Security Strategy for the Blockchain

Ari Redbord is the head of legal and government affairs at TRM Labs, the leading blockchain intelligence company in the industry. Prior to joining TRM, Redbord was the senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the US Treasury. In that position, Redbord worked with teams from the Office of Foreign Assets Control (OFAC), the Financial Crimes Enforcement Network (FinCEN) and other Treasury components to use sanctions and other regulatory tools effectively to safeguard the financial system from illicit use by terrorist financiers, weapons of mass destruction proliferators, drug kingpins, and other rogue actors, including Iran, Syria, North Korea and Venezuela.

Redbord has also worked closely with regulators, the Hill and the interagency on issues related to the Bank Secrecy Act, cryptocurrency and anti-money laundering strategies. Prior to Treasury, Redbord was an Assistant United States Attorney for the District of Columbia for eleven years where he investigated and prosecuted terrorism, espionage, threat finance, cryptocurrency, export control, child exploitation and human trafficking cases.

After 15 years in the government, Redbord made an extraordinary leap to a cryptocurrency startup. He spent his career focusing on building a safer financial system for billions of people, working closely with law enforcement and acting as a tracing tool in the cryptocurrency space. This is the mission at TRM.

We do not seize cryptocurrency wallets or cryptocurrency itself. People ask all the time, what do I think happened there? And really, I chalked it up to great police work. Essentially, we’re just a software tracing tool that these investigators have in a much larger toolbox to go after illicit actors in the cryptocurrency space. They use the blockchain analytics to trace the flow of funds to a destination. They were able to use great police work to seize it, whether it was signals intelligence or human intelligence, to use information that they had gotten, seize back those funds and repatriate them.

In this episode of Cybersecurity Unplugged, Redbord discusses:

  • How tracing the flow of funds from ransom payments can take down criminals;
  • Major threats in crypto and the blockchain;
  • What needs to be done in order to modernize laws regarding cybercrime.

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Steve King: [00:13]

Good day, everyone. I’m Steve King, the managing director of CyberTheory. Today’s episode is going to focus on crypto and blockchain and what you need to know from a cybersecurity point of view. Joining me today is Ari Redbord, the head of legal and government affairs at TRM Labs – the leading blockchain intelligence company in the space. Prior to joining TRM, Ari was the senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the U.S. Treasury. In that position, Ari worked with teams from the Office of Foreign Assets Control and the Financial Crimes Enforcement Network and other Treasury components to use sanctions and other regulatory tools effectively to safeguard the financial system from illicit use by terrorist financiers, weapons of mass destruction proliferators, drug kingpins and other rogue actors, including Iran, Syria, North Korea and Venezuela. In addition, Ari worked closely with regulators, The Hill and the interagency on issues related to the Bank Secrecy Act, cryptocurrency and anti-money laundering strategies. Prior to Treasury, Ari was an assistant U.S. attorney for the District of Columbia for 11 years where he investigated and prosecuted terrorism, espionage, threat finance, cryptocurrency, export control, child exploitation and human trafficking cases. Welcome, Ari. I’m glad you could join me today.

Ari Redbord: [02:06]

Hey, Steve, thanks so much for having me. I love what you do, and I’m excited to be a part of it today and to have a great conversation. So thank you so much.

Steve King: [02:14]

Thank you. And wow, what a background you have!

Ari Redbord: [02:18]

It just made me old.

Steve King: [02:23]

I hear that. Tell us about the forensics bridge to blockchain intelligence.

Ari Redbord: [02:29]

Absolutely. It’s interesting! All the time, I talk to folks and I say, after 15 years in the government, essentially, I’ve gone to a cryptocurrency startup, and they look at me cross-eyed like this is an extraordinary leap, and in some ways it is. But I’ve spent my career on a mission to build a safer financial system for billions of people. That’s our mission at TRM. What we do is we work very closely with law enforcement, and we’re essentially a tracing tool. We have a software product at TRM that helps law enforcement trace cryptocurrency transactions. I know we’ll dig into this in a moment. For example, in a ransomware case like Colonial Pipeline – we are able to trace the flow of funds from the ransom payment ultimately to the illicit actor in the wallet in which they hold those funds, potentially trying to off-ramp them into fiat currency. We also work with regulators to help them understand what the typologies of money laundering are, what they should be looking out for in their regulated ecosystems. We work very closely with large financial institutions and cryptocurrency businesses as the transaction monitoring or wallet screening component of their cryptocurrency compliance stack. In other words, if you are what FATF, which is the Financial Action Task Force, calls a VASP, a virtual asset service provider, or what FinCEN calls a money service business, and you touch crypto, you are required to have these types of risk-based compliance controls like transaction monitoring, blockchain analytics in place to make sure that illicit actors aren’t taking advantage of your infrastructure or of your institution.

Steve King: [04:09]

In the case of Colonial, for example, were your tracing capabilities part of the reason why law enforcement was able to claw back the $2.3 million, I think, of the $5 million paid?

Ari Redbord: [04:23]

It’s interesting. All the time folks ask about blockchain analytics and what the capabilities around them are. Law enforcement has become, when you look around the federal government, you have IRS-CI, HSI, FBI all doing extraordinary work in the cryptocurrency investigation space using blockchain analytics, like TRM Labs, but essentially we are a software product, we’re a tracing tool for forensic investigators to use, and ultimately, they were able to follow the flow of funds in the Colonial Pipeline attack to a wallet that the FBI was ultimately able to seize. But blockchain analytics itself is limited to following and tracing and tracking financial flows on the blockchain. We do not seize cryptocurrency wallets or cryptocurrency itself. People ask all the time, what do I think happened there? I chalk it up to great police work. We’re just a software tracing tool. We help with one tool that these investigators have in a much larger toolbox to go after illicit actors in the cryptocurrency space. Ultimately they used blockchain analytics to trace the flow of funds to a destination, they were able to use great police work to seize it, whether it was signals intelligence or whether it was human intelligence, they were ultimately able to use information that they had gotten, ultimately seize back those funds and repatriate them. I think one other interesting piece that I think people miss in a lot of this is, because things move so quickly – we just assume that this is the first time that law enforcement is getting involved in a case like this. If you look back, there were probably years of the FBI, HSI and IRS-CI and others building out networks of ransomware variants, understanding where these people are based and how they do their work. That is what allowed the FBI to ultimately move so quickly in the Colonial Pipeline case. It was probably years of work, building out these networks and understanding where the touch points are and where the pain points are. It was an extraordinary result. But blockchain analytics was just one tool in a much larger toolbox of this great investigative work.

Steve King: [06:32]

Law enforcement doesn’t get anywhere near enough credit.

Ari Redbord: [06:36]

That’s why I say that, whenever I can, because I think oftentimes they’ll look to these blockchain analytics companies and say, “Hey, look, they seized the funds or they traced the funds.” No, it’s great investigators, great police work. These are software tools that these terrific investigators are using.

Steve King: [06:51]

Particularly these days, what they do is they keep us right on the edge of civility on a global level. Without that, God knows what we would look like. God bless them. That brings me to confusion about blockchain and crypto in the marketplace. Most CISOs that I know, anyway, will say that they understand both topics. They’ve got a handle on risk and opportunity. I’m not sure I believe any of that. Can you paint a picture of both domains as they relate to cyber and identify the greatest threat exposures in each one?

Ari Redbord: [07:33]

Sure. Maybe backing up a minute is helpful, too. Steve, you’ve been in this space for a long time. I think that you have developed extraordinary expertise around cyber and these topics, but I spent the majority, or I would say my entire career, in law enforcement, living in a post-9/11 world where the focus was international terrorism, extremism, and the threat of terrorist financing, when you talk about anti-money laundering or terrorist financing-related issues. That’s what we’ve been thinking about as a nation and as a world when we’re talking about mitigating the risks out there. I think over the course of this year, and May 7, when Colonial Pipeline was attacked, it was really a watershed. I think it was the first post-9/11 moment where we started to realize that our national security has shifted to a digital battlefield. It’s a very different threat landscape than what we were facing before when we were talking about just terrorist financing or terrorism cases. What we’ve seen since May 7 is a steady drumbeat from the Biden administration, The Hill and the private sector on how do we address this new emerging threat? A couple of weeks after the Colonial Pipeline attack, Chris Wray, the FBI Director, compared the Colonial attack to 9/11. I was taken aback by that comparison. But at the same time, it said to me, “This is a moment where the focus of our national security has shifted,” and we hadn’t seen that happen in over 20 years. I think it was an extraordinary moment. Since then, we’ve seen the Department of Justice (DOJ) coordinate at the highest levels around things like ransomware, cyberattacks and cryptocurrency investigations. We’ve seen the DOJ stand up a national cryptocurrency enforcement team, taking prosecutors from the computer crime section and the money laundering section and pairing them with assistant U.S. attorneys all over the country with this type of cyber cryptocurrency expertise. We have seen the White House engage the private sector, I think, in unprecedented ways, providing recommendations for hardening cybersecurity and improving cyber hygiene, which to me is the tip of the spear when it comes to stopping these types of attacks. We’ve seen the administration also start to take proactive measures in the space. For example, the Office of Foreign Assets Control (OFAC), which is the sanctions regulator within the U.S. Treasury Department, a couple of weeks ago took its first action ever against a cryptocurrency business – a cryptocurrency exchange called Suex – for facilitating ransomware payments. Interestingly, Suex did not have the compliance controls in place to stop illicit actors from using it to facilitate, whether it’s ransomware payments or other illicit activity. That was a way for the administration to say, “Hey, look, there’s this underbelly of illicit finance going on in the crypto space that is facilitating bad actors and we’re going to take proactive measures in a scalpel-like manner to take those illicit actors out of the overwhelmingly licit crypto ecosystem.” That was a little rambling. So I apologize there. But I feel like it’s important to set this moment. I think what we’re doing, to your question, Steve, is we are taking a whole-of-government approach there. You’re seeing The Hill start to act around ransomware and hold hearings, you’re seeing the private sector fully engaged on the topic and you’re seeing the administration, whether it’s Treasury, DOJ, the National Security Council, CISA, start to take proactive measures, and I think it’s an extraordinary moment in our national security space.

Steve King: [11:17]

No kidding. I noticed during and midway through the NFL season and the World Series that we’ve got celebrity athletes promoting their own crypto exchanges, with Big Papi and Tom Brady. If Tom Brady says something’s gold, you’re pretty much assured that it’s gold.

Ari Redbord: [11:42]

I think what’s so interesting, and I was lucky enough to teach a class last night in Charlottesville at the University of Virginia, on emerging threats in the national security space. But the students themselves were so interested in the pop culture aspects of crypto and asking all kinds of great questions about NFTs. Tom Brady’s cryptocurrency, his NFT project, is called Autograph. It’s interesting. It’s building a community around athletes and interest in collectibles and potentially experiences. But my point is, I think why crypto is so interesting, why it’s grown so quickly, is that there is a national security aspect to it. There’s a regulatory aspect to it when you have the SEC and others engage, and then you have this cool pop culture moment around NFTs where I don’t think we’ve even scratched the surface of the potential there. But going back to our conversation, all of that will lead to greater and greater illicit finance risks as that crypto ecosystem grows. Illicit actors, terrorist financiers, cybercriminals and nation-state actors, like DPRK, will have a larger and larger playing field, if you will, as the crypto economy grows. That’s very important. Again, like the regular financial system, the fiat financial system, it will be overwhelmingly licit. But like any good financial system, illicit actors are going to want to take advantage of it. That’s what we’re going to continue to see. We need tools like TRM and we need training for agents and we need a full whole-of-government approach to make sure that bad guys do not take advantage of this new financial system.

Steve King: [13:13]

That was the gist of my question. It feels like we’re in the process of rapidly expanding the threat landscape here. NFTs remind me a little bit of credit default swaps back in 2007, when people were trading with enthusiasm. There are two-four on scene before and securitized assets. They had no idea what was in them. Do you feel that there’s a little bit of that going on here as well?

Ari Redbord: [13:55]

The NFT space to me is fascinating. It’s extraordinary technology. What non-fungible tokens allow for is they have a lot of the attributes of cryptocurrency, but they are unique. Each one has a unique identifier hashed to the blockchain, which allows them to do different things. Right now the use case is art and collectibles. I love it all. I think it’s a fascinating space. Interesting. My 10-year-old son and I collect NBA Top Shot together. We were always digging through packs for a Zion Williamson moment, a dunk. It’s so cool. It’s a way for me to teach him about blockchain also, but I will say then you have this illicit underbelly there too. For example, there’s this popular show on Netflix that my wife and I have started watching, called Squid Game, which is fascinating.

Steve King: [14:44]

No kidding.

Ari Redbord: [14:45]

On Friday or Saturday of last week, some scammers issued something called Squid coin that you were able to buy but not sell. Ultimately, I want to say yesterday, there was a rug pull in which, after they had sold a bunch of these coins, they went ahead and stole all the money and ran off with it. What the hype is leading to is this FOMO, or fear of missing out, where people are worried about getting involved in this stuff, and then you have scammers and cybercriminals who are going to ultimately take advantage of that exuberance. I think, to your initial question, this is the very beginning, where people are starting to understand how to engage with this new financial system. Is it going to be this meme GameStop culture where people are looking for fads and trends? Or is this going to be more akin to the way people are thinking more about Bitcoin, where there is this new currency that will hedge against inflation? What I’m excited about is the use cases. Yesterday, the President’s working group came out with an interesting paper on stablecoins that is a critical read for anyone in this space. It talks about how stablecoin issuers should be regulated like financial institutions, like money service businesses, essentially, not just by FinCEN for financial crime, but by regulators to make sure that these stablecoins are backed one to one, and to make sure that there’s stability baked into the system. That will allow people to use stablecoins at scale to buy things. That’s the moment that I’m excited about – when I can walk into Starbucks and use my USDC to buy a cup of coffee. But again, I keep going back to it. In recent guidance that came out last week, the White House or Treasury ended up reading and writing again this week. As the system grows, there’s going to be more and more illicit activity inevitably and more vulnerabilities in the national security space. We just need to make sure that we have the tools and training to meet those threats.

Steve King: [16:48]

Great news for people like you and me, and human nature never changes. So I’m sure, you know, the future is bright. I want to talk to you about the whole hack-back thing, if I can. Many folks in the cybersecurity space are frustrated with our inability to modernize our laws regarding cybercrime, and our inability to go after thieves even when we’ve caught them in their tracks. Do you see that we’ll ever see a transformation there? What are the barriers to modernizing those laws?

Ari Redbord: [17:32]

I think from a cyber perspective, there are a lot of authorities in place for law enforcement to go after bad actors. I think one of the limitations that we have is jurisdictional at the end of the day. When I was a prosecutor engaged in any kind of case where you’re talking about foreign actors, and a lot of these are foreign actors, it is very hard to ultimately get extradition of people who are in places like North Korea, Iran, Russia and China. I think that’s always going to be a challenge. That’s not a cyber issue. That’s not a cryptocurrency issue. That’s just an issue that we’ve faced forever. You end up in this whack-a-mole type of situation where you’re going after illicit actors, and you’re going after shell companies, and then they’re creating another shell company. I think you see the same thing in crypto, where people are spinning up crypto wallets once they are designated by OFAC or indicted by the Department of Justice. I think that’s just kind of a baseline issue. I will say that in the cryptocurrency space, certainly around anti-money laundering, which to me is an important piece of the national security puzzle, you are just starting to see The Hill engage on how do we create a broad legal framework for cryptocurrency, and again, like AML, cyber, ransomware, those will be part of, ultimately, a comprehensive plan. But right now the regulators are leading this charge, and you’ve seen great work out of the Financial Crimes Enforcement Network (FinCEN). Every cryptocurrency exchange that touches a United States citizen is regulated by FinCEN today. People often ask me, when are the cryptocurrency exchanges going to get regulated? I say, they’ve been regulated for years. If you are a crypto exchange or a cryptocurrency business, broker or custodian of digital assets, you are required to do certain things. Essentially, what that means is you are required to build a risk-based compliance program that likely includes things like transaction monitoring, which TRM does, and policies and procedures. You’re required to file suspicious activity reports, or SARs, with FinCEN. You’re required to respond to subpoenas and engage with law enforcement. You’re required to have the tools and the training necessary, senior management buy-in, all the things that you need to have for risk-based compliance in a large financial institution or any financial institution, you’re required to have in crypto. I think in the regulatory space you’re already seeing a lot of this. You’re always going to see these kinds of non-compliant Suexes of the world, the exchange based in Russia that was designated by OFAC, just like you see hawalas and non-compliant, unlicensed money transmitters in fiat. I think it’s our job to make sure that the compliant exchanges, the exchanges like Binance, Coinbase, Gemini and FTX, have the tools in place so that illicit actors like Suex or non-compliant exchanges don’t take advantage of their infrastructure in order to move money.

Steve King: [20:36]

Do we have enough resources at the federal law enforcement level to do what needs to be done here?

Ari Redbord: [20:42]

I think that’s a great question. I think that right now we’re in early days. From a cryptocurrency standpoint, we are seeing a community of law enforcement and compliance professionals develop that expertise and get the tools and the training they need. At TRM, we are incredibly focused on working with the public sector to get them the tools and training that they need to do their investigations. What I often say is, there are cryptocurrency squads within law enforcement. I’ve heard something called cryptocurrency crimes. I think the bottom line is there are no cryptocurrency crimes. Cryptocurrency is the means of payment in any number of crimes, predicate offenses, including child exploitation, human trafficking, drugs, narcotics trafficking, darknet activity. In your world, Steve, ransomware, cyberattacks, nation-state actors like North Korea, or in the national security set. What we need to do is we need to get every agent the tools and training that they need in order to trace and understand the flow of funds in crypto, because while we’ve never had more visibility on a financial system, that visibility does not have a whole lot of meaning unless you have the right people with the right skills to do those sophisticated financial crime investigations.

Steve King: [21:55]

As you and I have discussed several times here, we see all of this activity within the current administration around cybersecurity, crypto, blockchain, etc. We all agree this is a terrific thing. It’s long overdue. It’s unprecedented. You spent a lot of years at the federal level in that public sector. Do you think we’ve got the ability to pull off and execute what needs to be done here?

Ari Redbord: [22:26]

It’s a great question. I think we’ve discussed this before, Steve. I think you and I are both optimists. But hope is not a strategy. I think that the important thing is that we are seeing that steady drumbeat. What I’ve described before is a shock and awe campaign right now against ransomware. I think what we’re going to see over the next few months is more proactive action from the administration against those in that ransomware ecosystem that are either wittingly or unwittingly facilitating ransomware payments. I think we’re going to continue to see outreach to the private sector, because ransomware attacks are not hacks. They’re not backdoor attacks. They use human engineering in order to walk right in the front door. They’re sending spam and phishing emails to compliance professionals and others. They’re very sophisticated. People asked me recently, “Hey, are they just sending hundreds of phishing emails or thousands of phishing emails hoping to catch something?” And the answer is, “Really not.” It’s a targeted, sophisticated approach, where they’re going after specific individuals that they’ve identified as potentially vulnerable. They send emails. For example, it’ll be from somebody’s boss that will say, “Hey, I need you to respond to this Google Doc in the next three minutes. You’re overdue on this.” Something to build anxiety in that person. Then you click on that link and it’s malware, and you have a ransomware attack on your hands. I think that part of what we’re seeing is the administration doing a full-court press with the private sector. A couple of weeks ago, we saw OFAC push out a great brochure, which I highly recommend anyone in the space read, on how cryptocurrency businesses should be thinking about sanctions risk, sanctions vulnerability. We’ve seen FinCEN come out with very similar types of papers. Then we saw the White House come out with a letter to the private sector a few weeks ago on what steps you should take to make sure that you harden your cyber defenses. I think we’re doing the right things. I think you’re going to see even more and more of this steady drumbeat over the next several months or potentially longer, because we’re in this new world, where we see terrorist financing in Bitcoin, cyberattacks against cryptocurrency exchanges by North Korea and ransomware attacks by cybercriminal groups. We’re in a brave new world. We’re going to have to continue this campaign to make sure that we have the tools that we need in place and the training to meet this new threat.

Steve King: [24:54]

I don’t want to press you too hard on your personal view here versus your professional view. Because we all have both of those.

Ari Redbord: [25:05]

I don’t know, I think I’ve tried to make mine pretty aligned. But yeah, let’s go for it. I’m now on the edge of my seat. All right, what are you going to ask me?

Steve King: [25:12]

There are multiple paths here. There are multiple things going on. We’ve got non-aid, we’ve got the inability to extradite bad guys from several big countries, who are several big adversaries, and they’ll continue to do what they’ve been doing. There’s no reason for them to stop. We have a ransomware industry, which is very formalized. The affiliate marketing part of that is a whole marketplace unto itself, with all of the appropriate bells and whistles as if it were legitimate, and it encourages everybody that wants to make a quick million or two, for doing virtually nothing, to participate. Then we’ve got the whole law enforcement component and tracing components to track all of this new currency, if you will, and processes. There’s a lot of moving parts. Do we have enough time? Ransomware is not going away, it’s just going to keep getting bigger and bigger, and more sophisticated, to your earlier point. Secondly, the bad guys are generally as untouchable as they have been. We’ve got the whole attribution problem and all the rest of that. How are we going to win this war?

Ari Redbord: [26:28]

It’s a great question, though. I think my personal and professional views are pretty aligned here. I do agree with the administration that hardening cyber defenses is the first line of defense here. That is something we can certainly do. We need to do it across the federal government. We need to do it in state and local governments and critical infrastructure. We need to do everything we can to make sure that we’re thinking about this, and the people that I talk to in the space, the insurance carriers, the incident response companies, the threat intelligence companies, blockchain analytics providers like TRM, we are all working closely with clients who are financial institutions and businesses to work on this piece. We are maybe a lot more sophisticated than we think around being able to take proactive cyber measures, offensive cyber measures, against bad actors. I think we’ve seen some examples of that over the last few weeks, even with our intelligence community and law enforcement going after these ransomware variants. I think the scary thing about this digital battlefield is it’s a lot more of an even playing field for countries like North Korea that could never compete in a conventional war. They are uniquely situated with professional hacking teams like the Lazarus group. But I also believe that we will ultimately have the tools, the training and the capabilities in place to mitigate the threat.

Steve King: [27:53]

I’m willing to believe alongside you. Thank you, Ari, for taking time out of your schedule to join me in what I hope was a pretty interesting exchange.

Ari Redbord: [28:07]

I had a great time. Thank you so much for the invitation. It was a pleasure to join you to talk a little bit today.

Steve King: [28:14]

Great. Thank you to our listeners for joining us in another one of CyberTheory’s Unplugged reviews of the complex and frightening world of cybersecurity technology and our new digital reality. Until next time. I’m your host, Steve King, signing out.

Category: Podcast