Anna Delaney: Hello, this is the ISMG Editors' Panel. Thank you very much for joining us. I am Anna Delaney and this is a weekly discussion of what's happening in the world of data and information security. And this week, I'm delighted to be joined by Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, Mathew Schwartz, executive editor for DataBreachToday and Europe, and welcoming for the first time, editorial director for ISMG news, David Perera. Dave, welcome. Thanks for joining us.

David Perera: Oh, thank you so much. My pleasure.

Anna Delaney: And it's wonderful to see you all. So, Matt, why don't you start us off? Where are you today?

Mathew Schwartz: I am at the edge of the ocean here. This is over in Broughty Ferry, which is near Dundee at the North Sea. So, it's kind of an arty take. There's a little boundary marker at the edge of the water here at low tide. So it's really beautiful. Lots of sand, lots of wind because we're in Scotland, always lovely to have a wander around the coast.

Anna Delaney: Very beautiful, indeed. Very moody, mysterious. Marianne, you're outdoors as well. Tell us?

Marianne McGee: Yeah, I am in the Boston Common. My husband and I went there a few weeks ago on one of the rare occasions this summer where the heat index was not 150 degrees. We spent the day walking around. It's been a hot summer.

Anna Delaney: Yes, indeed, even in the UK. So, Dave, stunning sight behind you. Tell us more?

David Perera: Well, thanks. It's a nighttime picture of Rosslyn taken from a park in Washington, DC. So we're looking at the Potomac River and all the skyscrapers on the Virginia side of the metro DC region. So, Washington DC has a little quirk in that the buildings inside the city have a height restriction. So, all of the big skyscrapers, relatively speaking, can't be in the city. So you're just on the other side of the river in Virginia, where the height restrictions are not in effect.

Anna Delaney: That is a good fact, I've got to say. They'll always get around that rule, right? And I'm in Valencia. This was taken a few months ago, back when it was very cold, but I'm feeling warm and summery. So I thought it'd be a good shot to show you the city full of lemon and orange trees, which complement the old architecture. So Matt, you're brandishing your data breach sword today. What happened with Twilio this week?

Mathew Schwartz: That's right, I get to return to my data breach roots, as it were, one of our core ISMG sites. Ransomware has been competing for my heart. But there's been a big bad breach story yet again. We have a company called Twilio, which is a customer engagement platform. For breach purposes, that's alarming because it works with thousands of companies, which work with thousands of end users. And because it's engaging with these customers, it keeps a lot of the communications and a lot of the information not just on Twilio's customers but of other customers of Twilio's customers. So you could see from a breach standpoint why this would be a juicy target. Now, I'm not trying to name and shame here. But it's interesting to look at the breach report that Twilio put out on Sunday. They discovered this attack on Thursday. It's not clear to me that Twilio discovered it itself. They didn't want to give me any more information beyond what they put out saying that the investigation is ongoing. I'll get to why we think that maybe Twilio didn't discover it itself. But fascinating to look at the particulars and I think anytime a breach or an attack comes to light, organizations should be studying this. Again, not to cast blame or aspersions, but to say, "Could we fall for the same thing?" What happened here? It was a phishing attack, unusually via SMS messages. Employees received to their phone numbers an SMS message that said, "Your password's expired. This is the IT department contacting you. You need to click this link and reset your password right away." The link led to a phishing page using a lookalike domain. I don't remember what it is, but Twilio/ITdepartment.com or something. And at that lookalike domain, it looked like the login screen, where they would enter their password and also their one-time code. Apparently, enough users entered their password and their one-time code and the attackers were able, probably in real time, to take this information and to log in as if they were the user. So this is notable because you think about multifactor authentication making it hopefully impossible for attackers to log in. So what do they do? They trick people into giving them the multifactor authentication code in real time and the attackers use it before it expires to log in. So, a fascinating attack. Fascinating that people fell for something sent via SMS. And the coda to this story is that Cloudflare says that it too was targeted and that three of its employees also fell victim, also fell for this SMS message that says, "Alert: your Cloudflare schedule has been updated. Please tap Cloudflare/okta.com to view your changes." Users did this. They entered their password, they entered their one-time code. Cloudflare says it got lucky though. It doesn't use one-time codes in the way that Twilio does. They've issued, instead, a Cloudflare security key and there are certain restrictions on the security key on how it can be used. So they got lucky. Talk about defense in depth, they had another piece of depth, if you will, that foiled this attack. So, memo to CISOs: Look at Twilio's report on this, look at Cloudflare's report on this and how they almost fell victim too, and generate some takeaways to make sure that if you get hit tomorrow, you can't fall victim to the same attack.

Anna Delaney: And Matt, do you think it would have been a different story for Cloudflare had they relied on this one-time password authentication?

Mathew Schwartz: Definitely. And they're very clear about that. And they're not blaming anybody either. They said, "Luckily for us, we don't use these kinds of one-time passwords that are generated, for example, by an authentication app." We all use them. They've got 30 or 60 seconds before they expire, or the one-time codes that get sent via text message. Any of those, the attackers would have been in. And then another coda to the coda is Cloudflare says the attacker has also pushed remote access software to end users so that if they had installed this package - it wasn't advertised as malware - if they installed this package, probably branded as "IT department needs immediate access to your system, install this remote viewing software for us", then the attackers would have had another way to get in. Cloudflare says, "Again, thankfully, three users didn't install this." And there's other controls and checks they have in place. They have a service that looks for fake domain names registered in Cloudflare's name. It says the service works great, but there's a lag time between when it gets registered and when the alert goes off. And the attacker struck in that lag time, they registered it and they attacked right away before this other check and balance could be brought in. So, a fascinating, well-planned attack. I don't think Twilio is going to be the only organization that's fallen victim. Twilio said this was part of a bigger campaign. I expect we're going to see much more than just Cloudflare saying they were targeted too.

Anna Delaney: And this could potentially get quite messy with fines, GDPR perhaps. How would you rate Twilio's response? Because you're very good at assessing how they communicate with the customers, how they communicate to the wider world. What number, what score would you give them?

Mathew Schwartz: Well, I don't want to score. I will say in Twilio's favor, they came out quickly. They learned of the attack on Thursday, possibly from Cloudflare, and they put out their breach notification on Sunday. So, most of the time, you see organizations take a little bit longer. We're going to see what happens. I asked Twilio if they informed EU authorities, if any Europeans' personal information was exposed in this attack; they declined to comment. So, I suspect that there was GDPR-covered data in this. I suspect. So, I think this is going to get real messy, not just for Twilio.

Anna Delaney: Wait to see what happens next. Thank you, Matt. Fascinating coverage. Marianne, you've been covering an institution in the UK this week: The National Health Service. Tell us more on what's been happening.

Marianne McGee: Well, the NHS recently, late last week actually, first experienced an outage of its IT, certain applications but predominantly on its 111 service, which, among other things, helps individuals set up appointments for urgent care and for other assistance. The outage was caused by a cyberattack on one of NHS's key IT and services vendors, Advanced. And as a result, NHS 111 call handlers had to resort to pen and paper and other manual processes to help individuals seeking care, which resulted in some delays and backlogs. But that incident sort of highlighted the trend that it's not just this year, it's been going on for years, but it just seems to be getting worse this year in terms of vendor incidents that affect healthcare entities. In the US, business associates that handle HIPAA-protected health information have been implicated in some of the largest breaches so far this year, including hacking incidents involving Eye Care Leaders, which is a cloud-based electronic health records vendor, MCG Health, which is a company that provides clinical guidelines to healthcare entities, and also Professional Finance Company, which is an accounts receivable services firm. Combined, those incidents in the US alone, just with those three, affected hundreds of healthcare entities and millions of their patients. And of course, we've seen other big vendor breaches in the past, as I've mentioned, you know, we've seen a big hacking incident on a medical debt collection agency a few years back that affected dozens of healthcare entities and multiple millions of patients. We saw a ransomware incident a few years ago on a fundraising software vendor, Blackbaud, which affected dozens of healthcare entities as well as entities in other sectors such as education. So, the range of compromises that can happen involving the assortment of different third parties that provide services to healthcare entities is pretty astounding and seems to be growing. And one of the reasons is that these vendors handle a lot of different clients' patients' data, which makes them attractive targets for cybercrime, such as ransomware and extortion of other kinds. But in the healthcare sector, in general, these entities deal with such a wide range of specialty vendors that this potential target, or these targets, just seem to be growing. For instance, just with medical devices, healthcare entities may be dealing with hundreds of different third parties who supply very specialized services and equipment, and often the services are also reliant on cloud. So, it's putting not only patient data privacy at risk, it's also putting patient safety at risk. And experts are saying that these incidents are sort of a good reminder to these healthcare sector entities that rely heavily on business associates and other vendors that they really need to obtain assurances from these third parties that these companies are really doing what they said they should be doing, or not, and also sort of verify every so often that these third parties have security practices and protocols in place that not only protect patient data, but also can give an alert real fast to these healthcare entities that are affected. But also from a regulatory standpoint, for HIPAA-covered entities, it's critical that healthcare entities have these business associate agreements in place and that their third parties also have business associate agreements with their subcontractors, because this could also translate to regulatory problems down the line. So, as I said, these incidents are good reminders that the third parties that are putting healthcare entities and their patients' data at risk just seem to be growing.

Anna Delaney: That's a huge problem. I think one of the experts you interviewed in a recent article said or highlighted the importance for healthcare organizations to really know their vendors and partners. What's your advice to healthcare organizations to actually know the not-knowing part, because as you said, the chain is big?

Marianne McGee: Well, that's true because, you know, you have different departments within healthcare organizations that they might be doing business with, a supplier that, you know, was handling protected health information, but the IT people might not be aware of this, the security people might not be aware of this. And these can, you know, we're not talking about dozens, we're talking about hundreds or potentially thousands of vendors that provide services to healthcare entities, everything from, you know, the medical equipment to the HVAC, to the cafeteria, the billing, the diagnostic experts offshore, there's so many places where things could go wrong. And, you know, a lot of these breaches, just the little ones I've mentioned - not little, but they're big - but just a small handful are just, you know, sort of a representation of things that go wrong.

Anna Delaney: As our previous story, the story continues, doesn't it? Thanks so much, Marianne. So Dave, it seems that cryptocurrencies or at least the illicit use of them, illicit crypto activity, is keeping the US Treasury very busy these days.

David Perera: US Treasury, US Justice. There's actually been quite a crackdown on illicit uses of cryptocurrency over the past month. The newest example of which was sanctions levied by the Department of Treasury, Office of Foreign Assets Control, sanctions on Tornado Cash, which is a cryptocurrency mixer. It's putatively just for privacy reasons. If you have currency and you want some more privacy on some of the transactions you're doing on the blockchain, you can send it to a mixer in which your cash, your cryptocurrency is mixed with other cryptocurrency and randomly spat out to a destination wallet. In reality, one of the biggest users of at least Tornado Cash and other cryptocurrency mixers are criminals who are trying to obfuscate the trail of their stolen currency. And not the least of which, among the cybercriminals' ranks, is North Korea, which has just fallen in love with stealing cryptocurrency because they figured out that it's a fairly easy way to fuel their weapons of mass destruction program. North Korea has a history of just cybertheft, in general, but robbing banks, say the SWIFT system, as it did a few years ago, is a very complex and multi-tiered affair. It requires a lot of work, a lot of coordination across the globe, whereas just exploiting some of these poorly secured cryptocurrency bridges or other platforms is a relatively easy thing for them to do. So, the Treasury Department basically decided that there was too much illicit use of this cryptocurrency mixer Tornado Cash, and it put it under a sanction, which means that no US person can legally do business with it. Now, there has been some backlash by people in the cryptocurrency world saying that mixers are neutral tools and Treasury shouldn't be in the business of sanctioning a tool that can be used for privacy or for criminal purposes. But Treasury's perspective and the perspective of other people that I've spoken with is that the extent to which Tornado Cash was facilitating illicit transactions was simply too large to ignore. And you can have a cryptocurrency mixer that still takes steps to try to prevent transactions from reaching known wallets associated with illicit actors. So it's not so much that the tool is neutral, it is that the tool was being allowed to be used to illegal ends.

Anna Delaney: And, Dave, do we know just how much of an inconvenience this will be to the criminals - removing Tornado Cash?

David Perera: To be determined. As one person I spoke with said, maybe a run-of-the-mill criminal will be avoiding Tornado Cash just because they know that the eyes of the US government are on what's going on with Tornado Cash. Maybe North Korean cybercriminals will test the waters to see if they can get away with still shoveling large amounts of stolen cryptocurrency through the mixer and see what happens if they try.

Anna Delaney: ISMG speaks with our good friend, Ari Redbord from TRM Labs, who called this the largest, most impactful action to date in cryptoland. Do you agree? I mean, it seems like the US Treasury is taking more of an aggressive approach.

David Perera: Yes, I mean, there are lots of firsts to be had when it comes to the US government enforcing rules like anti-money laundering, anti-insider trading, a whole raft of regulations and rules that apply to criminal activity in the normal securities world, to the cryptocurrency world. So, yes, indeed, it was a very significant action. But on the other hand, like I said, we're in sort of a green field of law enforcement action against cryptocurrency in which there's going to be a lot of firsts for the foreseeable future.

Anna Delaney: For sure. Oh, thanks, Dave. So finally, is there a tweet or thread, as they call them now, or LinkedIn post that you've recently come across that you found particularly informative or interesting?

Mathew Schwartz: Definitely. I'll just jump in here. There was a little story the other day about how a chess robot had grabbed and broken the finger of a seven-year-old opponent. And there was a wonderful observation by a security researcher, an offensive security researcher I've followed for years - you see him speak at major events - Rob Graham of Errata Security. And his response was, "Well, obviously, we need more ethics in AI to teach robots that this is not acceptable behavior, that even though they can win chess games with physical violence, they should not."

Anna Delaney: Very good. Very good. I like that. Dave?

David Perera: Well, let me just say one thing piggybacking on what Matt just said. And that is, I recall reading a book about AI in which there was an AI program that was trying to optimize the landing of aircraft on aircraft carriers. And the AI actually figured out that the best way to get an airplane to make contact with an aircraft carrier was to crash them.

Anna Delaney: Lesson learned. What did you come across, Dave?

David Perera: Oh, what did I come across? So, I came across a very interesting New York Times article, talking about how in occupied areas of Ukraine, the internet connectivity is being redirected away from Kyiv to Moscow, where things like controls on content can be imposed. So it's a reminder to me that the internet today - it never was a neutral, simply just a neutral carrier of information. But it highlights for me how urgent it is for authorities, for power figures to grab control of the internet, even as that same authority is busy invading its neighbor.

Anna Delaney: Thanks for that. Marianne?

Marianne McGee: It's not one particular post. But I've noticed sort of a trend on LinkedIn this year. A lot of healthcare CISOs, I would say CIOs too, for that matter, you know, I've known for years or have been aware of for years, they've been changing jobs, many of them leaving healthcare, going to other sectors. So, I don't know if that's really a trend. It's just something I happened to notice. But, you know, it would make sense, I guess, to some extent that the healthcare sector has really been under assault with COVID. But now also, with all the cyberattacks and breaches, and I think maybe at some point, these people were saying, "Well, I'll try my hand somewhere else." There's a demand for this sort of talent in all sectors, including healthcare.

Anna Delaney: Well, that's pretty depressing as well, losing all that talent, but hopefully, more will come through. So I came across Rachel Tobac's tweets, I thought they were quite interesting on the Twilio Cloudflare incident, and she's sort of breaking down the attackers' motives and prevention strategies, as well as our great colleague Mathew Schwartz's articles on them as well.

Mathew Schwartz: Plenty to go around.

Anna Delaney: Plenty. So, thank you very much, Marianne, Matt and Dave, thanks for taking part in this. This party. And thank you so much for watching.