Is My Crypto Secure?
FDD's Dr. Samantha Ravich and Retired Admiral Mark Montgomery discuss cybersecurity threats to cryptocurrency, ransomware, Russia, the Biden Administration’s recent Executive Order and much more!
The following is a transcript of today’s Cryptonite episode. Subscribe to the podcast to listen to future episodes in real-time.
0:00:11.2 Rich Goldberg: And welcome back to Cryptonite. I'm your host, Rich Goldberg. A lot's going on in the crypto space since our last episode, so let's dive right into the headlines, shall we? Wall Street Journal headline, "US Agency Links North Korea Crime Ring to $540 Million Axie Infinity Crypto Hack." Lazarus group has allegedly stolen nearly $2 billion of crypto since 2017. I think we're going to talk a little bit about this issue with our guest today. More to come on that later. Fox Business. "Biden administration moves on taxing, regulating cryptocurrency." The Biden administration has targeted digital assets in its federal budget proposal and separate executive order. The Biden administration's proposed budget for fiscal year 2023 would increase IRS reporting requirements on digital assets, and change tax laws for cryptocurrency dealers and traders, to net an estimated $11 billion in revenue from 2023 through 2032.
0:01:07.5 RG: Cointelegraph: "Brazilian Senate announces incoming approval of the Bitcoin law." The law will allow the president of Brazil to designate or create a regulatory agency to oversee the crypto market. The bill regulating the cryptocurrency market in Brazil is expected to be approved by the National Congress in the first half of this year, according to Cointelegraph Brazil. CBS Sports. "Cowboys' Jerry Jones announces first-ever NFL partnership with cryptocurrency company." "Blockchain is one of the oldest and most trusted digital asset platforms in the world, has easy-to-use products and remains relentlessly focused on customers," Jones said, via press release ahead of a press conference to announce the partnership. It does? "They are bringing Wall Street to Main Street by making digital assets available to anyone, anywhere in the world, and that's a touchdown for our millions of global fans. We take pride in being the first team in the NFL to sign an official cryptocurrency partnership, and are proud to venture into this innovative business with blockchain.com."
0:02:13.9 RG: That definitely provokes a big, "Hmm" from me on that one. I don't see the connection, but wonderful. Perhaps Jerry Jones or the Cowboys will come on the podcast and we'll learn more about this incredible partnership between an NFL team and a cryptocurrency company. Here's a headline. Wikipedia community votes to stop accepting cryptocurrency donations. More than 200 longtime Wikipedia editors have requested that the Wikimedia Foundation stop accepting cryptocurrency donations. The foundation received crypto donations worth about $130,000 in the most recent fiscal year, less than 0.1% of the foundation's revenue, which topped $150 million last year. Reuters. "The Manhattan District Attorney's Office has charged a New York man with operating dozens of unlicensed Bitcoin ATMs, saying he promised anonymity to customers who exchanged $5.6 million for the cryptocurrency between 2017 and 2018."
0:03:12.2 RG: This from Bitcoin Magazine. "KuCoin, a leading cryptocurrency exchange, recently released a report titled 'Into The Cryptoverse' where they discussed the penetration of Bitcoin and other cryptocurrencies into populations of varying countries. Most notable among them is Nigeria, 35%, 33.4 million of its adults aged 18-60 owned or traded bitcoin or some form of cryptocurrency in the last six months." That is interesting.
0:03:42.3 RG: NBC News with a feature on restaurants around the country taking crypto. And the most hilarious headline I've seen so far comes from, you guessed it, the New York Post. "Bitcoin fans are psychopaths who don't care about anyone, study shows." Real headline. "The average Bitcoin investor is a calculating psychopath with an inflated ego, according to scientists. A team of experts recently surveyed more than 500 people to uncover the personality traits that are the most common among crypto nuts. They identified that many investors exhibit signs, a group of four unsavory traits made up of narcissism, Machiavellianism, psychopathy, and sadism." Wow. In plain English, that means they have an inflated sense of self-importance and derive pleasure from the pain of others. This is a real news article in the New York Post, a gift to America. Thank you.
0:04:36.8 RG: And those are the headlines for the week. Now on to our special guests. Dr. Samantha Ravich is the chairman of the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation, and its Transformative Cyber Innovation Lab, and the principal investigator on FDD's Cyber-Enabled Economic Warfare project. She is also a senior advisor at FDD, serving on its advisory boards for the Center on Economic and Financial Power, and the Center on Military and Political Power. Samantha serves as a commissioner on the congressionally mandated Cyberspace Solarium Commission, and as a member of the US Secret Service's Cyber Investigation Advisory Board. She was Deputy National Security Advisor for former Vice President Dick Cheney. Following her time at the White House, she was a Republican co-chair of the congressionally mandated National Commission for Review of Research and Development Programs in the United States Intelligence Community. She most recently served as a vice chair of the President's Intelligence Advisory Board and co-chair of the Artificial Intelligence Working Group of the Secretary of Energy Advisory Board. This goes on. Very impressive. Great to have Dr. Ravich with us today.
0:05:44.6 RG: And Mark Montgomery, retired admiral, serves as senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies as well, where he leads FDD's efforts to advance US prosperity and security through technology, innovation while countering cyber threats that seek to diminish them. He also directs CSC 2.0, an initiative that works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he served as the commission's executive director. Previously, he was policy director for the Senate Armed Services Committee under Senator John McCain, coordinating policy efforts on national security strategy. He served 32 years in the US Navy as a nuclear-trained Surface Warfare Officer, retiring as a rear admiral in 2017. His flag officer assignments included Director of Operations J3 at US Pacific Command PACOM, Commander of Carrier Strike Group 5, embarked on the USS George Washington station in Japan, and Deputy Director for Plans, Policy, and Strategy J5 at US European Command.
0:06:53.5 RG: Dr. Ravich, Samantha, Admiral Montgomery, Mark, welcome to Cryptonite. So as our listeners know, I like to start with the basics to make sure we're all on the same page on some of the concepts here. There is a policy debate going on obviously about data privacy and security in this increasingly digital age and enter cryptocurrency proponents and they'll say, "Listen, this is the most secure you're going to have for transactions. The blockchain technology," etcetera. Move into cryptocurrency. One of the arguments is for security. How do you view the safety, the security of cryptocurrencies right now, given all the cybersecurity threats you've been focused on?
0:07:34.6 Dr. Samantha Ravich: I don't think very highly of it, right? When you see $2 billion of cryptocurrency stolen over the last year from exchanges, and it's ticking up as there's more money sloshing around in the system. What's that famous... Willy Sutton, right? Why did he rob banks, because that's where the money is. Well, that's why the focus on crypto platforms. And look, Rich, there's a few things... I think there's a lot of confusion out there that people equate somewhat of anonymity of being able to use these platforms with some more security, and that's kind of a false assumption. The same type of security and cybersecurity risks that happen in any other digital type of platform happen on crypto exchanges, right?
0:08:26.1 DR: So, you have your software, and software at the platform level, software at the wallet level, some hardware as well, vulnerabilities, all the things that your listeners read about in the press, whether it's a healthcare company that got hacked or critical infrastructure, hardware and software still have vulnerabilities. Same as on the platforms, and the human element. So the same human elements that create lots of vulnerabilities in every other aspect create them there on crypto platforms. So a couple of things to think about that really, I think, drive home this point. So there was a recent, one of the big recent hacks of a cryptocurrency platform, Ronin, right? It happened a couple of weeks ago, a month ago, whatever it was. It was kind of a play-to-earn game, but it had a cryptocurrency element to it. And they got a big influx of users. And so, what did the platform do?
0:09:35.4 DR: Well, it was getting slowed down by this huge influx of users on the platform, and so they made their security less rigorous, right? Because that sped up the platform. [chuckle] And that's when the hackers came in. So, it was a human decision on this cryptocurrency platform that then led to $625 million of crypto being stolen. So, we can dig into more examples if you like, but the crypto platforms are not really regulated. They're often set up very quickly, there's over a thousand cryptocurrencies available today, no real oversight, no real standards, kind of a get rich quick mentality and look, once you get hacked, it's really hard to get your money back, right? And we'll talk about the tracking...
0:10:28.2 RG: Yeah. And I want to talk about that for sure.
0:10:31.2 DR: Yeah. Yeah.
0:10:31.9 RG: But this is really intriguing to me because I do see... We start our shows with headlines, and a lot of our headlines have been these hacks of wallets and big seizures that are being reported, a lot of money being stolen. And I don't see that kind of headline, or maybe I'm just not looking at it. I've never been afraid that my Chase account is about to be hacked or my bank... I feel like the big banks have invested so much in cybersecurity, absolutely, they're always facing attacks, etcetera, and you know this better than I do, but are we almost more vulnerable right now on the cryptocurrency exchanges and wallets just because it's newer and they haven't started investing in cybersecurity tools?
0:11:10.7 Mark Montgomery: I first want to stipulate that you're right. That of our national critical infrastructure, Financial Services and very specifically the top seven or eight banks have made significant investments in cybersecurity. And most of those top seven or eight banks, it's almost a billion dollars a year in cybersecurity. Now, that doesn't guarantee security, but it does mean they've made the investments you expect to see. In fact, you go in their op-centers and it's like a three or four-star op-center, kind of makes you blush as a military officer to see how well they look and run. But that does not mean they're completely safe, and the reason they've made these investments are, it was a risk management decision, or risk mitigation decision, because they were penetrated in the past. And I believe they're still penetrated. So there is risk there.
0:12:01.2 MM: Now, on the good side, you are in those banks, you have the protections afforded to you normally under banking insurance, your normal banking insurance policies and regulations. But on top of it, they're usually not going after the individual accounts in these steps, they're taking money as it moves around broadly within the larger banks. I don't think that the cryptocurrencies are necessarily less secure than the big banks, I just think it's a different type of... It's a security plus the insurance, plus the backing of the bank that I think gives you some level of comfort with having your money in the bank, that probably in total means you're managing your risk a little better. But the banks are making investments. By the way, they are the exception. Dr. Ravich and I have written a lot on different infrastructures that are absolutely not protected, like our major banks. Whether we're talking about water, pipelines, healthcare, the list goes on, maritime transportation security sector.
0:13:06.9 MM: I mean, there's a lot of areas that aren't as well protected as the banks, but I do think the banks do a good job, but they're not perfect, and there are penetrations of banks, and I believe there's theft inside those banks. I just don't think it's at the level that the criminals would want.
0:13:21.9 RG: We've talked a lot in past episodes on the discussion that the Fed has now jumped into the digital dollar, much like other governments we're seeing probing, testing out the Central Bank digital currency approach. What would a cybersecurity risk look like in moving towards the "digital dollar?" I know we already have a digital dollar, but the digital dollar that is envisioned by a Central Bank digital currency approach.
0:13:50.0 DR: They're taking baby steps towards it, right? We don't want your audience to think that the Central Bank digital currency is standing up tomorrow. The Boston Fed did its pilot on it, and it did pretty well in terms of the number, and I can't recall the exact number of transactions per second, they were able to show that they were able to do it, but did a really good job, but that was a very, very limited time pilot. It was not millions, tens of millions of transactions every second of every hour of every day of every year. Even the Boston Fed will say there's a lot more work to be done on that.
0:14:31.4 DR: Are they using cyber-informed engineering to actually create the platform? I think they're thinking about it, but right now, I'm not sure that's where the focus is. The focus is, can it handle the pace of transactions and do it to what the government needs in terms of visibility and allowing the players and the banks to adequately comply for compliance purposes, but I think there really is a hard question on cyber-informed engineering for a new Central Bank digital currency that I just don't think it's getting as much of the intention as it needs in these very nascent steps that the Fed is taking.
0:15:18.3 RG: Yeah, we had Michael Greenwald on a few episodes ago. He's gone on now to lead digital asset strategy for Amazon as they're looking at the cloud and its role as cryptocurrencies become larger and larger and the potential for Central Bank digital currencies as well. I would imagine cloud security, a big issue, obviously across the board, but obviously even more now. As he put it, cryptocurrency isn't currency, it's data.
0:15:44.9 MM: We are becoming very concerned about this. Look, a lot of SolarWinds was executed from cloud service providers, in other words, the command and control utilized cloud service providers. In fairness, cloud service providers would tell you, we provide the exact security our customers pay for, we offer a range of security. The problem is the floor of the range of security is pretty low. In other words, you can buy a low level of security. So if someone cuts corners by not paying for a high level of security in their cloud service provider, you're going to expose yourself to risk. And so, to get to the broader question, we probably need... And I don't know if it's regulation or if it's an industry-led standardization but we have to establish a floor for a cloud service... The security inside the cloud, and if we do that, everyone will benefit, including whether you're a cryptocurrency, a small or medium-sized business, whatever it is, but if we don't set that floor high enough, then the adversary will be taking advantage and the cloud service providers need to have better security of their own systems, and then they need to offer better security to their customers.
0:16:55.0 RG: I want to shift a little bit to ransomware attacks and the actual hacks that we're talking about. From a one-on-one perspective, what's ransomware? What is a ransomware attack?
0:17:06.6 MM: Ransomware is effectively... It's the monetization of data. What happened originally, if you went back 25 years ago, almost all the criminal activity was against companies that had money, that had something, money maintained in an electronic status so that you could conduct cyber malicious activity to steal it. What's happened since then is that the criminals, they're an innovative, creative group, have figured out, "Hey, we can monetize data and we can do it four different... I know of at least four different ways." The first is, they can go in and take control of your business operations, and we'll talk about what take control means in a minute, but take control of your business operations, in other words, your ability to send a payment out, your ability to inform one part of a company what another part of the company's done. That's what happened at Colonial Pipeline.
0:18:02.3 MM: The second piece of ransomware is, a second level of effort ransomware, is to take control of your field operations. I could take control of your electrical power grid, open breakers, shut breakers, or give some kind of command signal. Or maybe I could give a command signal to start all your pumps and shut all your valves on a pipeline. That would not be good, because the relief valve would lift and lots of propane or oil or whatever is in that pipeline will spill. A third thing I could do is I could grab the PP... The personal, private, the data, the credit card billing data and everything from your customers and threaten to sell that online. And of course, the fourth thing I could do is I could go into the emails of your CEO and his general counsel or her general counsel and reveal all the embarrassing information that the two of you pass back and forth to each other about upcoming issues in your company, so reputational damage.
0:18:50.4 MM: So ransomware, any of those four different things are exploits that could happen through ransomware, and ransomware is effected by criminal actors, and this is what's so scary, it doesn't have to be the gifted malicious cyber actor, and an average cyber actor can get a tool from a ransomware-as-a-service provider, which is a company that basically you pay for the use of their malware, which they then give you and you utilize against the company. It's usually exploiting a known flaw in a software product used by that company, and then you penetrate the system, or if it requires a phishing tool, you send emails out to employees with a link to allow you access to the network. That is, in I think 46%, so nearly half the cases that we know of in ransomware that we've done the forensics on, a human, an employee, initiated it through response to a phishing email from the criminal. And they penetrate the system and take control and then block the access of your IT administrators to that part of your system. And again, it could be your business operations, your field operations, your financial data, or your email systems, or it could be all of them.
0:20:12.0 RG: So there are these people, they're... Where are they? They're on the dark web selling this stuff? These are the initial access brokers, the middle men of the attacks, that are selling the ransomware as a service.
0:20:23.6 MM: Yeah, the ransomware as a service providers are, that's where they're operating in the dark web, and they're providing these tools to cyber malicious actors who then utilize them to penetrate your system. Just so you know, where they're physically located, they could be in the United States. I think we've identified, our law enforcement, 150, and I use this term loosely, families... I don't want to make them sound like the mob, but that's the term they use, the most famous of which happened to be in Russia, and that's not by accident. First of all, if I was a ransomware as a service provider, I'd definitely be in a country that doesn't have good extradition agreements with Interpol countries or the United States. Just so in case I do something, I'm not going to be extradited too quickly.
0:21:05.3 MM: The ones in Russia are either enabled or assisted or directed or supported. It depends on each case, and it depend... It's temporal. But by the Russian government. So on occasion they do the bidding of the Russian government. On most occasions, they do the bidding of their own cryptocurrency wallet, they do this for money, but on occasion they do... They're certainly harbored and sheltered by the Russian government. The degree to which they're provided assistance or do the bidding depends on a case-by-case basis. So that's who they are and what they do, and that's why they're hard for us to knock out. It doesn't mean we haven't done things to them. I believe we have. There's a direct corollary between DarkSide and REvil, the larger groups, going offline after conducting activities where the United States said, "We're going to do something about this." And then shortly thereafter, they're offline for periods of time. So I think we did something about it, but generally speaking, they're sheltered and harbored.
0:22:01.9 RG: And that pertains the ability to track people in some way, and I guess this is sort of the what do you do about this, how do you find out who's behind it, how do you track them down, and then how do you ultimately hold them accountable? Or is that not possible?
0:22:18.5 DR: It's possible. It has been done. Tracking is very hard, and it's very frustrating for people who have had... Let's go back to cryptocurrency, have had their money stolen out of their wallets and literally are seeing their money go from transaction to transaction and wallet to wallet, and they can't do anything about it. They're literally watching their stolen funds move. It's hard to track, but I think law enforcement and the intelligence community is getting better at it, and certainly as it comes offline, that last step, there's been some breakthrough technologies and breakthrough ways to get into the middle of it, but we're way behind the curve.
0:23:07.4 DR: And when you think about everything that Mark just said in terms of all the different ways that ransomware occurs, we go back to... We're thinking in our head, "Oh, it's just like ransom. It's just like somebody got taken hostage, and we're paying money to get that person back," but it's not a person that we're trying to get back. Oftentimes it's the device that is locked up. What we'd like to get to, and we have a program that explores this at the transformative Cyber Innovation Lab, through CCTI at the Foundation for Defense of Democracies about securing the data not the device. We'd like to get to a world where if your device got locked up, got taken hostage, you can take that, you can take your own device out in the back and shoot it.
0:24:00.9 DR: You wouldn't want to do that if it was a person. And your data is protected, not the device. And so how would that actually occur? How can we get one way to get ahead of what's going on right now in ransomware, and having your data and device held hostage. So what we did is look at how to promote post-attack resiliency, so you have to assume this is going to happen, bad guys are going to get into your system, they're going to get into your devices and they're going to be able to hold your data hostage. What we looked at is if you had a decentralized file system, so imagine instead of storing files and data on a central server that may become a single point of failure for an entire network, for an entire ransomware attack, you have a decentralized file storage system, so all the data is broken up into tiny little pieces.
0:25:05.3 DR: Thousands, millions, whatever it is, hashes, each little piece is encrypted and it only comes back together. And the fragments are stored in multiple locations. It only comes back together when you, the authorized user brings it back together to work on. That can happen in real time. So if your device, your computer, your whatever is held hostage, you shoot it, the data is not lost. So that's where we think one pathway to move towards is to secure the data not the device.
0:25:39.9 RG: A couple other actors that have emerged in this field that's almost becoming a cottage industry for some very entrepreneurial, we've seen data recovery services that will come out and say, "Hey listen, I can get your data back. Don't pay the ransom. Pay me, and we can work on getting your data back." Now, a lot of reports say that's all a scam potentially, and they're just taking the money and paying off the ransomers and then giving it back. Are you looking at any of those types of services? Is that something for people to be wary of or are some of those actually legit?
0:26:13.6 MM: First of all, Samantha, for the last three years has been arguing that we actually have to do an aggressive system of data backups where you are routinely on a daily or more frequently basis, if not perpetually updating a complete backup system. For critical infrastructures particularly, like the grids and pipelines and water distribution networks, that's critical. It costs money. That's kind of left of boom investment. First of all, if you've done that, then we don't even have to have this right of boom recovery discussion. But let's say you didn't do it, now you're right of boom and you're trying to do recovery, the first thing I'll tell you is the cost... I think it was IBM said that the average cost of a recovery event was five times the average ransomware payment.
0:27:08.3 MM: So even after you make your ransomware payment, there's a significant cost of recovery, so that's going to happen, and you have to prepare yourself for that, and you have to build that into your risk mitigation and management model. And routinely, even after you've been given... I think it's 30% of the time after you've paid the ransom, you don't actually get your data back. Sometimes because they just choose not to give it to you, which is a bad business model for them as criminals, and sometimes because they give it to you incorrectly, and sometimes because you take action with the codes too rapidly. But in any case, this idea of digital recovery after the fact is something you have to look into. I will tell you it's... I'm not going to say it's specious, I'm going to say it's very difficult to imagine it being cost-effective and successful, and I'd much rather people made the left of boom investment and backup, which in the end will be much cheaper than the right of boom investment in attempted data recovery.
0:28:07.4 DR: Yeah, I would absolutely agree with Mark. Mark has really been on the forefront and also just a hero in pushing smart ideas on data breach notification. What we don't want is all this happening in the private sector and to individuals, and the government doesn't have a full handle on what is going on. We can talk about Colonial Pipeline in a second if you want, but where things... There's been ransomware attacks, there's been payments that people tried to make, there's data that people are trying to recover, and we're not aggregating the attacks to learn from them, to break up networks of the bad actors that are doing it, to build technology and make us all more resilient, because people don't want to notify, and don't think they have to notify.
0:29:00.3 DR: One of the things that the Cyberspace Solarium Commission looked at is data breach notification. How do you make sure that it's right-sized for the right type of critical infrastructure, and the data is going back to the government so that the government can understand and make us as a society and an economy stronger without punishing the victim? Unless the victim is completely negligent, in which case, maybe you want to punish the victim so they won't be so negligent in the future, at least if you're talking about corporate entities.
0:29:32.4 RG: I do want to talk about Colonial Pipeline in just a second, because I think that's a great case study to talk about what we saw, what we learned, and are we adapting, but you said something earlier that I thought was really interesting about the technologies that we are rapidly trying to develop to be able to track some of these attackers, to disrupt some of these attacks, or at least go after them after the fact. And to the extent that that can be talked about publicly, I don't know how much of that is classified versus unclassified, but we see that 98% of ransomware payments have been Bitcoin accounts, at least till now. Are we going to see that shifting towards privacy coins? Are we already seeing that? Is the technology helpful that is being developed by law enforcement or the private sector helpful towards certain kinds of coins or exchanges and not others?
0:30:25.5 DR: I think it's too nascent to know if it's really going to be helpful, but why would criminals want their payment in something that can be tracked, certainly tracked by law enforcement. So that seems unlikely that the cryptocurrency in ransomware attacks is going to move to more stable coins that have more compliance and more ability for government to track and break up networks. But another interesting thing on this, and there have been real cases broken like this, the coders have signatures. Code from North Korea looks a bit different than code developed in China and code developed in Russia. It's one of the markers that at least you can start to figure out, as Mark was talking about before, the families, the clans that were involved in the attack in the first place. And so it's as much about going after the digital trail as it is the people trail, because at the end of the day, there is a person involved in it, or people, or people sponsored by hostile governments.
0:31:34.6 RG: It would seem to me, Mark has done this as well. If we know that a lot of people are hanging out in Russia conducting these attacks, or another country like Russia, then we should really be holding the state accountable. If Vladimir Putin doesn't crack down, if his law enforcement isn't cracking down, if he's in fact investing in it, if he's making money off of it, if he's sponsoring it, then this should be a major foreign policy national security issue for the United States vis-a-vis other states I would think.
0:32:05.1 MM: Well, first I agree, and to some degree, the Biden Administration agrees with you. They've definitely been trying to hold ransomware as a service providers accountable, despite the fact it requires us to penetrate Russian cyberspace. They have not been limited in their efforts to do that. There's been clawback of cryptocurrency, there's been mysterious pauses in the performance, in the availabilities. But ransomware as a service providers, I believe they've been doing something called persistent engagement or defend forward for some period of time. That only holds ransomware as a service providers accountable, although it does piss off the Russians that we penetrate through their system.
0:32:42.4 MM: In terms of holding President Putin accountable, back if you remember last June when they spoke, he kind of famously held up... President Biden held up the 16 protocol instructions, which I promise you is an unclassified document, don't worry, and said, "If you attack these things, I'm going to hold you accountable." They've continued to be attacked. There was a temporary pause, the Administration kind of squirmed. If you watched them on the Hill, some of them would say, "Well, we're not sure we're seeing any new Russian activity," and then others, particularly the FBI, would be much more direct and say, "Yes, we're seeing returned Russian support and enabling of these ransomware as a service providers."
0:33:19.4 MM: So I don't think we held them accountable. Ironically, right before the invasion, Putin did a small favor, and I believe it allowed one or two people to be arrested that we had accused of being ransomware-as-a-service providers, but I don't know what their case is. They certainly haven't been extradited. The confronting of Russia has not been a strong suit for the last four administrations, and surprisingly, in this area, it has not been successful either. I do think you're going to see a slightly more aggressive tone post the February invasion of Ukraine and how we deal with Russia on this, but I think that that reflects more on the change in our Russia policy and less on the concerted thinking about how to deal with ransomware and Russian enablement of it.
0:34:07.1 MM: And I want to say one other thing. Russia is not an isolated case. There's a reasonable argument that the North Korean government is basically a criminal cyber gang masquerading as a government. They get a significant portion of their usable international funds through cyber malicious activity. Some of it's ransomware, some of it's thievery, but they are full in on this, and we're working against them as well, but obviously, again, the North Korean government has not been helpful. In fact, I'll say this, that when we indict a North Korean military officer for malicious cyber activity in our country, not only does he not get extradited, I'm pretty sure the next thing is a visit to the presidential palace and the awarding of a medal, not any kind of punishment. So there are a number of nation states, and China's complicit in this as well. Basically, the normal series of bad guys, and Iran has a little bit of it going on only because they're copycats of the Russians.
0:35:06.3 DR: On the China side, and this is more data theft than ransomware, but of course, as Mark is, I'm sure maybe you too, Rich, I'm still pissed about the OPM hack from years ago, and we dug ourselves into a hole over this last decade or so in thinking about, "Well, if the Chinese steal my data, it's just a privacy breach," and somehow I have to prove damages that I was damaged by the Chinese stealing my data, but my data is my property. If we actually did more... And I think actually, this is where the Biden Administration and their executive order might be going down that path. If we really started always to think about a data theft, whether it's ransomware or a different type of breach, my data is my property, company's data is their property. You don't have to prove damages if your property is stolen. That's what it is, your property has been stolen. At least we have to get our thinking right. Would that change the minds of the North Koreans or the Chinese or the Russians? No, but at least we may as a society not stand for certain things that we have stood for for too long.
0:36:22.9 RG: There is a market out there for cyber insurance right now, and they market to the idea that you may suffer a ransomware attack and you should have cyber insurance. You may have other sorts of cyber security attacks and you need cyber insurance. There's been some commentary back and forth on the value of that, or whether or not it signals to cyber attackers, "Come on, they're insured. Go ahead and attack." Do you have a view on that? Is it simply prudent to have cyber insurance at this point because it's a reality of the world, or is it a bad signal?
0:36:54.5 MM: Listen, cyber insurance is an important market. It needs to be better, it needs better data, it needs better trained actuarial specialists. The models are being altered as we speak now. It needs to be further matured and developed, but it's absolutely necessary. And so we came out in the Cyberspace Solarium Commission as fully supportive of having a robust, successful cyber insurance market in the United States. There's important issues we have to address. After 9/11, we created something called the Terrorism Reinsurance Act to account for what is the proper response, what is the government's role in back-stopping insurance companies in a major terrorism incident like happened at 9/11. Probably have to look in the insurance market to see, how does it work when it's clearly done or embedded by a foreign state, whether it's a proxy like a ransomware insurance provider or it's the actual GRU... Believe me, the GRU, the Russian military and intelligence agencies and their Chinese counterparts and their Iranian and North Korean counterparts all participate in malicious cyber activity. These are, in those cases, state-sponsored efforts.
0:38:07.8 MM: And we have to determine what's the culpability and responsibility of a company or its insurer in making good on claims when the attack is perpetrated by nation states. We have to get proper rulings on that. We have to get proper systems, processes set up for data sharing and data aggregation, so we have good statistics. Samantha and I have been advocating for Bureau of Cyber Statistics to do just that and the insurance companies are thinking about that on their own. So the short answer is, yes, we need an insurance market, a cyber insurance market, and yes, companies should have it.
0:38:44.3 DR: And especially for... Can I just add in? And especially for kind of the smaller, middle-sized companies, cyber insurance plays an important role. The first, frankly, the insurers are oftentimes the ones helping small, medium-sized companies become more cyber secure, right? Just like with my house insurance, when the guy from Allstate comes out and says, "Trim these trees near your house, they're a fire risk or whatever," I wouldn't know and I wouldn't do it unless the insurance guy told me to do it. And so they can play an incredibly important role on that. We also found when we start looking at what about small, medium-sized companies that do work for the federal government, if you're a defense contractor, small one or medium-sized one, and you get a breach, you may get told, "Pencils down, we're not paying you until it's investigated." Cyber insurance can provide business continuity money to basically keep these companies alive and functioning while the breach is being investigated. So in that sense, it plays a very important role as well.
0:39:56.2 RG: Colonial Pipeline attack, we've referenced it a couple times. I want to hear from you sort of what you saw, what you learned from it. And I think it bleeds into the sort of big, big questions and take it as you will, is America ready for this? And sort of a follow-up is, what would it mean to be ready for this?
0:40:14.1 MM: I'll go first and say that what I saw in Colonial was, first of all, I was surprised at the poor cybersecurity. And then I was even more surprised at the poor federal oversight. We had been working closely with water at that point, and we knew that the EPA was a dumpster fire of water cybersecurity oversight. I was a little surprised to see the Transportation Safety Security Agency, TSA also, which in a weird world of pipeline of government who's responsible for what, is the sector risk management agency for the pipelines. And then there was poor... Look, the company notified the government late. They only notified because it was becoming obvious. It was going to have an impact on actual infrastructure in the United States. There were going to be delays and deliveries of fuel I think to Atlanta Hartsfield and other major airports that was going to have an impact.
0:41:08.3 MM: So they felt they had to make a report. I don't think they made a report because they felt that they were compelled to by any existing law, but they felt that they desired law enforcement or federal agency assistance, initially. It was only when they knew it was going to be this kind of press thing. And maybe I'm speaking poorly of the company, but that's my assessment of it. I also think the federal government didn't do well responding in the sense that individual agencies said I'll be responsible for this. There wasn't a single point of access for the company to work with the government. They had to work with Department of Energy, Department of Transportation, Department of Homeland Security and Law Enforcement, the FBI. So, I mean, that was a lot of... That is not an organized government response.
0:41:48.9 MM: So it kind of exposed our lack of an integrated public-private partnership on the government side. It exposed poor investments in cybersecurity on the private sector side. And this is a critical infrastructure. This is one that's critical to national security, economic stability and public health and safety. It hits all three. And we were not doing a good job. And much like water, it's indicative of where we're getting a D or an F in cybersecurity and critical infrastructure protection by, say, the really big banks where we might have a slightly higher grade. And the final thing I'll say is it did expose again that we haven't talked through, as a government and as a kind of government-business mix, what is our opinion on the paying of ransom? What is the national policy on this? And it kind of exposed that our policy is basically, because there's not much we can do to help you, you can go ahead and pay the ransom. And it kind of puts the marker down that the government needs to be a more proactive partner so that we can eventually say, "Hey, this paying of ransomware is actually encouraging more ransomware and it needs to stop, but we'll provide you the assistance that's necessary so that you don't feel required to pay them."
0:43:07.9 DR: And as for your other question on, are we ready for this? No, no, we're absolutely not ready for, if there was a major cyber attack that rippled through the economy and numerous types of critical infrastructure, so it hit the banks and the energy sector and the water sector, transportation, food distribution, all at the same time, which very well could be because the same software components are rummaging around all of these critical infrastructures. It's why one of the top recommendations for the Cyberspace Solarium Commission was on continuity of the economy, which then became the law of the land for the executive branch to do planning. It was in the National Defense Authorization Act a year and a half ago. The executive branch has done very, very little to start the planning of continuity of the economy if we were hit with rolling integrated cyber attacks. There's work to be done. There's prioritization that has to be made. Not everybody's going to be happy with what a plan eventually looks like, but if you can't make the decisions on how and who you're going to protect of the most critical infrastructure and who gets what first, no one's going to be protected. So, no, we're not. There are steps we can take to get us down that path and there's law in the land that says the executive branch has to start to get there.
0:44:30.4 RG: Final question before we move to the lightning round. We've referenced the President's executive order on cryptocurrency, there's various elements there, directives to different committees and task forces and different aspects, both domestic, foreign policy, national security. What are you looking to see as far as government regulation or actions that you're recommending, coming out of that executive order, particularly in this space of cybersecurity, of ransomware attacks, things that we should be demanding from exchanges or wallet providers, things that we should be doing as a government?
0:45:07.1 MM: The executive order is very comprehensive. It has, much like the executive orders from last-gen cybersecurity, it has completely unrealistic timelines of within 90, within 120, within 180, especially when you start talking to people who have a regulatory hook like SEC. They can't just make something happen rapidly. They come up with rule proposals, they have open comment periods. If there is a disagreement with... I think they right now have four chairmen, you can... Or four commissioners. You can frequently get a 2-2 tie. Executive orders tend to ignore that, they're written in a vacuum in the White House. I've written a few of them myself that way. But now it's easy for me to criticize from out here. You can't always just write regulation from the executive branch only. Sometimes you need legislative permissions and authorities to do some of the things.
0:45:58.3 MM: So you have to go through each step of this, and so some of these are going to require some legislative, if not authorizations, at least codification, so that they can be appropriately used. And it'll certainly give them a much better chance of surviving appeal with the third leg of the government, the third branch of the government, the judiciary. And finally, I will say the SEC is getting some task in here, and we, I think as a commission, are very happy with the SEC and Chairman Gensler's work over the last nine months on cybersecurity. His team took a hard look at our recommendations on Sarbanes-Oxley reform, and as we put it out in our report, you could fix it through rule-making and you can fix it through the law. In this case, there was an existing leverage off of. And he put out some great rule-making proposals less than a month ago, and after an open comment period, I expect them to go into place. And they will have a measurable, useful, effective impact on cybersecurity of publicly traded companies.
0:46:54.9 DR: We all know executive orders are big hand-waving exercises, "We're going to do this and this and this and this," they're often unwieldy, often never implemented. Obviously, it made sense the Treasury was tasked to take the lead on ensuring responsible development of digital assets and in collaboration with other agencies. But there's a lot of technology involved in this, right? It's not just the rule-making. There's a lot of technology on the cyber security side, technological developments that I would hope that Treasury, aligned with the R&D elements across our government, whether it's research and development in the Department of Defense, in the intelligence community, in the Department of Energy, in other places, is really brought to bear, again, to build in cyber-informed engineering right at the beginning for financial market security as digital assets, if and when they really roll into becoming a major asset class, to counter money laundering risk and so on and so forth. It's not just writing a policy, it's actually having the technology to do what you say you want to do.
0:48:04.2 RG: Okay, lightning round, either of you can jump in. We can take our turns. Cryptocurrency, opportunity or threat?
0:48:10.9 DR: I don't have any. I don't hold any. It is not where my head space is. For me, it seems the risk outweighs the benefit. No, I don't hold it.
0:48:23.2 RG: More regulation or less?
0:48:25.2 MM: Look, we're going to need regulation if we can't get effective, useful, industry-led standard setting. And they have a choice. The water industry setting doing it that way. I think cloud service providers, cryptocurrency, they need to start thinking this way. They're going to end up at regulation because I don't think that they have the wherewithal to self-regulate.
0:48:46.3 RG: And finally, do either of you know who Satoshi is?
0:48:49.5 MM: I'm 100% no.
[laughter]
0:48:52.3 DR: Yeah, but I really wish, right? And if he, they, she want to reach out to me, I've got a great bourbon, I will share with them if they make themselves known.
0:49:02.5 RG: But it's not either of you, you're saying.
0:49:06.0 DR: I can't vouch for Mark. It might be Mark. It's not me.
0:49:08.4 RG: That's possible.
0:49:08.6 MM: It's more likely my son than me, but yeah.
[chuckle]
0:49:12.5 RG: Dr. Ravich, Admiral Montgomery, thanks so much for joining Cryptonite. Well, if you like our show, please help us get the word out, subscribe on your favorite podcast app, leave us a five-star review, and most importantly, tell your friends because that's the best recommendation we will ever get. Until next time, I'm Rich Goldberg. This is Cryptonite.