WEBVTT

1
00:00:00.330 --> 00:00:02.910
Anna Delaney: Hello, welcome to the ISMG Editors' Panel. I'm

2
00:00:02.910 --> 00:00:05.970
Anna Delaney. And here's our weekly roundup of the top news

3
00:00:05.970 --> 00:00:10.080
stories and cybercrime trends. And joining me this week, Tom

4
00:00:10.080 --> 00:00:13.650
Field, senior vice president of editorial, Suparna Goswami,

5
00:00:13.800 --> 00:00:17.010
associate editor for ISMG Asia, and executive editor of

6
00:00:17.040 --> 00:00:20.250
DataBreachToday & Europe, Mathew Schwartz. Great to see

7
00:00:20.250 --> 00:00:20.850
you all.

8
00:00:21.630 --> 00:00:22.260
Tom Field: Nice to be seen.

9
00:00:23.070 --> 00:00:23.820
Mathew Schwartz: Thanks for having us.

10
00:00:25.020 --> 00:00:27.690
Anna Delaney: Suparna, you've got to start us off, because

11
00:00:27.690 --> 00:00:29.340
you've got the most interesting background this week.

12
00:00:30.350 --> 00:00:33.320
Suparna Goswami: Well, yes, we had assumed the Independence Day

13
00:00:33.320 --> 00:00:36.620
earlier this week. So this year what was special was that the

14
00:00:36.620 --> 00:00:40.700
Prime Minister launched a campaign where citizens can now

15
00:00:41.030 --> 00:00:45.530
hoist or display a flag all days of the year. Earlier we were

16
00:00:45.560 --> 00:00:48.650
allowed to hoist the tricolour only on certain occasions and

17
00:00:48.650 --> 00:00:52.520
not residential complexes, but now it is allowed. So that was a

18
00:00:52.580 --> 00:00:56.000
campaign that was launched this year during the Independence Day

19
00:00:56.000 --> 00:00:59.930
and you could take selfie with the flag and all that garnered a

20
00:00:59.930 --> 00:01:02.300
lot of popularity.

21
00:01:02.960 --> 00:01:04.340
Anna Delaney: Okay. Did you take a selfie?

22
00:01:05.390 --> 00:01:07.640
Suparna Goswami: Did not but my kid did.

23
00:01:07.000 --> 00:01:12.010
Tom Field: Can do in this background now is revolutionary.

24
00:01:12.190 --> 00:01:13.390
So congratulations.

25
00:01:14.260 --> 00:01:17.650
Suparna Goswami: Thank you.

26
00:01:15.720 --> 00:01:18.330
Anna Delaney: And Matt, more flags or bunting?

27
00:01:18.000 --> 00:01:20.783
Mathew Schwartz: Bunting, yeah, I'm in Pittenweem in the East

28
00:01:20.846 --> 00:01:24.768
Neuk of Fife for the annual Arts Festival, well, annual before

29
00:01:22.860 --> 00:01:53.430
Anna Delaney: Very nice. Art and community. Love it. Tom, what

30
00:01:24.832 --> 00:01:28.564
the pandemic. So, it was nice to have it back. All bunch of

31
00:01:28.627 --> 00:01:32.739
artists, illustrators, painters, photographers, you name it, take

32
00:01:32.802 --> 00:01:36.661
over the town for about 10 days, garages are filled with art,

33
00:01:36.724 --> 00:01:40.204
houses, all sorts of stuff, beautiful seaside location,

34
00:01:40.267 --> 00:01:43.809
beautiful week that we've been having, before some crazy

35
00:01:43.873 --> 00:01:47.289
thunderstorms. So it was wonderful just to be outdoors

36
00:01:47.352 --> 00:01:49.440
and soaking up some arts as well.

37
00:01:53.430 --> 00:01:55.320
time of day is this?

38
00:01:55.780 --> 00:01:57.280
Tom Field: Sunset on the lake.

39
00:01:57.310 --> 00:01:57.820
Anna Delaney: Okay.

40
00:01:58.090 --> 00:02:00.310
Tom Field: And the reason is because in the month of July, as

41
00:02:00.310 --> 00:02:03.280
I traveled around the United States, I got to see everybody's

42
00:02:03.280 --> 00:02:06.970
heatwave. I was in Chicago, I was in Charlotte, I was in New

43
00:02:06.970 --> 00:02:09.940
York, I was in Washington, DC, hottest week of the year every

44
00:02:09.940 --> 00:02:13.360
time I was there. It was nice to come home and spend a hot night

45
00:02:13.450 --> 00:02:15.940
on the lake. And that's exactly where I took this photo.

46
00:02:15.960 --> 00:02:18.690
Anna Delaney: Very good, well deserved.
And I thought it'd be

47
00:02:18.690 --> 00:02:22.860
good to revisit Italy this week. So I'm in the historic city of

48
00:02:22.860 --> 00:02:26.880
Perugia. Back to the present. Tom, I believe you caught up

49
00:02:26.880 --> 00:02:30.000
with one of our CyberEd board CISOs recently.

50
00:02:30.360 --> 00:02:32.160
Tom Field: Absolutely. And of course, that's the fun of our

51
00:02:32.160 --> 00:02:35.280
job as we get to interact with the CyberEd board community. I

52
00:02:35.280 --> 00:02:37.830
mean, we did this virtually for over a year. Now we get to do it

53
00:02:37.830 --> 00:02:40.950
often live at our events. When they come and they visit our

54
00:02:40.950 --> 00:02:43.920
summits, we're able to sit with them. And the conversations

55
00:02:43.920 --> 00:02:47.820
always revolve around challenges and threats and what their

56
00:02:47.820 --> 00:02:51.240
passions are in their careers. And it's a great opportunity to

57
00:02:51.240 --> 00:02:55.050
dive into the making of the CISO. So I had a conversation

58
00:02:55.050 --> 00:02:58.770
with Bruce Phillips, who was the CISO of an insurance company,

59
00:02:58.770 --> 00:03:02.940
WEST, a large organization. And he talked about the evolution of

60
00:03:02.940 --> 00:03:06.960
the CISO role, how he used to be just that IT guy that knew

61
00:03:06.960 --> 00:03:08.880
a little bit of something about security, and it sort of kept

62
00:03:08.880 --> 00:03:11.820
him at a distance in case he might be dangerous, and how that

63
00:03:11.820 --> 00:03:14.490
evolved to a role where now he's interacting with the board on a

64
00:03:14.490 --> 00:03:17.640
daily basis and advising the business on all matters of

65
00:03:17.640 --> 00:03:23.430
cybersecurity. And so we got into the conversation of what is

66
00:03:23.430 --> 00:03:28.230
the right amount of security for an organization that isn't

67
00:03:28.230 --> 00:03:32.250
primarily focused on security.
And so, I want to share with you

68
00:03:32.580 --> 00:03:36.240
a bit of what he told me about how to find that balance.

69
00:03:37.260 --> 00:03:40.140
Bruce Phillips: That's really the good question. And that's

70
00:03:40.200 --> 00:03:44.910
what I talk about most of the time is, you know, what do we

71
00:03:44.910 --> 00:03:51.780
need versus what is the media telling you to do? You know, all

72
00:03:51.780 --> 00:03:56.190
the time I hear from our founder, or president and CEO,

73
00:03:57.030 --> 00:04:01.680
have some new thing that they've heard about, and which is cool.

74
00:04:02.220 --> 00:04:05.010
It's nice that they're reading. But then, we have the

75
00:04:05.010 --> 00:04:08.490
conversation. But do we need this? What is the risk that

76
00:04:08.490 --> 00:04:14.850
we're trying to avoid? And then, what is the impact of adding

77
00:04:14.850 --> 00:04:19.890
this yet another security control into our stock? And

78
00:04:19.920 --> 00:04:23.130
things that now we have to manage it, we have to take care

79
00:04:23.130 --> 00:04:28.050
of it. We have to teach people how to use it and is it really

80
00:04:28.050 --> 00:04:31.860
helping the business? And that's really I think the most

81
00:04:31.860 --> 00:04:35.340
important thing is understand that there's a lot of really

82
00:04:35.340 --> 00:04:39.030
cool tools out there. But do you really need them?

83
00:04:39.870 --> 00:04:42.210
Tom Field: So, it becomes an interesting conversation in so

84
00:04:42.210 --> 00:04:45.360
many ways.
You've got organizations everywhere now

85
00:04:45.360 --> 00:04:48.330
trying to rationalize the security stack that they have,

86
00:04:48.600 --> 00:04:51.900
trying to make their legacy technology work as they further

87
00:04:51.900 --> 00:04:56.040
their cloud migration, trying to find ways to consolidate the

88
00:04:56.040 --> 00:04:59.850
number of vendors that they work with to mitigate supply chains,

89
00:04:59.850 --> 00:05:04.200
security risks. Bruce's comments don't come in a vacuum. They're

90
00:05:04.290 --> 00:05:07.320
very common among what I hear these days and just thought it

91
00:05:07.320 --> 00:05:10.080
was a nice slice to be able to share from the conversation that

92
00:05:10.000 --> 00:05:13.600
Anna Delaney: Yeah, very interesting. In fact, I have

93
00:05:10.080 --> 00:05:10.890
we have every day.

94
00:05:13.600 --> 00:05:17.860
this very conversation with the CISO of Canon last week. How do

95
00:05:17.860 --> 00:05:21.010
you know when you've done enough? And he likened it to the

96
00:05:21.010 --> 00:05:24.820
old days of advertising, when you know that 50% of your

97
00:05:24.820 --> 00:05:28.000
advertising spend is actually wasted. But you just don't know

98
00:05:28.030 --> 00:05:32.590
which 50%? And we also talked about benchmarking, but he said,

99
00:05:32.590 --> 00:05:37.540
that's dangerous, too. Because how do your benchmarking peers,

100
00:05:38.020 --> 00:05:42.490
how do they know how much they have is enough? Or how much is

101
00:05:42.490 --> 00:05:48.220
too much? So he, bit like Bruce, he said, "Well, we'll start with

102
00:05:48.220 --> 00:05:52.720
education of stakeholders and ask them, what do they expect?

103
00:05:52.720 --> 00:05:58.990
And then say, well, I can't stop everything. So let's focus on

104
00:05:58.990 --> 00:06:02.920
the essentials, not to be seduced by the shiny tools out

105
00:06:02.920 --> 00:06:03.190
there."

106
00:06:03.660 --> 00:06:06.180
Tom Field: There's a dangerous myth out there, Anna, which is,

107
00:06:06.330 --> 00:06:09.420
you hear this a lot, even in high-profile security events

108
00:06:09.420 --> 00:06:12.630
where people say, "You don't have to outrun the bear, you

109
00:06:12.630 --> 00:06:16.830
have to outrun the guy next to you." And that presumes that the

110
00:06:16.830 --> 00:06:20.280
bear that's hungry for only one meal and in these days of

111
00:06:20.310 --> 00:06:24.870
automated attacks, that's a very hungry bear with, I think, an

112
00:06:24.870 --> 00:06:28.530
inexhaustible appetite. So you better be prepared not to be a

113
00:06:28.000 --> 00:06:33.130
Anna Delaney: Good point. We encourage viewers to watch that

114
00:06:28.530 --> 00:06:28.830
meal.

115
00:06:33.130 --> 00:06:36.190
interview in full. It's great. So, Suparna, you have been

116
00:06:36.190 --> 00:06:41.110
talking with fraud experts about tackling business ID theft. What

117
00:06:41.110 --> 00:06:41.830
do we need to know?

118
00:06:43.340 --> 00:06:45.230
Suparna Goswami: So yes, Anna, thank you so much for that. So,

119
00:06:45.230 --> 00:06:49.580
I had this panel discussion with Andrew La Marca, who is from Dun

120
00:06:49.580 --> 00:06:53.480
& Bradstreet and Ralph Gagliardi, who is from the

121
00:06:53.480 --> 00:06:56.900
Colorado Bureau of Investigation. So before I

122
00:06:56.900 --> 00:07:00.050
start, let me give a bit of background about business ID

123
00:07:00.050 --> 00:07:04.220
theft. So, we generally see an increase in business ID theft

124
00:07:04.250 --> 00:07:07.070
after there is a natural disaster or there's an economic

125
00:07:07.070 --> 00:07:11.510
crisis. As you know, bad actors, they usually tend to take

126
00:07:11.510 --> 00:07:15.890
advantage of business funding programs, or probably gain

127
00:07:15.920 --> 00:07:21.620
access to capital by probably falsely applying for a loan.
So,

128
00:07:21.650 --> 00:07:25.970
this time, there has been a 254% increase in business ID theft

129
00:07:25.970 --> 00:07:32.750
last year. And this was a report that has been published by Dun &

130
00:07:32.750 --> 00:07:36.290
Bradstreet because they tackle, they track this field a lot. So

131
00:07:36.290 --> 00:07:39.950
the reason being, one, they said was squeezed in cash flows

132
00:07:39.980 --> 00:07:44.180
because of higher input prices, and low availability of capital

133
00:07:44.210 --> 00:07:47.750
because of which businesses have been applying for loan. And of

134
00:07:47.750 --> 00:07:50.450
course, we all know there have been a major funding program

135
00:07:50.450 --> 00:07:53.750
throughout the past two years, and more of another factor which

136
00:07:53.750 --> 00:07:57.650
contributed to increasing business ID theft has been the

137
00:07:57.650 --> 00:08:01.190
increase in digitization. So now, we have a lot of

138
00:08:01.190 --> 00:08:05.270
information on the website about any business. This helps

139
00:08:05.510 --> 00:08:08.870
fraudsters create synthetic names and register businesses.

140
00:08:09.290 --> 00:08:11.780
So, Andrew from Dun & Bradstreet, he evaluated one of

141
00:08:11.780 --> 00:08:14.870
the government relief programs that happened last year and

142
00:08:14.870 --> 00:08:17.570
identified that roughly 90 million of the 200 million

143
00:08:17.570 --> 00:08:20.960
requested were from bad actors using the stolen business

144
00:08:20.960 --> 00:08:25.430
identity names of officers or using their email IDs. So, it's

145
00:08:25.430 --> 00:08:29.840
very easy. So, essentially, they create a website and use other

146
00:08:29.840 --> 00:08:34.190
legitimate looking systems, they register it, and victim is drawn

147
00:08:34.190 --> 00:08:37.700
through emails. And moreover, the business name also gets

148
00:08:37.700 --> 00:08:41.690
registered with multiple banks.
So that doubt, which I had was

149
00:08:41.690 --> 00:08:46.160
essentially that those banks, when they are giving out loans,

150
00:08:46.460 --> 00:08:48.950
don't they do their due diligence on businesses, but

151
00:08:48.950 --> 00:08:52.130
apparently, no. Few are registered with the state.

152
00:08:52.550 --> 00:08:56.150
That's all you need. And banks will give out loans. So there's

153
00:08:56.150 --> 00:08:59.510
no control in place and essentially, see, the entire

154
00:08:59.510 --> 00:09:02.930
thing is to make it easy for the businesses. But there are

155
00:09:02.930 --> 00:09:07.280
technologies that can be leveraged, the panelists said

156
00:09:07.280 --> 00:09:10.070
that can go a long way in controlling this kind of fraud.

157
00:09:10.760 --> 00:09:16.010
And Ralph said that, you know, the Secretary of State wants to

158
00:09:16.010 --> 00:09:18.950
be business friendly and is trying its best from its end,

159
00:09:18.950 --> 00:09:21.980
like it's applying password protection or email

160
00:09:21.980 --> 00:09:26.630
notification. But, as a whole, we need to go as level up and

161
00:09:26.630 --> 00:09:29.930
understand who is this person who is applying for the loan or

162
00:09:29.930 --> 00:09:33.290
who has opened this new business. So here, you know,

163
00:09:33.320 --> 00:09:36.080
technologies like device fingerprinting, to know which

164
00:09:36.080 --> 00:09:37.940
device is being used for registering a particular

165
00:09:37.940 --> 00:09:42.410
business, that will help then or a new request of loan is coming

166
00:09:42.410 --> 00:09:45.230
from which device? Is it the same device in which the

167
00:09:45.260 --> 00:09:48.230
business was registered?
Then behavior analytics, that will

168
00:09:48.230 --> 00:09:50.780
also play a huge role that how you're interacting on your

169
00:09:50.780 --> 00:09:53.390
webpage, document authentication, so these are

170
00:09:53.390 --> 00:09:57.170
some of the tools that need to come in place. But yes, business

171
00:09:57.200 --> 00:10:01.340
ID theft has not been spoken about a lot but the past couple

172
00:10:01.340 --> 00:10:03.950
of years have seen a lot of increase in this kind of thing.

173
00:10:05.480 --> 00:10:08.270
Anna Delaney: So, are businesses aware of this threat?

174
00:10:10.010 --> 00:10:12.920
Suparna Goswami: They are aware of this threat. But essentially,

175
00:10:12.950 --> 00:10:17.870
there's nothing because the fraudsters are using synthetic

176
00:10:17.870 --> 00:10:24.050
ID of the various businesses, synthetic ID names. And the

177
00:10:24.050 --> 00:10:26.870
states are also not really doing much about it, because they are

178
00:10:26.870 --> 00:10:29.240
just giving out loans or registering the businesses. So

179
00:10:29.240 --> 00:10:31.850
there's nothing much you can do about these things. So

180
00:10:31.850 --> 00:10:35.360
essentially, the control has to be more from the state side than

181
00:10:35.360 --> 00:10:37.820
from the businesses on their own.

182
00:10:39.880 --> 00:10:42.790
Tom Field: Suparna, related to this as well is just the vast

183
00:10:42.790 --> 00:10:46.030
amount of impersonation that's happening because of fraudsters.

184
00:10:46.270 --> 00:10:48.910
Now, I've had this conversation at some of our roundtables,

185
00:10:49.240 --> 00:10:54.610
talking about to what extent are you monitoring to see that your

186
00:10:55.060 --> 00:10:59.620
business, your executives are being copied on social media or

187
00:10:59.620 --> 00:11:02.500
elsewhere.
It comes down to an interesting conversation,

188
00:11:02.830 --> 00:11:05.620
actually heard this from Dave Estlick, he is the CISO of

189
00:11:05.620 --> 00:11:08.590
Chipotle, used to be with Starbucks. And he said, "Yes,

190
00:11:08.620 --> 00:11:12.490
we're out there monitoring for our brand. But where's the line

191
00:11:12.490 --> 00:11:16.750
between monitoring and policing the internet?" And that's

192
00:11:16.750 --> 00:11:19.480
something that CISOs are trying to find a balance for.

193
00:11:19.000 --> 00:11:20.770
Suparna Goswami: Essentially, that's what they said. It is

194
00:11:20.770 --> 00:11:22.450
essential to find that balance, we're not creating too much

195
00:11:22.450 --> 00:11:26.920
friction for the businesses, but at the same time, you know, that

196
00:11:26.920 --> 00:11:32.890
person who has applied for the loan, or who's registering the

197
00:11:32.890 --> 00:11:35.710
business is right, so it's all about finding the right balance.

198
00:11:36.100 --> 00:11:38.740
Anna Delaney: Thank you very much, Suparna. And then, Matt,

199
00:11:38.770 --> 00:11:41.860
Tornado Cash has been in the news again this week. Why is

200
00:11:41.860 --> 00:11:42.280
that?

201
00:11:42.000 --> 00:11:45.279
Mathew Schwartz: It has been in the news. Well, it's fascinating

202
00:11:45.349 --> 00:11:49.535
to see this ongoing crackdown on the cybercrime-as-a-service

203
00:11:49.605 --> 00:11:54.070
economy that helps facilitate so many different kinds of attacks

204
00:11:54.140 --> 00:11:58.466
and illicit activity. And money laundering is a really popular

205
00:11:58.535 --> 00:12:02.861
feature, I guess you can say, of the cryptocurrency ecosystem.

206
00:12:02.931 --> 00:12:07.117
And some of the services that provide this are called mixers

207
00:12:07.187 --> 00:12:11.024
or tumblers.
And these are services that will take your

208
00:12:11.094 --> 00:12:15.420
cryptocurrency and promise to give it back after having broken

209
00:12:15.490 --> 00:12:19.885
the chains between where it came from and where it's going. So,

210
00:12:19.955 --> 00:12:24.281
they take the cryptocurrency, throw it into a big pool, mix it

211
00:12:24.351 --> 00:12:28.398
about, and at a later time, you can get it back out again.

212
00:12:28.467 --> 00:12:32.375
Again, hopefully it's been cleaned coins, they sometimes

213
00:12:32.444 --> 00:12:36.770
call it, or white. Now, mixer proponents will say that there's

214
00:12:36.840 --> 00:12:41.166
nothing inherently wrong about using a mixer. Governments have

215
00:12:41.236 --> 00:12:45.143
increasingly, however, been disagreeing with your use of

216
00:12:45.213 --> 00:12:49.259
mixers being legal, if those mixing services don't enforce

217
00:12:49.329 --> 00:12:53.655
anti-money laundering and know your customer requirements. And

218
00:12:53.725 --> 00:12:57.702
they've been cracking down. We've seen two mixer services

219
00:12:57.771 --> 00:13:02.167
sanctioned so far now. The most recent was Tornado Cash earlier

220
00:13:02.237 --> 00:13:06.632
this month. And in the ongoing saga of Tornado Cash, one of the

221
00:13:06.702 --> 00:13:11.098
alleged developers got arrested in the Netherlands earlier this

222
00:13:11.168 --> 00:13:15.284
week. So this is fascinating because they're not just going

223
00:13:15.354 --> 00:13:19.750
after the services, but also the individuals, it seems, who are

224
00:13:19.819 --> 00:13:23.517
helping to power or provide these services.
So, Dutch

225
00:13:23.587 --> 00:13:27.983
authorities said the gentleman, who's 29 years old has not been

226
00:13:28.052 --> 00:13:31.401
named, is suspected of involvement in concealing

227
00:13:31.471 --> 00:13:35.518
criminal financial flows and facilitating money laundering

228
00:13:35.588 --> 00:13:38.797
through the mixing of cryptocurrencies via the

229
00:13:38.867 --> 00:13:42.914
decentralized Ethereum mixing service called Tornado Cash.

230
00:13:42.983 --> 00:13:47.100
Now, that's a mouthful. But the basics here is that Tornado

231
00:13:47.170 --> 00:13:51.496
Cash, which is still operating, although it's been sanctioned,

232
00:13:51.565 --> 00:13:56.031
so it's illegal for any American or anybody in the United States

233
00:13:56.101 --> 00:14:00.147
to use it. You face civil and some pretty serious criminal

234
00:14:00.217 --> 00:14:04.682
penalties if you use it, even to get out cash you've already put

235
00:14:04.752 --> 00:14:08.450
in. So don't go there, basically. But it's the theory

236
00:14:08.520 --> 00:14:12.148
of service. So this is interesting, because it's not

237
00:14:12.218 --> 00:14:16.753
clear if authorities can shut it down. The mixing is accomplished

238
00:14:16.823 --> 00:14:21.149
using smart contracts. So, if you want to use the service, you

239
00:14:21.218 --> 00:14:25.405
essentially spool up a smart contract, put your money in. At

240
00:14:25.474 --> 00:14:29.730
some point, it gets crunched through this mixing service, and

241
00:14:29.800 --> 00:14:34.196
then made available to you. You don't need to pull it out right

242
00:14:34.266 --> 00:14:38.382
away. But unfortunately, this sort of thing looks like it's

243
00:14:38.452 --> 00:14:42.778
going to be very difficult for authorities to permanently shut

244
00:14:42.847 --> 00:14:47.173
down because it kind of runs on its own.
And certainly, one of

245
00:14:47.243 --> 00:14:51.499
the cofounders of the service has claimed that there's no way

246
00:14:51.569 --> 00:14:55.197
it can ever be taken down. Because, again, it's been

247
00:14:55.267 --> 00:14:59.732
engineered to just do its thing without any human input. I guess

248
00:14:59.802 --> 00:15:04.058
we'll see if that's really going to happen and other ways, of

249
00:15:04.128 --> 00:15:08.384
course, that authorities can track these cryptocurrency flows

250
00:15:08.454 --> 00:15:12.500
and oftentimes trace them back to individuals. So, also in

251
00:15:12.570 --> 00:15:15.710
terms of the flows, interestingly, blockchain

252
00:15:15.780 --> 00:15:19.966
analysis firm Chainalysis said that from the time Tornado

253
00:15:20.036 --> 00:15:24.152
Cash became active in 2019, until it was sanctioned earlier

254
00:15:24.222 --> 00:15:28.548
this month, it said that it had handled more than $7.6 billion

255
00:15:28.618 --> 00:15:33.013
worth of Ethereum. And a sizable portion of that cryptocurrency

256
00:15:33.083 --> 00:15:36.990
had come from illicit or high-risk sources. North Korea,

257
00:15:37.060 --> 00:15:41.525
in particular, appeared to be an avid user of the service, maybe

258
00:15:41.595 --> 00:15:46.061
almost a fifth of the funds that went across it have so far been

259
00:15:46.130 --> 00:15:50.386
attributed to North Korea or other sanctions evaders. A tenth

260
00:15:50.456 --> 00:15:54.433
of the funds that it handled have also been tied to known

261
00:15:54.503 --> 00:15:58.410
cryptocurrency theft, stolen funds. So, mixer proponents

262
00:15:58.480 --> 00:16:02.666
might say, "Don't hate on the service, hate other people who

263
00:16:02.736 --> 00:16:06.573
are using it incorrectly." Governments had been saying,

264
00:16:06.643 --> 00:16:10.690
"That's nice in theory, but if you don't enforce some very

265
00:16:10.760 --> 00:16:15.155
basic controls, we're going to become an afterthought."
They're

266
00:16:15.225 --> 00:16:19.342
just fascinating to see how these crackdowns on the illicit

267
00:16:19.411 --> 00:16:23.040
use of cryptocurrency services have been continuing.

268
00:16:24.300 --> 00:16:27.344
Anna Delaney: And we've got two cases here then. The employee

269
00:16:27.408 --> 00:16:31.165
suspect, allegedly involved in stealing criminal financial

270
00:16:31.230 --> 00:16:35.051
flows. And then of course, you got the sanctions on Tornado

271
00:16:35.115 --> 00:16:38.160
Cash by the OFAC, are they related? Do we know?

272
00:16:39.530 --> 00:16:42.080
Mathew Schwartz: No, we don't know. In particular, if the

273
00:16:42.080 --> 00:16:44.180
developer is being accused of money laundering for

274
00:16:44.180 --> 00:16:47.870
facilitating money laundering, or if they might be tying it

275
00:16:47.870 --> 00:16:52.220
more directly to the developer using it for personal illicit

276
00:16:52.250 --> 00:16:55.160
enrichment, it's one of these press releases that's come out

277
00:16:55.160 --> 00:16:59.210
from the police. It doesn't say a whole lot, it suggests many

278
00:16:59.210 --> 00:17:03.290
things. But it's not extremely technically nuanced, if you

279
00:17:03.290 --> 00:17:06.830
will, about exactly what's being alleged. This, of course, is

280
00:17:06.830 --> 00:17:10.550
common. If the FBI unveils charges against someone, they

281
00:17:10.550 --> 00:17:13.550
don't give the whole case away, they just give you enough of a

282
00:17:13.550 --> 00:17:17.630
flavor to understand what's going on. And the Dutch

283
00:17:17.690 --> 00:17:20.630
authorities have said their probe's continuing, there could

284
00:17:20.630 --> 00:17:26.420
very well be more arrests. I'm surprised that this alleged

285
00:17:26.450 --> 00:17:30.260
developer associated with this alleged money laundering

286
00:17:30.410 --> 00:17:34.130
happened to be based in the Netherlands.
I would think this

287
00:17:34.160 --> 00:17:37.490
wouldn't be a great move when you're doing something that's so

288
00:17:37.490 --> 00:17:42.380
obviously risky. Again, in theory, mixing services provide

289
00:17:42.380 --> 00:17:47.000
a service. And you don't control who uses it. But the writing's

290
00:17:47.000 --> 00:17:50.360
really been on the wall here about people who aid and abet

291
00:17:50.390 --> 00:17:54.170
these services, which, if you're going to be nice, can be safe to

292
00:17:54.170 --> 00:17:57.320
operate in a gray territory. But obviously, there's a lot of

293
00:17:57.350 --> 00:17:58.640
illicit use as well here.

294
00:17:59.030 --> 00:18:02.330
Suparna Goswami: Yeah, so Matt, you said that probably there are

295
00:18:02.330 --> 00:18:05.630
sanctions on companies who do not adhere to the basic rules,

296
00:18:05.630 --> 00:18:09.590
like if you don't know your customer KYC. So, is there a

297
00:18:09.590 --> 00:18:11.960
particular reason why they don't do or they do, and they don't

298
00:18:11.960 --> 00:18:15.290
follow up, like who is continuing to access their

299
00:18:16.160 --> 00:18:16.730
account?

300
00:18:17.930 --> 00:18:21.200
Mathew Schwartz: I've reached out to Tornado Cash - at least

301
00:18:21.200 --> 00:18:24.710
one of the founders seems to be based in Russia - to ask about

302
00:18:24.710 --> 00:18:30.500
these allegations against it. And the OFAC sanctions saying is

303
00:18:30.950 --> 00:18:33.650
basically they're not doing what they should be doing with AML

304
00:18:33.650 --> 00:18:37.640
and KYC. They have not gotten back to me. So, I couldn't speak

305
00:18:37.640 --> 00:18:41.300
to the thinking about why they have or have not. Certainly,

306
00:18:41.300 --> 00:18:44.240
there's other services that we've seen.
There was a case

307
00:18:44.240 --> 00:18:49.160
recently where a service was providing the ability to trade

308
00:18:49.520 --> 00:18:54.140
cryptocurrency and they didn't have AML and KYC in place, but

309
00:18:54.140 --> 00:18:56.870
then they did get it in place. And so, the Feds didn't try to

310
00:18:56.870 --> 00:19:00.770
shut them down. They did find them. But they also acknowledged

311
00:19:00.800 --> 00:19:04.400
the service had gotten compliance. So, it's not the

312
00:19:04.400 --> 00:19:08.810
government wanting to just erase the services from the map. It's

313
00:19:08.810 --> 00:19:12.500
wanting them to do some due diligence. So if they do the due

314
00:19:12.500 --> 00:19:16.790
diligence, it seems that they're allowed to operate. This is

315
00:19:16.850 --> 00:19:19.130
okay, you can provide the service, you've met our basic

316
00:19:19.130 --> 00:19:22.100
requirements. If you don't, they're going to come after you.

317
00:19:22.130 --> 00:19:22.940
They're going to sanction you.

318
00:19:24.260 --> 00:19:24.890
Suparna Goswami: Fair enough.

319
00:19:26.360 --> 00:19:28.490
Anna Delaney: And Matt, what will you be watching closely as

320
00:19:28.490 --> 00:19:32.030
the illicit crypto mixer challenge evolves?

321
00:19:32.300 --> 00:19:33.890
Mathew Schwartz: I'm waiting to see who they try to take down

322
00:19:33.890 --> 00:19:37.400
next. It's fascinating. And these cases, it's important to

323
00:19:37.400 --> 00:19:40.130
remember the cops are never going to identify all the

324
00:19:40.130 --> 00:19:42.860
criminals, they're never going to arrest all the bad guys and

325
00:19:42.860 --> 00:19:48.200
girls. But by arresting people such as this alleged developer

326
00:19:48.200 --> 00:19:51.770
associated with Tornado Cash, they're sending a message, and

327
00:19:51.800 --> 00:19:55.670
that can have a really good disruptive effect.
It says,

328
00:19:55.760 --> 00:19:58.970
"Play by the rules or you could be next when it comes to the

329
00:19:58.970 --> 00:20:00.320
cops busted down your door."

330
00:20:00.950 --> 00:20:02.750
Tom Field: Did you know, Anna, crypto has been the story of the

331
00:20:02.750 --> 00:20:04.760
year. Matt's right. Could be another chapter next week.

332
00:20:07.610 --> 00:20:11.180
Anna Delaney: Okay. Yeah, I think you're right. Well, thank

333
00:20:11.180 --> 00:20:15.380
you very much. Matt, final question for you. If you were to

334
00:20:15.380 --> 00:20:19.310
write the next cybersecurity themed musical, what would you

335
00:20:19.310 --> 00:20:21.470
call it? Jazz hands to the ready.

336
00:20:21.620 --> 00:20:23.990
Mathew Schwartz: Jazz hands. I'll jump in there. I would do

337
00:20:23.990 --> 00:20:28.460
an updating of Music Man, because you have a conman who

338
00:20:28.460 --> 00:20:31.190
comes to small town, convinces them that they should spend a

339
00:20:31.190 --> 00:20:33.650
lot of money on something that conman doesn't know anything

340
00:20:33.650 --> 00:20:37.490
about. Or a cybersecurity man maybe, I don't know. The snake

341
00:20:37.490 --> 00:20:42.080
oil salesman who, at the end, finds the light, helps everyone

342
00:20:42.530 --> 00:20:47.330
become secure. I think there's a cybersecurity wrinkle there or

343
00:20:47.330 --> 00:20:51.620
angle, I should say, on the whole conman theme. Yeah, call

344
00:20:51.620 --> 00:20:54.770
me cynical, but I think it could be a really rousing success on

345
00:20:54.770 --> 00:20:55.190
Broadway.

346
00:20:55.340 --> 00:20:57.560
Tom Field: Sounds little bit like John McAfee superstore.

347
00:21:00.140 --> 00:21:00.800
Mathew Schwartz: Double Bill.

348
00:21:03.260 --> 00:21:04.010
Anna Delaney: Suparna?

349
00:21:04.820 --> 00:21:07.280
Suparna Goswami: Yeah, I thought Michael Jackson Smooth Criminal,

350
00:21:07.310 --> 00:21:13.160
I thought that.
Because Smooth being one of the jazz thing, a

351
00:21:13.160 --> 00:21:16.820
genre and songs. I thought that would be a very apt name.

352
00:21:17.300 --> 00:21:23.480
Anna Delaney: Thriller! Yeah. Choices. Good with Michael. Tom?

353
00:21:23.900 --> 00:21:26.240
Tom Field: Yeah, you know, for mine, it comes down from talking

354
00:21:26.240 --> 00:21:28.730
to all these incident responders in the past years about

355
00:21:28.730 --> 00:21:33.410
SolarWinds and about Log4j. And they all talk about the

356
00:21:33.410 --> 00:21:37.070
immediate aftermath. And everybody's hair on fire. So the

357
00:21:37.070 --> 00:21:38.690
name of my musical's Hair on Fire.

358
00:21:40.880 --> 00:21:44.360
Anna Delaney: Love it. I was going to go for Les Hacked. Les

359
00:21:44.360 --> 00:21:52.250
Mis' is but I would definitely get a fundraiser for the

360
00:21:52.250 --> 00:21:52.790
musical.

361
00:21:53.540 --> 00:21:56.780
Tom Field: First of mine, Tory Johnson, the old 1940s, 1950s

362
00:21:56.780 --> 00:21:58.730
actor of bad movies. But it could, both could be

363
00:21:58.730 --> 00:21:59.210
interesting.

364
00:21:59.650 --> 00:22:00.190
Mathew Schwartz: Interesting.

365
00:22:02.080 --> 00:22:04.000
Anna Delaney: Yeah. We'll talk about who's going to compose

366
00:22:04.000 --> 00:22:08.410
these musicals next week. For now, thank you very much for a

367
00:22:08.410 --> 00:22:13.330
great discussion. Tom, Suparna and Matt, as always, thank you.

368
00:22:13.690 --> 00:22:15.910
And thanks so much for watching, and until next time.