Proof of Concept: What CISOs Can Learn From Twitter and Uber
Also: Regulating NFTs, Election Security Concerns
Anna Delaney (annamadeline) • September 20, 2022
In the latest "Proof of Concept," David Pollino, former CISO of PNC Bank, and Ari Redbord, head of legal and government affairs at TRM Labs, join editors at Information Security Media Group to discuss ethics, cryptocurrency regulations and election security.
Pollino and Redbord join Anna Delaney, director, productions, and Tom Field, senior vice president, editorial, to discuss:
- How the recent security incidents and revelations at Uber and Twitter centering on former CISOs could shape the future of cybersecurity leadership;
- Legal and regulatory considerations for the cryptocurrency firms offering non-fungible tokens;
- Concerns about foreign interference in the U.S. electoral system as the Nov. 8 midterm elections approach.
Pollino has more than 25 years of experience in information security, fraud prevention and risk management. He has focused on financial services for 20 years and was CISO of Bank of the West and a divisional CISO at PNC. He has held multiple leadership positions in security and fraud management at Wells Fargo, Washington Mutual and Charles Schwab and has authored multiple books and white papers on cybersecurity and fraud.
Prior to joining TRM, Redbord was senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the U.S. Department of the Treasury. He is also an ISMG contributor.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the Sept. 5 edition on election security and recent regulatory decisions affecting cryptocurrency and court records and the Sept. 7 edition on findings from a Rockwell Automation research report on cybersecurity preparedness in critical infrastructure.
Anna Delaney: Hello, thanks for joining us for Proof of Concept. This is the ISMG talk show where we analyze today's and tomorrow's cybersecurity challenges with industry experts and discuss how we can potentially solve them. I'm Anna Delaney, director of productions at ISMG.
Tom Field: I'm Tom Field. I'm senior vice president of Editorial with Information Security Media Group. Anna, it's the first time we've had a chance to speak since the regime change in the U.K.
Delaney: Indeed, yes. Big news here.
Field: A new monarch and a new prime minister all in the same week.
Delaney: So I'm glad you've been following the news. And we get an extra bank holiday, Tom.
Field: Yes. That was noted. I was actually surprised we got away with only one.
Delaney: Yeah, well, next year: coronation. But what else is on your mind, Tom?
Field: I'm thinking about what's happening in Ukraine still and Russia's activity. Now in the news, we're watching Ukraine having some success and repelling some of the kinetic attacks. But still, we're seeing and learning more about the repercussions of the cyber attacks. Let me just stop for a second. What are your takeaways from what we've seen over the past six months or so?
Delaney: Well, my worrying takeaway is this is only the beginning. We're seeing the impact in the cybersecurity world, but also on the global supply chain and cost increases and product and food shortages. But then what about the future? What's going to happen to future cooperation on wider, more important issues like arms control, cybersecurity, also climate change and nuclear issues, energy security, the whole political solutions elsewhere in the world? I think the whole diplomatic makeup of the world has changed. And then, well, and then there's China. So Russia is forming ties with China now and in isolation, what will the impact be on cybersecurity there?
Field: It used to be that wiper malware and disinformation attacks and supply chain disruption were the exception. Now they're becoming the rule in this world. And I think what we're getting as a result of what Russia is doing in Ukraine is now these elements of attack are becoming as normalized as the flinging of Molotov cocktails used to be, as localized bombings used to be, the difference being that you can issue wiper malware, do a disinformation campaign, or disrupt a supply chain without any risk of personal harm, maybe even without risk of personal accountability. And so I think what snuck up on us is the exception has now become the rule. And I think this is something we're going to be learning to deal with for quite some time.
Delaney: That's a good way of putting it. It seems chaotic. And I wonder, with the U.S. midterms coming up, if they'll also be interfered with and meddled with as a result of these increasing tensions.
Field: We have to expect it. I think that's just become as much a part of the political process as putting paper signs out on the vacant lot. I think we have to expect that someone is going to try to interfere with someone else's thought process and disrupt the elections one way or another. That's just the landscape now.
Delaney: Well, perhaps our guests today will share some thoughts on what they think will happen there.
Field: They'll solve everything. No high expectation, we just solve everything.
Delaney: Well, this is Proof of Concept. I'm going to introduce our first guest, Tom, Ari Redbord. Please come to the stage. Welcoming, Ari Redbord, head of legal and government affairs at TRM Labs. Always a pleasure, Ari.
Ari Redbord: It's really nice to be here. And I love these opportunities to chat.
Delaney: Let's talk about NFTs. Cybercriminals have stolen over $100 million worth of NFTs over the past year. You conduct many interviews on this topic. So what do you feel is not being addressed? What's not being discussed at the moment that should have more airtime?
Redbord: It's interesting. NFTs are a great example of emerging technology that has tremendous promise and opportunity, but also tremendous risks, like anything else. And regulators are starting to try to understand, try to craft thoughtful regulation for the NFT space. I think the use case has been art and collectibles. But the promise of this technology is this ability to hash anything to an immutable ledger, which means that it's unchangeable, which means it's authentic. And I think that's extraordinary opportunity to hash your health records. And your title to your car or land, document review. So there's so much promise, but at the same time, anything that you can move at the speed of the Internet, cross border, value transfer, come with risks. And I think that's what we're dealing with right now. And at TRM, we trace and track the flow of funds in NFTs or we trace and track NFTs just like cryptocurrency because they also live and move on blockchains. And what we've seen is a number of different typologies develop around that. We've seen these NFT rug pulls, which is this sense where you're creating this excitement or FOMO around an NFT drop. And then, users put money in, and ultimately, the rug is pulled and the funds are essentially stolen. We've seen traditional money laundering, like wash trading in the NFT space. So, just a week or so ago, TRM did an investigation on the use of an NFT by an ISIS supporter - to be clear, not ISIS itself, but a supporter - who was creating an NFT for propaganda purposes. So we see these emerging risks, as well as these great opportunities. So real quickly where regulators are, is trying to figure this out, there's not a lot in the regular NFT regulatory space the way there is in crypto. You can analogize and I think it's helpful. One interesting place to look is the U.S. Treasury Department. About a year ago, wrote a white paper on the risks of money laundering in the traditional art world, the high-value art world. 
And what they ultimately said was that it is low risk because of just the friction associated with moving a Van Gogh; to be a little bit glib, it's very hard to move actual physical art. But interestingly, they spent about, I want to say, three or four pages on the risks potentially in the NFT space, because of that ability to transfer value at the speed of the Internet. And what that says to me, having spent time at Treasury, specifically FinCEN, which I know is taking a hard look at this, is nothing is in a vacuum. So this first look in a white paper context says to me that the major regulator, at least in the U.S., in this space is taking a look now at NFTs, and we're likely to see more guidance, more regulation. But when you look globally, regulators so far, to date, have mostly taken a pass on NFTs. Even MiCA, the Markets in Crypto-Assets regulation, which is this comprehensive framework out of the EU, where we saw an agreement this summer, still punted on NFTs, and we'll see how it all plays out.
Delaney: Any thoughts of your own as to how they might pan out? How this regulation might...?
Redbord: I think what - to get in the anti-money-laundering space, just specifically, there's all kinds of other interesting, I think, conversations around NFTs, but kind of in the anti-money-laundering space. Oftentimes, FATF (Financial Action Task Force), which is the global standard-setting body, provides a preview of where regulators are going with this. And what FATF has said is, "Look, if you are an NFT collectible, then you are likely not a virtual asset," which means you don't have to have compliance controls in place. But if you are used as an investment mechanism or payment, or transfer value, then you could be a regulated asset, or if you're in a marketplace or an issuer, then you could be a regulated entity. And it's possible that that is a framework. I think the problem with that is, and I actually sat down with the chairs of the virtual asset contact group from FATF and asked them just this, and I said, "The problem is the use case today is as a collectible that you can transfer value or use as an investment, think Bored Apes or CryptoPunks." So I think that it's going to have to try to figure out what is the primary use case? And how do we regulate? But I think, for whatever it's worth, from my crystal ball, we're going to see regulation in this space. I hope that there's a focus on regulation that doesn't stifle innovation, because there's so much potential here. And the technology is so cool that we have to ensure that we're still fostering that continued innovation.
Delaney: I want to revisit a topic now that we've discussed at length, recently. The Tornado Cash sanctions: Now, OFAC this week has issued guidance on how U.S. persons can withdraw their funds from Tornado Cash. Can you just summarize the process because I believe applying for a license is involved?
Redbord: Absolutely. First, what is Tornado Cash? No, I'm just kidding. All right. So really interesting, and the cryptocurrency community for the last month, since August 8 when the sanctions came out, has been asking for guidance from OFAC. And this is the response. And I can tell you, having worked closely with extraordinary civil servants at OFAC over the years, I imagine they were heads down really for the last three weeks ensuring that they were able to put something like this out. So I think that it's a good first step; I think there's probably more guidance needed. But this is not different than any other types of sanctions in the traditional world as well. If you want to engage with a sanctioned entity - and it's hard to call Tornado Cash an entity under these circumstances - but if you want to engage with someone on the SDN list, the sanctions list, you need a license, you always have, and what that means is if I need to get my funds out of an Iranian bank or a Russian bank, I need a license from OFAC to do that. And what OFAC is saying here is if you sent funds into Tornado Cash prior to August 8, but you didn't pull them out, you need a license from OFAC to do that. And OFAC provided some contact information to send an email, to call a hotline, to try to talk to them about getting a license to get your funds out. One important FAQ here is on this idea of dusting. After the Tornado Cash sanctions, we saw a number of individuals who inadvertently received funds from Tornado Cash in very small amounts, and we call those dusting attacks, basically people sending tainted funds to taint a wallet address. And a lot of the question in the crypto community has been around how can these people possibly be open to sanctions or enforcement action. And the answer from OFAC is, "Look, any amount, unsolicited or not, is a potential violation, but most importantly, because the sanctions regime has strict liability."
But most importantly, OFAC is not going to prioritize these cases. And what they're saying when you hear something like that from a regulator is a little bit of a wink wink nod nod like, "Hey, look, we understand that this is not what we're intending to do here, go after regular users or people who have no malicious intent." So what they're really saying here is, "Look, this is not something that we're focused on, this is not something that we're interested in. We don't think this is good that this is happening. It's a potential violation if it's not reported, but this is not going to be a priority." And then, there's a fourth FAQ, which is particularly interesting too, because there's been a lot of criticism around "engaging sometimes with software could be considered speech." And what OFAC is saying here is, "Look, we're not going after speech, we're going after conduct." And they basically lay out ... it's really different than anything I've ever seen from OFAC, they lay out, "These are the ways you can still engage with Tornado Cash." And they specifically said, "You can view the software contract, you can discuss it, you can teach about it. You can include open-source code in written publications, such as textbooks. We understand that this is code, what we're doing is we're sanctioning the conduct that is happening through this software protocol. We are not sanctioning the code itself." It's a complex concept. It's going to be challenged in court. Currently, there's a lawsuit against Treasury by some Coinbase employees and on this exact issue, we're going to be talking about this again, Anna, over the next few months, but I leave you with that. Look, OFAC has provided some guidance. It's helpful. I think we're likely to see more.
Delaney: Complex but a clear explanation. I really appreciate that, Ari. Always brilliant talking with you. Thank you.
Redbord: Great talking to you too. We'll talk soon.
Delaney: So Tom, it's over to you.
Field: I always learn a lot from Dr. Crypto or the Blue Devil, whatever you want to call him today. So I appreciate you bringing Ari on to our stage here. I want to bring back another long-time guest. He's been a figurehead on our stages and on our sites for years now. He's David Pollino. He's the former CISO at PNC Bank. David, always a pleasure to see you.
David Pollino: Good morning. It's great to be here.
Field: David, we have the privilege and the responsibility of living in, as they say, interesting times, and particularly interesting for cybersecurity leadership. On one hand, we've got the former Twitter head of security appearing before Congress this week, talking about his explosive whistleblower disclosures, which alleged that Twitter has got serious security and privacy vulnerabilities. At the same time, we see an upcoming landmark trial where Uber's previous security officer is facing criminal charges in regards to a breach at that organization. CISOs are watching these two cases closely. As a CISO at heart and in DNA, what concerns do you have about these cases?
Pollino: These cases are fascinating. To state something up-front, what we know about the whistleblower case is largely one-sided, from the whistleblower, from Mudge. And what we know about the Uber case was largely from the Department of Justice. So we're seeing one side of each story. But it is fascinating to be able to look into these highly respected companies with these highly respected CISOs and see what's going on by reading the information that's been publicly provided. These cases have a lot in common. But they also show that even these highly funded, highly respectable companies have challenges with cybersecurity. And what we can do as CISOs and security professionals is to read through them and say, "How can we learn and apply or potentially, in some cases, avoid making the same mistakes as these companies had," because what you had was very public security issues that were highlighted, and then regulatory action; you had several years to work on those issues. And then you had basically not the anticipated amount of progress, and incidents continued to happen. So how do you highlight those things? How do you use the lessons learned there? And there are a couple of things in there that I think kind of rise to the top. And for both of them, I think security culture is one of those key aspects. A CISO, by himself, is not going to be able to keep a company secure. Absolutely not. You need the full support of the board, you need the executive committee to be on with you, and you need to make sure that incentives and behavior are aligned to promote good security practices. We see in the whistleblower report that some of the measurements that were used, that were proxies for how secure or how many bots were on the network, that those were tilted in such a way to promote revenue and earnings. And maybe not necessarily made to find all the bots on the network.
And because of the culture of the company, that was allowed to be the prevalent attitude, and, as a result, a lot of the initiatives that the CISO wrote about in the whistleblower report were not receiving the traction. So learning from these reports is very important. And it's up to us as security professionals to take advantage of this public information.
Field: David, you had the privilege this past week to moderate a CyberEdBoard Community Roundtable. Topic was 'The Future of Cybersecurity Leadership, Board Regulation Ethics'. Now, I realize this was under Chatham House rules, I'm not going to ask you to disclose anything and you shouldn't. But talk about the mood in the room. Where do you see your peers standing regarding the ethical implications for CISOs and cybersecurity leaders?
Pollino: That's an excellent question there. I think what you're seeing here is the stakes are higher than ever; in one case you have being called before Congress. And like it or not, Mudge is one of the most respected security people; I've known him for several years, used to work with him. He's probably forgotten more about security than most security people will ever know. Taking this step in his career is life-changing for him, so he must have thought through it and understood what he was getting into. And on the flip side, having two felony counts brought against you by the Department of Justice, that's life-changing as well for another well-respected chief information security officer. So what we tried to talk about a little bit is, as this is one of the things that I'm pondering as well, is, as you're thinking about where the CISO operates and what level of authority the CISO has and how the CISO is viewed by the board, and even how board members are part of, or not part of, that interview process, and what insurance might be appropriate for a CISO, you're getting what, in many cases, it used to be that the CISO was not an executive committee member. And maybe much of the messaging from the CISO was filtered through an executive committee, a CIO or some other executive committee member; now wanting to have direct engagement with the board, wanting to make sure that the CISO is put in the position that if there are real security issues that are found, they're able to make progress on them, highlight them, and also report on them in a way that makes the CISO feel comfortable. One of the quotes in the whistleblower report is that Mudge said that they had 10 years of unpaid security bills. And if you talk to anyone in that room, everybody has some level of unpaid security or tech debt; you have some companies that are good at encryption, but terrible at patching.
Some are good at least privilege and administrative access, and others are bad at education and awareness. So there's always going to be some areas where you're higher or lower than your peers. But I think the key thing that's coming out of this is the "So what can you do about it now? And where does that take you?" If you've been reporting that we're doing well from a security perspective, and all of a sudden you're not, what's wrong? What's the disconnect? So I think when it comes to having an accurate measurement of where you are and where you need to go, and having the authority to be able to push in the right direction, is very important. One of the surprising things also that fell out of the whistleblower report had to do with the focus on production, and that sometimes the focus on production outweighed the need for security. So many of the tests were not in a full test environment; they were tested in production, according to that report, and when the September or the January 6th events were happening, and the CISO said, "Let's lock down our production environment," the answer was, "We can't, we don't know how to do it." So I think there's lots to be thought through for not only what can go wrong, but also what could go right when faced with foreseeable situations. And so there was lots of conversation in the room; we had to cut it short at the hour. The questions were flying, the opinions were on display, but it was a great conversation. And if you haven't dived into both the whistleblower report, watch the C-SPAN coverage of Zatko, or read the Department of Justice report. It's some pretty good reading for your next airplane flight.
Field: They will change our conversation. And it makes a strong point that if the CISO is in a position to be called before Congress and report to Congress, perhaps the CISO is in a position to be reporting to senior business management and the board as well. David, as always, appreciate your time, your insight.
Pollino: Absolutely. Thank you.
Field: Anna. So we bring Ari back into the room and wrap up our conversation today.
Delaney: Let's do that. Well, as we mentioned earlier, the November U.S. midterm elections are just two months away. What are your concerns about election interference as we approach the vote?
Redbord: Is that for me?
Delaney: We'll give David a break.
Redbord: Absolutely, this is probably taking my TRM crypto hat off. And when I was a prosecutor, these were issues that we were looking at for a long time, spanning a number of elections at the U.S. Department of Justice. And I think we've only just seen it get more serious. And I think what we saw this week in some reporting is that Russia is using real resources, which are becoming more valuable as the war effort goes on, and all of that, and we're seeing the gains by Ukraine. But the reality is, this is still a focus. And we're going to continue to see it, and I think we need to remain vigilant from a social media perspective; we need to remain vigilant when we're even talking about these things and talk really responsibly about them. So I think Tom made a great point at the outset that this is a reality that we are now living with. And we've talked for a long time that wars have moved to a digital battlefield, with exceptions, and this is a prime example of that. And in the age of the Internet, that was more centralized. I think we're seeing it become more decentralized, and it becomes harder to get your hands around. So I think the key is remaining vigilant. And yeah, I think it's going to be a tough question, but something we're going to live with for a long time.
Pollino: Yeah, it was a great point, Ari. And I think it's much like the supply chain issues that we've seen over the last couple of years. It's amazing how something that maybe you're not thinking about could impact your ability to deliver to your customers. So in some cases, it was semiconductors or other things that may have been still stuck on the boat or not readily available. So there's no doubt going to be cyber activity related to the election. And much like NotPetya was kind of targeted at one particular area, but the blast area was a lot larger, what are ways that either misinformation or cybersecurity activity could negatively impact your business? I think it's important for everybody to think about not only the primary areas where they could be impacted, but also the second and third areas, to be able to say, what should we be investing in, either from a cyber defense perspective or a monetary perspective? That way, if things get bad, or if activity ratchets up, how can we do it in such a way that we can continue to deliver to our customers? So I think approaching it first from a tabletop and from an academic perspective will put people in the best position to not have their businesses impacted by what's going to happen at the election.
Delaney: Yeah, very important perspectives. And I heard that there's a new risk in 2022. And that's physical safety threats to election officials and their families and their workplaces. And I don't think this was so much of an issue or that was discussed as much in 2016, 2018. It seems like yet another way to weaken election infrastructure, I don't know if you've heard the same.
Field: I see some of that down, I would just say that the concern I have is that we did see what happened in 2016, 2018 and 2020 on a large national scale. My personal concern is that 2022 might be the year of small ball. In other words, we've got so many regional elections happening that can reshape Congress in many ways. I wouldn't be surprised to start seeing some of the tactics we saw on a national scale now come down to a smaller scale. And I don't know that states and regions are prepared for that.
Pollino: That's a great point, Tom. Another thing that I like to bring up with some of my clients is around thinking about not only yourself, but also your perimeter, your orbit, when you're thinking about these security issues. So whether it's doxxing or physical attacks, what information is out there about you, where you are, how you operate? And then you go to the next level. What about my family? What about my kids? How could that be used either against me, or in such a way that if somebody was planning some cyber doxxing-type of attack, or physical attack, that they'd be able to do that? I think it's important for everybody to sit down, have a serious conversation with their family, those people who they trust, and say, "What are we doing from a security perspective? Are we limiting information sharing? Are we turning on good authentication? Are we staying away from reusing passwords?" And just getting kind of your family, your orbit OPSEC to the level of - if you think that you're a target, and that way, as Tom said, if the small ball comes to town, at least you're making yourself and your loved ones a much more difficult target for the attackers.
Redbord: Yeah, it's scary. There's absolutely no doubt. I'm going to have David come in and do some OPSEC help for me because I'm terrible at it. And just constantly feeling like a victim of these attacks, thankfully not many, but we're all getting these text messages these days that say, "Hey, Ari, long time, no talk," and it's just this, you almost feel like you're being attacked so often. And this is an entire Proof of Concept we could do another time. But these are becoming very real. And they affect everyone. I thought David said it really well about ensuring that you have the right OPSEC, not just for you, but for your family, especially when you are as out there as so many of us are these days.
Delaney: Well, you are public figures now. You're on Twitter all the time, Ari; you've got a whole media presence going on. Some people might not agree with you.
Redbord: It might not actually be me, Anna. So don't worry about it.
Field: A deep fake right now.
Delaney: Well, that is, as you say, the next episode of Proof of Concept. This has been, as always, educational and informative. Thank you so much, both of you.