WEBVTT

1
00:00:00.330 --> 00:00:02.790
Anna Delaney: Hello, I'm Anna Delaney and this is the ISMG

2
00:00:02.820 --> 00:00:05.730
Editors' Panel, a weekly show where we analyze some of the top

3
00:00:05.730 --> 00:00:09.240
stories and interviews of the moment. And this week I am

4
00:00:09.240 --> 00:00:13.020
joined by Tom Field, Senior Vice President of Editorial; Suparna

5
00:00:13.020 --> 00:00:16.740
Goswami, Associate Editor at ISMG Asia; and Matthew Schwartz,

6
00:00:16.800 --> 00:00:19.770
Executive Editor of DataBreachToday and Europe. Very

7
00:00:19.770 --> 00:00:20.670
good to see you all.

8
00:00:21.330 --> 00:00:22.110
Tom Field: Very Good to see you.

9
00:00:22.470 --> 00:00:22.860
Suparna Goswami: Pleasure.

10
00:00:23.940 --> 00:00:24.690
Matthew Schwartz: Great to see you.

11
00:00:25.710 --> 00:00:28.740
Anna Delaney: So, Tom, starting with you, I do worry that you're

12
00:00:28.740 --> 00:00:31.050
right there amidst the rocks.

13
00:00:31.650 --> 00:00:35.580
Tom Field: It is not Stonehenge. This is considered the devil's

14
00:00:35.580 --> 00:00:39.360
footprint. And it's a cemetery not terribly far from where I

15
00:00:39.360 --> 00:00:42.090
live. And the story behind it is when they were building a

16
00:00:42.090 --> 00:00:47.040
meeting house here in the 1700s, a worker encountered a huge rock

17
00:00:47.160 --> 00:00:51.060
that could not be moved by human means. And he swore that he

18
00:00:51.060 --> 00:00:54.420
would sell his soul to the devil for the ability to be able to

19
00:00:54.420 --> 00:00:58.950
move that rock. Well, overnight, the rock magically disappeared.

20
00:00:59.340 --> 00:01:03.270
The man magically disappeared. And in its place, off to the

21
00:01:03.270 --> 00:01:07.020
side, was this rock with the alleged imprint of a cloven

22
00:01:07.020 --> 00:01:07.350
hoof.

23
00:01:09.540 --> 00:01:14.490
Anna Delaney: All in your backyard! That is a story.

24
00:01:14.520 --> 00:01:15.390
Suparna?

25
00:01:17.100 --> 00:01:20.040
Suparna Goswami: Oh yes! This is the cricket stadium in

26
00:01:20.040 --> 00:01:23.340
Bangalore. So after a long, long time, maybe after a gap of five

27
00:01:23.340 --> 00:01:27.510
years, I went to watch a live match. And yes, it was worth the

28
00:01:27.510 --> 00:01:30.930
wait. What a fantastic day of cricket it was! Got to see both

29
00:01:30.960 --> 00:01:34.110
batting and bowling. Yes, and completely enjoyed it.

30
00:01:34.890 --> 00:01:36.570
Electrifying atmosphere out there.

31
00:01:37.740 --> 00:01:40.470
Anna Delaney: That is brilliant. And Matthew, you went to another

32
00:01:40.470 --> 00:01:41.010
graveyard?

33
00:01:42.000 --> 00:01:43.710
Matthew Schwartz: Yes, I was going to continue the graveyard

34
00:01:43.710 --> 00:01:46.620
link. Like it is, in fact, a graveyard. You can't see all the

35
00:01:46.620 --> 00:01:50.100
way down to the ground but this is just down the road from me.

36
00:01:50.100 --> 00:01:54.270
It's an old church. And I've added a little bit of scratchy

37
00:01:54.270 --> 00:01:58.680
sort of character to the image. But it is a foggy evening, here

38
00:01:58.680 --> 00:01:59.490
in Scotland.

39
00:02:00.120 --> 00:02:02.130
Anna Delaney: There's a lot of character indeed. Well, I am at

40
00:02:02.130 --> 00:02:06.030
a gig earlier this week that I attended. A French band doing

41
00:02:06.030 --> 00:02:10.680
their 2020 tour. So a few cancellations later, it was good

42
00:02:10.680 --> 00:02:15.090
to see them live. But starting with Matthew this week, the war

43
00:02:15.120 --> 00:02:19.170
in Ukraine obviously, continues, unfortunately. And earlier this

44
00:02:19.170 --> 00:02:21.930
week, you wrote a very interesting article about the

45
00:02:21.960 --> 00:02:25.710
ethics of paying ransomware payments to Russian criminals at

46
00:02:25.710 --> 00:02:29.520
this time. Now to pay or not to pay has always been a divisive

47
00:02:29.520 --> 00:02:34.230
question.
How has Russia's war further complicated the debate?

48
00:02:35.080 --> 00:02:38.890
Matthew Schwartz: Yes. So big ethical challenge here. Do you

49
00:02:38.890 --> 00:02:43.360
pay a ransom? Or don't you pay a ransom? And unfortunately, I

50
00:02:43.360 --> 00:02:47.380
think where crime is concerned, ethics doesn't usually factor

51
00:02:47.410 --> 00:02:50.320
into the discussion. I mean, maybe if you're a government

52
00:02:50.320 --> 00:02:54.910
agency, yes, or somebody else who's got some level of public

53
00:02:54.910 --> 00:02:59.200
accountability. But experts say that it really remains a

54
00:02:59.200 --> 00:03:02.650
business decision, whether you pay or don't pay. And you can

55
00:03:02.650 --> 00:03:07.780
see why this would be the case. If you are a CEO, however many

56
00:03:07.780 --> 00:03:10.870
employees you have, you're in charge of the company, your

57
00:03:10.870 --> 00:03:13.780
responsibility. And if you don't pay, and you end up going

58
00:03:13.780 --> 00:03:16.840
bankrupt, and the company goes out of business, that's

59
00:03:17.200 --> 00:03:22.570
obviously not going to be as good of an option as potentially

60
00:03:22.600 --> 00:03:26.620
paying. And a lot of companies that we see get breached, hit

61
00:03:26.620 --> 00:03:30.760
with ransomware, have cyber insurance. And so a lot of times

62
00:03:30.790 --> 00:03:34.120
they can also pay without it being too much of an imposition

63
00:03:34.240 --> 00:03:38.380
on the ability of the firm to keep functioning long term. So a

64
00:03:38.560 --> 00:03:42.310
bit of background there, obviously. But the big question

65
00:03:42.340 --> 00:03:46.960
I've had with the increased number of attacks that we've

66
00:03:46.960 --> 00:03:52.930
seen recently meets the Russian war is, are we going to see more

67
00:03:52.930 --> 00:03:57.520
payments perhaps or fewer payments?
Because the optics of

68
00:03:57.520 --> 00:04:00.760
paying Russian cyber criminals right now, one would think,

69
00:04:00.790 --> 00:04:04.750
wouldn't be great. There have been some other questions around

70
00:04:04.750 --> 00:04:09.130
this as well. I was presenting at a data breaches summit this

71
00:04:09.130 --> 00:04:13.180
week, and one of the audience members asked me, in regards to

72
00:04:13.210 --> 00:04:16.720
Russia's invasion, did I think that we would see an increase in

73
00:04:16.720 --> 00:04:21.520
ransomware attacks as a way to potentially funnel money to the

74
00:04:21.520 --> 00:04:26.170
Russian government to help basically keep the lights on? So

75
00:04:26.170 --> 00:04:29.530
that's another question that we've been seeing. Another one

76
00:04:29.590 --> 00:04:34.900
is whether or not paying now is something that might come back

77
00:04:34.900 --> 00:04:38.440
to haunt businesses later. We see a lot of these ransom

78
00:04:38.440 --> 00:04:43.120
payments happening on the sly, and a lot of organizations seem

79
00:04:43.120 --> 00:04:47.590
to be driven to pay because they don't want their name to come

80
00:04:47.590 --> 00:04:52.840
out publicly. So you might think that the war would keep people

81
00:04:52.840 --> 00:04:55.660
from wanting to pay, but on the other hand, it could also force

82
00:04:55.660 --> 00:04:58.630
some people to pay more quickly because they might not want

83
00:04:58.630 --> 00:05:01.330
their name to show up on a data leak site, getting named and

84
00:05:01.330 --> 00:05:03.940
shamed in the course of events. But they think they're going to

85
00:05:03.940 --> 00:05:07.510
have to pay, they might be driven to pay more quickly. So a

86
00:05:07.510 --> 00:05:11.440
lot of kind of competing factors here in terms of what might or

87
00:05:11.440 --> 00:05:14.860
might not happen.
So just really briefly on the cryptocurrency

88
00:05:14.860 --> 00:05:17.410
front, I don't think we're going to see ransomware gangs

89
00:05:17.470 --> 00:05:20.110
funneling their money to Moscow to help keep the lights on.

90
00:05:21.160 --> 00:05:24.310
Experts I have spoken to said, the amount that ransomware gangs

91
00:05:24.310 --> 00:05:28.930
are getting, while it's a lot, is nowhere near enough to

92
00:05:28.960 --> 00:05:32.800
correct the kinds of sanctions that are being levied against

93
00:05:33.280 --> 00:05:37.060
Putin and his friends and the other oligarchs. So just to put

94
00:05:37.060 --> 00:05:40.690
that one thing out of the way. Now, are businesses going to be

95
00:05:40.690 --> 00:05:43.420
more or less likely to pay? Some of the experts I've spoken to

96
00:05:43.420 --> 00:05:47.440
said, they actually don't think it's going to have an impact. So

97
00:05:47.590 --> 00:05:50.710
I think we maybe have been seeing slightly fewer ransomware

98
00:05:50.710 --> 00:05:54.310
attacks recently, I don't know if that's going to, you know,

99
00:05:54.340 --> 00:05:57.100
bear out. Maybe they're just not coming to light because more

100
00:05:57.100 --> 00:05:59.140
people are paying more quickly, and it's keeping it off the

101
00:05:59.140 --> 00:06:04.510
radar. But I think when you add it all up, at the end of the

102
00:06:04.510 --> 00:06:08.290
day, a lot of businesses are still looking at this as a

103
00:06:08.290 --> 00:06:11.470
business question. You know, they're doing a cost benefit

104
00:06:11.500 --> 00:06:14.890
analysis. Do we need to pay to get our operations back up and

105
00:06:14.890 --> 00:06:17.890
running? And do we think that by paying, we will be able to do

106
00:06:17.890 --> 00:06:21.550
this? So that is the short, that's the TLDR to all this

107
00:06:21.550 --> 00:06:23.770
that's been going on. But there's a lot of outstanding

108
00:06:23.770 --> 00:06:26.770
questions still.
And it's been fascinating to keep track of

109
00:06:26.770 --> 00:06:27.820
where this is all going.

110
00:06:28.180 --> 00:06:32.230
Anna Delaney: Great insight, Matt. And about Conti ransomware

111
00:06:32.230 --> 00:06:35.710
gang leak that happened a few weeks back, do we know any more

112
00:06:35.710 --> 00:06:36.970
about the impact on the group?

113
00:06:38.320 --> 00:06:40.180
Matthew Schwartz: So I think we're going to see some reports

114
00:06:40.180 --> 00:06:45.580
coming out soon, from security firms that have been analyzing

115
00:06:45.580 --> 00:06:49.810
these Russian language Java chat logs, and the source code also

116
00:06:49.810 --> 00:06:53.380
got leaked for Conti. And a lot of experts were hoping this

117
00:06:53.380 --> 00:06:57.010
might put a dent in Conti's operations. Because together

118
00:06:57.010 --> 00:07:01.900
with LockBit, Conti has been one of the most prevalent groups as

119
00:07:01.900 --> 00:07:06.760
ranked by known victims. So anything that can disrupt that

120
00:07:06.970 --> 00:07:10.090
is great. And it would be wonderful if they were forced to

121
00:07:10.090 --> 00:07:15.070
at least pause and maybe reboot with a new name. Unfortunately,

122
00:07:15.340 --> 00:07:18.400
we haven't seen that happen. So we have gotten some interesting

123
00:07:18.400 --> 00:07:22.510
insights to how Conti works. But we already knew that it was very

124
00:07:22.510 --> 00:07:25.900
effective. I don't know if there's any secrets in terms of

125
00:07:25.900 --> 00:07:29.440
its business model that have come to light. It has been

126
00:07:29.440 --> 00:07:32.920
interesting to see though just the degree of organization they

127
00:07:32.920 --> 00:07:37.060
have. I think about 100 employees, and their goal is to

128
00:07:37.060 --> 00:07:41.410
steal money from organizations using ransomware. And obviously,

129
00:07:41.410 --> 00:07:42.640
they've been quite effective at that.

130
00:07:44.170 --> 00:07:46.240
Tom Field: Adding a truth to the rumors that the oligarchs are

131
00:07:46.240 --> 00:07:49.720
applying for jobs with Conti and the other ransomware groups.

132
00:07:51.040 --> 00:07:52.870
Matthew Schwartz: I couldn't possibly comment.

133
00:07:54.460 --> 00:07:56.680
Anna Delaney: Well, that is excellent. Thank you, Matt.

134
00:07:57.220 --> 00:08:01.450
Let's see how things develop. Tom, there is a new executive

135
00:08:01.450 --> 00:08:03.220
order in town, is there not?

136
00:08:03.660 --> 00:08:05.760
Tom Field: There is and it kind of snuck in with everything

137
00:08:05.760 --> 00:08:09.390
that's going on with Russia and Ukraine and in other events

138
00:08:09.390 --> 00:08:13.650
going on in the world. Big news: Last week, President Biden

139
00:08:13.680 --> 00:08:18.990
issued a first ever executive order related to cryptocurrency

140
00:08:18.990 --> 00:08:21.150
and it does relate to what Matt's talking about because it

141
00:08:21.150 --> 00:08:24.540
does deal with illicit funds. But it also deals with, you

142
00:08:24.540 --> 00:08:28.380
know, cryptocurrency regulation. Just brings to head lots of

143
00:08:28.380 --> 00:08:31.680
things that have been happening behind the scenes over the years

144
00:08:31.680 --> 00:08:35.490
and put some urgency to it. I had the chance to speak with one

145
00:08:35.490 --> 00:08:39.270
of our contributors and a frequent guest of ours here, Ari

146
00:08:39.270 --> 00:08:42.840
Redbord, who called this a clarion call. And I don't think

147
00:08:42.840 --> 00:08:45.600
he's wrong in saying that. So I've had a chance to sit with

148
00:08:45.600 --> 00:08:48.540
him and talk about the significance of it.
He was so

149
00:08:48.540 --> 00:08:51.660
excited about this that it had just been issued to the point

150
00:08:51.780 --> 00:08:55.200
where even his printer paper was still warm, because he just got

151
00:08:55.200 --> 00:08:58.410
done printing it off and was reading through it. But I asked

152
00:08:58.410 --> 00:09:01.320
him about the significance of this. And I want to share with

153
00:09:01.320 --> 00:09:03.150
you a clip of my conversation with him.

154
00:09:03.750 --> 00:09:06.570
Ari Redbord: One kind of like, really important point to make

155
00:09:06.810 --> 00:09:10.380
on this executive order is, you know, it's not all about the

156
00:09:10.380 --> 00:09:14.250
risks. And I think that typically, when we're talking

157
00:09:14.250 --> 00:09:17.730
about regulators, a lot of what is discussed is what are the

158
00:09:17.730 --> 00:09:21.330
risks here? What are the challenges? Well, this executive

159
00:09:21.330 --> 00:09:25.410
order really starts off talking about the power and promise of

160
00:09:25.410 --> 00:09:28.290
cryptocurrency and I feel like it's worth kind of just reading

161
00:09:28.290 --> 00:09:32.130
here for a second. It talks, digital assets, including

162
00:09:32.130 --> 00:09:35.190
cryptocurrencies, have seen explosive growth in recent

163
00:09:35.190 --> 00:09:39.060
years, and goes on to say the rise of digital assets creates

164
00:09:39.060 --> 00:09:42.540
an opportunity to reinforce American leadership in the

165
00:09:42.540 --> 00:09:46.290
global financial system and at the technological frontier. So

166
00:09:46.290 --> 00:09:51.150
much of this EO is dedicated. It's really a clarion call for

167
00:09:51.150 --> 00:09:56.910
the US to be a leader in the cryptocurrency space. And I

168
00:09:56.910 --> 00:09:59.550
think it's a really exciting moment and, you know,

169
00:09:59.550 --> 00:10:01.890
potentially very different than like, what it ultimately could

170
00:10:01.890 --> 00:10:02.250
have been.

171
00:10:02.680 --> 00:10:05.200
Tom Field: He uses the words clarion call. But I think it's

172
00:10:05.200 --> 00:10:08.680
an important point about American leadership as well. I

173
00:10:08.680 --> 00:10:11.770
won't say that the US has missed the boat on other things on

174
00:10:11.800 --> 00:10:14.590
cryptocurrency-related but maybe they didn't get the first boat.

175
00:10:15.520 --> 00:10:19.780
And I think this is a great point to be made here by the

176
00:10:19.780 --> 00:10:23.590
President in addressing this issue. And I think you have to

177
00:10:23.590 --> 00:10:27.550
say about this administration, I don't know of any political

178
00:10:27.550 --> 00:10:32.410
regime in the world that has been as progressive with

179
00:10:32.410 --> 00:10:36.130
cybersecurity policy, as the Biden administration has from

180
00:10:36.130 --> 00:10:39.700
day one, despite establishing its leadership at the top. Now,

181
00:10:39.940 --> 00:10:44.830
policy has to result in execution. And we haven't seen

182
00:10:44.830 --> 00:10:47.950
execution in every area. But something to watch. I think

183
00:10:47.950 --> 00:10:50.590
we're off to a particularly good start and this cryptocurrency

184
00:10:50.590 --> 00:10:53.680
executive order is a great next step.

185
00:10:54.520 --> 00:10:57.010
Anna Delaney: And the turn is right. Interesting to read the

186
00:10:57.010 --> 00:11:00.430
news this morning. Europe's lawmakers have moved ahead with

187
00:11:00.430 --> 00:11:04.540
their proposed cryptocurrency regulations, having ditched a

188
00:11:04.540 --> 00:11:07.840
rule that might have banned financial services using and

189
00:11:07.840 --> 00:11:12.400
dealing in Bitcoin and Ethereum. So there's a shift happening

190
00:11:12.400 --> 00:11:17.290
perhaps among regulators, how regulators view these digital

191
00:11:17.560 --> 00:11:18.250
assets.

192
00:11:18.490 --> 00:11:21.730
Tom Field: It cannot be ignored, it must be understood.

193
00:11:23.280 --> 00:11:26.910
Matthew Schwartz: And we saw as well this week in Britain, the

194
00:11:26.940 --> 00:11:31.710
Financial Conduct Authority, which regulates banks, has said

195
00:11:31.710 --> 00:11:34.530
that you may not use cryptocurrency to evade

196
00:11:34.560 --> 00:11:38.310
sanctions, including US sanctions. So I think you're

197
00:11:38.310 --> 00:11:42.660
right, Tom. I think we've seen the US get out ahead here when

198
00:11:42.660 --> 00:11:46.050
it comes to talking cryptocurrency and Ari has been

199
00:11:46.050 --> 00:11:50.070
very clear in past interviews that this is an imperative when

200
00:11:50.070 --> 00:11:54.000
it comes to cryptocurrency. Most cryptocurrency use is not

201
00:11:54.090 --> 00:11:59.400
illicit, but they're attempting to have the foundation and the

202
00:11:59.550 --> 00:12:02.610
sorts of regulations you would already be applying to know your

203
00:12:02.610 --> 00:12:05.940
customer. Anti-money laundering brought to bear on

204
00:12:05.940 --> 00:12:09.600
cryptocurrency, in order to help prevent its use as a money

205
00:12:09.600 --> 00:12:14.010
laundering tool or for terrorism, or for evading US

206
00:12:14.010 --> 00:12:18.240
sanctions. So it's fascinating to see how existing approaches

207
00:12:18.240 --> 00:12:21.690
to regulation are now being I think, largely successfully

208
00:12:21.690 --> 00:12:24.780
extended to the cryptocurrency realm.

209
00:12:25.210 --> 00:12:28.180
Tom Field: Right? I don't think that's an overstatement. Sorry,

210
00:12:28.180 --> 00:12:28.660
Suparna.

211
00:12:29.140 --> 00:12:31.900
Suparna Goswami: No, Ari must be a happy man. Because as Matt

212
00:12:31.900 --> 00:12:35.380
said, he always cringed the fact that we always associated

213
00:12:35.380 --> 00:12:38.800
cryptocurrencies with money laundering, with something bad.

214
00:12:39.010 --> 00:12:41.020
And he always said that there's so much more with

215
00:12:41.020 --> 00:12:43.300
cryptocurrencies that can be done. So it's good to hear that

216
00:12:43.300 --> 00:12:45.730
Biden administration is acknowledging that.

217
00:12:47.320 --> 00:12:49.750
Anna Delaney: Now, Suparna, speaking of executive orders,

218
00:12:49.750 --> 00:12:52.270
the US government says it's putting out a new executive

219
00:12:52.270 --> 00:12:56.230
order to further its combat campaign in combating criminal

220
00:12:56.230 --> 00:13:00.160
and identity fraud. And I know you conducted a panel recently,

221
00:13:00.160 --> 00:13:03.070
and you spoke with experts, and they gave you their opinions on

222
00:13:03.070 --> 00:13:04.690
updates. So tell us more.

223
00:13:05.890 --> 00:13:08.290
Suparna Goswami: Yeah, so hats off to Biden administration,

224
00:13:08.290 --> 00:13:11.110
again, which announced a couple of weeks back that it will come

225
00:13:11.110 --> 00:13:14.140
out with an executive order to control identity theft and

226
00:13:14.140 --> 00:13:18.520
identity fraud in the public benefit programs. So I had a

227
00:13:18.520 --> 00:13:20.530
panel of three experts, and I asked them on their

228
00:13:20.530 --> 00:13:23.410
recommendations to the government. Now we all know the

229
00:13:23.410 --> 00:13:27.310
states had relaxed default controls, because there was an

230
00:13:27.340 --> 00:13:33.640
urgency to deliver the benefits program. And anytime you have a

231
00:13:33.640 --> 00:13:37.690
situation where there is, you say a desperation, there will be

232
00:13:37.690 --> 00:13:41.230
messiness. So unfortunately, we learned after the various

233
00:13:41.230 --> 00:13:45.430
benefits program was rolled out.
And one recommendation was to

234
00:13:45.430 --> 00:13:49.270
make it mandatory not to relax fraud controls even if the money

235
00:13:49.270 --> 00:13:51.970
needs to go out first, that was the first recommendation of the

236
00:13:51.970 --> 00:13:56.380
panel. The second recommendation was budget. The states

237
00:13:56.380 --> 00:13:59.470
definitely need more budgets to implement the various solutions

238
00:13:59.470 --> 00:14:02.530
in the market. Now, when it comes to identity, we know there

239
00:14:02.530 --> 00:14:05.170
are lovely solutions out there in the market, because there are

240
00:14:05.170 --> 00:14:09.790
many vendors out there who are investing a lot in identity. But

241
00:14:10.690 --> 00:14:13.870
what happens is the state invariably tends to invest in

242
00:14:13.870 --> 00:14:18.160
one kind of technology and I think the panelists were

243
00:14:18.160 --> 00:14:25.240
referring to the IRS and the ID.me scandal that happened. So

244
00:14:25.240 --> 00:14:28.930
they said that states should invest in multiple technologies

245
00:14:28.960 --> 00:14:31.570
and should have a layered approach. And for that they

246
00:14:31.570 --> 00:14:34.750
would need the budget. So with multiple technologies, they said

247
00:14:34.750 --> 00:14:38.500
they should have behavioral analytics, they should have, you

248
00:14:38.500 --> 00:14:41.140
know, telephony data analytics, because there's so much data out

249
00:14:41.140 --> 00:14:45.010
there which can be easily leveraged. And pattern

250
00:14:45.010 --> 00:14:47.680
recognition on the patterns of fraud without being focused on

251
00:14:47.680 --> 00:14:50.650
one kind of fraud. That's what they recommended. And the third

252
00:14:50.680 --> 00:14:57.940
point that they recommended was not to put or what do I say,

253
00:14:57.940 --> 00:15:01.210
there was this over reliance on standard that was not proven

254
00:15:01.210 --> 00:15:08.410
before.
So when benefits program was rolled out, the government

255
00:15:08.470 --> 00:15:13.690
said, we will roll out NIST 863. And that talks about remote

256
00:15:13.720 --> 00:15:16.990
identity proofing. The expectation was that there would

257
00:15:16.990 --> 00:15:19.840
be some fraud controls that were in place. The fraud controls

258
00:15:19.840 --> 00:15:23.230
were in place, like if somebody had applied for employment

259
00:15:23.260 --> 00:15:28.330
insurance, how it worked before was the state would ask the

260
00:15:28.330 --> 00:15:33.490
employer if this was valid or not. But this was not the case

261
00:15:33.490 --> 00:15:35.710
during the benefits program, because sort of companies shut

262
00:15:35.710 --> 00:15:40.600
down. So this was not tested before. And they just rolled out

263
00:15:40.630 --> 00:15:44.020
and tried to scale it up, but it was complete disaster. So they

264
00:15:44.020 --> 00:15:48.370
said that test all these things before rolling out. So that was

265
00:15:48.370 --> 00:15:51.310
the third recommendation. And the fourth recommendation was,

266
00:15:51.610 --> 00:15:55.030
get the balance right. So they said government tends to, you

267
00:15:55.030 --> 00:15:58.000
know, when it comes to putting the fraud controls, it sometimes

268
00:15:58.000 --> 00:16:01.480
impacts the good customers out there. So they need to achieve

269
00:16:01.480 --> 00:16:04.390
the balance. And they said the best industry they can learn it

270
00:16:04.390 --> 00:16:07.570
from is the financial industry, which has been doing this for a

271
00:16:07.570 --> 00:16:10.660
long, long time. So they can take a cue or two from the

272
00:16:10.660 --> 00:16:13.150
financial industry. Yeah, these were three/four recommendations

273
00:16:13.150 --> 00:16:14.170
and it was a lovely panel.

274
00:16:15.460 --> 00:16:16.840
Anna Delaney: It was great. Great panel.

275
00:16:16.000 --> 00:16:19.360
Tom Field: Let me highlight that this just went up on our sites

276
00:16:19.360 --> 00:16:22.030
today. This is a terrific panel and very thoughtful getting out

277
00:16:22.030 --> 00:16:24.790
ahead of this executive order. No one really asserted on the

278
00:16:24.790 --> 00:16:27.370
timing of this on when it might come out. Suparna brought

279
00:16:25.480 --> 00:16:35.560
Anna Delaney: And Suparna, I wanted to pick up on this theme

280
00:16:27.370 --> 00:16:29.680
together some really good thought leaders and had a very

281
00:16:29.680 --> 00:16:32.590
thoughtful discussion. So check it out, if you haven't already.

282
00:16:35.560 --> 00:16:40.090
of the lack of resources because I spoke with Jeremy Grant of the

283
00:16:40.090 --> 00:16:43.840
Better Identity Coalition this week on the upcoming EO and he

284
00:16:43.840 --> 00:16:46.450
gave us really interesting example that in the State of

285
00:16:46.450 --> 00:16:50.830
California, to investigate a homicide it takes maybe 40 or 50

286
00:16:50.830 --> 00:16:54.430
hours to really find out what happened and bring about

287
00:16:54.430 --> 00:17:00.010
charges. An identity theft case takes closer to 200 hours. So

288
00:17:00.820 --> 00:17:05.560
because of this inability to prosecute quickly, criminals are

289
00:17:05.560 --> 00:17:09.310
having a ball, aren't they? They're going without impunity

290
00:17:09.310 --> 00:17:13.030
and acting like that. So he hopes that this executive order

291
00:17:13.030 --> 00:17:16.510
will bring about change and in terms of resources, but also

292
00:17:16.540 --> 00:17:21.070
hopefully, there is this push for punishing crimes. So

293
00:17:21.070 --> 00:17:23.380
hopefully, to prevent them in the first place.

294
00:17:24.580 --> 00:17:27.700
Suparna Goswami: And John brought up the same point. John

295
00:17:27.700 --> 00:17:31.210
Buzzard from Javelin Research and Strategy.
So he said that no

296
00:17:31.210 --> 00:17:33.580
matter what technology you put, if you don't have the right

297
00:17:33.580 --> 00:17:37.090
people who know how to use the technology, there's no point in

298
00:17:37.090 --> 00:17:40.720
putting the technologies in place. And right technology for

299
00:17:40.720 --> 00:17:44.380
the right fraud, because there is often a confusion of, you

300
00:17:44.380 --> 00:17:48.340
know, putting everything as identity fraud. There's so much

301
00:17:48.340 --> 00:17:50.710
more happening out there. That's what he said, you should

302
00:17:50.740 --> 00:17:52.450
understand the right kind of fraud and put the right

303
00:17:52.450 --> 00:17:54.970
technologies to it. But yes, valid point.

304
00:17:55.780 --> 00:17:58.480
Matthew Schwartz: Yes, Suparna, is scale is a big issue here? I

305
00:17:58.480 --> 00:18:01.330
mean, we're talking about a whole government program, you

306
00:18:01.330 --> 00:18:06.280
know, and the IRS, for example, has a huge number of, I won't

307
00:18:06.280 --> 00:18:09.790
call them customers, because as an American taxpayer, I don't

308
00:18:09.790 --> 00:18:13.750
really have any other option. But you know, I mean, to what

309
00:18:13.750 --> 00:18:15.850
extent do you think that complicates the picture? And

310
00:18:15.850 --> 00:18:19.060
there's just so many people that they're trying to verify and

311
00:18:19.150 --> 00:18:20.440
prevent fraud for.

312
00:18:21.560 --> 00:18:23.390
Suparna Goswami: Oh, yes. I asked the same question that

313
00:18:23.390 --> 00:18:26.090
it's easy for us to sit here and comment that, you know, you

314
00:18:26.090 --> 00:18:29.090
should test out all these things. And they did give the

315
00:18:29.120 --> 00:18:31.460
benefit of doubt to the government. But they said, okay,

316
00:18:31.460 --> 00:18:36.890
fine, we have learned a lesson.
See what problem they had was

317
00:18:37.160 --> 00:18:41.810
IRS always had these issues of, you know, not being able to

318
00:18:41.810 --> 00:18:47.360
verify properly. But they said, so why did they allow IRS to

319
00:18:47.360 --> 00:18:51.260
collaborate closely with the states when it comes to, you

320
00:18:51.260 --> 00:18:56.420
know, collaborating with ID.me? Because they knew IRS was having

321
00:18:56.420 --> 00:18:58.970
this issue then why did government go ahead and allow

322
00:18:58.970 --> 00:19:02.450
the states to collaborate with the IRS and get ID.me. So that

323
00:19:02.450 --> 00:19:04.220
was a problem they had. They said there was this

324
00:19:04.220 --> 00:19:06.740
short-sightedness when they knew there was an issue with the IRS

325
00:19:06.740 --> 00:19:11.780
even before the pandemic was there. Why did they ask states

326
00:19:11.780 --> 00:19:13.760
also to come together and collaborate with the same

327
00:19:13.760 --> 00:19:16.520
vendor? So yes, that was the issue maybe.

328
00:19:18.430 --> 00:19:20.710
Anna Delaney: It was a great panel, Suparna. Thank you very

329
00:19:20.710 --> 00:19:25.450
much for sharing. Okay, well, finally, last question. Da da

330
00:19:25.450 --> 00:19:30.760
da! Who would you cast to play as the star, the lead, in the

331
00:19:30.760 --> 00:19:33.250
next blockbuster cybersecurity movie?

332
00:19:34.510 --> 00:19:35.050
Tom Field: I have two.

333
00:19:36.040 --> 00:19:37.540
Anna Delaney: Yeah, I got three.

334
00:19:38.680 --> 00:19:40.270
Tom Field: Ricky Gervais and Stephen Merchant.

335
00:19:40.660 --> 00:19:45.040
Anna Delaney: Oh, wow. An English stunt. Very good. But

336
00:19:45.040 --> 00:19:48.520
very funny. Suparna?

337
00:19:50.680 --> 00:19:52.300
Suparna Goswami: When you asked me this question, I could not

338
00:19:52.300 --> 00:19:54.910
think of any other name apart from maybe Keanu Reeves.
Because

339
00:19:54.910 --> 00:19:58.900
whenever I think of him, I think of the Matrix, and I thought at

340
00:19:58.900 --> 00:20:02.230
that point in time for me that was an entire...So I think is if

341
00:20:02.230 --> 00:20:05.890
there is a cybersecurity movie out there, I would cast him. I

342
00:20:05.890 --> 00:20:09.280
mean, instantly my name just stuck. Keanu Reeves.

343
00:20:09.310 --> 00:20:12.430
Anna Delaney: Keanu would do a good job, I'm sure. Matthew?

344
00:20:12.970 --> 00:20:15.520
Matthew Schwartz: You know, I'm going to totally shamelessly rip

345
00:20:15.520 --> 00:20:20.080
off Suparna there because I had the same problem. I thought back

346
00:20:20.080 --> 00:20:23.470
to some kind of classics of the cyberpunk genre like Johnny

347
00:20:23.470 --> 00:20:27.040
Mnemonic. That was Keanu. There's something about the way

348
00:20:27.040 --> 00:20:31.630
that he does like, I don't know, is it blank? Not really. Whoa,

349
00:20:31.660 --> 00:20:36.010
hey! You know, it's like he has this ability to kind of reflect.

350
00:20:36.250 --> 00:20:39.610
You sometimes like nonsensical sorts of ideas that are

351
00:20:39.610 --> 00:20:43.210
projected onto him that for some reason works so well in a

352
00:20:43.210 --> 00:20:46.510
cybersecurity context. We've seen horrible examples. I won't

353
00:20:46.510 --> 00:20:50.470
go into those but Keanu consistently delivers. So I'd

354
00:20:50.470 --> 00:20:51.580
put my money on him.

355
00:20:52.440 --> 00:20:55.050
Anna Delaney: Hopefully Keanu is watching right now. You have a

356
00:20:55.050 --> 00:21:00.600
role here or two. I was thinking maybe Samuel L. Jackson,

357
00:21:00.600 --> 00:21:06.720
Jennifer Lawrence. Bit of Javier Bardem, perhaps. There you go.

358
00:21:06.750 --> 00:21:11.520
There's my team. So look forward to watching these movies. Well,

359
00:21:11.520 --> 00:21:14.460
thank you very much, Tom, Suparna, and Matthew.
It's been

360
00:21:14.460 --> 00:21:15.390
great as always.

361
00:21:15.600 --> 00:21:16.380
Tom Field: Always. Thank you.

362
00:21:17.130 --> 00:21:18.840
Suparna Goswami: Thank you, Anna. Thank you so much.

363
00:21:18.960 --> 00:21:20.190
Matthew Schwartz: Don't stop dancing, Anna.

364
00:21:20.910 --> 00:21:22.800
Anna Delaney: No way. And thank you very much for watching.

365
00:21:22.890 --> 00:21:23.700
Until next time.