Canberra-based cybersecurity firm QuintessenceLabs is on the frontline of a new arms race — against the threat of weaponised computing — using “quantum to fight quantum”.

    Every person with access to a computer is on the front line of the cyber war — and even if they’re careful about how they share data, most expect the organisations they interact with to build protective barriers around data so they can get on with whatever they need to do.

    But those barriers fail. In 2020–21, more than 67,500 cybercrimes were reported to the Australian Cyber Security Centre (ACSC) — that’s one every eight minutes — and many more go unreported or undiscovered.

    “Companies that have had significant breaches often still feel the effects of losing that trust years later, whether it’s on revenue, share price or other metrics,” says Dr Vikram Sharma, founder and CEO of Australian cybersecurity company QuintessenceLabs (QLabs). “As our lives become more and more digitalised, trust and security of our information assets is paramount.”

    Cybersecurity battles can’t be won just by building bigger firewalls around data, he explains, because criminals frequently get past those boundaries, whether by brute force attacks on shields or sneaking in via back doors.

    “Security based only on protecting the perimeter is almost a mediaeval concept,” adds QLabs chair Jon Nicholson — also a non-executive director on the boards of IAG and First Nations not-for-profit Cape York Partnership. “Anyone who has played Dungeons & Dragons knows you just need to find the gateway with only one bloke holding a spear protecting it.”

    If you have played D&D, you’ll also know there’s fun to be had in manipulating clueless citizens of the citadel into telling you the secret password so the bloke with the spear will wave you through, saving you a few hits. Or you might distract him so your raiding party can sneak in. “It’s impossible to keep criminals out of computer systems and they know when they get inside often all the valuable data is lying there, unprotected,” says Nicholson. “You’ve got to lock that sensitive data up by encrypting it. The best encryption will render system breaches irrelevant, because even if someone steals it, the data can’t be read and exploited.”

    Scale-up board insights

    The job involves more than governance

    “When you’ve spent a lot of your life in the big corporate world, joining a small company is like getting into a little sailing boat compared to the ocean liners you’re used to. You don’t have all the protections of a corporate and you do a lot more than governance. Your expertise is needed to help steer the company — and be careful you don’t load up the management team.”

    Jon Nicholson, chair QLabs

    Invest in developing and attracting good talent

    “The federal and academic sectors are investing in attracting more Australians to study tech to meet the skills shortage. Industry also has a role in scaling up people’s expertise. We hire people with good dispositions and basic skills, and invest in training them up. We’ve also invested heavily in a careful blend of people with deep academic expertise — a quarter of our people have PhDs— coupled with people from industry who know how to translate cutting-edge science into real-world products.”

    Dr Vikram Sharma, founder and CEO QLabs

    Monitor market feedback

    “The sales conversion cycle in cybersecurity is very long, not like selling software, so we’re focused on monitoring what the market needs. One strategic challenge we have is accelerating the conversion of the many proofs of concept out there across different verticals to sales orders. But you can’t say ‘yes’ to too many things relative to your resources, so we’ve become reasonably disciplined about which opportunities we pursue.”

    Peeyush Gupta AM FAICD, director QLabs

    Serious encryption

    A unique key for every access authentication is a must. But a short string of supposedly random numbers isn’t enough, because a cybercriminal with sufficient computing power can cycle through guesses until a match is found. Really long numbers are harder to crack, but when quantum computers become viable, their capability for cycling through calculations extremely quickly will be weaponised to break most existing security codes.

    “Governments are starting to say to big corporates: ‘You must get better defences for your data — you need to be ready for quantum computers’,” warns Nicholson. “JP Morgan lost tens of millions of customer records in 2014, and although they’ve caught some of the hackers, the records are probably sitting in a huge data warehouse somewhere being slowly decrypted. Quantum will speed that up.”

    QLabs is pre-empting the threat of weaponised quantum computers by developing a suite of security tools Sharma describes as “using quantum to fight quantum”. These tools are built on a foundational technology called a qStream Quantum Random Number Generator (QRNG), which produces unpredictable random numbers at a rate of one gigabit per second by measuring the state of electrons quantum tunnelling through a diode.

    “Normally, a diode is on or it’s off, it’s a one or a zero,” says Sharma. “However, in a tunneling diode, even when it’s off, some electrons will punch through the barrier and out the other side at complete random, determined by the laws of quantum physics. So we found a way to measure that electron tunnelling and then translate it into true ones and zeros at high speed.”

    These numbers can be used for security applications such as encrypting data and protecting digital signatures. The QLabs’ offering includes a software stack for managing how those numbers are used through an advanced key and data security policy management system. The company is also a pioneer in an emergent technology known as quantum key distribution. Collectively, these products provide the capability to robustly protect data while offering defence against tomorrow’s quantum-enabled adversaries.

    “We are the world’s fastest generator of pure random keys,” says Peeyush Gupta AM FAICD, who helped Sharma establish QLabs and now serves on the board. He’s also a non-executive director of NAB and SBS, among others. “We can generate quantum keys, but you also need a mechanism to distribute them. To do that safely, we apply the Heisenberg [uncertainty] principle, which some people will remember from high school physics — if someone looks at a quantum state, the act of looking at it changes it. So when we transmit potential encryption keys, we can tell if someone eavesdrops.”

    World-leading research in Canberra

    Sharma was working in Canberra, contracting to the federal government, when he was accepted into Stanford University’s Sloan Fellow program, which aims to develop future business leaders and teachers. “There were 48 in my cohort, many of them Fortune 500 company-type people being groomed for CXO roles, plus half a dozen entrepreneurial jokers like myself,” says Sharma. “Actually, it was quite amazing how much these folks from larger organisations, who’d be in charge of

    multibillion dollar-budgets, were intrigued by and respected the entrepreneurial journey.”

    After the Sloan program finished, Sharma sat in on PhD classes for quantum physics at Stanford. The sessions reignited an interest in quantum physics, which he’d briefly studied as an undergraduate. “What intrigued me was the fact we were on the cusp of being able to engineer quantum effects that don’t exist naturally, which could form the basis of new capabilities like quantum computing,” he says. “I started searching online for leading research groups exploring the application of quantum to cybersecurity, and found a group at ANU.”

    Sharma joined a research team at the ANU Department of Physics, headed by Dr Ping Koy Lam — winner of the Eureka Prize in 2003 for his outreach activities on teleportation research — to investigate how the laws of physics could be applied to cryptography. In 2006, the team’s breakthrough in quantum cryptography — using laser beams to transmit secret data keys — won the Eureka.

    Sharma founded and was appointed CEO-elect of the commercial entity seeded by the research, QuintessenceLabs. Quintessence has several meanings. Ancient Greek philosophers coined it to describe the fifth element — a “sublime, pure and perfect substance or energy”. For cosmologists, it is a real form of energy distinct from radiation, normal matter or dark matter, which behaves in novel ways, including being repulsed rather than attracted by gravity, thus accelerating the expansion of the universe.

    Dr Vikram Sharma

    Building a globally-scalable business

    QLabs began commercial operations in 2008 when it secured seed funding of $2m — half from a consortium of investors, plus matched- funding from the Department of Industry. It then formed a board with Peter Shergold AC FAICD as chair (previously Secretary of the Department of Prime Minister and Cabinet), Gupta and Sharma.

    “They say raising capital is all about timing, so it was a particularly difficult time during the GFC,” says Sharma. “We always knew QLabs [was going to be] a global play, so the funding from the Department of Industry was instrumental in supporting our growth ambitions.”

    That seed funding helped QLabs gain an embryonic US presence at NASA’s Ames Research Center — and to hire C-level executives with serious cyber credentials, including CTO John Leiseboer (ex-RSA/ EMC, Boeing and HP), and COO Mark Crowley (who had worked in the US defence industry with Lockheed Martin and General Electric).

    “Starting up with high-quality US talent was a big investment, but it allowed us to build a credible presence in the US, the world’s biggest cybersecurity market,” says Sharma.

    Nicholson was chief strategy officer at Westpac when Sharma was introduced to him as someone who could explain quantum computing. “Instead of talking about quantum, Vikram spoke about his business, because he’s an entrepreneur,” says Nicholson. “He was clearly the real deal. He was talking real science, had a real business idea and the toughness and passion to give it a really good shot.”

    Westpac took a 10.8 per cent stake in QLabs in 2015 — invested on the bank’s own balance sheet rather than through its VC fund, giving Westpac access to security innovations developed by QLabs. Nicholson joined the board as a director that year, becoming chair in 2017, when Westpac increased its stake to 16 per cent. He was subsequently joined on the board by Dave Curran (ex-CIO at Westpac) and David Walker (ex-CTO).

    In September 2021, QLabs raised more than US$20m in a major growth capital round which brought total investment in the company to US$45m. Currently worth around US$218b, the global cybersecurity market is projected to grow to US$345.4b by 2026.

    The QLabs board estimates the company’s total addressable market across three sub-sectors — enterprise key management, quantum random number generation and quantum key distribution — is worth around US$27b, and it could feasibly service an actual addressable market worth about $10b.

    Keeping IP and its value in Australia

    Nicholson admits it’s hard for early movers in an emerging market such as quantum technology when most potential customers have a “wait and see” mindset. “I’m proud of the team’s strength and resilience to build on an idea that’s well ahead of the huge wave coming in quantum,” he says. “We’ve been recognised for that by big flagship customers, including NetDocuments and JP Morgan, and by getting on the approved list for the US Department of Homeland Security. We can see the investment gain of quantum is massive, but it’s only been in the past couple of years that the conversation has moved from ‘never heard of it’ or ‘it’ll be interesting in 20 years’ to ‘we need to get ready for quantum’.”

    Huge investments in quantum computing by tech giants such as Google and IBM help improve awareness, although it irks Sharma that tech companies in Australia often have to relocate overseas to earn their stripes. QLabs deployed a proof of concept of its quantum key distribution network to the Australian Department of Defence in 2019, and Nicholson would like to see more government agencies become early adopters of Australian innovations.

    “If you look at countries that have achieved success in tech, they’ve done it through domestic adoption,” he says. “In Australia, we often see procurement policies favour large international players. We’re not suggesting adoption of inferior technology, but where the tech is fit for purpose and globally competitive, there should be vehicles to allow domestic procurement to occur more easily. The government has good programs to support R&D, which QLabs has been a beneficiary of. It could further help by providing pathways for early adoption of Australian technology.”

    Gupta adds that another challenge for Australian innovators is that the interaction between academia, government and business isn’t as well developed here as it is in the US or the UK. “It makes it a lot harder to commercialise tech out of Australia,” he says. “We’re actually very fortunate to have a relationship with Westpac so we can build solutions in Australia and keep the value here.”

    “We’re proud our R&D occurs in Australia,” adds Sharma. “We’re ideologically driven to build this capability and have the economic benefit captured in our country. Our journey may have taken longer because of that choice, but it has been a conscious choice.”

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.