Jun 4, 2024

"Markets Daily" hosts Jennifer Sanasie and Helene Braun sit down with Crypto ISAC Executive Director Justine Bone, Fireblocks founding member Shahar Madar and former Director General of Central Bank of Ecuador Andrés Arauz to discuss their outlook on crypto regulation across the globe.

Video transcript

We're coming to you from the CoinDesk podcast studio presented by BitGo. Founded in 2013 with the first institutional-grade Bitcoin wallet, BitGo is the gold standard in custody, staking and settlement. Today, BitGo supports over 800 coins and processes 20% of all Bitcoin transactions by value. Check them out at bitgo.com.

We'll turn now to our next guest. We're here with Crypto ISAC executive director Justine Bone and Fireblocks founding member and VP of Security and Trust Shahar Madar. Fireblocks just made a big announcement on stage right here at Consensus. They join us now to unpack what this means for the crypto space.

Hey, hello. Thank you for having us.

Thank you for being here. Now, congratulations on the announcement. Folks have already been talking about it. I know it only happened about an hour ago, but just lay a foundation for us. Tell us what you announced here at Consensus.

Yes. So right here today we launched the Crypto ISAC, and an ISAC is an information sharing and analysis center focused on cyber security incidents, concepts, best practices, threats facing our industry, in this case, of course, crypto. A lot of folks are surprised that the crypto industry has not had an ISAC until now. Actually, ISACs have been around for quite some time, focused on different sectors within critical infrastructure, bringing together stakeholders of all kinds within that industry to collaborate around cybersecurity challenges. So sharing information such as threat intelligence, allowing us as an industry to respond more effectively when these bad things go down, and they do keep happening, unfortunately. So there's a lot of interest in what we're standing up.

Why hasn't there been an ISAC for the industry so far? What were the challenges that led to us not having a group like this for so long?

I think it's just a matter of maturity.
Many of our founding members have very similar sophisticated cybersecurity programs internally, very adept at responding to cybersecurity incidents. But this is sort of taking that one step further, where these teams can actually start to come together and work as a sort of a collective defense for industry. So it's really a reflection of the maturing of the crypto industry and the need for us to develop cybersecurity, you know, processes alongside that.

Now, my colleague this morning wrote an article about the announcement and he mentioned that this is pretty much a badge of honor for the crypto industry. What does he mean by that?

Well, it's true, because it takes an industry reaching a certain maturity for an ISAC, you know, to be stood up. There's a model around an ISAC where 501(c)(6) organization with a vetted membership base representing industry. We vet the threat intelligence that runs across the platform. We're running a certified platform that's FedRAMP ready and meets all the other cybersecurity criteria. So, you know, the sector, if you will, has to be at a certain level of maturity. So it's a really great indication that we recognize these challenges in crypto and we're doing something about it.

So I wanna get you into the conversation. Fireblocks is part of this group. We have Circle, Coinbase, the Solana Foundation. That's just to name a few. Talk to me about the coordination amongst all of these companies. Getting everyone on the same page, I'm sure folks are looking at different challenges and different issues through different lenses. What's that coordination like?

Absolutely. And I think your point is exactly why we joined fairly early as founding members and why this is important, why the ISAC is important for the whole industry, right?
Like, we see one part of the picture. Coinbase, Consensys, they see another part. Together, we as the larger players in the space, we invest tons of resources for security, for securing ourselves, for securing our customers. And we wanna make sure that together, as a collective, we're able to raise the bar for attackers to actually hurt someone in the industry. And this is, you know, this is where the ISAC comes to play, right? You actually get different perspectives. You see people who are more on the business, large enterprises, you see others who are more consumer oriented and retail, and together we see everything. And the idea is to harvest, to leverage the expertise, the knowledge and the visibility of all these key members, key industry players, to protect literally everyone within the industry.

Now, Chainalysis estimates that in 2023 approximately $1.7 billion were stolen from hackers, from crypto platforms. Justine, once ISAC, Crypto ISAC, is established in a couple of years, fully established, what's that number gonna look like, seeing into the future?

You know, I think we are going to make things a lot tougher for these adversaries that we face. We've come a long way, but we've got a long way to go. There's a lot that we can learn from cybersecurity best practice and standards and approaches that have been applied in Web2. That can be a technical application of a solution. It can also be something like a governance strategy within an organization. So we're gonna see these best practices that we've learned the hard way through cyber and Web2 and be able to bring that over to Web3. So I think that you will see those numbers go down quite significantly as we organize further around these threats.

Now, what are some of the next steps that you're gonna take? Are there certain certifications that still need to be obtained, or?
So our initial focus is around what we call threat intelligence. So it's information and data vetted, so thoroughly analyzed by cyber and crypto experts, and then shared over a trusted platform. So it's what we call a threat intelligence platform. All of our members, no matter their stage, their size, have access to this platform and they're able to tap into this information, this threat intelligence. That's basically a dependency. It's vital for an organization to have access to this kind of information, to understand threats and respond to threats. So whether it's a startup or whether it's an institution that we've all heard of, everyone will have access to this data to help secure themselves. And for some of our members, this will be the sole source of threat intelligence. For others, not only will it be a source, but they will be contributing to the threat intelligence. But that's where our focus is in our initial stages at the Crypto ISAC.

To follow up on Helene's question, when does that happen? You know, so often in this industry we hear about these lofty goals, we hear about this consortium, folks coming together to solve challenges, and then we don't really hear about what happens after that. What is your road map? What do the milestones look like to achieve these goals that you're telling us about?

I'll kick off an answer and then I'll pass to Shahar here. We're actually ready to go right now. The threat intelligence platform is up and operational. If anyone here at Consensus wants to check it out, we can showcase it. We're starting to onboard information from our members right now. But no, we're hitting the ground running, and that's one reason why we chose a platform that's already been proven within the ISAC ecosystem, if you will. It's fully certified, it's already customized for applications and use cases. So yeah, we are ready to go.
Do you have something you wanted to...

I want to illustrate a win, like what a success would be, coming back to the big hacks and how the industry responds today. And I think we can compare the before and after. Today, whenever there's a huge hack, you see everyone trying to come together, right? They're trying to talk, communicate over Telegram channels, groups, over Twitter, and that's partially affected by, you see people running, trying to help, trying to figure out what's the right data, what's actually going on and how they can help. And part of that is, you know, when we bring everyone together on one platform that's vetted, you know who you are talking to, but also, you know, everyone wants to engage and everyone wants to help. You can see success stories where even though we didn't have that, people were managing to block some of the attackers, some of them follow up money movements that happened after a big hack. And I think we can definitely expedite that in future cases and make that highly more efficient and eventually affect, right. The goal is to block attackers from getting in but also to block them from being able to steal the funds and get them outside of the blockchain.

Let's zoom out and talk a little bit about the problem here. I'd love to hear your perspectives. What's the biggest, I guess, threat facing this industry? This morning we spoke a lot about policy, not only in the United States but in different parts of the world. And we touched on illicit finance, anti-money laundering. We talked about North Korea. What's the biggest threat facing the industry that ISAC can help whittle away at?

I think, you know, as a threat actor, the biggest one, the most prominent one, is the North Korean regime, right? We see them the most active, but on top of that, we also have tons of smaller, less attributed attacks that are involving cyber criminals, right?
They make a lot of the impact. They steal money. That's a business, right? There's North Korean trying to get their nuclear program funded and there's cyber criminals who just, that's our business to steal money. I think whenever we look at a new project, and we see many times you see an extreme hyper growth, right, of someone who is working and getting amazing adoption. We see that also they don't have the visibility to everything that happens in the ecosystem in terms of security, threat intelligence, different attacks, and they are often not able to follow up and make sure they are protecting against everything that's going on. Even if, you know, there is a different incident where the target really resembles them. They have shared characteristics and they should have learned from that, right? But if they don't have access to that information, if they don't have the ability to process threat intelligence, it's not gonna be effective, right? So the ISAC is gonna be tying this together.

Now, speaking of visibility, I know the team has met and briefed government officials on this new formation. What did those conversations look like?

We're building relationships right now. There's a lot of interest from various government agencies who have been exposed to our planning pre-launch, attending our meetings. There's a lot of demand for, a lot of need for collaboration. ISACs have always had a strong focus on public private partnership and that's going to be a big part of our program as we grow.

Now, I wanna ask a question about cold wallets, which are a popular choice for those looking for more security and self autonomy. But even cold wallets can be subject to hacks. So what can be done to make those safer?

I think, you know, it's a combination of many different things. One is following security standards with how you control the governance of their wallets, how the entire enterprise is built, right?
Some people would call something a cold wallet that actually, there are many people who have signing privileges and the so-called cold machine is actually connected to the internet somehow. I think it's more about governance, operational security for the enterprise, for the business who is holding these wallets. And again, it's coming back to, you're gonna be building those protocols, those operational security, internal processes based on the intelligence you're seeing, right, based on the best practice being shared, ideally by your peers. And again, coming back to the information sharing here, that's critical, and we expect the ISAC to be able to both push some of these out in terms of how we see, as an ISAC, the entire visibility, but also enable and facilitate peer to peer and channel based communications. So you can have, you know, a channel for exchanges or a channel for custodians who can share and see what's happening.

Right. I wanted to zoom out again a little bit here and look at this from a global perspective. For people who aren't familiar with ISAC, there are a lot of firms that are a part of this group, some of them with offices, employees, headquarters in different jurisdictions, different regions. How does this work with the different regulators, the different governments, the different firms, the different headquarters? Like, how does everything work together?

Well, we are striving to have a global reach at the Crypto ISAC, however, starting with the US focus. We are a US-based nonprofit, but we do anticipate representing stakeholders from across the globe. When it comes to regulation and standards and sort of compliance side, the US is already a leader that many other, you know, countries look to to comply with.
So that will be a big driver in terms of the best practices that we align with, but not ignoring other parts of the world that have also embraced crypto, for example, as well as cybersecurity. So it's not a simple undertaking, you're right on. But other ISACs have achieved this. So we can too.

Let's talk about the fun stuff now. We've talked about the announcement of the ISAC. We still have two and more than a half days left for Consensus 2024. What are you both looking forward to?

Socializing with experts in the field. I think there are many people here who could join the and are now learning about this, so hopeful that we come out of this with many potential members and people are signing up and understanding how this could honestly dramatically change the industry in terms of its resilience and its level of security.

I'd say that many of our founding members are also presenting elsewhere at Consensus. I'm really looking forward to attending those presentations and supporting our founding members. It's nice to give back a little bit, because they have been lending so much support to myself and our team at the Crypto ISAC, so to be able to reverse that a little bit through the rest of Consensus and attend those presentations of our founding members. That's one thing I'm looking forward to.

Are either of you going to Karate Combat?

I think it conflicts with the Crypto ISAC event actually, unfortunately.

If you got to choose, you gotta choose Crypto ISAC, I would say.

Yeah, no Karate Combat. Crypto ISAC. I'm very loyal. It's a good question though.

All right, Justine, Shahar, thank you so much for joining us. And again, congratulations on the launch.

Thank you very much for having us.

That was Crypto ISAC executive director Justine Bone and Fireblocks VP of Security and Trust Shahar Madar. We're joined now by the former Director General for the Central Bank of Ecuador, Andrés. Hello.

Hi, Jen. How are you?

Hi, good to see you. Here you are.
Doing fantastic. How are you doing?

Great, great, great. We had a good panel in the morning and now happy to talk to you guys.

Yeah, your panel was called "OFAC Sanctions Compliance: The Good, the Bad and the Ugly." Tell us, I'm going to pick one, the bad. What is it?

I mean, the bad is what's called over compliance. So many people in the industry, when they see anyone that might even resemble someone on the OFAC list, decide to close relationship with an entire country or an entire sector. And that over compliance is damaging the advancement of the industry, innovation and so forth.

Is that what's happening in the US right now?

Well, it's all of the world, because the thing is the OFAC sanctions are on behalf of the US, but they apply globally. So you can be, you know, in the middle of Rwanda or in my country in Ecuador and they still have to comply with the US list. And you know, this happens even to small credit unions, small innovators, small Web3 developers. They have to all of a sudden apply this big list made in Washington that really has little to do with the local reality, but it becomes troublesome and a burden.

What are we going to this?

Well, what we think is a solution is to try to have more of a multilateral arrangement, but also in general stop this overreach. You know, there are concerns that the country may have, but they should apply on their own soil. And one of the issues that we had is, you know, if government really tries to go after someone, government has tools to do that by itself. They don't have to outsource their job to the industry, to the financial players, to the fintech, to the, you know, crypto industry in the blockchain world. They can do that by themselves. They have enough surveillance capacity.

On that topic, curious what your thoughts are on both the Tornado Cash and buy us finance sanctions.

Well, exactly, that was one of the issues that came up in the panel.
We think that it's wrong that is going after, you know, software developers that were developing a tool basically to preserve a human right, from scratch, and basically showing it to the world all the time. You know, it was published on GitHub all the time. It wasn't a secret, it wasn't a covert operation, it was just a software tool for the entire world to use. And so we're concerned that people are being put into jail just for developing software that's out in the open.

Now, is there a way for firms to comply while also maintaining privacy?

Of course, that's what we have to do now. You know, the entire industry has to comply, even if we don't like the sanctions. We have to, or else we can get sanctions as well. So we do that, you know, with the technology available. You know, I have to do a lot of network and data analysis and it becomes a burden, and it's just the reality of the industry nowadays. You have to require KYC, to know your customers, regulations and standards all over the industry and, like I said, it's a burden, but it's a burden that nowadays we have to comply with.

It's a burden. And it's also tough. I think it's tough to expect anyone to stay on top of everything that's going on in different jurisdictions and try to comply. You know what I'm saying? So how would you advise folks to go about trying to maneuver this kind of minefield of regulation and policy?

So we have, you know, a short term solution, which is basically to try to keep yourself updated with the OFAC list, which is sometimes updated multiple times a day. And you know, I have these screening mechanisms and so forth. But I think the long term solution is to actually put our brightest minds to develop a technological framework whereby privacy, which is a human right, is embedded in the technological architecture from the design, from the start.

Do governments want that though?
Are they incentivized to see this come to fruition?

I mean, governments issue physical notes and coins, which is exactly that kind of technology which allows for privacy as a human right. And it's been around for 2000 years. So yeah, I mean, that technological option is also available. Now we wanna upscale that same concept into the digital world in the 21st century. And there are initiatives, for example, by Congresswoman Rashida, who proposed digital cash, which is a little bit different than account based central bank digital currency. It's actually applying the concept of the physical bank notes or the notes into the digital realm. So I think there are people within government that are thinking about this in this progressive way, privacy preserving way as well. And so hopefully that will prevail.

Now, zooming out, what is the bigger effect of the sanctions on the overall industry? How much damage can really be done with these?

I mean, a lot of damage can be done. You know, when you sanction a software developing firm, what you have is called an over compliance chill effect, where people are like, oh, I don't wanna touch that, you know, that's too dangerous. I don't want to get involved. I'm gonna try, you know, simpler innovations, and that curtails the development and the innovation in the industry. So that's one issue. The other one is how other players in the periphery of the world, you know, in developing countries and so on, they have really smart people that want to find solutions. But then all of a sudden they have to, you know, fill out FATCA forms. FATCA forms are these mandatory US IRS requirements for any bank or credit union anywhere on the planet. They have to have an account with the IRS and they have to report every single transaction that a US citizen can potentially in that bank or credit union, even if they don't have US persons as clients or customers.
So they have to deal with this burden. And on the other hand, you know, if they require some information from or from the or from the US in general, the US government is not responsive. They don't reply to emails, they take a long time to give a response or they say, we don't share that information. So you have to give us that information, but we won't share that information with you.

Andrés, I wanna turn now to CBDCs, because I know that Ecuador was the world's first central bank to roll out digital cash. Curious to hear your perspective on the advancement of CBDCs in certain jurisdictions, and if we even need privacy preserving CBDCs if we have stablecoins that seem to work, right?

No, I think stablecoins have shown a path forward of what can be done with this technology. I think a lot of central banks are scared of what stablecoins are projecting around the world. You know, most of the transactional volume in the crypto sphere is in the stablecoin market. So there is some fear from central banks as to what is called currency substitution. So they say, oh no, what's gonna happen to our currencies? Everybody starts to use stablecoins now. And so there is a legitimate point that central banks can worry about, because when stablecoins, it's basically a US dollar market. So then national currencies of developing countries are gonna become even more weak. And then of course, it impacts the development objectives of each country. So that's one of the reasons why developing world countries say no, we need CBDCs just as high tech as stablecoins, but with some guarantees and hopefully in a way that can resemble physical cash, which is the privacy embedded in the technological design.
That's why the offline mechanisms of CBDCs or digital cash, the concepts are a bit different, is crucial, because if you can have offline transactional capabilities, it means that it doesn't necessarily have to be surveilled, right?

That's an interesting point. I wonder if you've explored technologies like zero knowledge proofs or zero knowledge to apply that kind of privacy preserving element to CBDCs. And if you think that's something that, I mean, maybe, you know, if it's already being explored or if you think that's something we'll see governments explore.

Definitely. I mean, ZK proof technology is definitely one of the main pillars of having a privacy enabled currency or, in general, mechanisms. We have a paper that nim put out on incorporating zero knowledge proof technologies in the design of a privacy enabled CBDC. So we already have actual proof of concept of this and it works, it can work. The other thing we need is, you can even have sort of certain surveillance capacities for law enforcement purposes, but not on the server side of things, you know, where you have these troves and troves of data, but you can have client side surveillance. For example, you suspect that someone is doing something illicit, well, you go to their wallet and see their list of transactions and you don't have to see the entire planet's list of transactions.

And just before we wrap up, we are asking everyone at the desk here today, what are you looking forward to over the next three days?

I mean, I'm really looking forward to the conversation on privacy and the link to development. I think privacy is a human right and that has to be embedded in technology.
I really hope discussion can go forward here at Consensus, and tomorrow we have a few panels that discuss these issues, the intertwining of the regulatory world, the tax world, the compliance world, and of course privacy enabled. Those worlds are very intertwined. I look forward to that conversation.

Thank you so much for joining us.

Thank you, Jen. Thank you.
