T-Minus: Space-Cyber Briefing 7.12.26
Ep 715 | 7.12.26

Preparing space for Q-day.

Transcript

Eddy Zervigon: Well, I've got to tell you, I'm a little concerned because I don't see the attention from a security standpoint on some of these big, big space projects that we're seeing. I'm not seeing the level of attention that I'm seeing in other -- call it on the fed side of "fed/civilian" -- in DoW. It's really beholden on us to kind of really stress this and make sure that, especially as satellites are considered critical infrastructure, that they fall under some of the governing bodies -- if you will, the regulatory environments regarding critical infrastructure -- that are really pushing this kind of post-quantum mandate.

Maria Varmazis: Welcome. I'm Maria Varmazis, and you're listening to "T-Minus: Space-Cyber Briefing." In this show, we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects, and connects our lives. On June 22, 2026, the Trump administration issued an executive order titled, "Ushering in the Next Frontier of Quantum Innovation." Its goal is to strengthen quantum technology development in key U.S. agencies and industries. Space technology got a specific call-out in the "Quantum EO" as one might shorthand it. In my chat today with Eddy Zervigon, CEO of Quantum Xchange, we focus on space-specific cyber considerations for when we officially enter a post-quantum world, and that day is coming fast. How can an industry that, historically, has not exactly been known for its agility, keep ahead of fast accelerating risk? That Q-day in the mirror is, indeed, closer than it may appear.

Eddy Zervigon: Eddy Zervigon, CEO of Quantum Xchange. I've been in the role for about six years. Prior to that, I was a recovering banker/investor at Morgan Stanley, where I spent the better part of 15 years investing in what I would call "transformational technologies," companies like DigitalGlobe, which became Maxar, which was the first high-resolution, commercially available satellite imaging company. Another company that's been in the news a lot lately, Bloom Energy. I was an original investor back in 2007 when I was with Morgan Stanley investing in the need for distributed power generation, which is now, really, coming full circle as AI data centers take the front page in terms of the need for distributed power. Then when the opportunity about six years ago came about to take over as CEO of a company that I had been previously an investor in, I really jumped at the opportunity, not knowing exactly when the market would materialize, but knowing that it would be the most consequential transformation in the digital economy that, certainly, we've seen in many, many years and excited to be a part of it with what we think is superior technology.

Maria Varmazis: Oh, fantastic. Well, Eddy, I'm so excited to be speaking with you because the timing is just perfect. Given your area of expertise and what's been going on in current events, the executive order that recently came out about quantum was huge, not just on the cybersecurity side, but also on the space side. I'm wondering if you could maybe give me a bit of, given your area of expertise, some context around this EO, and, you know, why now? Why is quantum suddenly getting all of this emphasis? I mean, it's not a brand-new thing, but, you know, why, in this moment, is this happening?

Eddy Zervigon: Well, I think, obviously, 2016 NIST was kind of in charge -- or charged with the task of kind of figuring out the next algorithms that will take us into the post-quantum age. You know, you have to take a step back and realize that it's an incredible technological run that for 50 years, basically everything that we do in the digital world has been secured by, essentially, three algorithms. They have changed a little bit over time, but essentially, there are three algorithms that have kind of underpinned our security in that period of time. It's an extraordinary technological run, but unfortunately, for us, the kind of compute capabilities that quantum brings into the equation now are exactly the compute capabilities that will eviscerate asymmetric encryption, which is what we've relied on. NIST 2016 was in charge with looking at, okay, what are going to be the algorithms that are going to take us into the next generation, if you will, of encryption? The first one was approved in 2024, which was ML-10 -- ML-KEM-1024, and then HQC was added last year. Now you're starting to see the actionable algorithms come into play, right? Prior to that, you couldn't really do anything because there wasn't a NIST-approved algorithm. So as it relates to the federal government, which would be probably closest to understanding the severity of the problem, right, they are now actionable. I think it really took us into overdrive last summer with DeepSeek and the release of DeepSeek, and I guess, the new understanding that maybe the other side of the ledger was much more advanced, if you will, than we had previously given them credit for.

Maria Varmazis: Yeah, yeah, I know I'm jumping around a little bit, but I'd love for you to speak a little bit about that, too, before we get into, sort of, what this all means for space and such. Broadly, the landscape of quantum right now, where are the United States compared to maybe our adversaries? Where are we? Are we about only even playing field, or does it seem like we're falling behind?

Eddy Zervigon: Well, unfortunately, like many problems that have some specific date, this one does not. We don't know where our adversaries are. We just know they're probably a little further advanced than we gave them credit for, and they're also spending a lot of money towards it, right, much more so in the recent past to what we have spent here in the U.S. That combination is not a not a good combination for us. You know, I was listening to Nikesh Arora's earnings call a couple of weeks ago where he talked about Mythos and using Mythos and the realization that 30% of the Mythos false positives, right, from a cyber perspective still require attention. When you think about adversaries, they only have to be right once. On the defense, you've got to be overwhelming in terms of your response. That's created a rather long, long pole in the tent in terms of what we need to solve for, but suffice to say, when the adversary has the capability, they will not be broadcasting it to the world.

Maria Varmazis: Absolutely makes sense, yeah, appreciate that. Let's bring it to the space domain and drill in a little bit there. I imagine for some of my listeners who are maybe less aware of what's going on within the space domain regarding quantum and quantum communications, they might be thinking of space as sort of just a transport layer. Can you give me a sense of the very broad implications of, you know, quantum for space? Let's just start there and then drill into where we're going with this.

Eddy Zervigon: As it relates to the security aspects to it, there are a couple of threat vectors that kind of surface, one is the ability to authenticate the space assets, meaning there are going to be a lot of interspatial communications between satellites, right, inter-satellite communications that need to be authenticated. Are you really talking to who you think you're talking to and not being spoofed, right? That's not even getting to the ground. Then, obviously, the comms between the satellites and the ground station are ripe for an attack. Why? Because we know exactly when the satellite is going to actually do the handshake, if you will, from a cryptographic perspective, because it's when the ground station and the satellite can communicate. Then you have from the ground station in which is also another vulnerability. The biggest issue with space is that unfortunately, like a lot of terrestrial networks, you can't send the Maytag repairman up to fix the encryption. The encryption that's on the satellite when it's launched is what it's going to have. Many of these satellites are long-lived assets that need to be up there for a while, and others are rather short lived, so it's less of an issue. Any meaningful constellation up there has to consider post-quantum crypto and the agility that you're going to need to meet these threats as they come due.

Maria Varmazis: Truly, so, yeah, how do you essentially future proof something like that, that has a lifespan in terms of not just years, but potentially decades?

Eddy Zervigon: Yeah, that's -- you know, it's a really good question because many people throw around the term "crypto agility," and crypto agility means, you know, the ability to handle new not only threats, but new algorithms as they come due. NIST has another -- something like 44 algorithms that are still in review that could be approved. It's clear to me that they don't think this is a one-and-done, set-it-and-forget-it, whatever you want to call it. This -- again, unlike the last 50 years, is going to be an evolving threat that we're going to have to meet head on. Therefore, as I like to articulate not only internally, but with our team, but also as it relates to customers and thought leaders on the subject, this is an architectural problem. It's not a math problem or physics problem, and if you treat it as a math problem, then you're beholden to the algorithm that maybe today works but it might not work tomorrow. Even then, you might have to change. ML-KEM-1024 might become ML-KEM-2048, and what do you do in order to be able to change, but more importantly, be able to do this at scale without bringing down the network? Much of what we talk about is what is and what is not crypto agility? To us, what crypto agility is, is the ability to manage your cryptography without affecting your network. In other words, I like to simplify it by saying what we do is, "in-air refueling of the jet." The jet doesn't have to land in order for it to be refueled and then take off. We can accommodate changes in algorithm, audit, auditability, automation, anything that needs to happen that when you have a management plane, that is now taking over your encryption. That's what we do. We create a management plane by separating key generation and delivery from the data plane and putting in its own control plane, much like we did with identity and access management years ago.

Maria Varmazis: Now that we have a sense of, perhaps, what needs to be done in a post-quantum world for space cybersecurity, let's take a quick break now. When we get back, we'll pick up on policy-wise, what needs to happen next? Stay tuned. [ Music ] And we're back. Let's continue on with my conversation with Eddy Zervigon, CEO of Quantum Xchange. I'm thinking agility is not often a word that we hear in the context of anything space related, which is a shame, and I know people are really working hard to change that, but it's the reality of the years it takes to get a mission into orbit. It's a fascinating challenge of when the on-the-ground reality is changing so fast, how can these systems that take so long to make and stay so long on orbit, how can they possibly keep up? It's certainly not a hopeless situation. I just -- it's a fascinating adaptation that systems that we're all interacting with have to make. I'm wondering, also, about what other unique challenges our space systems are dealing with in the context of quantum that maybe we haven't mentioned? Is there anything else that our listeners should know?

Eddy Zervigon: Well, I think, also, I think what I spend a lot of time in D.C. advocating for is to align budget with the problem, right? I think this problem has come much faster than anyone previously thought, and what I mean by that is I think people are starting to realize that, yeah, sure -- I mean, five, six years ago when I started, I would have a conversation with a CISO, and we'd spend the first half hour of the conversation talking about quantum computers and why the threat, the ability to be able to back into the private key from the public, all that stuff. Now it's not that at all. Now it's, basically, how do you fit into my network exactly?

Maria Varmazis: Right.

Eddy Zervigon: I think a much better conversation to have, and as you get to federal agencies, whether it be civilian, Department of War, it's clear that there's a recognition of the threat that's there. Now we need to align federal budget to it. Given the dysfunctionality in our federal government right now, my worry is -- my biggest worry is not that people understand the problem and are willing to do something about it, but the lack of funding in order to move this forward. I can't see a bigger issue, certainly, with regards to the federal government and soon-to-be critical industries, such as health care, financial services, critical infrastructure, but first, the government, right? They're the closest to the problem. They understand the threat, and so, we need to get money behind the understanding in order to really make this work.

Maria Varmazis: I'm wondering, did you find the executive order to be a heartening sign, or is it just not enough of a concrete move?

Eddy Zervigon: Well, I mean, obviously, executive orders are on the executive side of things, right? They don't control the purse strings. That's up to Congress.

Maria Varmazis: Yeah.

Eddy Zervigon: I think it stresses the severity of the problem. We moved the timeline here from 2035 to 2030. I think that's a pretty good indicator of where they think directionally this is going, so now we just need Congress to match that from a budget perspective. It doesn't take a whole heck of a lot of money, especially if you want to do it right, and you want to do it in a way that gives you, as you mentioned, maximum flexibility in the future, which is everything. The last thing you want is to have to put in place a whole system that needs to be ripped and replaced at some point in the future.

Maria Varmazis: Yeah, absolutely, and I'm wondering, also, the takeaway for folks in the space industry about, essentially, future proofing, if one can really do such a thing, but building in that agility. What do you think that folks in the industry should also know?

Eddy Zervigon: Well, I got to tell you, I'm a little concerned because I don't see the attention from a security standpoint on some of these big, big space projects that we're seeing. I'm not seeing the level of attention that I'm seeing in other, call it on the fed side, "fed/civilian" and DoW. The first thing is we've got to now convince them that, hey, this is something that needs to be done now and then start thinking about our architecture. As I mentioned, once you launch a satellite, it's really tough to correct things because, obviously, you can't get up to the satellite to do the physical changes that need to be made.

Maria Varmazis: That's right.

Eddy Zervigon: I think it's really beholden on us to kind of really stress this and make sure that, especially, as satellites are considered critical infrastructure, that they fall under some of the governing bodies, if you will, in regulatory environments regarding critical infrastructure. They're really pushing this kind of post-quantum mandate.

Maria Varmazis: That's a fascinating, fascinating point there. Eddy, I want to be mindful of your time. If there's anything else you want to leave our audience with before we close out, the floor is yours.

Eddy Zervigon: Yeah, no, I think it's been a great conversation. I really appreciate your taking leadership and ownership on this very, very important issue, especially as it relates to space, because of exactly the points that I make, which is you can't send the Maytag repairman up there to fix it once it's done. It's really, really important that we get it right and we get it done soon because it's not going to be too long before we have this deadly combination of AI and quantum getting together. As I like to call AI, "the brains," and quantum, "the brawn," and really, create a -- wreaking havoc on our digital world. Anything that we can do to further the case that architecture is what ultimately will guide us, I think, is time well spent and money well spent.

Maria Varmazis: Well, Eddy, thank you so much for speaking to me and our whole audience about this. This is an extremely important topic. I greatly appreciate your time and expertise on this, so thank you so much for joining me today.

Eddy Zervigon: Thank you so much, Maria. I really appreciate the time.

Maria Varmazis: That's "T-Minus: Space-Cyber Briefing," brought to you by N2K CyberWire. If you like what you heard today, you will also enjoy our newsletter, Signals and Space. You'll get research and notes pulled together by our producer, Ethan Cook, and me, along with this week's top space cyber news stories. Subscribe by visiting thecyberwire.com/newsletters. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing cybersecurity landscape. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to space@n2k.com. We are proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection, we bring you the people, the technology, and the ideas, shaping the future of secure innovation. Learn how at n2k.com. Thanks for listening to "T-Minus." I am your host, Maria Varmazis. This show is produced by Ethan Cook and Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our Executive Producer is Jennifer Eiben, with Content Strategy by Ma'ayan Plaut. Peter Kilpe is our Publisher. See you next week.