Proof of Concept: How Can We Improve Industry Collaboration?Also: Federal Agencies Rolling Out EDR; Stablecoins and Cryptocurrency Regulation Anna Delaney (annamadeline) • May 23, 2022
In the latest "Proof of Concept," Ari Redbord, head of legal and government affairs, TRM Labs, and Grant Schneider, senior director for cyber security services, Venable LLP, and former federal CISO, join editors at Information Security Media Group to discuss the challenges that lie ahead for the U.S. government as it plans to roll out EDR deployments at more than half of federal agencies this year, how stable the stablecoin economy really is and how to mature our approach to industry collaboration.
Anna Delaney, director, productions; Tom Field, vice president, editorial; Ari Redbord, head of legal and government affairs, TRM; and Grant Schneider, senior director for cyber security services, Venable LLP; discuss:
- The potential challenges ahead as EDR deployments will be underway at more than half of federal civilian agencies by the end of September;
- The state of the stablecoin economy and cryptocurrency regulation today;
- How we as an industry can improve collaboration and information sharing.
Prior to joining TRM, Redbord was senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the U.S. Department of the Treasury.
Prior to joining Venable, Schneider served as the U.S. deputy federal CISO and the U.S. federal CISO and as senior director for cybersecurity policy on the White House National Security Council. Before that, he served for seven years as chief information officer for the Defense Intelligence Agency.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the May 12 edition on crypto as a new national security threat and the May 16 edition on how some Big Tech companies are backing the move to passwordless.
Anna Delaney: Hello, and welcome to Proof of Concept, the ISMG talk show where we analyze today's and tomorrow's cybersecurity challenges with experts in the field and discuss how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions here at ISMG.
Tom Field: I'm Tom Field. I'm senior vice president of editorial at ISMG. Anna, always a pleasure.
Delaney: Always a pleasure. So Tom, what is on your mind this week?
Field: Mardi Gras! Not Louisiana Mardi Gras, not New Orleans, but San Francisco and RSA Conference in the return of RSA conference to San Francisco after a two-year absence. That's about two weeks away, Anna, and we're both going to be there for it.
Delaney: We are! Marathon schedule ahead, I think. But I'm curious as to what the atmosphere will be like this year. I don't know if it was the same in the US, but definitely in the UK, there was a period of conference fatigue, and a bit of groaning when people had that thought of large conferences. Maybe this year, there'll be excitement and an appreciation of in-person events again. The world looks very different now as well, post-COVID, a pandemic which accelerated home working, and cloud adoption, and then of course, a war in Ukraine, which is sort of another geopolitical tension, which is really destabilizing the cyber structure. And what else have we got? Tom, have I missed anything? Oh, yes, ransomware! Ransomware attacks are now declared a national security threat. So there's a lot going on. I wonder how these will shape conversations?
Field: Well, it's interesting, because if you look at our own events, they're a microcosm of what's happening in the world. You and I have both been to some of our summits or conferences. We've hosted live roundtable discussions. And you see that people after two years of quarantine are very eager to get together again in groups and discuss these issues. At the same time, every one of these events is a first for somebody. It's the first time they've gotten out of their home office in two plus years to see such people. There's still some people tentative about that, given that the pandemic continues to rage and pockets around this. But I think there's so much to come and talk about in terms of the geopolitical situation, ransomware-as-a-service, software supply chain security. We still haven't gotten all together yet to talk about SolarWinds, Kaseya, Colonial Pipeline, and Log4j. Here's the opportunity upcoming. I think people are ready. I think it's going to be a lively event. And I think, it's going to set the tone for our conversations for the remainder of the year.
Delaney: Tom, is an RSA veteran. What are your survival tips?
Field: Comfortable shoes.
Delaney: And maybe Paracetamol.
Field: This is not the place you break in a new pair of shoes.
Delaney: Yeah, I would agree on that point. Having found that out last time, that we'll be doing a lot of sitting I presume, because we're interviewing a series of people. Who are you looking forward to the interview?
Field: I am so excited because we do have two studios that we are going to be going for four days. We have one on Broadcast Alley as people walk into Moscone West and go into the showroom there. We'll have our traditional ESPN-style setting, I always call it at the Marriott Marquis. And we are filling the slots for four days right now. We'll be doing a lot of sitting and talking. I'm always excited to bring in individuals and panels. And I think we have a great opportunity to create some unique programming. The slots are filling up right now. It's going to be exciting. That's all I can say.
Delaney: Looking back over the years, how have you made the most out of your experience there?
Field: Very little sleep and a lot of talking. We have the opportunity to talk with the cybersecurity leaders in the world. People from government, people from industry, people from every one of the sectors that we deal with. It's just a great opportunity to find out what is Top of Mind with the key decision makers globally in cybersecurity. It is overwhelming. And you need to come away with it and have some time to think and parse your thoughts and determine what are the key overall themes you're hearing. But I will say this, 18-hour days, dozens of conversations over a course of a day, events to go to go in the evening. It fills your time, it fills your mind. It sucks your soul to some extent but you always come away with a sense of what the most important themes are now and for the next six to 12 months going forward. So it always is a great opportunity to reconnect with the cybersecurity world.
Delaney: Yes, very well put. Well, I am looking forward to it. I want to bring on stage, someone who has told me he will be there too. Grant Schneider, are you there?
Field: Are you at RSA now?
Grant Schneider: I'm not at RSA yet.
Delaney: But soon, Grant. For those who don't know, you are the senior director of the cybersecurity services at Venable LLP and the former federal CISO. Hello, thanks so much for joining us, Grant.
Schneider: Thank you. Great to be here, Anna and Tom. Good to see you guys again. I look forward to seeing you in person.
Delaney: Yes. Grant, we've just passed the first anniversary of Biden’s cybersecurity EO. Are we where we need to be? Because I say this, I asked this, your colleague, Jeremy Grant told us recently on an episode of Proof of Concept, that whilst progress has been made, the challenge is in translating policy decrees into result. And that will take time. Do you agree? What are your thoughts?
Schneider: Yeah, I completely agree with that statement. I think that if you look at where we are a year into the EO, I think the administration hit most of the deadlines that were publicly available over the last 12 months, and there was a lot of actions and a lot of things that had to happen. A lot of those actions don't generate the outcomes, or the results that he mentioned that we want to get to. A lot of them were plans, and they were developing and getting things started. But all of those kicked off activities that agencies need to take to achieve the desired cybersecurity enhancement outcomes that we'd like to see. So definitely, more work to do. But I think it has galvanized the agencies and focused them on cybersecurity in a great way.
Delaney: It's been a busy week for government. News, also this week, that endpoint detection and response to appointments will be underway, and more than half of federal civilian agencies by the end of September. Now that's not too far away. You're well aware of how government operates, what is your perspective on this? And what potential challenges do you foresee?
Schneider: It’s getting underway. That's a great phrase, when you're in government. I'm going to be started on things, as opposed to necessarily complete with things. And so I think that's an achievable goal to get underway. And I think it's great. I think long journey starts with the first step, and I think this is about getting those first steps taken at a number of different agencies, rolling things out in one environment is a challenge, rolling it out across agencies is a whole bunch more challenges. And so, I think that is an achievable target. I would love to see and maybe it's the end of this fiscal year, calendar year, but kind of where our agencies right there started, but where are they in their implementation? And are they leveraging the value of EDR, where you match that up with other sensors in your environment, the other things in your extended detection and response environment, if you will, to be able to have better situational awareness and then be able to react more quickly to malicious activity.
Delaney: So often we hear that having adequate resources at the government level is a challenge. Do you see that shifting in any way?
Schneider: Agencies are building the 2024 budget. They just got their 2022 budget, the 2023 budget is with Congress. And hopefully, that will come this fall, we'll see. But agencies are getting their first opportunity since SolarWinds, which drove the executive order to ask for new money or make significant realignments to their cybersecurity and technology dollars. Everything they've been doing so far, they're kind of taking out a hide the word, some SolarWinds dollars, and the 2022 appropriations for a handful of agencies. But in general, agencies are definitely strapped. They came out of the pandemic that you mentioned, where they had to shift to work from home. They shifted to cloud capabilities. They did a lot of things there. And so I think they've already been strapped. And this is an additional challenge. And I think agencies are going to have to make hard tradeoffs on how they're investing not just their cyber dollars, but their technology dollars writ large, which is typically a much bigger pot of money than their cybersecurity dollars to be sure that they're meeting their critical requirements.
Delaney: This week cybersecurity agencies from across five eyes countries have published a joint report on the most common methods and techniques used by threat actors to gain an initial foothold into corporate and government networks. What did you make of the findings? Because it's not really about sophisticated, sexy zero days, is it?
Schneider: No, it's not. A friend of mine years ago said that cybersecurity is like working at a brewery. It sounds all exciting and sexy. But working in a brewery is about cleaning stuff. It's about sanitization, and cybersecurity is about the basics and the fundamentals. And I think that's reflected in the guidance. I think that the guidance is great. It's great to have all of that in one location. And industries should certainly look to that. That's the types of things that I tell my clients to focus on multi-factor authentication, patching your systems, updating your software, following basic hygiene, so I don't think there was anything terribly new in it. However, it's always good to have a resource in one place, it's good to get some additional media, more people like us talking about it, so that more companies pay attention. A lot of companies and entities haven't implemented multi-factor authentication or phishing-resistant multi-factor authentication, where they need to move to. So, great sets of actions in there. I think every organization should benchmark themselves against what would send that alert.
Delaney: That's great. Grant, we said that you're going to RSA. How are you going to make the most of this experience?
Schneider: The first thing I would say is disable all your wireless connections on your phone when you get to San Francisco. So that's step one. I agree with Tom on uncomfortable shoes, but it is about the engagements and the meetings, and to me, a lot of that are the sidebars. The sidebars that you have with people, sometimes that are impromptu because you run into them on the street and you just haven't seen them in a few years. I think that's going to be the case again this year. Reconnecting with people, understanding where they're at in their cybersecurity journey and see what you can learn from them and see how we can help each other. It's about sharing and helping each other at the conference.
Delaney: Excellent advice. Well grown. I'll see you there. But in the meantime, I'm passing the baton over to Tom to introduce our next guest.
Field: Excellent, terrific time to talk about this. In the past weeks, we have seen volatility in the marketplace. We have seen essentially, the crypto exchange hack of the week. It is the crypto Mardi Gras. Here to talk about that with us is Captain Crypto. He is the crypto Blue Devil from Duke University, head of Legal and Government Affairs with TRM Labs. Introducing Ari Redbord. Ari, how's that for a sports introduction?
Ari Redbord: I love everything about that introduction. All we need is cool, entering the arena type of music, which we'll work on for the next one for sure.
Field: Ari, last week, we got a stark reminder of the volatility of cryptocurrencies. Bitcoin plummeted to its lowest value in 16 months. So, raises a question: is the stablecoin economy stable as we'd like it to be?
Redbord: I think what we're seeing here is a reminder that we're still day one when it comes to building this new crypto economy. And there are just myriad projects across the landscape, more stable for lack of better description than others, some more volatile. And I think what you're seeing here is a winning or winnowing out of the crypto economy as we build. Janet Yellen, Treasury secretary, came out and said, I don't see a systemic risk here. There's no question that these are the types of events that could spread. I think what we've seen is it did not, but we saw a lot of the warnings around stablecoin runs and volatility and systemic risks play out a little bit last week. Again, in a contained way. But what we will likely see is a continued push, although I'm not sure how much more you can push because there's already been a lot of discussions about how to regulate the stablecoin space. And while I'm not betting on clear regulation, clear legal frameworks, clear legislation for crypto, over the course of the next several months or a year or so, we may see action on stablecoins. But I think that would have been true even before this latest market volatility.
Field: Fair point, because as stablecoins were typically lightly regulated, which is a nice way of saying; sometimes not regulated at all. What do you see is the state of crypto regulation today? What trends are you for seeing?
Redbord: I think it's an exciting moment. You see the price of bitcoin. But the price of bitcoin does not determine the state of crypto. We had never seen a US President talk about cryptocurrency. Now we have an executive order on it. That executive order didn't just talk about the risks, which is typical document like that. It talked about the need for US leadership in the world. The importance of looking hard and studying a central bank digital currency. I think what we've seen is regulators and policymakers globally continue that message, that clarion call for leadership in the space. A couple of weeks ago, we saw a handful of UK regulators come out and say, this summer, the Royal Mint is going to mint in NFT. We want to lead in the regulatory space, in the stablecoin space and the CBDCs. I think we're seeing more and more of this need for leadership and call for leadership in this space. I think we've gone past this business about, we should ban crypto to stop ransomware and other bad things from happening. We need thoughtful, sound regulation, and responsible innovation. I think that's a really kind of good place for the overall crypto economy to be.
Field: I liked that you mentioned the executive order, because as Anna said, it's been a year since the cybersecurity executive order from President Biden. It's been about two months now, since the cryptocurrency executive order was released. I know, it's still early days. But I know you've got great sources in government as well. What progress do you see so far?
Redbord: Yeah, the executive order basically tasks tasked to federal agencies, across the interagency, with coming up with reports and guidance in the crypto space. Admittedly, a lot of them had already done that. We heard a speech from Janet Yellen, a few weeks ago. We've heard a lot of comments by Gary Gensler, the SEC chair. We've seen CFTC come out and make statements. I think we're going to see those come out in sort of reports, but what we've already heard is a preview. And a lot of it echoes the EO. And that is call for leadership, and the space and what that looks like. But I can tell you, talking to folks at DOJ and Treasury that work was quickly spun up, those teams were quickly put together. And they are definitely working on it. In the meantime, we've seen cyberattacks continue. I know, you were talking about that in the last segment with Grant, but a lot of those attacks are on cryptocurrency businesses. Because in the age of crypto, an attack could mean you can steal money directly to fund weapons proliferation, destabilizing activity. And we've seen that, but we've also seen regulators start to take action in real time in response to these types of attacks. And that's an only crypto type story, where a regulator can be following the flow of funds in a cyberattack, and start bringing sanctions actions in real time. And it's an interesting development that shows sort of the paradox of cryptocurrency. You can steal a lot of money, and you can move it faster. But law enforcement also has tools that we never had before. It's an interesting moment in the regulatory, in the law enforcement, and across the crypto verse.
Field: I guess the news is with blockchain and cryptocurrency, everyone knows you're a dog. Ari, as you said, we're in the age of crypto, we're going to be talking about this a lot. Thank you so much for being here with us today.
Redbord: Love it. Always a pleasure. Thank you so much for having me.
Field: Anna, want some fun with our guests.
Delaney: I want to start this conversation around collaboration. How we can improve as an industry on that front because we all know it's important, but I feel sometimes it's given a bit of a superficial brushstroke. Ari, at TRM Labs, you look at blockchain analytics to follow the money. It's definitely part of the cybercrime puzzle. But it's not the complete picture, is it? I just want to know how you collaborate with law enforcement, with other data analytics companies and other companies?
Redbord: Yeah, it's a great question. And to me collaboration is everything. It's something that's easy to say, and I get that it's harder to do. But I've seen this from both sides. And I know, Grant has as well. When I was in the government, particularly at Treasury, there was a huge effort at the Office of Terrorism and Financial Intelligence to provide guidance and advisory to private sector. And it was a critical part of what we did. We hoped that every enforcement action was something that the private sector would read and understand, because that was a preview of the guidance that was coming down the road. That's what we do at TRM. We are a tool that is used by law enforcement and regulators to track and trace the flow of funds, to make licensing determinations when it comes to a crypto business. Those partnerships are absolutely critical to the process. Tools are very powerful, particularly in crypto, where you have sort of open blockchains. And you can follow the flow of funds. At the end of the day, these investigations, whether it's BitFenix, or Ronin, or Colonial Pipeline, come down to great investigators. Using just this is one of many tools in their toolbox. Coordination and collaboration is so critical.
Delaney: That's great. Grant, I'd love your perspective on how we can improve? Where can we close the gaps?
Schneider: I agree with you, and I agree with Ari that it's absolutely critical. It is hard. It’s the new version of information sharing. For years, it was: we need more information sharing. And that became a throwaway term, and I don't think it is. But I think with collaboration and with information sharing, to be successful, what do you want to collaborate about and on? What are the outcomes that you're trying to achieve? I think the more specific you can get, the better ability you have to create the right partnership with the right partners, and be able to build that trust, because both with information sharing and with collaboration. It really is successful when you can create a safe space that you can toss out ideas that maybe seem a little silly or don't seem quite right. But spark other people's imagination to help, whether it's an investigator, a forensics person, or to help figure out what's actually happening. I think getting specific about what you want to collaborate about, who you want to collaborate with, and then how do you create that safe environment so that everyone can completely bring their complete capabilities to the engagement.
Field: Anna, if I may, I've hosted a number of roundtable discussions on this topic recently. I know that talking to CISOs, there was a hunger for this. I think that they are ready now to be able to share their information and threat intelligence in order to receive that and certainly desire to do it with the public sector. Now credit where credit's due. I hosted this discussion with Michael Ehrlich. He's the former CTO with IronNet Cybersecurity. I thought he described the mentality perfectly when he called it a kindergarten mentality between the public and private sectors. There's a desire that I would like to have you share your toys, but I'm kind of reluctant to share my own. But he also described a good end game, which he described as the ways app of cybersecurity. If we can get a way to be able to share information about the car wreck or the construction up ahead, or even that there's a police officer looking for speeders up ahead and be able to do that anonymously in real time, that's a place that we need to go and I think increasingly, there's a desire and capability to get there.
Redbord: Tom, it's interesting. Yesterday, we released something called Chain Abuse, which is in collaboration with five or six other leading industry groups, including Circle and Binance and others, and it is a free website where we crowdsource hacks and scams and fraud and crypto. It is a place where people could go to share a hack or a scam that they have been a victim of, so that it doesn't happen to other people and I think that part of the ethos of crypto is obviously sort of this democratization of finance. But there's also an understanding that you have to have controls in place. But if the community can come together and do that together, at least in part, outside of law enforcement, and I think that is some of the power and promise there. But yeah, I think I could not agree more on that ways analogy, and that's what we've essentially been trying to build.
Field: There you go, Anna!
Delaney: Totally, I was just going say in our roundtable yesterday as well, that came up. The kindergarten approach, some are eager to take and not to share.
Redbord: It's hard. Having been in government and having been on the other side, there's a lot you can share, and I know Grant does too. So I usually try to be a giver. Give freely, just love, because you're not going to get a ton in return. It's important. I do understand why it isn't always a two-way street, and I try to be as supportive as possible.
Delaney: Are we ending on that note, Tom?
Field: I think it's a terrific place to wrap things up.
Schneider: Be supportive.
Redbord: Be a lover.
Delaney: That was absolutely fantastic. I enjoyed this discussion. Ari Redbord and Grant Schneider, thank you for joining us.
Redbord: Thank you so much.
Delaney: Thanks so much for watching. Until next time!