WEBVTT

1
00:00:07.170 --> 00:00:10.020
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm

2
00:00:10.020 --> 00:00:13.620
Anna Delaney, and this is our weekly editorial take on ISMG's

3
00:00:13.620 --> 00:00:17.130
top cybersecurity news and interviews. I'm very pleased to

4
00:00:17.130 --> 00:00:20.370
be joined by Tom Field, senior vice president of Editorial;

5
00:00:20.460 --> 00:00:24.540
Suparna Goswami, associate editor at ISMG Asia; and Rashmi

6
00:00:24.540 --> 00:00:28.200
Ramesh, assistant editor, the global news desk. Good to see

7
00:00:28.200 --> 00:00:28.650
you all.

8
00:00:29.130 --> 00:00:29.880
Tom Field: Nice to be seen.

9
00:00:30.750 --> 00:00:32.190
Suparna Goswami: Yes. Always a pleasure.

10
00:00:33.060 --> 00:00:35.310
Anna Delaney: So, Suparna, big news this week.

11
00:00:36.410 --> 00:00:41.480
Suparna Goswami: Oh, yes. Big news! I mean, throughout India,

12
00:00:41.510 --> 00:00:45.800
everybody saw that. So India space agency, ISRO, successfully

13
00:00:45.800 --> 00:00:49.880
landed Chandrayaan-3 that's what is the mission's name lander

14
00:00:49.880 --> 00:00:52.940
model on the moon, south polar region. So what makes it special

15
00:00:52.940 --> 00:00:56.150
is India is the first country to land on the moon's south pole.

16
00:00:56.540 --> 00:00:59.600
So that has not been, none of the other countries have been

17
00:00:59.600 --> 00:01:04.040
able to do that so far. So yes, that's what makes this so

18
00:01:04.040 --> 00:01:10.160
special. So we even broadcasted in our recent summit. So yes, I

19
00:01:10.160 --> 00:01:12.410
thought this is apt for this week. Yeah.

20
00:01:12.410 --> 00:01:14.570
Anna Delaney: Yeah, the whole world is watching as well. So

21
00:01:14.930 --> 00:01:17.930
great news. And Rashmi, I think you're in the woods?


22
00:01:19.790 --> 00:01:24.380
Rashmi Ramesh: Yeah, so it is a banyan tree that's about 400

23
00:01:24.380 --> 00:01:28.790
years old, and spread across about three acres of land. And

24
00:01:28.790 --> 00:01:30.320
this is in Bangalore, so

25
00:01:31.490 --> 00:01:33.530
Anna Delaney: You would have thought, you always keep us

26
00:01:33.530 --> 00:01:34.280
guessing, don't you?

27
00:01:35.330 --> 00:01:36.050
Rashmi Ramesh: From the woods.

28
00:01:36.050 --> 00:01:37.670
Suparna Goswami: I don't know where she gets to see such

29
00:01:37.670 --> 00:01:40.730
lovely places in Bangalore. I need to really go with you and

30
00:01:40.730 --> 00:01:41.480
explore Bangalore.

31
00:01:41.510 --> 00:01:43.160
Rashmi Ramesh: It's actually closer to where you live than

32
00:01:43.160 --> 00:01:43.940
where I live.

33
00:01:44.360 --> 00:01:44.720
Suparna Goswami: Oh!

34
00:01:46.340 --> 00:01:49.040
Anna Delaney: Well, Tom, is looking rocky out there. Tell us

35
00:01:49.040 --> 00:01:49.340
more.

36
00:01:49.660 --> 00:01:51.760
Tom Field: I was actually at the south pole of the moon. I got

37
00:01:51.760 --> 00:01:57.760
there first. No, actually, I was traveling with my family couple

38
00:01:57.760 --> 00:02:01.300
of weeks ago, we visited an Indian Casino in Connecticut,

39
00:02:01.300 --> 00:02:04.330
State of Connecticut. So this is the Mohegan Sun. And you can

40
00:02:04.330 --> 00:02:06.880
appreciate this Anna, you get out somewhere, you're doing

41
00:02:06.880 --> 00:02:08.860
something different. You sit down for a moment, you look

42
00:02:08.860 --> 00:02:12.190
around you say, hey, that's a virtual background for my next

43
00:02:12.190 --> 00:02:14.740
Editors' Panel. That was the situation.

44
00:02:15.470 --> 00:02:17.270
Anna Delaney: That's exactly what I did last week. So I was

45
00:02:17.270 --> 00:02:21.620
in East Sussex in the U.K. for a few days.
And this is called the

46
00:02:21.620 --> 00:02:26.030
Mermaid Inn, in the ancient town of Rye. It's one of England's

47
00:02:26.060 --> 00:02:31.850
oldest inns, originating from 1156. And this particular street

48
00:02:31.850 --> 00:02:35.330
and its surrounding streets are quintessentially very English,

49
00:02:35.450 --> 00:02:38.900
cobbled picturesque roads, and you really feel like you're on a

50
00:02:38.960 --> 00:02:39.560
film set.

51
00:02:40.040 --> 00:02:40.820
Tom Field: Awesome, it is beautiful.

52
00:02:41.140 --> 00:02:44.110
Anna Delaney: Yes, it is. Well, going to another film set. Now,

53
00:02:44.110 --> 00:02:49.030
I know, Tom, you were in Las Vegas last week with Erik Decker

54
00:02:49.210 --> 00:02:52.930
of Intermountain Healthcare at Black Hat Conference. It was the

55
00:02:52.930 --> 00:02:55.810
week before actually. And you were talking about cyber

56
00:02:55.810 --> 00:02:58.720
insurance renewal strategy. So tell us more. How are the

57
00:02:58.720 --> 00:03:01.300
dynamics shifting in the cyber insurance space?

58
00:03:01.360 --> 00:03:03.670
Tom Field: Yeah, as you know, this is a topic we follow for

59
00:03:03.670 --> 00:03:06.910
years now, since the advent of cyber insurance. In the past few

60
00:03:06.910 --> 00:03:10.780
years, the storyline has been how expensive it's become to

61
00:03:10.780 --> 00:03:14.740
renew. I mean, you're talking about 100% to 300% increases

62
00:03:14.740 --> 00:03:17.950
sometimes on how much you pay your underwriters, and how hard

63
00:03:17.980 --> 00:03:21.460
it can be to acquire cyber insurance. Erik was telling me,

64
00:03:21.460 --> 00:03:24.820
he's the VP and the CISO of Intermountain Healthcare was

65
00:03:24.820 --> 00:03:28.210
telling me that he's seeing questionnaires of up to 500

66
00:03:28.750 --> 00:03:33.280
questions to be filled out to be able to acquire or reacquire

67
00:03:33.280 --> 00:03:36.070
cyber insurance, become increasingly difficult.
Now, why

68
00:03:36.070 --> 00:03:38.770
has it because there have been so many incidents and insurance

69
00:03:38.770 --> 00:03:42.850
companies have had to pay out. And insurance companies don't

70
00:03:42.850 --> 00:03:46.300
have the history with incidents like they do with your home,

71
00:03:46.330 --> 00:03:49.720
with your auto, with your business. Cyber insurance is new

72
00:03:49.720 --> 00:03:53.020
to everybody. And everybody's trying to figure it out. He was

73
00:03:53.020 --> 00:03:57.340
at Black Hat specifically talking about what do you have

74
00:03:57.340 --> 00:04:01.180
to do to qualify to reacquire cyber insurance. And how can you

75
00:04:01.180 --> 00:04:04.900
get the best potential value. One of the points we discussed

76
00:04:04.900 --> 00:04:09.730
was, what are the five critical controls you need to have and

77
00:04:09.730 --> 00:04:12.430
demonstrate to be able to qualify for cyber insurance. So

78
00:04:12.430 --> 00:04:14.920
if you don't mind, I want to share a short excerpt of our

79
00:04:14.920 --> 00:04:17.560
discussion where he talks about exactly what those five controls

80
00:04:17.560 --> 00:04:17.710
are.

81
00:04:18.130 --> 00:04:21.160
Erik Decker: Yeah, so this is based on Marsh. Marsh is one of

82
00:04:21.160 --> 00:04:23.080
the biggest brokers in cyber insurance. And they have

83
00:04:23.200 --> 00:04:28.030
produced a bunch of some very specific requirements on this.

84
00:04:28.390 --> 00:04:31.750
So having endpoint detection and response capabilities in place

85
00:04:31.750 --> 00:04:35.530
that is monitored 24/7, multifactor authentication on

86
00:04:35.530 --> 00:04:38.230
everything that's accessible from the internet, especially

87
00:04:38.230 --> 00:04:41.890
your remote access tools, your VPNs and such.
Backups that are

88
00:04:41.890 --> 00:04:46.660
tested and validated with tabletop exercises, having

89
00:04:47.470 --> 00:04:50.080
privileged account management over your most sensitive

90
00:04:50.080 --> 00:04:53.470
accounts, like your domain admin accounts and such. And then the

91
00:04:53.470 --> 00:04:57.010
last one was email protection and web filtering protection.

92
00:04:57.130 --> 00:05:00.400
Those are the basic things. If you don't have them, you might

93
00:05:00.400 --> 00:05:01.300
not be getting insured.

94
00:05:01.570 --> 00:05:03.070
Tom Field: Those are the basic things. You don't have, you

95
00:05:03.070 --> 00:05:05.440
don't get cyber insurance. It seems easy, but there are so

96
00:05:05.440 --> 00:05:08.740
many organizations that struggle just to have those basics

97
00:05:08.770 --> 00:05:09.190
covered.

98
00:05:10.150 --> 00:05:12.940
Anna Delaney: And, Tom, do you get a sense from Erik or other

99
00:05:12.940 --> 00:05:16.270
security leaders that you speak with around how well-prepared

100
00:05:16.930 --> 00:05:19.180
companies are when it comes to understanding the terms and

101
00:05:19.180 --> 00:05:21.550
conditions of the cyber insurance policies?

104
00:05:21.540 --> 00:05:24.564
Tom Field: Well, no, because they're shifting as rapidly as

105
00:05:24.627 --> 00:05:28.030
the regulatory environment beneath them. It's a moving

106
00:05:28.093 --> 00:05:31.873
target. And yet, you can't not have cyber insurance for that

108
00:05:31.936 --> 00:05:35.654
major incident.
And when the incident does occur, the cyber

109
00:05:35.717 --> 00:05:39.120
insurer is the one that's they're calling the shots in

110
00:05:39.183 --> 00:05:42.522
terms of who you use for remediation, who you use for

111
00:05:42.585 --> 00:05:46.555
your immediate breach response, and who the subcontractors you

112
00:05:46.618 --> 00:05:50.272
bring in. We have the privilege, I guess you could say, of

113
00:05:50.336 --> 00:05:54.053
watching this industry come together. As we watch, but it's

114
00:05:54.116 --> 00:05:56.070
not necessarily a pretty scene.

115
00:05:58.950 --> 00:06:02.340
Anna Delaney: Suparna, I know that you were part of the team that hosted the ISMG Summit in Delhi this week. How do

116
00:06:02.340 --> 00:06:05.760
conversations around cyber insurance compare there?

117
00:06:12.600 --> 00:06:15.720
Suparna Goswami: Anna, yes, the topic did come up. Though, there was no exclusive session on this particular topic. But in the topic where we discussed about ransomware, of course, this

118
00:06:15.750 --> 00:06:20.790
topic did come up on cyber insurance and how companies are

119
00:06:21.090 --> 00:06:25.620
adapting to it. But the hard fact and hard truth is that most

120
00:06:25.620 --> 00:06:29.910
of the companies with the panelists said was most of us do

121
00:06:29.910 --> 00:06:33.030
not really understand the nuances of it. And we just

122
00:06:33.030 --> 00:06:36.900
probably, and even insurers are selling because there is a lack

123
00:06:36.900 --> 00:06:40.290
of understanding of the market. So they are just selling it. And

124
00:06:40.350 --> 00:06:45.450
but because it's so expensive, not many companies are able to

125
00:06:45.450 --> 00:06:48.930
afford it. Those who are, the bigger ones, they are going for

126
00:06:48.930 --> 00:06:52.830
it. But again, the finer nuances, none of them are able

127
00:06:52.830 --> 00:06:56.100
to understand or comprehend it completely.
But what was

128
00:06:56.100 --> 00:07:00.300
accepted was that, yes, cyber insurance to a large extent,

129
00:07:00.450 --> 00:07:04.500
goes a long way in tightening the security controls of the

130
00:07:04.500 --> 00:07:07.380
organization. But again, the argument was that if the bigger

131
00:07:07.380 --> 00:07:10.440
companies are going for cyber insurance, they would anyway be,

132
00:07:11.010 --> 00:07:13.680
you're assuming that they would have those basic security

133
00:07:13.680 --> 00:07:17.490
controls in place. But yes, they will make that extra effort to

134
00:07:17.490 --> 00:07:22.080
put those but not for the medium and small companies. They are

135
00:07:22.080 --> 00:07:22.830
not nowhere there.

136
00:07:25.260 --> 00:07:27.930
Anna Delaney: Well, moving on. Thank you, Tom. Suparna, you

137
00:07:27.930 --> 00:07:30.750
recently conducted a panel discussion comparing the privacy

138
00:07:30.750 --> 00:07:34.080
landscape in APAC to other regions such as the EU and the

139
00:07:34.110 --> 00:07:35.760
U.S. What did you learn?

140
00:07:36.750 --> 00:07:39.990
Suparna Goswami: Oh, yes, I did a panel with panelists from

141
00:07:40.020 --> 00:07:46.080
Indonesia, as well as Singapore, and considerable DPOs, CISOs as

142
00:07:46.080 --> 00:07:49.020
well as legal experts. So first thing I was very curious,

143
00:07:49.020 --> 00:07:52.530
because there was so much talk around happening around a

144
00:07:52.530 --> 00:07:56.760
privacy in APAC these days. So I thought, why not ask them that

145
00:07:56.760 --> 00:08:00.750
how privacy, the approach toward privacy is different. And

146
00:08:00.750 --> 00:08:05.700
whether it is different or not. So as you know, in EU, privacy

147
00:08:05.700 --> 00:08:08.190
has always been a fundamental right. In fact, some of the

148
00:08:08.190 --> 00:08:13.770
first laws that came around data privacy dates back to 1914.
So

149
00:08:14.220 --> 00:08:17.880
obviously, people understand the context of privacy, people

150
00:08:17.910 --> 00:08:21.600
respect privacy of an individual in the same manner that they

151
00:08:21.600 --> 00:08:25.230
would expect to be treated for themselves. On the other hand,

152
00:08:25.380 --> 00:08:29.820
privacy is a very new concept in APAC. It is and because it's a

153
00:08:29.820 --> 00:08:34.680
new concept, it is more inclined toward security side of things.

154
00:08:34.680 --> 00:08:37.800
You ask any CISO, and he will say that if he has to choose between

155
00:08:37.800 --> 00:08:41.820
security of data, or users' rights, they will always choose

156
00:08:41.820 --> 00:08:45.360
security of data and talking about security, they'll say,

157
00:08:45.450 --> 00:08:49.740
fine, if the data is secured, you are taking care of privacy.

158
00:08:49.740 --> 00:08:55.290
But nobody really talks about individual rights of individuals

159
00:08:55.620 --> 00:08:58.860
that, unfortunately, is missing. And even I find that even true

160
00:08:58.860 --> 00:09:01.890
for India as well. None of them really speak about individual

161
00:09:01.890 --> 00:09:06.210
rights. And then I said, and now this was EU. I asked them about

162
00:09:06.210 --> 00:09:09.420
the privacy culture in the U.S. Now the panelists felt that in

163
00:09:09.420 --> 00:09:12.930
the U.S. the right of privacy tends to get associated

164
00:09:12.930 --> 00:09:17.310
with commerce. So they say that cases are usually being filed by

165
00:09:17.580 --> 00:09:21.240
at individual levels by people. People probably will file, sue

166
00:09:21.240 --> 00:09:25.860
companies, but not at a larger government level. And privacy,

167
00:09:26.100 --> 00:09:28.710
you can see that because privacy is really managed by the Federal

168
00:09:28.710 --> 00:09:32.460
Trade Commission.
And it says there is no proper or exclusive

169
00:09:32.460 --> 00:09:36.690
data protection authority that we have in the EU or even APAC

170
00:09:36.750 --> 00:09:39.930
most of the countries are planning to have now. But U.S.

171
00:09:39.930 --> 00:09:43.560
doesn't have that. And so I asked him the other differences.

172
00:09:43.560 --> 00:09:46.830
Other differences of course how legislature legislations are

173
00:09:46.830 --> 00:09:50.640
structured. So in EU as we all know, it is entirely governed by

174
00:09:50.760 --> 00:09:54.870
GDPR. Whereas in APAC it is pretty fragmented. So each

175
00:09:54.870 --> 00:09:59.640
country has its own legislation. Culturally also, you know, APAC

176
00:09:59.730 --> 00:10:03.090
each country differs a lot. So if you compare China's privacy

177
00:10:03.090 --> 00:10:06.390
law with that of India and India and China being neighbors,

178
00:10:06.420 --> 00:10:09.480
there's a huge difference. So it's a difference in terms of a

179
00:10:09.480 --> 00:10:12.330
culturally also, it's concerned, there's a huge difference

180
00:10:12.330 --> 00:10:16.050
in the two laws. And this also creates, unfortunately, a lot of

181
00:10:16.050 --> 00:10:21.690
problems for your CIOs or CISOs or DPOs, because most businesses

182
00:10:21.720 --> 00:10:26.460
work in multiple jurisdictions these days. So keeping up with

183
00:10:26.460 --> 00:10:30.810
all policies in the region can get tough. And since, you know,

184
00:10:30.810 --> 00:10:35.640
APAC is probably the hub for BPO companies. So you will have

185
00:10:36.600 --> 00:10:39.360
companies here following GDPR, you will have companies here

186
00:10:39.360 --> 00:10:42.570
following probably the CCPA. There are sectoral laws, and

187
00:10:42.570 --> 00:10:46.470
there are individual laws, privacy laws of each country

188
00:10:46.470 --> 00:10:50.400
here. So it creates a huge problem.
So I asked one of the

189
00:10:50.400 --> 00:10:53.760
CISOs, who had joined that, what do you do? So he says that he

190
00:10:53.760 --> 00:10:56.640
probably follows the strictest law that is there in this

191
00:10:56.640 --> 00:11:01.320
region. So in APAC, it would probably be South Korea or

192
00:11:01.320 --> 00:11:04.260
China. So if a business can comply with the strictest law,

193
00:11:04.260 --> 00:11:06.780
then it has just to take into account the minor differences

194
00:11:06.780 --> 00:11:11.730
between our jurisdictional requirements. But yes, that's

195
00:11:11.730 --> 00:11:15.060
what he said that he probably follows the law that is there in

196
00:11:15.060 --> 00:11:18.420
South Korea or China, at least for APAC, and then he knows that

197
00:11:18.420 --> 00:11:21.240
more or less that takes care of the laws in the other region.

198
00:11:23.010 --> 00:11:25.620
Anna Delaney: Well, that's very clear. So how are these regions

199
00:11:25.620 --> 00:11:28.410
thinking about regulations around emerging technologies,

200
00:11:28.410 --> 00:11:33.270
you've got AI, biometrics, IoT? Are there stark differences in

201
00:11:33.270 --> 00:11:37.200
how APAC is approaching these compared to the U.S. and EU?

202
00:11:37.980 --> 00:11:40.350
Suparna Goswami: So as I said, you know APAC, it's in the last

203
00:11:40.350 --> 00:11:44.850
three-four years that privacy discussion has taken by such a

204
00:11:44.850 --> 00:11:50.580
storm. There are talks around regulations around say IoT and

205
00:11:50.610 --> 00:11:54.000
AI, but most of the governments here have taken a lighter

206
00:11:54.000 --> 00:11:57.150
approach. So Singapore, which you probably will expect that it

207
00:11:57.150 --> 00:12:01.710
has probably the more mature the most mature privacy law in APAC

208
00:12:02.220 --> 00:12:05.400
has taken the light approach, as it does not want to stifle

209
00:12:05.400 --> 00:12:09.150
innovation.
India, I know, has opted out of from regulating AI.

210
00:12:09.690 --> 00:12:13.530
Government has said we are not going to regulate AI let the

211
00:12:13.530 --> 00:12:18.060
industry flourish. But China has taken a rough stand. China has

212
00:12:18.060 --> 00:12:21.270
published your new rules for generative artificial

213
00:12:21.270 --> 00:12:24.090
intelligence, and becoming one of the first countries in the

214
00:12:24.090 --> 00:12:28.200
world to regulate the technology that powers popular services

215
00:12:28.200 --> 00:12:28.650
like ChatGPT.

216
00:12:32.850 --> 00:12:34.440
Tom Field: The leadership is going to come from Asia and from

217
00:12:34.440 --> 00:12:37.710
Europe on this, Suparna. It's not going to happen in the U.S.

218
00:12:37.800 --> 00:12:40.800
Right now, we can't get out of our way politically to be able

219
00:12:40.800 --> 00:12:44.730
to come up with sensible regulation on things such as

220
00:12:44.730 --> 00:12:48.690
data privacy, never mind generative AI or any of the

221
00:12:48.690 --> 00:12:51.420
other issues that come up. Even though these are supposed to be

222
00:12:51.420 --> 00:12:55.350
nonpartisan issues, we can't get over partisan issues to get to

223
00:12:55.350 --> 00:12:57.930
those. So the leadership is going to come in Asia-Pac and

224
00:12:57.930 --> 00:12:58.230
Europe.

225
00:12:58.860 --> 00:13:01.500
Suparna Goswami: And in fact, China, I think only August 15,

226
00:13:02.010 --> 00:13:05.640
the law has been it started being applicable. The

227
00:13:06.030 --> 00:13:08.730
regulation, not the law exactly. But the regulation around AI.

228
00:13:08.730 --> 00:13:13.740
Yes. So it's just been effective from August 15 - two-three weeks

229
00:13:13.740 --> 00:13:14.190
back. Yeah.

230
00:13:15.510 --> 00:13:18.180
Anna Delaney: Thank you so much, Suparna.
Well, Rashmi, Tornado

231
00:13:18.180 --> 00:13:21.060
Cash was back in the news this week as the two founders behind

232
00:13:21.060 --> 00:13:24.630
the crypto mixer were charged by U.S. federal agencies. Tell us

233
00:13:24.630 --> 00:13:25.650
about what's been going on.

234
00:13:26.880 --> 00:13:30.120
Rashmi Ramesh: Yeah, always fun to talk about Tornado Cash. So

235
00:13:30.120 --> 00:13:34.320
you're right. So the U.S. charged a Russian national and a

236
00:13:34.350 --> 00:13:39.180
Washington State man, both of them called Roman. One is Storm,

237
00:13:39.180 --> 00:13:43.680
the other one is called Semenov, over creating, operating and

238
00:13:43.680 --> 00:13:47.040
promoting Tornado Cash this week. Now, Tornado Cash was a

239
00:13:47.070 --> 00:13:50.310
crypto mixer, right? That was extensively used by threat

240
00:13:50.310 --> 00:13:55.110
actors like North Korea's Lazarus Group to launder more

241
00:13:55.110 --> 00:13:59.490
than 1 billion during its few years of operation. Now, these

242
00:13:59.490 --> 00:14:03.000
two are charged with conspiracy to commit money laundering,

243
00:14:03.690 --> 00:14:07.830
sanctions violations and operating an unlicensed money

244
00:14:07.830 --> 00:14:11.340
transmitting business. Now the indictment says that they

245
00:14:11.340 --> 00:14:14.730
created the core features of the service, paid for critical

246
00:14:14.730 --> 00:14:18.960
infrastructure to operate it. Advertised it as a service that

247
00:14:18.960 --> 00:14:21.480
allowed anonymous and untraceable financial

248
00:14:21.480 --> 00:14:26.460
transactions, chose not to implement KYC or anti-money

249
00:14:26.460 --> 00:14:31.800
laundering programs, and did not put in controls, despite knowing

250
00:14:31.830 --> 00:14:36.000
that hackers use their platform to launder illicit money. So

251
00:14:36.030 --> 00:14:39.990
they face up to 45 years in prison if convicted on all

252
00:14:39.990 --> 00:14:44.610
charges.
We don't know when the sentencing is yet but that is

253
00:14:44.610 --> 00:14:49.410
the maximum prison sentence they can face. Now, Storm's lawyer

254
00:14:49.410 --> 00:14:54.120
later he said in a statement that the case hinged on a novel

255
00:14:54.120 --> 00:14:58.410
legal theory, which can have dangerous implications for all

256
00:14:58.410 --> 00:15:02.850
software developers. So, he said that Storm like Alex Pertsev,

257
00:15:02.880 --> 00:15:05.820
who was another Tornado Cash developer, who was arrested last

258
00:15:05.820 --> 00:15:09.780
year in the Netherlands, and is currently awaiting trial, only

259
00:15:09.780 --> 00:15:13.710
developed the software. And if software developers are liable

260
00:15:13.740 --> 00:15:17.040
for how that software is used, it can have dangerous

261
00:15:17.040 --> 00:15:21.390
implications. So this case is so important for the whole of the

262
00:15:21.420 --> 00:15:25.590
decentralized finance ecosystem, mainly because of this one hook,

263
00:15:25.620 --> 00:15:30.630
in a space where no one entity or person is solely responsible

264
00:15:30.660 --> 00:15:35.220
for owning anything. Do they become liable when the software

265
00:15:35.250 --> 00:15:40.080
or its users violate the law? So we have to also shed light on

266
00:15:40.380 --> 00:15:43.950
who's responsible for putting in place these KYC and anti-money

267
00:15:43.950 --> 00:15:47.040
laundering measures. And the fact that a lot of decentralized

268
00:15:47.040 --> 00:15:51.060
finance software use open source also adds another layer of

269
00:15:51.060 --> 00:15:52.470
complexity to this question.

270
00:15:53.140 --> 00:15:56.770
Anna Delaney: Yeah, fascinating topic. So the Romans have

271
00:15:57.010 --> 00:16:00.790
fallen. What's the status of Tornado Cash itself? Is it

272
00:16:00.790 --> 00:16:02.200
disappeared? What's happening?

273
00:16:03.380 --> 00:16:08.270
Rashmi Ramesh: Um, yeah, both yes and no.
So the designation

274
00:16:08.270 --> 00:16:11.540
means that Tornado Cash cannot be used for legitimate purposes

275
00:16:11.540 --> 00:16:15.260
anymore in the U.S. But it's not like hackers really toed the law

276
00:16:15.260 --> 00:16:18.770
enforcement line, right? So of course, they still use the

277
00:16:18.770 --> 00:16:22.610
mixer. The only thing is, it's now used mostly by threat

278
00:16:22.610 --> 00:16:26.360
actors. And the whole point of a mixer is that it helps mix

279
00:16:26.360 --> 00:16:29.540
different coins of different denominations, and makes it

280
00:16:29.540 --> 00:16:33.200
harder to be traced. So with all the legitimate transaction

281
00:16:33.200 --> 00:16:36.500
stopping, it's so much easier for law enforcement to track

282
00:16:36.530 --> 00:16:40.280
illicit activity on it. It's always easier to find a needle

283
00:16:40.280 --> 00:16:44.300
in a haystack when it just has a dozen pieces of straw rather

284
00:16:44.300 --> 00:16:48.740
than hundreds, right? And another piece of this puzzle is

285
00:16:48.740 --> 00:16:53.570
that Tornado Cash's code is already out there. So you and I

286
00:16:53.570 --> 00:16:57.230
can set up our own Tornado Cash if we want to. And Sinbad, which

287
00:16:57.230 --> 00:17:00.950
is a shiny new mixer on the block, that's believed to be

288
00:17:00.980 --> 00:17:06.590
Tornado Cash 2.0. So has Tornado Cash disappeared? Yes and no, at

289
00:17:06.590 --> 00:17:07.100
this point.

290
00:17:07.000 --> 00:17:10.720
Anna Delaney: I seem to recall that crypto advocates had

291
00:17:10.720 --> 00:17:14.560
strongly criticized the ban on Tornado Cash as it infringes on

292
00:17:14.560 --> 00:17:17.500
people's expectations of privacy. Does that sentiment

293
00:17:17.500 --> 00:17:18.250
still remain?

294
00:17:19.350 --> 00:17:22.313
Rashmi Ramesh: Um, yes.
So this is also a question that six

295
00:17:22.381 --> 00:17:26.018
plaintiffs filed asking the government to withdraw its

296
00:17:26.086 --> 00:17:30.060
sanctions against Tornado Cash. They said that the Treasury

297
00:17:30.127 --> 00:17:33.765
exceeded its authority in sanctioning the crypto mixer

298
00:17:33.832 --> 00:17:37.672
because it's not a person or a property, it is a piece of

299
00:17:37.739 --> 00:17:41.646
software. They said that it violated their First Amendment

300
00:17:41.713 --> 00:17:45.620
right to speech because it did not allow them to privately

301
00:17:45.688 --> 00:17:49.931
donate to social causes. Like, for example, if a Russian wanted

302
00:17:49.999 --> 00:17:54.243
to donate funds to Ukraine and the ongoing war via Tornado Cash

303
00:17:54.310 --> 00:17:58.217
it, they could not because Treasury had sanctioned it. And

304
00:17:58.284 --> 00:18:01.787
this lawsuit was backed by Coinbase. So which is the

305
00:18:01.854 --> 00:18:06.098
largest crypto exchange in the U.S. But this week, a U.S. judge

306
00:18:06.165 --> 00:18:10.275
said that these arguments do not hold any water. He said that

307
00:18:10.342 --> 00:18:14.586
Tornado Cash is an entity that is governed by voting members of

308
00:18:14.653 --> 00:18:18.223
a DAO or a decentralized autonomous organization that

309
00:18:18.290 --> 00:18:21.659
works similar to the stockholders of a corporation

310
00:18:21.726 --> 00:18:26.037
and therefore can be designated for sanctions. He also said that

311
00:18:26.104 --> 00:18:30.348
the mixer does have a property interest in smart contracts that

312
00:18:30.415 --> 00:18:34.255
are designated.
And the third argument about the sanction

313
00:18:34.322 --> 00:18:38.162
violating First Amendment rights, the judge said that the

314
00:18:38.229 --> 00:18:42.540
First Amendment does not really protect anyone's right to donate

315
00:18:42.608 --> 00:18:46.650
money to social causes through a specific bank or a service.

316
00:18:47.950 --> 00:18:50.050
Anna Delaney: Well, it's a storm indeed. Rashmi, that was great

317
00:18:50.050 --> 00:18:53.980
analysis. Thank you so much. And finally and just for fun, as we

318
00:18:53.980 --> 00:18:56.800
approach the end of August, I think we can still call it

319
00:18:56.800 --> 00:19:00.700
summer. I'd like you to come up with a fun title for a summer

320
00:19:00.700 --> 00:19:04.360
novel on generative AI. Tom go for it.

321
00:19:04.000 --> 00:19:08.770
Tom Field: I have a prop in honor of one of my favorite

322
00:19:08.770 --> 00:19:12.160
books of all time. It's going to be "Zen and the Art of

323
00:19:12.160 --> 00:19:13.090
Generative AI."

324
00:19:16.810 --> 00:19:20.020
Anna Delaney: Very good. I love it. Suparna?

325
00:19:21.110 --> 00:19:23.420
Suparna Goswami: I thought of, you know, "Jenna in a Bottle:

326
00:19:23.450 --> 00:19:24.500
Who Is the Real Master?"

327
00:19:25.970 --> 00:19:27.140
Rashmi Ramesh: Love that.

328
00:19:28.250 --> 00:19:30.680
Anna Delaney: Love that play on words. That's great. Rashmi?

329
00:19:32.190 --> 00:19:35.670
Rashmi Ramesh: I would go with like scary Jedi stuff make

330
00:19:35.670 --> 00:19:39.660
Stephen King proud. "Everything You Watched on Black Mirror but

331
00:19:39.660 --> 00:19:39.870
Real."

332
00:19:41.250 --> 00:19:44.670
Anna Delaney: Very good. At least one of us is going down

333
00:19:44.910 --> 00:19:48.660
that route. What about this: "Sunlight Synthesis - A Summer

334
00:19:48.660 --> 00:19:57.450
of Generative Wonders." It's a sizzling novel, right?
Well,

335
00:19:57.450 --> 00:20:00.300
Suparna, Rashmi, Tom, this has been great fun, excellent.

336
00:20:00.510 --> 00:20:00.660
Tom Field: Indeed.

337
00:20:00.660 --> 00:20:01.470
Anna Delaney: Thank you so much.

338
00:20:01.860 --> 00:20:02.460
Suparna Goswami: Thank you.

339
00:20:02.820 --> 00:20:03.570
Rashmi Ramesh: Thank you, Anna.

340
00:20:03.810 --> 00:20:07.770
Anna Delaney: Thanks so much for watching, until next time.