Anna Delaney: Hello, and welcome to Proof of Concept - the ISMG talk show - where we analyze today's and tomorrow's cybersecurity challenges with experts in the field and discuss how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions here at ISMG.
Tom Field: I'm Tom Field, senior vice president of editorial at ISMG.
Delaney: What's top of your mind in the security world this week?
Field: There's so much. Think about just what happened in the last week with the Twitter whistleblowing. But I think the story that's gaining legs by the day is the breach of Twilio and other companies. Twilio had literally scores of customers impacted by the breach. There are other organizations as well, such as Authy, DoorDash, LastPass and Signal.
Delaney: You're right, we're not done. That's the worrying thing. I think it's been referred to as one of the most sophisticated hacks because it's so patient, so targeted and yet so broad.
Field: One of the quotes that got me was someone saying that it was well-planned and executed with surgical precision. The threat actors had private phone numbers of employees, they had more than 169 counterfeit domains mimicking Okta and other security providers. They had the ability to bypass two-factor authentication protections that used one-time passwords. This was not just someone on a block renting a service.
Delaney: Yeah, absolutely! No phishing attack required. It's all through SMS. We'll see how that evolves. But I thought the Twitter story was huge as well. Former head of Twitter has filed this explosive whistleblower disclosure. Have you looked at the list of vulnerabilities? It's an insider threat stream, it seems, to work at Twitter. But let's see. There's the midterms coming up. Security concerns are flashing over right before us.
Field: We're coming into the last third of 2022 right now. I hosted two security roundtable dinners last week. I can tell you that the CISOs and the security leaders in each of those are bracing now for what's going to be the SolarWinds or the Log4j of 2022. They're bracing themselves even as we speak. And we're not going to get through this last third of the year without some major cybersecurity headlines. I think what we're seeing right now, you talked about Twitter. We've seen part of that story come out and more of that story is going to emerge. With the Twilio breach and similar infiltrations, the news never gets better as the weeks go on and as organizations start to realize just how much more was compromised. I don't think these stories are over by a long shot.
Delaney: Yeah, for sure. I'm sure our guests today will have thoughts and opinions on these stories. Why don't you introduce our first guest?
Field: I'm delighted to. A return visit here from Ari Redbord. He's the head of legal and government affairs with TRM Labs. Ari, welcome back from vacation. There is plenty to talk about.
Ari Redbord: Hey, Tom, thank you so much for having me. Nice to see you, Anna.
Field: Ari, let's start here. Just about a month ago, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned virtual currency mixer Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. Our audience is certainly aware of some of the key details of the sanctions. But I'd like your take on how did we get here?
Redbord: Sure. I love how you phrased the question because it is important how we got here and what the context is. I'd say for over the last few years, the Treasury Department has been surgically going after illicit actors within the cryptocurrency ecosystem. Darknet mixing services like Helix and Bitcoin Fog, which were conspiring with darknet markets to advertise their services as a way to launder the proceeds of illicit activity. They've gone after non-compliant exchanges, mostly Russia-based or exclusively Russia-based: Chatex, Suex and Garantex. They've been going after darknet markets like Silk Road, AlphaBay and Hydra, where there's millions of dollars of illicit activity flowing through. I think what changed was the way the U.S. government was approaching this after the hack of the Ronin blockchain. It was basically North Korea stealing over $600 million. The fact that it ultimately was connected to North Korea meant that we moved from this age where hacks were financial crime to a true national security threat. Treasury, the White House, the national security apparatus within the U.S. government started to try to figure out how to deal with this. What they started to do was use sanctions, which has become the go-to tool of foreign policy and national security over the last few years across administrations. They tried to start to understand how North Korea is laundering the proceeds of these hacks. One way was through a mixing service called Blender.io, which Treasury went ahead and sanctioned. The next was Tornado Cash. But Tornado Cash was significantly different than any of those other sanctions that I mentioned earlier, because it is entirely decentralized: meaning, it is a smart contract, it is software, it is not typically the entity or person that we're used to Treasury sanctioning before under their authorities.
What that meant is, there are a lot of good reasons to go after Tornado Cash potentially, or a mixer that's laundering a billion dollars, according to TRM, of North Korea-laundered funds. But it also resulted in a lot of collateral damage to regular users who are using a privacy-enhancing tool, where, in a world in which there are open transactions more and more, you want some level of privacy.
Field: Ari, how do you see the Tornado Cash sanctions impacting DeFi broadly?
Redbord: Sanctions have always, in my mind at least, been easy. It's black and white, when it comes to crypto. When Treasury in the past has added an address to its Specially Designated Nationals (SDN) list, it has usually been associated with terrorist financing. If you are a crypto platform, centralized or decentralized, you want to block a terrorist financier from your platform. You essentially have to, if you are a U.S. person or a U.S. entity. But Tornado Cash is different. To take that a step further, you also probably want to block any addresses that are transacting with that terrorist financier, because that person is probably funding terrorism in one way or another. But Tornado Cash is different because of all the regular users that are also on the platform that are seeing some sanctions exposure, having engaged now with sanctioned addresses. I think that's where the question comes down to for DeFi, for cryptocurrency businesses. Which addresses should we block based on the sanctions, and which addresses should we not block? It seems that they have a choice today. They can either go ahead and block all of the sanctioned addresses, because if you are a U.S. person or a U.S. entity, or have ties to U.S. persons or U.S. entities, you have to block those addresses. You are prohibited from transacting. The question is, do they go a step further and block addresses that have transacted with those first addresses? What we are doing at TRM is we're providing data to cryptocurrency businesses, exchanges and DeFi protocols, and they are making a decision based on that data on whether or not to block those addresses.
Field: Ari, some have suggested that this move signals a more aggressive posture by the U.S. when it comes to regulating decentralized apps. What do you see is the message from the top?
Redbord: I think that's a big "we'll see." I think this was an extension of things that had been done before. But from my time at Treasury, I can only believe that they were looking at sort of "Alright, look, we need to stop North Korea from laundering funds," because when North Korea launders funds, it's not just about money. It's about weapons proliferation, ballistic missile systems, a launch potentially on Guam or something along those lines. It's real. I think they were trying to do everything they could. Treasury was trying to stop the ability of North Korea to launder funds. Beyond Tornado Cash, I think there are a lot more questions as to how far you extend going after essentially decentralized protocols. All of that said, I think what we're going to see over the next few weeks is significant guidance from OFAC to say, "Hey, look, if you've transacted with Tornado Cash, incidentally or unintentionally, you are not going to be open to enforcement action or those types of things." I think what they would tell you today is absolutely correct. But I think the industry needs some guidance, because that will not just help those individuals, it'll help the companies know who and who not to block. I think we are going to see some guidance. I think that'll probably ultimately speak to your question as well.
Field: As we go into this last third of the year, do you think that guidance is forthcoming?
Redbord: I believe it is. But that is just a best guess. I know there have been a lot of questions from industry to OFAC. Congressman Emmer wrote what I thought was a fairly eloquent letter, laying out both sides, but then asking some very significant questions last week, so they're essentially now going to have to respond to that letter. I do believe so. I also believe that there are probably ways to sort of find a balance here. What we have to do more than anything else is, we have to stop illicit actors from taking advantage of these protocols. I talk about this all the time, it's not just from a national security perspective; take North Korea out. People aren't going to put their funds into DeFi, they're not going to put their funds on a bridge. They're not going to engage with crypto if they think their funds can be hacked and gone in a few days, and one way to stop hacks from happening is to stop the ability to launder funds. But at the same time, as we move into a more and more open financial system, people are going to rightfully need some greater degree of privacy. There's a need for services that enhance that privacy. It's finding that balance, and I think we'll do it. I think the technology answers are there. I think there are tools like TRM and others that can help with this. But at the same time, it is balancing and it can't be one way or another.
Field: Ari, I always enjoy our conversations. I'm going to turn this back to Anna now to introduce our next guest.
Redbord: Love it. Thanks, Tom.
Delaney: Welcoming to the studio, Grant Schneider, senior director of cybersecurity services at Venable, and former federal CISO. Very good to see you again, Grant.
Grant Schneider: Anna, great to see you. Thanks for having me.
Delaney: Grant, as I mentioned earlier, news this week, surprisingly or unsurprisingly, is that Twitter might not be as secure as it should be. Given the importance that Twitter has played in elections in recent years, and the fact that we're a mere few weeks away from the U.S. midterm elections, what's your response to the allegations and what they mean for election security?
Schneider: I think it's concerning on a couple of fronts. There's going to be another side to the story. We're going to learn more. But certainly the set of allegations that have come out are pretty significant, and very concerning for any organization, but particularly for Twitter, because to your point, the amount of social influence that platform is able to exert through its individual users, on all sorts of social and economic things around the world, but particularly on elections. As we get closer to elections, we'll undoubtedly see more and more advertisements around campaigns and paying for the ability to influence. Twitter is one of the tools that politicians use, and anyone that wants to participate in the electoral process uses it to influence people. To think that a malicious actor could leverage that in a way to potentially skew or inappropriately influence voters is very concerning. Definitely interested to see what the allegations are and how Twitter reacts to them, because there's a whole bunch of misunderstanding here. But what are they able to do from a security standpoint?
Delaney: Yeah, for sure. This all comes at a time when geopolitical tensions are high. We've got Russia's war in Ukraine. I was speaking with one of the members of the FBI at RSA this year, he said he was genuinely concerned that Russia will launch cyber retaliatory attacks against the United States elections. Infrastructure was one of the sectors he was most concerned about. What's your advice to the sector right now? Where should they focus their efforts over the next few weeks?
Schneider: In general, the sector is probably at a freeze from making real technical or architectural changes to their systems. In the run-up, they will usually hit the pause button. They're not going to implement something new between now and the midterms. They need to be focused on threat intelligence. Are they able to understand who is sniffing around their systems right now? Anyone that's looking to do something later is going to be doing preparatory activity today. Can they detect that? Can they understand what it is? And then maybe they're still able to do some red team or blue team assessments, to understand what vulnerabilities are out there and how they can mitigate them. But it's making sure that their systems are hardened as much as possible right now.
Delaney: Good advice. Nancy Pelosi's recent visit to Taiwan did ruffle some feathers on the international scene. Taiwanese authorities said that the event provoked an unprecedented amount of cyberattacks on government websites. Some commentators, however, have said that the attacks were more theater than threat. How far do you agree with this statement?
Schneider: I think the attacks that we see, or the attacks that I've seen, and there could be attacks that we don't know about that are more significant, but the DDoS attacks that we saw on the government websites aren't that sophisticated of an approach. Particularly for a nation-state, it feels more like it was about sending a message. It seems to me that if China were looking to do something more specific, we would know less about it. They would look to do something that's far stealthier than a DDoS attack. Certainly, their reaction in the kinetic world of their military exercises all around the island, coupled with this, makes it feel like they definitely wanted this to be a bit of a show. They wanted it to be pretty clear that they have capabilities. Whether these were Chinese nation-state actors, or someone contracted to them, or even Chinese national hacktivists, we don't know. But it definitely feels that this was more about sending messages than gaining access to systems. Unless they did that under the covers at the same time.
Delaney: Very good. Changing angles slightly. An interesting article I read last week: the Justice Department has been filing its most sensitive court documents on paper since January 2021, to avoid any chance of a breach or vulnerability in electronic filing systems. What do you make of the fact that we've got to this point?
Schneider: Pencil and paper is very secure. It just comes down to who you share it with. From that standpoint, if you have secure items, and you want to just keep them offline, then that is an excellent way to enhance the security. It doesn't guarantee the security. You still have insider threats. You can still have documents misplaced or stolen or other things. The reason we don't see more people operating offline and with paper documents is it just doesn't scale. While this might work for some specific and sensitive cases, I don't think it's something that scales more broadly. It's a perfectly acceptable approach for sensitive things. I don't think we're going to see a shift of people away from the internet, either for e-commerce or for doing government functions, because it's just impractical for the number of transactions you need to engage in and the number of constituents you need to engage with.
Delaney: I presume they're printing these documents from somewhere, so I'd say there are other security questions.
Schneider: Yes, one would presume they're not handwriting them out. They certainly could be. It could be on a system that is separated from the internet. Although I think historically, we've seen that even in DOD and other organizations, a lot of the systems that are unconnected have a connection someplace. I think if they're doing that, again, logistically, it's going to be hard to do that at any amount of scale. To your point, you're probably starting with a computer document someplace.
Delaney: This has been informative as always. Thank you, Grant, Ari and Tom. Thanks so much for watching. Until next time.