infrastructure
Maria Varmazis
Host of T-Minus Space Cyber Briefing conducting interview on quantum threats to space systems
Nikesh Aurora
Referenced for earnings call discussion on AI false positives and cybersecurity implications
Quotes
"You can't send the Maytag repairman up to fix the encryption. The encryption that's on the satellite when it's launched is what it's going to have."
Eddie ZervigonMid-episode
"This is an architectural problem, not a math problem or a physics problem."
Eddie ZervigonMid-episode
"I'm a little concerned because I don't see the attention from a security standpoint on some of these big, big space projects that we're seeing."
Eddie ZervigonLate episode
"What we do is in-air refueling of the jet. The jet doesn't have to land in order for it to be refueled and then take off."
Eddie ZervigonMid-episode
"My biggest worry is not that people understand the problem or are willing to do something about it, but the lack of funding in order to move this forward."
Eddie ZervigonLate episode
Full Transcript
You're listening to the Cyber Wire Network, powered by N2K. Cyberwire.com for more information. And make sure you stop by the studio and meet the N2K Cyberwire team. We'll see you there. Well, I got to tell you, I'm a little concerned because I don't see the attention from a security standpoint on some of these big, big space projects that we're seeing. I'm not seeing the level of attention that I'm seeing in other, call it on the Fed side, Fed civilian and DOW. It's really beholden on us to kind of really stress this and make sure that, especially as satellites are considered critical infrastructure, that they fall under some of the governing bodies, if you will, in regulatory environment, regarding critical infrastructure that are really pushing this kind of post-quantum mandate. Welcome. I'm Maria Varmazis, and you're listening to T-Minus Space Cyber Briefing. In this show, we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects, and connects our lives. On June 22nd, 2026, the Trump administration issued an executive order titled Ushering in the Next Frontier of Quantum Innovation. Its goal is to strengthen quantum technology development in key U.S. agencies and industries. Space technology got a specific call-out in the quantum EO, as one might shorthand it. And in my chat today with Eddie Zervigon, CEO of Quantum Exchange, we focus on space-specific cyber considerations for when we officially enter a post-quantum world. And that day is coming fast. So how can an industry that historically has not exactly been known for its agility keep ahead of fast-accelerating risk? That Q day in the mirror is indeed closer than it may appear. Eddie Zervigand, CEO of Quantum Exchange. I've been in the role for about six years. Prior to that, I was a recovering banker slash investor at Morgan Stanley, where I spent the better part of 15 years investing in what I would call transformational technologies. Companies like Digital Globe, which became Maxar, which was the first high resolution commercially available satellite imaging company. Another company that's been in the news a lot lately, Bloom Energy. So I was an original investor back in 2007 when I was with Morgan Stanley investing in the need for distributed power generation, which is now really coming full circle as AI data centers take the front page in terms of the need for distributed power. And then when the opportunity about six years ago came about to take over as CEO of a company that I had been previously an investor in, I really jumped at the opportunity not knowing exactly when the market would materialize, but knowing that it would be the most consequential transformation in the digital economy that certainly we've seen in many, many years and excited to be a part of it with what we think is superior technology. Oh, fantastic. Well, Eddie, I'm so excited to be speaking with you because the timing is just perfect, given your area of expertise and what's been going on in current events. The executive order that recently came out about quantum was huge, not just on the cybersecurity side, but also on the space side. And I'm wondering if you could maybe give me a bit of, given your area of expertise, some context around this EO. And, you know, why now? Why is quantum suddenly getting all of this emphasis? I mean, it's not a brand new thing, But, you know, why in this moment is this happening? Well, I think obviously 2016, NIST was kind of in charge or charged with the task of kind of figuring out the next algorithms that will take us into the post-quantum age. And, you know, you have to take a step back and realize that it's an incredible technological run that for 50 years, basically everything that we do in the digital world has been secured by essentially three algorithms. And they have changed a little bit over time, but essentially there are three algorithms that have kind of underpinned our security in that period of time. It's an extraordinary technological run. But unfortunately for us, the kind of compute capabilities that quantum brings into the equation now are exactly the compute capabilities that will eviscerate asymmetric encryption which is what we relied on And so NIST 2016 was in charge with looking at okay, what are gonna be the algorithms that are gonna take us into the next generation, if you will, of encryption? And the first one was approved in 2024, which was MLChem 1024, and then HQC was added last year. And so now you're starting to see the actionable algorithms come into play, right? Prior to that, you couldn't really do anything because there wasn't a NIST-approved algorithm. So as it relates to the federal government, which would be probably closest to understanding the severity of the problem, right, they are now actionable. And I think it really took us into overdrive last summer with the DeepSeek and the release of DeepSeek and the, I guess, the new understanding that maybe the other side of the ledger was much more advanced, if you will, than maybe we had previously given them credit for. Yeah, yeah. I know I'm jumping around a little bit, but I'd love for you to speak a little bit about that, too, before we get into sort of what this all means for space and such. Broadly, the landscape of quantum right now, where are the United States compared to maybe our adversaries? Where are we? Are we about on the even playing field or does it seem like we're falling behind? Well, unfortunately, like many problems that have some specific date, this one does not. We don't know where our adversaries are. We just know they're probably a little further advanced than we gave them credit for. And they're also spending a lot of money towards it, right? Much more so in the recent past to what we have spent here in the U.S. So that combination is not a good combination for us. And, you know, I was listening to Nikesh Aurora's earnings call a couple of weeks ago where he talked about mythos and using mythos and the realization that 30 percent of the mythos false positives, right, from a cyber perspective still require attention. And when you think about adversaries, they only have to be right once. On the defense, you've got to be overwhelming in terms of your response. So that's created a rather long poll in the tent in terms of what we need to solve for. But suffice to say, when the adversary has the capability, they will not be broadcasting it to the world. That absolutely makes sense. Yeah, appreciate that. So let's bring it to the space domain and drill in a little bit there. I imagine for some of my listeners who are maybe less aware of what's going on within the space domain regarding quantum and quantum communications, they might be thinking of space as sort of just a transport layer. Can you give me a sense of the very broad implications of quantum for space? And let's just start there and then drill into where we're going with this. So as it relates to the security aspects to it, there are a couple of threat vectors that kind of surface. One is the ability to authenticate the space assets, meaning there are going to be a lot of interspatial communications between satellites, intersatellite communications that need to be authenticated. Are you really talking to who you think you're talking to and not being spoofed? So that's not even getting to the ground. And then obviously the comms between the satellites and the ground station are ripe for an attack. Why? Because we know exactly when the satellite is going to actually do the handshake, if you will, from a cryptographic perspective, because it's when the ground station and the satellite can communicate. And then you have from the ground station in, which is also another vulnerability. The biggest issue with space is that, unfortunately, like a lot of terrestrial networks, you can't send the Maytag repairman up to fix the encryption. The encryption that's on the satellite when it's launched is what it's going to have. And many of these satellites are long-lived assets that need to be up there for a while. And others are rather short-lived, so it's less of an issue. But any meaningful constellation up there has to consider post-quantum crypto and the agility that you're going to need to meet these threats as they come due. Truly. So, yeah, how do you essentially future-proof something like that that, you know, has a lifespan in terms of not just years but potentially decades? Yeah, that's, you know, it's a really good question because many people throw around the term crypto agility. and crypto agility means, you know, the ability to handle new, not only threats, but new algorithms as they come due. There's, NIST has another something like 44 algorithms that are still in review that could be approved. So it's clear to me that they don't think this is a one and done, set it and forget it, whatever you want to call it. This, again, unlike the last 50 years, this is going to be an evolving threat that we're going to have to meet head on. And so therefore as I like to articulate not only internally with our team but also as it relates to customers and thought leaders on the subject this is an architectural problem It not a math problem or a physics problem And if you treat it as a math problem then you beholden to the algorithm that maybe today works but might not work tomorrow. And even then, you might have to change. MLChem 1024 might become MLChem 2048. And what do you do in order to be able to change, But more importantly, be able to do this at scale without bringing down the network. And so much of what we talk about is what is and what is not crypto agility. To us, what crypto agility is, is the ability to manage your cryptography without affecting your network. In other words, I like to simplify it by saying what we do is in-air refueling of the jet. The jet doesn't have to land in order for it to be refueled and then take off. We can accommodate changes in algorithm, audit, auditability, automation, anything that needs to happen that when you have a management plane that is now taking over your encryption. And that's what we do. We create a management plane by separating key generation and delivery from the data plane and putting in its own control plane, much like we did with identity and access management years ago. Now that we have a sense of perhaps what needs to be done in a post-quantum world for space cybersecurity, let's take a quick break now. And when we get back, we'll pick up on policy-wise what needs to happen next. Stay tuned. This episode is supported by Black Hat USA. If you follow the research, you know a lot of it breaks on Black Hat stages. Hundreds of peer-reviewed briefings, more than 100 hands-on trainings, and the largest business hall in Black Hat's history. Six days to learn the skills you'll need tomorrow, August 1st to the 6th. Use code CyberWire for $200 off your briefings pass at BlackHat.com. We'll see you in Vegas. AI is making phishing attacks faster, more convincing, and harder for people to spot, and traditional security awareness and phishing training weren't designed for this level of attack. Hawkshunt helps security teams prepare employees for the attacks they face every day, with personalized phishing training that adapts to each employee and reduces risky behavior over time. For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hawkshunt.com slash cyberwire to learn more. That's H-O-X-H-U-N-T dot com slash cyberwire. And we're back. Let's continue on with my conversation with Eddie Zervigon, CEO of Quantum Exchange. I'm thinking agility is not often a word that we hear in the context of anything space related, which is a shame. And I know people are really working hard to change that, but it's the reality of the years it takes to get a mission into orbit. And it's a fascinating challenge of when the on-the-ground reality is changing so fast, how can these systems that take so long to make and stay so long on orbit, how can they possibly keep up? So it's not a it's certainly not a hopeless situation. I just it's a fascinating adaptation that systems that we're all interacting with have to have to make. And I'm wondering also about what other unique challenges our space systems are dealing with in the context of quantum that maybe we haven't mentioned. Is there is there anything else that that our listeners should know? Well, I think also I think what I spend a lot of time in D.C. advocating for is to align budget with the problem. right i think this problem has come much faster than anyone previously thought and what i mean by that is i think people are starting to realize that yeah sure the quammy you know five six years ago when i started i would have a conversation with a ciso and we'd spend the first half hour of the conversation talking about quantum you know computers and why the threat the ability to the ability to be able to um back into the private key from the public all that stuff now it's not at at all. Now it's basically, how do you fit into my network? Exactly. And I think that's a much better conversation to have. And as you get to federal agencies, whether it be civilian, Department of War, it's clear that there's a recognition of the threat that's there. And now we need to align federal budget to it. And given the dysfunctionality in our federal government right now, my worry is, my biggest worry is not that people understand the problem are willing to do something about it, but the lack of funding in order to move this forward, I can't see of a bigger issue, certainly with regards to the federal government and soon to be the critical industries such as healthcare financial services critical infrastructure But first the government right They the closest to the problem They understand the threat. And so we need to get money behind the understanding in order to really make this work. I'm wondering, did you find the executive order to be a heartening sign? Or is it just not enough of a concrete move? Well, I mean, obviously, executive orders on the on the executive side of things. Right. So they don't don't control the purse strings. That's up to Congress. Yeah. But but I think it stresses the severity of the problem. We moved the timeline in from 2035 to 2030. I think that's that's a pretty good indicator of where they think directionally this is going. So now we just need Congress to match that from a budget perspective. And it doesn't take a whole heck of a lot of money, especially if you want to do it right and you want to do it in a way that gives you, as you mentioned, maximum flexibility in the future, which is everything. The last thing you want is to have to put in place a whole system that needs to be ripped and replaced at some point in the future. Yeah, absolutely. And I'm wondering also the takeaway for folks in the space industry about essentially future-proofing, if one can really do such a thing. But building in that agility, what do you think that folks in the industry should also know? Well, I got to tell you, I'm a little concerned because I don't see the attention from a security standpoint on some of these big, big space projects that we're seeing. I'm not seeing the level of attention that I'm seeing in other, call it on the Fed side, Fed civilian and DOW. And so the first thing is we've got to now convince them that, hey, this is something that needs to be done now. and then start thinking about it architecturally. As I mentioned, once you launch a satellite, it's really tough to correct things because obviously you can't get out the satellite, the physical changes that need to be made. So I think it's really beholden on us to kind of really stress this and make sure that, especially as satellites are considered critical infrastructure, that they fall under some of the governing bodies, if you will, in regulatory environment regarding critical infrastructure that are really pushing this kind of post-quantum mandate. That's a fascinating, fascinating point there. Eddie, I want to be mindful of your time. If there's anything else you want to leave our audience with before we close out, the floor is yours. Yeah, no, I think it's been a great conversation. I really appreciate your taking leadership and ownership on this very, very important issue, especially as it relates to space because of exactly the points that I make, which is you can't send the Maytag repairman up there to fix it once it's done. So it's really, really important that we get it right and we get it done soon because it's not going to be too long before we have this deadly combination of AI and quantum getting together. And as I like to call AI the brains and quantum the brawn and really create a wreaking havoc on our digital world. And so anything that we can do to further the case that architecture is what ultimately will guide us, I think is time well spent and money well spent. Well, Eddie, thank you so much for speaking to me and our whole audience about this. This is an extremely important topic, and I greatly appreciate your time and expertise on this. So thank you so much for joining me today. Thank you so much, Maria. I really appreciate the time. And that's T-Space Cyber Briefing, brought to you by N2K CyberWire. If you like what you heard today, you will also enjoy our newsletter, Signals and Space. You'll get research and notes pulled together by our producer, Ethan Cook, and me, along with this week's top space cyber news stories. Subscribe by visiting thecyberwire.com slash newsletters. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing cybersecurity landscape. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to space at n2k.com. We are proud that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K helps cybersecurity professionals grow, learn, and stay informed. As the Nexus for discovery and connection, we bring you the people, the technology, and the ideas shaping the future of secure innovation. Learn how at ncuk.com. Thanks for listening to T-Minus. I am your host, Maria Vermazis. This show is produced by Ethan Cook and Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Iben with content strategy by Mayan Plaut. Peter Kilpie is our publisher. See you next week. T-minus.