WEBVTT 1 00:00:07.140 --> 00:00:09.930 Anna Delaney: Hi, and welcome to the ISMG Editors Panel. I'm Anna 2 00:00:09.930 --> 00:00:13.260 Delaney, and this is our weekly editorial analysis of the most 3 00:00:13.260 --> 00:00:16.650 important cybersecurity and privacy stories. I'm delighted 4 00:00:16.650 --> 00:00:19.470 to be joined by my excellent colleagues, Marianne Kolbasuk 5 00:00:19.500 --> 00:00:22.980 McGee, executive editor for HealthcareInfoSecurity; we've 6 00:00:22.980 --> 00:00:25.710 got Mathew Schwartz, executive editor of DataBreachToday and 7 00:00:25.710 --> 00:00:28.860 Europe, and Tony Morbin, executive news editor for the 8 00:00:28.860 --> 00:00:31.050 EU. Wonderful to see you all. 9 00:00:33.300 --> 00:00:34.980 Mathew Schwartz: Thanks for having us. Hi to summer here. 10 00:00:35.490 --> 00:00:38.070 Anna Delaney: Oh, yeah. So well, Tony, where are you today? 11 00:00:38.070 --> 00:00:39.330 Something important behind you. 12 00:00:40.140 --> 00:00:42.660 Tony Morbin: Well, I'm going to go over to the Department of 13 00:00:42.660 --> 00:00:44.160 Justice over in the U.S. 14 00:00:45.720 --> 00:00:51.150 Anna Delaney: As you do. To be continued. Marianne, you're out 15 00:00:51.150 --> 00:00:52.860 playing sport, or watching it. 16 00:00:53.610 --> 00:00:57.690 Marianne McGee: Watching it! Fenway Park in Boston. Summer 17 00:00:57.690 --> 00:00:58.650 means baseball. 18 00:00:59.130 --> 00:01:01.140 Anna Delaney: Summer means baseball. Okay, so do you 19 00:01:01.140 --> 00:01:03.570 support the Boston team? 20 00:01:04.230 --> 00:01:07.530 Marianne McGee: Well, I have to because my whole family does. I 21 00:01:07.530 --> 00:01:11.160 grew up in New York. So, you know, Mets. Yankees. I was never 22 00:01:11.160 --> 00:01:14.400 big baseball fan until I moved up here. So now I'm a Red Sox 23 00:01:14.400 --> 00:01:14.760 fan. 24 00:01:15.140 --> 00:01:16.250 Anna Delaney: Okay, noted. 
25 00:01:17.390 --> 00:01:18.560 Marianne McGee: A little arm twisting. 26 00:01:20.030 --> 00:01:22.100 Anna Delaney: I obviously forgot the memo. Because I think Matt 27 00:01:22.100 --> 00:01:23.720 is also in the U.S. today. 28 00:01:24.350 --> 00:01:26.480 Mathew Schwartz: That's right. I'm hailing from the Staten 29 00:01:26.480 --> 00:01:30.500 Island Ferry, on its way from New York to Staten Island; 30 00:01:30.530 --> 00:01:34.760 wonderful, free ride! Great views! So I was just in New York 31 00:01:34.760 --> 00:01:36.230 City on a family trip. 32 00:01:37.110 --> 00:01:39.960 Anna Delaney: Brilliant. Well, I'm in my head, still, I'm in 33 00:01:39.960 --> 00:01:42.900 France from a couple of weeks ago. So I'm sharing this photo 34 00:01:43.320 --> 00:01:47.700 from my trip to Bordeaux. This is not where I stayed. This is a 35 00:01:47.700 --> 00:01:51.300 chateau. But maybe one day, of course. So for now, it just 36 00:01:51.300 --> 00:01:55.350 remains a pretty picture for you all. Well, Matt, starting 37 00:01:55.350 --> 00:01:58.710 with you this week, we return to the MOVEit hacks and the 38 00:01:58.710 --> 00:02:02.250 confirmed number of victims impacted by the Clop group's 39 00:02:02.310 --> 00:02:05.700 supply chain attacks grows even bigger. And just as a reminder, 40 00:02:05.820 --> 00:02:09.390 this is the Clop group's mass exploitation of MOVEit's file 41 00:02:09.390 --> 00:02:12.930 transfer software. So Matt, where are we now with the 42 00:02:12.930 --> 00:02:15.360 incident and what's the extent of the damage? 43 00:02:16.320 --> 00:02:19.230 Mathew Schwartz: Great question! I am hesitant to commit to 44 00:02:19.260 --> 00:02:22.770 numbers because things have a habit of changing hour to hour 45 00:02:22.770 --> 00:02:27.510 still with this attack campaign. But we can say that there are 46 00:02:27.570 --> 00:02:33.660 north of 450 organizations known to have been affected. 
Now, 47 00:02:33.810 --> 00:02:37.920 about 20%, give or take of those organizations have issued a 48 00:02:37.920 --> 00:02:41.880 public statement, counting the number of individuals whose 49 00:02:41.970 --> 00:02:45.720 personal information was exposed as a result of these attacks. 50 00:02:45.930 --> 00:02:51.870 And so far, we've got 23 million individuals, mostly in the 51 00:02:51.900 --> 00:02:57.900 United States, having been affected by these breaches. So 52 00:02:58.050 --> 00:03:05.340 this is massive, obviously. And it's amazing punching power, if 53 00:03:05.340 --> 00:03:08.790 you will, for what ransomware tracking experts say is a 54 00:03:08.790 --> 00:03:12.720 relatively small group. There is a report that just came out from 55 00:03:12.840 --> 00:03:17.640 ransomware incident response firm Coveware, which estimates 56 00:03:17.670 --> 00:03:23.520 that Clop might clear $75 million to $100 million off of 57 00:03:23.520 --> 00:03:28.530 this single campaign. That is disturbing on a number of 58 00:03:28.530 --> 00:03:32.940 fronts. First of all, because Clop isn't very big. And if a 59 00:03:32.970 --> 00:03:35.760 relatively small number of people can get that much money 60 00:03:35.820 --> 00:03:39.720 off an attack, that's horrifying, especially if others 61 00:03:39.750 --> 00:03:43.350 try to emulate it. There's so many interesting angles here, 62 00:03:43.590 --> 00:03:45.600 speaking somewhat dispassionately about this 63 00:03:45.600 --> 00:03:48.600 attack, especially if you were an individual whose information 64 00:03:48.600 --> 00:03:51.840 was exposed, social security numbers in particular have been 65 00:03:51.840 --> 00:03:55.470 exposed, which is a big problem if you are in the United States, 66 00:03:55.590 --> 00:03:59.790 because it's still used as an attempted unique identifier, 67 00:03:59.850 --> 00:04:02.910 which it was never designed to do. So it puts you at risk of 68 00:04:02.910 --> 00:04:06.090 identity theft. 
Lots of the organizations that have been 69 00:04:06.120 --> 00:04:09.480 affected when social security numbers have been exposed, are 70 00:04:09.480 --> 00:04:13.470 offering free identity theft monitoring, free credit 71 00:04:13.470 --> 00:04:16.680 monitoring. Now, this doesn't make the problem go away. It 72 00:04:16.680 --> 00:04:20.190 doesn't mean that there isn't time spent by victims trying to 73 00:04:20.190 --> 00:04:24.120 see if their identity has been stolen. So it's not a great 74 00:04:24.120 --> 00:04:27.780 scenario. But if we step back, this attack is really 75 00:04:27.780 --> 00:04:32.430 fascinating because it shows that for cyber criminals, as 76 00:04:32.430 --> 00:04:34.950 with most types of crime, I suppose, but especially to 77 00:04:34.950 --> 00:04:40.410 cybercrime, time is money and the most successful groups, and 78 00:04:40.410 --> 00:04:43.800 I think we need to include Clop in that category, have a way of 79 00:04:44.010 --> 00:04:49.110 innovating in a manner which might befit a Harvard Business 80 00:04:49.110 --> 00:04:53.490 Review case study. What they've done here is instead of trying 81 00:04:53.490 --> 00:04:57.840 to hit a really big victim, hacking into their network, 82 00:04:57.930 --> 00:05:02.310 deploying cryptolocking malware, shaking them down, hoping they'd 83 00:05:02.310 --> 00:05:06.480 pay with all of the incumbent costs associated with that, 84 00:05:06.630 --> 00:05:11.100 buying their way in, bringing in experts in hacking. What they've 85 00:05:11.100 --> 00:05:15.480 done is they have somehow - we don't know how - found this zero 86 00:05:15.480 --> 00:05:20.850 day vulnerability in widely used file transfer software called 87 00:05:20.850 --> 00:05:24.450 MOVEit from Progress Software. And this has allowed them to hit 88 00:05:24.450 --> 00:05:27.090 an unknown number of organizations. 
But hundreds, 89 00:05:27.480 --> 00:05:30.780 conservatively speaking hundreds of organizations all at once, 90 00:05:30.930 --> 00:05:34.530 over a couple of days. Progress Software, to its credit, when 91 00:05:34.530 --> 00:05:38.790 this attack campaign started, it quickly drafted a patch, put out a 92 00:05:38.790 --> 00:05:42.240 security alert, and organizations mostly got that 93 00:05:42.240 --> 00:05:45.750 installed pretty quickly. It's not even clear if Clop was still 94 00:05:45.750 --> 00:05:49.710 attacking people, once this patch came out. It may have done 95 00:05:49.710 --> 00:05:53.880 all the damage it needed to do just in the first 48 hours or so 96 00:05:53.880 --> 00:05:57.630 of the attack. But what it seems to have done is probably gotten 97 00:05:57.630 --> 00:06:01.110 ransom payments from at least a few of the really big victims. 98 00:06:01.710 --> 00:06:05.100 Experts say that it demanded massive ransoms from some of the 99 00:06:05.100 --> 00:06:09.420 big organizations that it had hit, and it has probably gotten paid. 100 00:06:09.900 --> 00:06:13.980 So you have all of this, I won't say collateral damage, but extra 101 00:06:13.980 --> 00:06:16.980 damage in the form of all these other organizations that it 102 00:06:16.980 --> 00:06:21.090 managed to hit at the same time. So from a criminal standpoint, 103 00:06:21.210 --> 00:06:24.960 this is very elegant, it's automated, they hit hard, they 104 00:06:24.960 --> 00:06:28.140 hit fast, they hit lots of people, and they seem to have 105 00:06:28.140 --> 00:06:31.980 made a lot of money. When it comes to ransomware, this is not 106 00:06:31.980 --> 00:06:35.490 a direction of travel that we want to see things going in. 107 00:06:37.200 --> 00:06:41.220 And what has this done to MOVEit's reputation? Progress 108 00:06:41.220 --> 00:06:44.430 Software, I mean. Are impacted companies still using them? 109 00:06:44.550 --> 00:06:45.630 Still using the software? 
110 00:06:46.320 --> 00:06:49.170 I have not seen any company saying it's going to give up 111 00:06:49.620 --> 00:06:53.220 MOVEit. I have seen them saying that they've put some extra 112 00:06:53.220 --> 00:06:58.110 security controls in place that had been suggested by various 113 00:06:58.230 --> 00:07:02.640 firms. But I think I mean, this is a classic supply chain 114 00:07:02.640 --> 00:07:05.400 attack. This is a widely used piece of software. As I said, 115 00:07:05.400 --> 00:07:07.980 Progress got a patch up very quickly. They were very 116 00:07:07.980 --> 00:07:12.570 transparent and moved. Again, they moved quickly. I can't 117 00:07:12.570 --> 00:07:18.180 really fault them here. I don't think so it's a challenge. It 118 00:07:18.180 --> 00:07:22.830 begs the question of what other pieces of widely used software 119 00:07:22.830 --> 00:07:26.730 Clop or another group hoping to unleash an attack like this 120 00:07:26.880 --> 00:07:30.450 might already have access to or might already be experimenting 121 00:07:30.450 --> 00:07:30.900 with. 122 00:07:31.610 --> 00:07:34.430 Anna Delaney: You said that Clop's success comes despite a 123 00:07:34.430 --> 00:07:37.460 decline in the number of victims who pay a ransom. Just tell us 124 00:07:37.460 --> 00:07:38.240 more about this. 125 00:07:38.720 --> 00:07:41.810 Mathew Schwartz: Yes. So if you look, in the last six months, 126 00:07:41.810 --> 00:07:46.310 say there is a peak of 45%. This is Coveware speaking. Forty-five 127 00:07:46.310 --> 00:07:51.380 percent of organizations hit by ransomware that it worked with 128 00:07:51.710 --> 00:07:55.070 paid a ransom, maybe didn't pay the initial offer, but it paid a 129 00:07:55.070 --> 00:07:59.150 ransom. That's horrible, right? So that has gone down thankfully 130 00:07:59.150 --> 00:08:03.200 to about one in three, which still seems like a lot. 
But if 131 00:08:03.200 --> 00:08:06.950 you are a ransomware group, as I said, there's a sunk cost, if 132 00:08:06.950 --> 00:08:10.310 you're trying to hack into a large organization that you can 133 00:08:10.310 --> 00:08:14.060 demand a big ransom from, you need to get access, you need to 134 00:08:14.060 --> 00:08:17.450 have highly skilled people that you're paying or working with as 135 00:08:17.450 --> 00:08:22.700 business partners, huge sunk costs. So that cost hasn't gone 136 00:08:22.700 --> 00:08:25.010 down. And as they've been attempting to hit organizations 137 00:08:25.040 --> 00:08:28.820 and getting fewer ransom payments. As you see this pivot 138 00:08:28.820 --> 00:08:32.960 by Clop, which does the classic style of ransomware as well, 139 00:08:33.110 --> 00:08:36.650 but this pivot, I don't know how much they paid for the zero day 140 00:08:36.680 --> 00:08:39.800 or for the expertise that gave it to them. But it's been 141 00:08:39.800 --> 00:08:44.990 extremely lucrative. So you see all these different groups 142 00:08:45.140 --> 00:08:47.840 testing these different innovations to see what gives 143 00:08:47.840 --> 00:08:50.240 them their next really big payday. 144 00:08:51.740 --> 00:08:53.180 Anna Delaney: Wow, that was excellent. Thanks for those 145 00:08:53.240 --> 00:08:56.570 updates. Okay, Marianne, our next story is about sensitive 146 00:08:56.570 --> 00:08:59.720 data and tracking tools. And you've written this week that 147 00:08:59.720 --> 00:09:02.510 the Federal Trade Commission, the Department of Health and 148 00:09:02.510 --> 00:09:06.050 Human Services are jointly warning dozens of hospitals and 149 00:09:06.050 --> 00:09:08.690 telehealth providers for potential data privacy and 150 00:09:08.690 --> 00:09:12.110 security violations involving the use of online tracking 151 00:09:12.110 --> 00:09:15.170 technologies. So can you tell us more about these potential 152 00:09:15.290 --> 00:09:16.130 violations? 
153 00:09:16.600 --> 00:09:20.650 Marianne McGee: Sure. As you mentioned, late last week, in a 154 00:09:20.650 --> 00:09:24.940 rare move, the Federal Trade Commission and the US Department 155 00:09:24.940 --> 00:09:28.690 of Health and Human Services announced that they had sent 156 00:09:29.530 --> 00:09:35.560 letters to 130 hospitals and telehealth providers, warning 157 00:09:35.590 --> 00:09:40.060 about their possible use of web tracking tools such as Meta 158 00:09:40.060 --> 00:09:45.910 Pixel and Google Analytics in those companies' websites and 159 00:09:45.910 --> 00:09:50.560 mobile apps. Now, each of these two agencies have previously 160 00:09:50.590 --> 00:09:55.690 publicly advised against the use of online tracking tools due to 161 00:09:55.690 --> 00:09:59.890 serious privacy concerns. But now these warnings from these 162 00:09:59.890 --> 00:10:04.960 two U.S. federal regulating agencies are getting louder. 163 00:10:04.990 --> 00:10:08.890 They're basically sort of forewarning of pending 164 00:10:08.890 --> 00:10:14.440 enforcement actions. Now, the FTC this week also followed up 165 00:10:14.500 --> 00:10:19.180 the announcement about the letters with its own blog that 166 00:10:19.180 --> 00:10:23.410 kind of dived into the dangers of using web tracking 167 00:10:23.410 --> 00:10:28.540 technology. The regulators say that these tracking tools when 168 00:10:28.540 --> 00:10:32.920 integrated into health related websites and mobile apps to 169 00:10:32.920 --> 00:10:36.880 share consumer and patient data with third parties without the 170 00:10:36.880 --> 00:10:40.420 individual's knowledge or consent could amount to 171 00:10:40.420 --> 00:10:43.900 violations of laws and regulations, including the FTC 172 00:10:43.900 --> 00:10:48.010 Act, the FTC Health Breach Notification Rule and HIPAA. 
173 00:10:49.000 --> 00:10:53.290 Now, among the concerns, the agencies say that these tracking 174 00:10:53.320 --> 00:10:58.000 technologies on webpages generally have access to users' 175 00:10:58.030 --> 00:11:01.630 sensitive information, including protected health information, 176 00:11:01.630 --> 00:11:06.010 such as an individual's IP address, medical record number, 177 00:11:06.010 --> 00:11:11.680 home or email addresses, on location of where they're 178 00:11:11.680 --> 00:11:17.770 seeking treatments, diagnosis, treatment, sort of data and 179 00:11:17.770 --> 00:11:22.360 other sorts of details that could provide insights into a 180 00:11:22.360 --> 00:11:27.130 person's medical conditions. So now in the aftermath of the U.S. 181 00:11:27.130 --> 00:11:31.330 Supreme Court, overturning Roe v. Wade last year, ending the 182 00:11:31.330 --> 00:11:34.840 nationwide right to an abortion in the U.S., the agencies are 183 00:11:34.840 --> 00:11:39.040 concerned that an individual's tracking information when shared 184 00:11:39.040 --> 00:11:44.380 with third parties could be used or misused for stalking and 185 00:11:44.380 --> 00:11:49.000 harassment and even potentially to launch criminal 186 00:11:49.060 --> 00:11:52.720 investigations into the medical care that a patient has sought 187 00:11:52.720 --> 00:11:56.800 information about. But even aside from the reproductive 188 00:11:56.800 --> 00:12:00.700 health care service concerns, the tracking tools can also 189 00:12:00.700 --> 00:12:04.120 collect sensitive information that conveys other insights into 190 00:12:04.120 --> 00:12:07.930 a person's private health issues. 
For example, one of the 191 00:12:07.930 --> 00:12:11.830 examples that the FTC uses is that the tracking tools can 192 00:12:11.830 --> 00:12:16.810 collect and share consumers' location data, such as repeated 193 00:12:16.810 --> 00:12:21.730 trips to a cancer treatment center, which would potentially 194 00:12:21.760 --> 00:12:25.570 reveal highly sensitive information about that person's 195 00:12:25.570 --> 00:12:30.430 health status. Now, aside from these targeted letters that the 196 00:12:30.430 --> 00:12:35.170 agencies sent last week, in the bigger picture, the FTC and the 197 00:12:35.200 --> 00:12:39.970 HHS OCR have also been sending an overall strong message to 198 00:12:39.970 --> 00:12:44.590 other companies hinting of imminent enforcement actions 199 00:12:44.620 --> 00:12:48.820 involving the use of these trackers. Now the FTC in recent 200 00:12:48.820 --> 00:12:52.930 months has already taken a few enforcement actions against 201 00:12:52.930 --> 00:12:56.710 health care providers, directory telehealth providers, including 202 00:12:56.740 --> 00:13:02.320 BetterHelp and GoodRx plus a mobile fertility app vendor 203 00:13:02.320 --> 00:13:07.540 called Premom in cases involving those companies using tracking 204 00:13:07.540 --> 00:13:11.170 tools that allegedly shared consumers' information with 205 00:13:11.170 --> 00:13:15.100 third-party analytics and social media firms without the 206 00:13:15.100 --> 00:13:20.950 individual's consent. Meanwhile, as of right now, HHS OCR has not 207 00:13:20.950 --> 00:13:25.030 yet taken a HIPAA enforcement action involving the use of 208 00:13:25.030 --> 00:13:29.530 these online trackers. 
But the agency's leadership, including 209 00:13:29.530 --> 00:13:33.850 an official from HHS OCR that spoke at our ISMG Healthcare 210 00:13:33.850 --> 00:13:38.740 Summit last week, said that HHS is very busy right now 211 00:13:38.740 --> 00:13:42.760 investigating such cases, and that enforcement actions likely 212 00:13:42.760 --> 00:13:48.310 will be coming soon. HHS OCR last December also issued 213 00:13:48.310 --> 00:13:52.600 guidance about the use of online tracking tools, warning that 214 00:13:52.600 --> 00:13:55.780 HIPAA regulated entities that use these tools are not 215 00:13:55.780 --> 00:14:00.970 permitted to implement them and use them for impermissible 216 00:14:00.970 --> 00:14:05.170 disclosures of protected health information to third parties or 217 00:14:05.170 --> 00:14:08.740 for any other sort of violations of the HIPAA rules. There have 218 00:14:08.740 --> 00:14:11.770 already been several U.S. hospital systems that have 219 00:14:11.770 --> 00:14:16.420 walked reported large HIPAA breaches to HHS OCR in recent 220 00:14:16.420 --> 00:14:20.740 months following the agency's guidance last December warning 221 00:14:20.770 --> 00:14:25.150 about the use of the tracking tools. Now, for the FTC 222 00:14:25.150 --> 00:14:31.270 violations involving the FTC Act or the Health Breach 223 00:14:31.270 --> 00:14:36.190 Notification Rule have already been enforced with financial 224 00:14:36.190 --> 00:14:38.560 penalties for these companies, the couple of companies that 225 00:14:38.560 --> 00:14:43.300 have had these, you know, citations against them. But for 226 00:14:43.300 --> 00:14:46.900 HIPAA violations potentially there are also potential 227 00:14:46.930 --> 00:14:50.830 monetary fines. And in rare cases, there are criminal 228 00:14:50.830 --> 00:14:56.500 prosecution that is, you know, accessible to regulators to you 229 00:14:56.500 --> 00:15:00.670 know, to go after. 
So we'll see if these recent warnings from 230 00:15:00.670 --> 00:15:04.360 the FTC and HHS are signs of aggressive new enforcement 231 00:15:04.360 --> 00:15:08.830 actions by the agencies. But in general, you know, researchers 232 00:15:08.830 --> 00:15:12.160 have found that these tracking tools are in thousands of 233 00:15:12.160 --> 00:15:16.090 websites. So, you know, there's a lot of potential violations 234 00:15:16.090 --> 00:15:19.330 out there that, you know, could happen, that probably won't 235 00:15:19.330 --> 00:15:22.870 happen. But I think that the warnings are basically to get 236 00:15:22.870 --> 00:15:26.230 these companies that use these tools to sort of reevaluate how 237 00:15:26.230 --> 00:15:27.190 they're using them. 238 00:15:28.360 --> 00:15:30.340 Anna Delaney: And what do you think will be the impact on 239 00:15:30.760 --> 00:15:34.180 consumer trust in these online health tools, Marianne? 240 00:15:34.540 --> 00:15:38.590 Marianne McGee: Well, you know, I think consumers, you know, I 241 00:15:38.590 --> 00:15:40.720 think everyone's been in the situation where you do research 242 00:15:40.720 --> 00:15:43.270 on something, then all of a sudden, you're getting messages 243 00:15:43.270 --> 00:15:48.400 about a product or type of product that you looked at, and, 244 00:15:48.430 --> 00:15:50.890 you know, I think that makes people feel creeped out. But 245 00:15:50.890 --> 00:15:53.650 when it comes to, you know, details about the kind of 246 00:15:53.650 --> 00:15:56.890 medical care that someone might have been searching for on a 247 00:15:56.920 --> 00:16:01.390 hospital's website, you know, that really creeps them out 248 00:16:01.390 --> 00:16:05.080 because it is potentially revealing things that may or may 249 00:16:05.080 --> 00:16:08.740 not be true about that person. 
But, you know, who wants other 250 00:16:08.740 --> 00:16:11.890 people to know, you know, their business when it comes to health 251 00:16:12.190 --> 00:16:15.310 issues? And yeah, that's the thing that the agencies are most 252 00:16:15.310 --> 00:16:18.220 concerned about right now, how this information could be 253 00:16:18.220 --> 00:16:19.810 misused by third parties. 254 00:16:21.010 --> 00:16:24.010 Anna Delaney: Well, thanks. Thanks so much, Marianne. Tony, 255 00:16:24.040 --> 00:16:27.250 the U.S. Department of Justice is reorganizing units and 256 00:16:27.250 --> 00:16:30.580 expanding its whole of government approach to better 257 00:16:30.580 --> 00:16:33.070 fight ransomware. Tell us about this new approach. 258 00:16:34.170 --> 00:16:37.083 Tony Morbin: Now, when Bitcoin launched, cryptocurrencies were 259 00:16:37.142 --> 00:16:40.115 meant to be the future of money, but their primary 260 00:16:40.174 --> 00:16:44.039 characteristic, the anonymity of ownership, kind of made them the 261 00:16:44.099 --> 00:16:47.666 future of crime. Now, every aspect of the ecosystem, and its 262 00:16:47.725 --> 00:16:51.411 development has been peopled by dodgy operators and scams. And 263 00:16:51.471 --> 00:16:54.325 while many of its biggest adopters, and its most 264 00:16:54.384 --> 00:16:57.892 widespread use case, beyond getting-rich-quick speculation, 265 00:16:57.952 --> 00:17:01.638 has been payment for crime. 
So we've had rug pulls by new coin 266 00:17:01.697 --> 00:17:05.146 issuers, we've had borrowing of the assets of investors by 267 00:17:05.205 --> 00:17:09.010 issuers, potential investors go into fake sites to invest, actual 268 00:17:09.070 --> 00:17:12.696 investors being tricked into giving access to their wallet or 269 00:17:12.756 --> 00:17:16.502 transferring funds to criminals, attacks on the infrastructure, 270 00:17:16.561 --> 00:17:19.772 especially crypto bridges, tumblers and exchange sites 271 00:17:19.831 --> 00:17:23.458 accused of facilitating money laundering. And then of course, 272 00:17:23.517 --> 00:17:26.787 the main one, as Matt was talking about, cryptocurrency 273 00:17:26.847 --> 00:17:30.474 being literally the currency of crime online, most especially 274 00:17:30.533 --> 00:17:34.160 ransomware payments. Now, that's not to say that there aren't 275 00:17:34.219 --> 00:17:37.727 legal scenarios for the future of decentralized finance, in 276 00:17:37.787 --> 00:17:41.235 which there are benefits for society and individual users, 277 00:17:41.294 --> 00:17:44.327 but it's currently such a free-for-all that it's almost 278 00:17:44.386 --> 00:17:47.953 inextricably linked to online crime. And that linkage is now 279 00:17:48.013 --> 00:17:51.640 explicitly recognized in the U.S. with the DOJ merging its 280 00:17:51.699 --> 00:17:55.504 cryptocurrency and its computer crimes investigation units, due 281 00:17:55.564 --> 00:17:59.309 to the central role of digital assets in ransomware hacks and 282 00:17:59.369 --> 00:18:02.817 other online crime. 
Criminal cryptocurrency work and cyber 283 00:18:02.877 --> 00:18:06.503 prosecutions are intertwined, and it will become even more so 284 00:18:06.563 --> 00:18:10.071 in the future, says Nicole Argentieri, the principal deputy 285 00:18:10.130 --> 00:18:13.519 attorney general, adding that the merger is going to make 286 00:18:13.579 --> 00:18:17.146 cryptocurrency cases equal in status to computer crimes. The 287 00:18:17.205 --> 00:18:20.297 move is part of an ongoing increase in targeting of 288 00:18:20.356 --> 00:18:24.043 ransomware operators that really ramped up in the aftermath of 289 00:18:24.102 --> 00:18:27.669 the Colonial Pipeline attack in May 2021. And as Matt's been 290 00:18:27.729 --> 00:18:31.356 describing their targeting of supply chains. In fact, earlier 291 00:18:31.415 --> 00:18:34.269 this year, the Biden administration declared that 292 00:18:34.328 --> 00:18:38.193 under its National Cybersecurity Strategy ransomware is now being 293 00:18:38.252 --> 00:18:41.701 specifically targeted as a threat to national security and 294 00:18:41.760 --> 00:18:44.911 public safety. So putting the National Cryptocurrency 295 00:18:44.971 --> 00:18:48.657 Enforcement Team under the same roof as the Computer Crime and 296 00:18:48.717 --> 00:18:52.581 Intellectual Property Section is reported to more than double the 297 00:18:52.641 --> 00:18:56.148 number of federal prosecutors that are actually going to be 298 00:18:56.208 --> 00:18:59.240 authorized to handle cryptocurrency criminal cases. 299 00:18:59.300 --> 00:19:03.105 And that seems to be the biggest outcome. The Computer Crime and 300 00:19:03.164 --> 00:19:06.375 Intellectual Property Section experts will continue to 301 00:19:06.434 --> 00:19:09.704 investigate and prosecute ransomware attacks. 
While the 302 00:19:09.764 --> 00:19:12.974 National Cryptocurrency Enforcement Team investigators 303 00:19:13.034 --> 00:19:16.482 will track and pursue the ransomware payments with the aim 304 00:19:16.542 --> 00:19:19.930 of freezing and seizing them before they go to Russia and 305 00:19:19.990 --> 00:19:23.319 other ransomware hotspots. Separately, we've just seen a 306 00:19:23.379 --> 00:19:26.887 congressional committee is set to vote this week on several 307 00:19:26.946 --> 00:19:30.514 bills to develop a regulatory framework for cryptocurrencies 308 00:19:30.573 --> 00:19:34.081 in further bits of reining the more lawless aspects of the 309 00:19:34.140 --> 00:19:37.589 crypto wild west. Okay, nobody is saying that any of these 310 00:19:37.648 --> 00:19:41.394 moves are the complete solution, but they are tightening of the 311 00:19:41.453 --> 00:19:44.307 screw. And ironically cryptocurrency use, so long 312 00:19:44.367 --> 00:19:48.053 ransomware operators' ace in the hole, is now potentially a weak 313 00:19:48.112 --> 00:19:51.204 spot due to the immutable blockchain ledger allowing 314 00:19:51.263 --> 00:19:54.831 tracing of transactions. And going after the money is always a 315 00:19:54.890 --> 00:19:58.339 smart move in any financially motivated crime. So assuming 316 00:19:58.398 --> 00:20:01.668 this development proves successful, it's one that other 317 00:20:01.727 --> 00:20:03.690 jurisdictions are likely to copy. 318 00:20:05.670 --> 00:20:07.530 Anna Delaney: Very good. Well, Tony, this is positive news. 319 00:20:07.560 --> 00:20:10.800 Thank you very much. And finally, and just for fun, I'd 320 00:20:10.800 --> 00:20:15.420 like you to share a recent quote you love from an interview or 321 00:20:15.450 --> 00:20:17.730 expert in the field. What have you had recently? 322 00:20:22.340 --> 00:20:24.440 Mathew Schwartz: Okay, should we battle it out? 323 00:20:25.910 --> 00:20:27.140 Marianne McGee: Not recent, but go ahead. 
324 00:20:27.870 --> 00:20:30.937 Mathew Schwartz: Sure. So, one recent thing we saw was the 325 00:20:31.012 --> 00:20:34.978 Norwegian government getting taken down by a zero day 326 00:20:35.053 --> 00:20:38.869 vulnerability in its Ivanti endpoint manager mobile 327 00:20:38.944 --> 00:20:43.209 software, formerly known as MobileIron Core. Got all that 328 00:20:43.284 --> 00:20:47.698 out of the way. So the quote I have is from Kevin Beaumont, 329 00:20:47.773 --> 00:20:51.964 he's an outspoken British cybersecurity professional. He 330 00:20:52.038 --> 00:20:56.528 posts online a lot under the moniker GossiTheDog, and he was 331 00:20:56.603 --> 00:21:00.718 urging others to pivot to transparency when it comes to 332 00:21:00.793 --> 00:21:05.582 being forthright about a breach. This was a criticism of Ivanti, 333 00:21:05.657 --> 00:21:10.146 which he said originally tried to hide information about the 334 00:21:10.221 --> 00:21:15.085 breach on its customer service portal, and you had to log in to 335 00:21:15.160 --> 00:21:19.574 get details of it. And it wasn't necessarily flagged on the 336 00:21:19.649 --> 00:21:24.288 Ivanti sites as being a problem. And it was a huge problem. He 337 00:21:24.363 --> 00:21:28.928 said, it's trivial to exploit this flaw. And that should have 338 00:21:29.002 --> 00:21:33.268 been something they were trumpeting and say we're working 339 00:21:33.342 --> 00:21:38.880 overtime to fix this. Instead, he's accused them of not being transparent. 340 00:21:40.290 --> 00:21:43.530 Anna Delaney: Great, great quote. Marianne, do you want to 341 00:21:43.530 --> 00:21:43.980 go for it? 342 00:21:45.550 --> 00:21:48.529 Marianne McGee: Sure, mine is not a recent quote. But it's one 343 00:21:48.594 --> 00:21:52.286 that sort of, you know, I've always remembered. 
Years and 344 00:21:52.351 --> 00:21:56.173 years ago, I attended, I don't even know what the reception 345 00:21:56.238 --> 00:22:00.124 was, but it was a reception at the Boston Computer Museum. I 346 00:22:00.189 --> 00:22:04.205 think that's been long gone. But one of the speakers there was 347 00:22:04.270 --> 00:22:07.898 Rear Admiral Grace Hopper, who was a pioneering computer 348 00:22:07.962 --> 00:22:11.590 programmer and a U.S. Navy officer. And I don't remember 349 00:22:11.655 --> 00:22:15.282 exactly what her speech was about. But one of the things 350 00:22:15.347 --> 00:22:19.298 that she said, and she's also often requoted saying that it's 351 00:22:19.363 --> 00:22:23.315 easier to ask forgiveness than it is to get permission. And I 352 00:22:23.379 --> 00:22:27.136 think what she was saying was that when it comes to trying 353 00:22:27.201 --> 00:22:31.023 new, innovative things, you know, try them out. And then if 354 00:22:31.088 --> 00:22:35.169 people don't want you to do it, then you know, just say, you're 355 00:22:35.234 --> 00:22:39.314 sorry, but at least you got to try. And I think that, you know, 356 00:22:39.379 --> 00:22:43.331 there's some merit to that, but I think for computer security 357 00:22:43.395 --> 00:22:47.476 people that could be something that's very worrisome. You know, 358 00:22:47.541 --> 00:22:51.363 people in your organization forging ahead with new AI sorts 359 00:22:51.428 --> 00:22:55.574 of tools and not telling anybody about it until, you know, geez, 360 00:22:55.638 --> 00:22:59.525 there's a problem. Well, that could be a problem. So I think 361 00:22:59.590 --> 00:23:03.606 even though it's an old quote, I think it still resonates, you 362 00:23:03.671 --> 00:23:06.910 know, especially when it comes to security issues. 363 00:23:07.870 --> 00:23:09.310 Anna Delaney: Very good. And Tony? 
364 00:23:09.780 --> 00:23:12.420 Tony Morbin: Well, I'll certainly live by that quote 365 00:23:12.450 --> 00:23:17.220 that Marianne just said, I think it's a great one. I'm going to 366 00:23:17.220 --> 00:23:20.760 quote Bridget Kenyon, CISO at Shared Services Connected, who I 367 00:23:20.760 --> 00:23:25.800 interviewed at InfoSec, just the other month, here in London. And 368 00:23:25.800 --> 00:23:29.670 we were talking about bias in AI, errors or hallucinations or 369 00:23:29.670 --> 00:23:35.100 misuse. And, you know, where we can actually, you know, what are 370 00:23:35.100 --> 00:23:37.860 the benefits and the minuses of using AI and she just came up 371 00:23:37.860 --> 00:23:40.650 with - AI is just like us, but faster. 372 00:23:40.000 --> 00:23:43.560 Anna Delaney: Very true, very true. Great quote from Bridget. 373 00:23:43.636 --> 00:23:47.878 I just wanted to share something I found online from Tim 374 00:23:47.954 --> 00:23:52.273 Leberecht, head of all the conferences in Vegas, upcoming 375 00:23:52.348 --> 00:23:56.894 conferences like Black Hat. What happens in Vegas, ends up on 376 00:23:56.970 --> 00:24:00.909 YouTube. Well, thank you, everybody, Tony, Marianne, 377 00:24:00.985 --> 00:24:03.940 Mathew. It's been a pleasure as always. 378 00:24:04.360 --> 00:24:05.590 Mathew Schwartz: Thanks for having us on. 379 00:24:06.190 --> 00:24:06.610 Anna Delaney: Thank you. 380 00:24:06.880 --> 00:24:08.950 Tony Morbin: I'm just thinking that Marianne's quote ties in 381 00:24:08.950 --> 00:24:11.200 with yours. That's where you go asking for forgiveness. 382 00:24:13.900 --> 00:24:17.110 Anna Delaney: We're all linked. And thanks so much for watching. 383 00:24:17.170 --> 00:24:17.890 Until next time!