Security Strategy for the Blockchain


In this episode of Cybersecurity (Marketing) Unplugged, Redbord also discusses:

  • How tracing the flow of funds from ransom payments can take down criminals;
  • Major threats in crypto and the blockchain;
  • What needs to be done in order to modernize laws regarding cybercrime.

Ari Redbord is the head of legal and government affairs at TRM Labs, the leading blockchain intelligence company in the industry. Prior to joining TRM, Redbord was the senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the US Treasury. In that position, Redbord worked with teams from the Office of Foreign Assets Control (OFAC), the Financial Crimes Enforcement Network (FinCEN) and other Treasury components to use sanctions and other regulatory tools effectively to safeguard the financial system from illicit use by terrorist financiers, weapons of mass destruction proliferators, drug kingpins, and other rogue actors, including Iran, Syria, North Korea and Venezuela.

After 15 years in the government, Redbord made what looks like an extraordinary leap to a cryptocurrency startup. He has spent his career building a safer financial system for billions of people, and that is the mission at TRM: working closely with law enforcement and acting as a tracing tool in the cryptocurrency space.

We do not seize cryptocurrency wallets or cryptocurrency itself. People ask all the time what I think happened there, and really, I chalk it up to great police work. Essentially, we’re just a software tracing tool that these investigators have in a much larger toolbox to go after illicit actors in the cryptocurrency space. They use the blockchain analytics to trace the flow of funds to a destination. They were able to use great police work to seize it, whether it was signals intelligence or human intelligence, to use information that they had gotten, seize back those funds and repatriate them.

Full Transcript

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Steve King 00:13

Good day everyone, I’m Steve King, the managing director at CyberTheory. Today’s episode is going to focus on crypto and blockchain and what you need to know from a cybersecurity point of view. Joining me today is Ari Redbord, the head of legal and government affairs at TRM Labs, the leading blockchain intelligence company in the space. Prior to joining TRM, Ari was the senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the US Treasury. In that position, Ari worked with teams from the Office of Foreign Assets Control and the Financial Crimes Enforcement Network, and other Treasury components, to use sanctions and other regulatory tools effectively to safeguard the financial system from illicit use by terrorist financiers, weapons of mass destruction proliferators, drug kingpins and other rogue actors, including Iran, Syria, North Korea and Venezuela. In addition, Ari worked closely with regulators, the Hill and the interagency on issues related to the Bank Secrecy Act, cryptocurrency and anti-money laundering strategies. Prior to Treasury, Ari was an Assistant US Attorney for the District of Columbia for 11 years, where he investigated and prosecuted terrorism, espionage, threat finance, cryptocurrency, export control, child exploitation and human trafficking cases. So welcome, Ari. I’m glad you could join me today.

Ari Redbord 02:06

Hey, Steve, thanks so much for having me. I love what you do, and I’m really excited to be a part of it today and to have a great conversation. So thank you so much.

Steve King 02:14

Thank you. And wow, what a background you have.

Ari Redbord 02:18

It’s nice. I’m old. It’s just, yeah, yeah.

Steve King 02:23

I hear that. Tell us about the forensics bridge to blockchain intelligence.

Ari Redbord 02:28

Yeah, no, absolutely. You know, it’s interesting. All the time, I’ll talk to folks and I’ll say, you know, after 15 years in the government, essentially, you know, I’ve gone to a cryptocurrency startup, and they sort of look at me cross-eyed, like it’s this extraordinary leap. And in some ways it is. But really, you know, I’ve spent my career on a mission to build a safer financial system for billions of people. And that’s our mission at TRM. So what we do is we work very closely with law enforcement, and we’re essentially a tracing tool. We have a software product at TRM that helps law enforcement trace cryptocurrency transactions. And I know we’ll dig into this in a moment, but say, for example, a ransomware case like Colonial Pipeline: we are able to trace the flow of funds from the ransom payment ultimately to the illicit actor and the wallet in which they hold those funds, potentially trying to off-ramp them into fiat currency. We also work with regulators to help them understand what the typologies of money laundering are, what they should be looking out for in their regulated ecosystems. And then we work very closely with large financial institutions and cryptocurrency businesses as the transaction monitoring or wallet screening component of their cryptocurrency compliance stack. In other words, if you are what FATF, which is the Financial Action Task Force, calls a VASP, a virtual asset service provider, or what FinCEN calls a money service business, and you touch crypto, you are required to have these types of risk-based compliance controls, like transaction monitoring, like blockchain analytics, in place to make sure that illicit actors aren’t taking advantage of your infrastructure, of your institution.

Steve King 04:09

In the case of Colonial, for example, were your tracing capabilities part of the reason why law enforcement was able to kind of claw back, whatever it was, 2.3 million I think of the 5 million paid?

Ari Redbord 04:24

Well, you know, it’s interesting. All the time, folks ask about blockchain analytics and what the capabilities around them are. You know, when you look around the federal government, you have IRS-CI, HSI, FBI all doing really, really extraordinary work in the cryptocurrency investigation space using blockchain analytics like TRM Labs. But essentially we are a software product, we’re a tracing tool for forensic investigators to use, and ultimately, they were able to follow the flow of funds in the Colonial Pipeline attack to a wallet that the FBI was ultimately able to seize. But you know, blockchain analytics itself is limited to sort of following and tracing and tracking financial flows on the blockchain. We do not seize cryptocurrency wallets or cryptocurrency itself. And you know, people ask all the time what I think happened there, and really I chalk it up to great police work. Again, we’re just a software tracing tool, we’re one tool that these investigators have in a much larger toolbox to go after illicit actors in the cryptocurrency space. And ultimately, you know, they use blockchain analytics to trace the flow of funds to a destination. And they were able to use great police work to seize it, whether it was signals intelligence, whether it was human intelligence; they were ultimately able to use information that they had gotten to seize back those funds and repatriate them. I think, you know, one other interesting piece that I think people miss, and a lot of this is because things move so quickly, is that we just assume that this is the first time that law enforcement is getting involved in a case like this.
And really, you know, if you look back over probably years of the FBI and HSI and IRS-CI and others building out networks of ransomware variants, understanding where these people are based and how they do their work, that is really what allowed the FBI to ultimately move so quickly in the Colonial Pipeline case. There’s probably years of work building out these networks and understanding where the touch points are, where the pain points are. And it was an extraordinary result. But blockchain analytics was just really one tool in a much larger toolbox of this great investigative work.

Steve King 06:32

Yeah, and law enforcement doesn’t get anywhere near enough credit.

Ari Redbord 06:36

You know, that’s why I say that whenever I can, because again, I think oftentimes they’ll look to these blockchain analytics companies and say, hey, look, they seized the funds, or they traced the funds. No, it’s great investigators, great police work. These are software tools that these terrific investigators are using.

Steve King 06:51

Yeah, particularly these days. And what they do is they keep us right on the edge of civility on a global level. Without that, God knows what we would look like. So, you know, God bless them. That brings me to confusion about blockchain and crypto in the marketplace. Most CISOs that I know, anyway, will say they understand both topics, they’ve got a handle on risk and opportunity, yada, yada, yada. I’m not sure I believe any of that. Can you paint a picture of both domains as they relate to cyber and identify the greatest threat exposures in each one?

Ari Redbord 07:33

Sure. And maybe backing up a minute is helpful, too. So you know, Steve, you’ve been in this space for a long time, and you have obviously developed extraordinary expertise around cyber and these topics. But look, I spent the majority, or I would say actually my entire career, in law enforcement living in a post-9/11 world where the focus was international terrorism, extremism, and the threat of terrorist financing. When you talk about anti-money laundering and terrorist financing related issues, that’s really what we’ve been thinking about as a nation and as a world when we’re talking about mitigating the risks out there. And I think really over the course of this year, May 7, when Colonial Pipeline was attacked, was really a watershed. I think it was the first post-9/11 moment where we started to realize that our national security has shifted to a digital battlefield. It’s a very different threat landscape than what we were facing before when we were talking about terrorist financing, terrorism cases. What we’ve seen since May 7 is a steady drumbeat from the Biden administration, from the Hill, from the private sector, right, on how do we address this new emerging threat. When, a couple of weeks after the Colonial Pipeline attack, Chris Wray, the FBI director, compared the Colonial attack to 9/11, I was taken aback by that comparison. But at the same time, it said to me, wow, this is a moment where really the focus of our national security has shifted, and we hadn’t seen that happen in over 20 years. And I think it was a really extraordinary moment.
And since then, we’ve seen DOJ coordinate at the highest levels around things like ransomware, cyberattacks, cryptocurrency investigations. We’ve seen the Department of Justice stand up a national cryptocurrency enforcement team, taking prosecutors from the computer crime section and the money laundering section and pairing them with Assistant US Attorneys all over the country with this type of cyber and cryptocurrency expertise. We have seen the White House engage the private sector, I think in unprecedented ways, providing recommendations for hardening cybersecurity and improving cyber hygiene, which to me is really the tip of the spear when it comes to stopping these types of attacks. And then we’ve seen the administration also start to take proactive measures in the space. For example, the Office of Foreign Assets Control, OFAC, which is the sanctions regulator within the US Treasury Department, a couple of weeks ago took its first action ever against a cryptocurrency business, a cryptocurrency exchange called SUEX, for facilitating ransomware payments. Interestingly, SUEX did not have the compliance controls in place to stop illicit actors from using it to facilitate ransomware payments or other illicit activity. And that was a way for the administration to say, hey, look, there’s this underbelly of illicit finance going on in the crypto space that is facilitating bad actors, and we’re going to take proactive measures, in a very scalpel-like manner, to take those illicit actors out of the overwhelmingly illicit crypto ecosystem. So I think, you know, that was a little rambling, so I apologize there. But I feel like it’s really important to kind of set this moment.
And I think what we’re doing, to your question, Steve, is we are really taking a whole-of-government approach. You’re seeing the Hill start to act around ransomware and hold hearings, you’re seeing the private sector fully engaged on the topic, and you’re really seeing the administration, whether it’s Treasury, whether it’s DOJ, whether it’s the National Security Council, whether it’s CISA, really start to take proactive measures. And I think it’s a really extraordinary moment in our national security space.

Steve King 11:18

No kidding. I notice, you know, we’re like midway through the NFL season, and we’re in the middle of the World Series, and you notice that we’ve got celebrity athletes promoting their own crypto exchanges, with Big Papi and Tom Brady. You know, when Tom Brady says something’s gold, you know, you’re pretty much assured that it’s gold.

Ari Redbord 11:42

I think what’s so interesting, and I was lucky enough to teach a class last night actually in Charlottesville at the University of Virginia on emerging threats in the national security space, is that the students themselves were so interested in the pop culture aspects of crypto, asking all kinds of great questions about NFTs. But yeah, no, Tom Brady’s NFT project is called Autograph. And it’s really interesting. It’s sort of building a community around athletes and interesting collectibles and potentially experiences. But really my point is, why I think crypto is so interesting and has grown so quickly, is that there is a national security aspect to it, right, there’s a financial aspect, there’s a regulatory aspect to it when you have the SEC and others engaged. And then you have this really cool pop culture moment around NFTs, where I don’t think we’ve even scratched the surface of the potential there. But going back to our conversation, all of that will lead to greater and greater illicit finance risks as that crypto ecosystem grows. Illicit actors and terrorist financiers and cyber criminals and nation state actors like DPRK will have a larger and larger playing field, if you will, as the crypto economy grows. That’s very important. And again, like the regular financial system, the fiat financial system, it will be overwhelmingly licit. But like any good financial system, illicit actors are going to want to take advantage of it. And that’s what we’re going to continue to see. And we need tools like TRM, and we need training for agents, and we need a full whole-of-government approach to make sure that bad guys do not take advantage of this new financial system.

Steve King 13:13

Yeah. And that was the gist of my question. It feels like we’re in the process of rapidly expanding the threat landscape here. And NFTs remind me a little bit of credit default swaps, you know, back in the sevens, when people were, you know, trading with enthusiasm, they’re two four on scene before in securitized assets, they had no idea what was in them. Do you feel there’s a little bit of that going on here as well?

Ari Redbord 13:54

You know, it’s interesting. The NFT space to me is really, really fascinating, and it’s really extraordinary technology. I mean, what non-fungible tokens allow for is they have a lot of the attributes of cryptocurrency, but they are unique, you know, each one has a unique identifier hashed to the blockchain, which allows them to do kind of really different things. So right now the use case is sort of art and collectibles, and I love it all. I think it’s a fascinating space, really interesting. My 10-year-old son and I collect NBA Top Shot together, you know, we are always digging through packs for a Zion Williamson moment, you know, a dunk. And it’s so cool. And it’s a way for me to teach him about blockchain also. But I will say you have this sort of illicit underbelly there too. For example, there’s this very popular show on Netflix that my wife and I have started watching called Squid Game, which is actually really fascinating, yeah, and our kids on Saturday. Friday or Saturday of last week, you know, some scammers issued something called Squid coin that you were able to buy but not sell. And ultimately, I want to say yesterday, there was a rug pull in which, after they had sold a bunch of these coins, they went ahead and just stole all the money and ran off with it. So the hype is leading to this sort of FOMO, right, where people are worried about missing out, where people are worried about getting involved in this stuff. And then you have scammers and cyber criminals who are going to ultimately take advantage of that exuberance. I think, to your initial question, this is the very beginning, right, where people are just starting to understand how to engage with this new financial system. And is it going to be the sort of meme GameStop culture where people are looking for fads and trends? Or is this going to be more akin to the way people are thinking about Bitcoin, where there is really truly this new currency that will hedge against inflation?
And then also, what I’m really excited about is the use cases. I mean, yesterday, the President’s Working Group came out with a really interesting paper on stablecoins, literally yesterday afternoon at three o’clock, that is a really critical read for anyone in this space. It talks about how stablecoin issuers should be regulated like financial institutions, like money service businesses essentially, not just by FinCEN for financial crime, but by regulators, to make sure that these stablecoins are backed one to one, and to make sure that there’s stability baked into the system that will allow people to use stablecoins at scale to buy things. That’s the moment that I’m really excited about, when I can walk into Starbucks and use my USDC to buy a cup of coffee. But again, I keep going back to it: the larger the financial system becomes, and FATF said this in recent guidance that came out last week, the White House or Treasury ended up reading and writing again this week, as the system grows, there’s going to be more and more illicit activity inevitably, and more and more vulnerabilities in the national security space. And we just need to make sure that we have the tools and training to meet those threats.

Steve King 16:48

Great news for people like you and me, and human nature never changes. So I’m sure, you know, the future is

Ari Redbord 16:57

wide. Yeah, yeah.

Steve King 16:59

Right. I want to talk to you a little bit about the whole hack-back thing, if I can. Many folks in the cybersecurity space are frustrated with our inability to modernize our laws regarding cybercrime, and our inability to go after thieves even when we’ve caught them in their tracks. Do you think we’ll ever see a transformation there? And what are the barriers to modernizing those laws?

Ari Redbord 17:32

I think from a cyber perspective, there are authorities in place for law enforcement to go after bad actors. I think one of the limitations that we have is just jurisdictional at the end of the day, right. When I was a prosecutor, engaged in any kind of case where you’re talking about foreign actors, and a lot of these are foreign actors, it is very hard to ultimately get extradition of people who are in places like North Korea and Iran and Russia and China. I think that’s always going to be a challenge. And that’s not a cyber issue. That’s not a cryptocurrency issue. That’s just an issue that we have faced forever. So you end up in this sort of whack-a-mole type of situation where you’re going after illicit actors, and you’re going after shell companies, and then they’re creating another shell company. And I think you see the same thing in crypto, where people are spinning up crypto wallets once they are designated by OFAC or indicted by the Department of Justice. So I think that’s just kind of a baseline issue. I will say that in the cryptocurrency space, certainly around anti-money laundering, which to me is a really important piece of the national security puzzle, you are just starting to see the Hill engage on how do we create a broad legal framework for cryptocurrency, and again, AML, cyber, ransomware, those will be part of an ultimately comprehensive plan. But right now the regulators are leading this charge, and you’ve seen great work out of the Financial Crimes Enforcement Network, FinCEN. Look, every cryptocurrency exchange that touches the United States or a United States citizen is regulated by FinCEN today. You know, people often ask me, when are the cryptocurrency exchanges going to get regulated?
And I say, they’ve been regulated for years. If you are a crypto exchange or a cryptocurrency business that brokers or custodies digital assets, you are required to do certain things. Essentially, what that means is you are required to build a risk-based compliance program. That likely includes things like transaction monitoring, which TRM does, policies and procedures; you are required to file suspicious activity reports, or SARs, with FinCEN; you’re required to respond to subpoenas and engage with law enforcement; you’re required to have the tools and the training necessary, senior management buy-in, all the things that you need to have for risk-based compliance in a large financial institution or any financial institution, you’re required to have in crypto. So I think in the regulatory space you’re already seeing a lot of this. You’re always going to see these kinds of non-compliant SUEXes of the world, the exchange based in Russia that was designated by OFAC, just like you see hawalas and non-compliant, unlicensed money transmitters in fiat. I think it’s just our job to make sure that the compliant exchanges, the exchanges like Binance and Coinbase and Gemini and FTX, have the tools in place so that illicit actors like SUEX or non-compliant exchanges don’t take advantage of their infrastructure in order to move money.

Steve King 20:36

Do we have enough resources at the federal law enforcement level to do what needs to be done here?

Ari Redbord 20:42

Yeah, I think that’s a great question. And look, I think that right now we’re really in early days. From a cryptocurrency standpoint, we are seeing a community of law enforcement and compliance professionals develop that expertise and get the tools and the training they need. I mean, at TRM, we are incredibly focused on working with the public sector to get them the tools and training that they need to do their investigations. Because what I often say is, look, there are cryptocurrency squads within law enforcement. I’ve heard something called cryptocurrency crimes. And I think the bottom line is there are no cryptocurrency crimes. Cryptocurrency is the means of payment in any number of crimes, predicate offenses, including child exploitation, human trafficking, drugs, narcotics trafficking, dark net activity. And again, in your world, Steve, ransomware, cyber attacks, nation state actors like North Korea, kind of in the national security set. So what we need to do is get every agent the tools and training that they need in order to trace and understand the flow of funds in crypto, because while we’ve never had more visibility on a financial system, that visibility does not have a whole lot of meaning unless you have the right people with the right skills to really do those sophisticated financial crime investigations.

Steve King 21:54

Right. You know, as you and I have discussed several times here, we see all of this activity within the current administration around cybersecurity and crypto, blockchain, etc. We all agree this is a terrific thing. It’s long overdue. It’s unprecedented. All of that is terrific. You spent a lot of years at the federal level in that public sector. Do you think we’ve got the ability to actually pull off and execute what needs to be done here?

Ari Redbord 22:26

Yeah, no, it’s a great question. And I think we’ve discussed this before, Steve. I think you and I are both optimists. But you know, hope is not a strategy. I think the important thing is that we are seeing that steady drumbeat, what I’ve described before as really a shock and awe campaign right now against ransomware. I think what we’re going to see over the next few months is more proactive action from the administration against those in that ransomware ecosystem that are either wittingly or unwittingly facilitating ransomware payments. I think we’re going to continue to see outreach to the private sector, because, as you know, ransomware attacks are not hacks. They’re not, you know, backdoor attacks; they use human engineering in order to walk right in the front door. So they’re sending spam and phishing emails to compliance professionals and others. And they’re very, very sophisticated, right? People asked me recently, hey, are they just sending hundreds of phishing emails, or thousands of phishing emails, hoping to catch something? And the answer is really no. It’s a targeted, sophisticated approach, where they’re going after specific individuals that they’ve identified as potentially vulnerable. And they send emails, for example, from somebody’s boss, that will say, hey, I need you to respond to this Google Doc in the next three minutes, or you’re overdue on this, something to build anxiety in that person, right? And then you click on that link, and it’s malware, and you have a ransomware attack on your hands. So I think that part of what we’re seeing is the administration doing a full court press with the private sector.
You know, a couple of weeks ago, we saw OFAC push out a really great brochure, which I highly recommend anyone in the space read, on how cryptocurrency businesses should be thinking about sanctions risk, sanctions vulnerability. We’ve seen FinCEN come out with very, very similar types of papers. And then we saw the White House come out with a letter to the private sector a few weeks ago on what steps you should take to make sure that you harden your cyber defenses. So look, I think we’re doing the right things. I think you’re going to see even more of this steady drumbeat over the next several months, or potentially longer, because again, we’re in this new world where we see terrorist financing in Bitcoin, cyber attacks against cryptocurrency exchanges by North Korea, and ransomware attacks by cyber criminal groups. We’re in a brave new world. We’re going to have to continue this campaign to make sure that we have the tools that we need in place and the training to meet this new threat.

Steve King 24:53

Yeah, and I don’t want to press you too hard on your personal view here versus your professional view, because we all have both of those. Yeah,

Ari Redbord 25:07

I try to make mine pretty aligned. But yeah, let’s go for it. Now I’m on the edge of my seat. All right, what are we going to ask here?

Steve King 25:12

Yeah. Well, so there are multiple paths here, right? There are multiple things going on. We’ve got non a, we’ve got the inability to extradite bad guys from several big countries, who are several big adversaries, and they’ll continue to do what they’ve been doing; there’s no reason for them to stop. We have a ransomware industry, which is very formalized; the affiliate marketing part of that is a whole marketplace unto itself, with all of the appropriate bells and whistles as if it were legitimate, and it encourages everybody that wants to make a quick million or two for doing virtually nothing to participate. And then we’ve got the whole law enforcement component and tracing components to track all of this new currency, if you will, and processes. A lot of moving parts. How are we going to? I mean, do we have enough time? Number one, ransomware is not going away, it’s just going to keep getting bigger and bigger, and more sophisticated, as per your earlier point. And secondly, the bad guys are generally as untouchable as they have been. And we’ve got the whole attribution problem, all the rest of that. How are we going to win this war?

Ari Redbord 26:28

No, it’s a great question, though. I think my personal and professional views are pretty aligned here. And that is, look, I do agree with the administration that hardening cyber defenses is the first line of defense here. And that is something we can certainly do. Right, we need to do it across the federal government, we need to do it in state and local governments, critical infrastructure; we need to really do everything we can to make sure that we’re thinking about this. And the people that I talk to in the space, the insurance carriers, the incident response companies, the threat intelligence companies, blockchain analytics providers like TRM, we are all working really closely with clients who are financial institutions and businesses to work on this piece. We are maybe a lot more sophisticated than we think around being able to take proactive cyber measures, offensive cyber measures, against bad actors. And I think we’ve seen some examples of that over the last few weeks, even with our intelligence community and law enforcement going after these ransomware variants. So I think that, look, the scary thing about this digital battlefield is it’s a lot more of an even playing field for countries like North Korea that could never compete in a conventional war. They are uniquely situated with professional hacking teams, like Lazarus Group. But I also believe that we will ultimately have the tools, the training and the capabilities in place to mitigate the threat.

Steve King 27:53

I’m willing to believe alongside you. Thank you, sir. We’re out of time today. I know you’ve got a hard stop already. And I want to thank you again for taking time out of your schedule to join me in what I hope was a pretty interesting exchange. I thought so, anyway.

Ari Redbord 28:09

I had a great time. Really, again, thank you so much for the invitation. It was a pleasure to join you to talk a little bit today.

Steve King 28:14

Great. And thank you to our listeners for joining us in another one of CyberTheory’s Unplugged reviews of the complex and frightening world of cybersecurity technology in our new digital reality. Until next time, I’m your host, Steve King, signing out.