X-Force

Now You See Me, Now You Don’t: How Regulating Cryptocurrency Might Make It Easier to Unearth Cybercriminals

Play the latest episode
|
Feb 9, 2022
28 minutes

Subscribe

Listen to the Security Intelligence Podcast wherever you get your podcasts.

Now You See Me, Now You Don’t: How Regulating Cryptocurrency Might Make It Easier to Unearth Cybercriminals
February 9, 2022
| |
21 min read

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content.

Cryptocurrency has emerged as the favored payment demanded by ransomware criminals. Cryptocurrency is built on Blockchain, a technology that makes it highly secure but can also make transactions difficult to trace. The combination can provide criminals the ability to cover their trail by obfuscating funds and quickly moving them across national boundaries.

Meanwhile, ransomware is increasingly being acknowledged as a national security threat, with criminals now routinely demanding millions of dollars from victims that often include critical infrastructure, including power operators, hospitals and banks. Regulating the cryptocurrency sector may help assuage the threat by providing law enforcement an easier path to track criminal activity and even recover ransomware funds.

Enter the Institute for Security and Technology (IST) Ransomware Task Force (RTF), a broad coalition of experts in industry, government, law enforcement, civil society and international organizations. Megan Stifel, Chief Strategy Officer for the IST, was part of the task force that issued five recommendations to governments around the world designed to help combat ransomware.

Among the recommendations: closely regulate the cryptocurrency sector and monitor ransomware attacks across it.

In this episode, Megan shares how cryptocurrency is used by cybercriminals to elude law enforcement. She also provides a deeper look at the role regulation might play in helping make it easier to trace criminal activity and ultimately make ransomware less profitable — and more difficult — for threat actors.

Join me, and together we’ll venture Into the Breach.

Listen to the episode: Now You See Me, Now You Don’t: How Cryptocurrency Regulation Can Make it Harder For Cybercriminals to Escape

Transcript:

Mitch: Cryptocurrency: It’s emerged as the favored payment demanded by ransomware criminals, who now routinely ask for millions of dollars to release a victim’s data. The technology behind cryptocurrency is highly secure but can also make transactions difficult to trace.

Criminals use cryptocurrency for that very reason—it’s difficult to track and it provides the added bonus of allowing them to quickly move funds across national borders—a combination that makes finding and prosecuting them a difficult task for law enforcement.

In this episode, we sit down with Megan Stifel, the Chief Strategy Officer at the Institute for Security and Technology. Megan was part of the Institute’s Ransomware Task Force (RTF) that in 2021 issued five recommendations designed to help combat ransomware.

Among the recommendations: closely regulate the cryptocurrency sector.

We’re going to take a closer look at the role regulation might play in helping make it easier to trace criminal activity and ultimately make ransomware less profitable–and more difficult–for threat actors.

I’m Mitch Mayne, and you’re listening to Into the Breach.

So Megan, let’s talk a little bit about cryptocurrency in general, we know that it’s the favored currency of threat actors. And your report talks about at least one of the ways that it can be obfuscated. So how easy is it for threat actors to actually hide funds and cover their trail?

Megan: The short answer is it’s altogether too easy. And the reason for that is that cryptocurrencies are as yet an unregulated space. Of course, if you do small amounts of cash transactions in the US, you can in the early stages, at least to kind of fall below the radar as it were for the regulatory landscape that has evolved for cash as a monetary instrument. In the case of cryptocurrencies, once one reaches, I think it’s $10,000 in deposits or a single deposit of a certain threshold that starts to trigger flags that not only the United States, but other jurisdictions have adopted.

Mitch: And that’s in real money, right? Not necessarily cryptocurrency?

Megan: Yes, in real money, right. So in real money, if you deposit certain amounts within a certain amount of time, or if you reach a certain threshold in a single deposit, you will trigger potentially what’s called a suspicious activity report or other types of reporting requirements that have you evolved to, among other things, but in particular, to advance law enforcement’s ability to ensure public safety by investigating the transfer of monies likely associated with criminal activity because money motivates many criminals and many hackers in the cryptocurrency space. That’s not the case yet. And I think the yet part of the one of the important points that there is not at this point in time a process by which the exchange of cryptocurrencies would trigger a report to a regulatory authority, whether that be the United States Treasury or some like situated organization in another jurisdiction, Ministry of Finance is often the case overseas.

Mitch: So it’s a little bit of the wild wild west out there on the internet when it comes to cryptocurrency in terms of how traceable it is and how easy or difficult it is for folks to cover their trail right or for us to track them in the wake of the colonial attack. And I want to touch upon this a little bit, the FBI had some ability to actually track and recover some of their funds. And now they’ve got some folks up in arms saying, Hey, look at this, cryptocurrency isn’t actually as untraceable as we thought. I’ve done a little bit of investigation into how the FBI actually was able to trace that, but do you have any thoughts there? Is this a repeatable way to track criminals? How is it actually possible for them to get to where they were and recover partial funds?

Megan: Well, you may have found more bits of the trail than I have so far. But overall, I would say is this a repeatable process? Potentially, but certainly not in all cases, and certainly, as I think was the case, here, it wasn’t to the full extent of the funds provided. And the idea roughly would be that there might be a relationship potentially, between law enforcement and a an exchange a cryptocurrency exchange or mixer where these cryptocurrencies pass through on their way from the victim of the ransomware attack to the threat actor or actors who are being paid in order for the victims resources to be unlocked. Of course, there’s always the likelihood that you may pay them and they may not unlock them, or they may steal your data. But that’s a separate conversation.

The challenge, though, is that in not all cases, or in probably in most cases, so far, two things happen. One, there is no relationship and there’s no disclosure to law enforcement, the payment is just made. And maybe you’ve secured the right negotiator who maybe figures out a way to try and recoup the money. But it doesn’t seem that that’s been the case so far, or you do disclose to law enforcement, but they are not in the position that they were in in the colonial case, in order to claw back the monies.

Mitch: Yeah, it looked like from the research that I was able to do that.I think one of the articles that I read was titled something like, ‘follow the digital breadcrumbs’ and it looked like it was kind of a lucky break. We don’t know a lot about it, but it was interesting to see that we actually were able to track it to at least some extent. You were involved with the Institute for Security and Technology, and we’re part of the ransomware task force or the RTF. And as part of that task force, you issued some recommendations that were in a PDF that I gotta tell you, Megan was what I think is really well done. It’s called combating ransomware. It’s available on the public ISD website at security and technology.org. Tell me a little bit about the task force and how it got started.

Megan: The charter was a voluntary one, so to speak. What happened is particularly in 2020, but even before then ransomware became and has now become kind of one of the malware is of choice and kind of the crime as a services of choice of criminals and potentially nation-states who are engaged in what one might call offensive cyber operations, I would at this point, be reluctant to call them cyber conflict. But in any event, particularly as the world began to respond to the pandemic, the scale and scope of ransomware grew exponentially throughout 2020.

Mitch: Yeah, we saw that here to just have an interview with Nick Rossman. And he was explaining the same thing that things just kind of jumped off of the stage when the pandemic hit.

Megan: Yeah, so in response to that, and so you saw things like, there are facts and figures, I don’t know that you want me to cite them. But chapter and verse with we included them in the report, as I mentioned, the scale and scope going in some cases, tripling in terms of the amounts that were being demanded, the amounts being paid, the number of victims and the type of victims going from a while ago, it would just be kind of individuals, and the individual would get this blue screen of death or whatever it was saying, Oh, your computer has been seized, you need to call this number. And actually, when I was at the DOJ, the person who sat across the hall for me was one of the poor people whose phone number was stuck on those notices. So then she would say no, you need to call IC three, which is the Internet Crime Complaint center, while attacks against individuals were occurring earlier in the 1213 2012 2013 phase. It was really, I think, wanna cry that began at forecasts or forebode, where we saw ransomware, going, particularly in 2018-19.

And then especially as 2020, and the pandemic took hold, it was clear that not only were individuals being targeted, but also critical pieces of infrastructure. So we saw schools and hospitals and insurers even being targeted. And in the wake of all this, a number of US leaders at the Institute for Security and Technology came together to say we need to build a coalition of multiple types of stakeholders and make some recommendations to begin to come at all this because we can see where this is going. And again, it’s not just going to be kind of the nuisance of identity theft, it is going to be and has become now a national security threat. And to address those types of threats, particularly because of the way the internet works and who the key players are. It’s not just a government that can make up responses and manage this. And it’s not just the private sector that can manage this. And it’s not just one sector or the private sector that manages we really need a really broad coalition. And so we were able to bring together over 60 experts, we had members of the insurance Community Financial Services, nonprofits, cloud providers, software providers, Microsoft, we had Incident Response companies, organizations, cybersecurity companies like rapid seven Palo Alto, who were involved in this and came together to identify four key recommendations and then a series of priority actions to implement those recommendations in order to make a meaningful impact against the rising national security risk that ransomware poses to not only the US economy, but the global economy.

Mitch: So you guys basically put on your prognosticator hat. And I think you are correct that, you know, with the combination of both the rise in proliferation of attacks with the amount of extortion that was being demanded, and with the targets becoming more and more into the critical infrastructure section that we decided that it might be wise to look at this was a unanimity in your recommendations from the task force, or did you guys have some differing opinions.

Megan: There was, I would say, overall, almost unanimous agreement on the recommendations, the one that we did not make a recommendation on was whether or not payments should be banned. And it has been almost six months since we issued the report, there are debates that one can listen to, and thankfully, we’ve had opportunities to talk about why that was the case. But other than that, and I think that’s what’s so remarkable about this effort not to pat ourselves on the back too much, but really about the community of individuals and organizations that came together was the common recognition and desire to do something about ransomware. And the idea that what needs to be done is not controversial, per se. So you didn’t see this, as I say, unanimous agreement on basically everything. Of course, there is the caveat in the report that these are the you know, not everyone agrees with everything. But having been involved in the process. Overall, there was a high degree of consensus around where we took the report.

Mitch: Well that is pretty remarkable given the amount of people that were involved with the task force. So congratulations on that. You mentioned payments being illegal, didn’t we already have some sort of legislation or some sort of guidance around the legality of payments? I thought they were already pretty much not to be made yet. We still see victims paying the ransom. And like you said, that doesn’t always necessarily mean you’re going to get your data back or your data back in a usable place or usable way.

Megan: So the recommendation by the government, at least in the United States recommendation is the keyword is not to pay for a couple of reasons. First, as we talked About you might not get your money back. But second, by paying we are basically incentivizing additional attacks because if they see monies transmitted or provided in response to an incident here, then why would someone not pay it next time around?

Mitch: Yeah, feeding the monster, basically, so to speak. I think the UK is a bit more out front on that.

Megan: And certainly members of the cybersecurity community sort of officials in the community have expressed opinions that part of their basis for saying this ought to be prohibited is that not only are we paying criminals for conducting criminal behavior, but those monies go to a range of societal ills. And unfortunately, we don’t have a good deal of information. But there is information out there about the types of societal harms that paying ransoms support. And so it’s not that we just don’t want to put money in the hands of criminals if that we don’t want to put money in the hands of criminals who are then potentially supporting other things like and sort of list your parade of horribles but transfer of weapons of mass destruction and human trafficking.

Mitch: Yeah, drug trade, bad, bad things.

Megan: What we essentially decided to do was to leave that question of making payments open. And at the same time, though, I think part of your question is around some of the requirements that have been placed around payments as kind of a first step toward banning payments, which was kind of where we ultimately landed, which was to say, not making an immediate recommendation, but But thinking about a pathway towards banning payments. And that has to do with sanctioning certain entities and ensuring that if an organization is going to make a payment, that they do not pay a sanction density, because then they will find themselves in regulatory Jeopardy.

Mitch: Yeah, and there’s the nuance, right, it’s payment to sanction entities, I think that is currently banned. Your task force came in with a handful of recommendations, and one of which was regulation looking at actually regulating the cryptocurrency market. That’s a rather hotly contested issue with some folks, you know, out there saying that it’s going to damage the market for investors. So how did you guys think about how regulation might work in a way that allows the market for investors to remain but also helps us locate criminal actors,

Megan: There are, you know, a kind of a range, as we talked about, in the report a range of categories of actors in the space from kind of minimally regulated exchanges, and then kind of peer to peer exchanges over the counter types of decentralized exchanges. And the idea being that, as has been the case, in other types of monetary instruments by providing regulation, I would say this is my personal opinion, not necessarily reflective of everyone in the task force. By providing regulation, it’s kind of guardrails that can be actually a supportive measure to enhance this marketplace. If it is, as I think you said a couple of minutes ago, the wild west out there, that can actually be a disincentive for the average citizen or or investors to potentially get involved. That may be actually the reason they want to get involved.

But if we want to see cryptocurrencies become kind of more commonplace and want to see that as a kind of safe way to exchange money, then the idea of thinking about regulatory measures and the application of existing financial regulations to this particular type of currency is a way to do so. So things like anti-money laundering regulations, your customer requirements, you know, the filing of suspicious activity reports around what types of payments can be a first step toward actually providing more confidence in that particular marketplace.

Mitch: So this is more about the applicability of existing financial regulations and how that might be applied to the cryptocurrency market versus coming up with some net new stuff. Because as you mentioned early on, we already have a lot of safeguards in place for the standard currency market, right? So if I take $10,001 and deposit it in the bank of Mitch, then that automatically raises a red flag, and if that’s a clean $10,001, because it’s over the $10,000 clip rate, right, if that’s money that, you know, I got from my grandpa as a gift, and there’s really nothing to worry about, even though that flag may be raised. And that form may be filed, because I don’t have a breadcrumb or a history of transactions like that. They just pretty much are looked at and discarded. Is that correct?

Megan: I think it’s important to be certain not to paint everyone with the same brush, right? There are organizations who are involved in this space who are and want to be on the right side of the issue. So would not be looking to try and kind of abuse gate discard or otherwise necessarily absolve themselves of having been in an exchange of cryptocurrencies, then there are those who would like to kind of remain anonymous. So that’s where we begin to see a large degree of concern as it relates to ransomware.

Mitch: So I think the lesson here is, if you really have nothing to hide, then there’s really nothing to be concerned about.

Megan: Well, that’s how I would think about it. But that’s kind of a little bit too simple, right? I’m sympathetic to the concern to a limited extent that whenever there’s regulation, there’s additional costs because compliance frameworks need to be established. However, as you said a few minutes ago, we’re not necessarily thinking about a new form of regulation. It’s kind of an expansion of existing regulation to cover a new type of currency.

Mitch: Well, let’s talk a minute about blacklisting. Is it easier to just blacklist known accounts that are associated with criminal gangs or criminal gangs? Nation-states rather than try to regulate the entire market is that an option in your eyes?

Megan: It could be an option. But the reality is that a particular part of this process is to pay money to identify wallets kind of like safe houses. In the old days, one didn’t always keep the same safe house, one doesn’t use the same wallet in multiple heists. So it’s a little bit difficult to just say, right, we’ll just block list account XYZ or wallet XYZ because that wallet just was created. And then as soon as the monies are received, the wallet kind of is emptied, there is a limited reuse of these in a way that makes the blacklisting of them less effective than it probably should be.

Mitch: I think your point is a valid one. And I think that is true, it sounds like it would become a game of Whack a Mole. Then we’re tamping down on individual accounts or individual wallets. But it’s super easy for me to go back in and open up hundreds of wallets at the same time. Correct. So it’s like you may hit one or two of them. But then I’ve got 98 left. So is the current administration digs deeper into the cybersecurity as a whole and certainly into the cryptocurrency market? What do you suspect we might see as the first steps towards regulation?

Megan: We’re beginning to see some of the pieces in the Forum. I’m thinking in particular a little bit about the sanctions piece that we already discussed. But there were announcements in October from the treasury, US Treasury lesson around kind of regulatory measures, but further explanation and clarification of actions that can be taken to comply with the recent application and sanctioning of exchanges and actors. And I think, you know, the first thing to watch us to kind of see how whether or not that process expands, though there are additional entities that may be sanctioned, and individuals and then thinking about kind of further guidance from not just Treasury but others in this space, and partly about the SEC, but also importantly, whether we see similar types of actions from us partner, governments, allies and the like. Because if the US is kind of standing alone, the effort won’t be as effective as it could be, obviously, when we have a range of factors, as is the case in the fat of space and elsewhere.

Mitch: That’s sort of like the threat sharing analogy as well. Right? It’s like, together, we’re smarter than we are as individuals. So the same sort of adage holds for looking at the cryptocurrency market. You mentioned the sanctions, those have been coming out. I think there have been a couple of reports in recent months to make it harder for criminal actors and criminal hackers to profit from ransomware. Are sanctions actually effective and why is it being used? And how will it actually work? Do you think it is going to be successful? I guess, is my key question here?

Megan: Well, I think it certainly acts as a deterrent, because of the difficulty that we’ve talked about in the early part of our conversation and the difficulty of not knowing with whom one is doing business. In some cases, organizations who choose to pay are saying, well, we’ve done our due diligence, why will we still be subject to sanctions if we can demonstrate that and that’s actually kind of where the Treasury came out the other day it was Here are additional steps you can take to undertake your due diligence. And if you follow these, we may be affording you some degree of penalty reductions.

One of the points we made in the ransomware taskforce report was that greater clarity needed to be given around organizations that do want to do the right thing if because the payment of ransoms is not yet prohibited, it’s prohibited to pay a sanction entity what counts as sufficient due diligence such that an organization can feel less at risk from having made a payment. And so in October, the Treasury Department, OFAC together with FinCEN gave additional guidance on those steps that can be taken to demonstrate due diligence.

One of the things they also talked about is cooperating with the government and giving notice to the government that a ransom has been demanded and that it is going to be paid. And to the extent that that kind of conversation and that exchange of information and the need to come forward to the government or to be afforded leniency essentially may act itself as a deterrent to payments. So where does that land an organization that’s a tough call, particularly depending on who the victim becomes. But this idea then that an organization that fails to undertake due diligence is the converse of what Treasury has said we’ll be not afforded leniency. And there’s always the making an example of someone that in and of itself may be a deterrent measure against the payments. But how do we then deter the criminals? Well, if there are fewer payments, then their theory goes that if they begin to like to make less money, they will be less inclined to continue to undertake ransomware attacks.

Mitch: There’s, I think, a few voices out there who consider you know, that sort of double punishment for the victim, right? It’s just like, if you pay the ransom, I mean, you’ve already been hit with the victim of one crime. And then the government comes in and punishes you, saying, Well, if you’ve decided to pay the ransom, now you’re going to also get penalized from us. So there are a few folks out there who think that that sort of double jeopardy for a few unfortunate folks, I want to ask you a little bit about we talked some about how easy it is or not easy it is to sort of hide your funds in the cryptocurrency world. What is your knowledge of cryptocurrency mixing services? Because that is from my understanding, one of the key ways that criminals used to cover their trail.

Megan: Well, I would say in the first case, my knowledge is not as extensive As many others, including the experts in the ransomware Task Force, the mixers themselves also add an additional level of difficulty and an additional layer of obfuscation that criminals like and law enforcement and law abiding citizens don’t like, well.

Mitch: This is why I mentioned your report, because it’s so well written, and it’s 81 pages. So for those of you out there who are listening, Don’t roll your eyes at 81 pages, because it’s 81 pages of really well written material, you talk about ransomware, fund obfuscation, and you do mention a couple things like chain hopping and the mixing services. And you do it in a language that’s really crisp and really clear. And it sort of gives the general public as well as lawmakers who may not be technical experts a way to understand this in a sort of a human fashion as opposed to feeling like I have to be a PhD in Engineering in order to get my head around the ransomware market and cryptocurrency as a whole. Let’s talk a little bit about what your vision is. And we can talk a little bit about Megan’s personal vision if you want or the ISD Task Force as well. What would the ideal state for the cryptocurrency sector be in your eyes? And is it achievable?

Megan: Well, I should speak only for myself, because I’m not the expert, I have just had the benefit of hearing a bit of some of the expertise that was shared in the process of developing and writing a report. But from a background in national security over there, I say two decades now. The idea that someone can exchange something of benefit right there, I’m also a lawyer, doesn’t pay for any organization anymore. But in that exchange, and continuing to make money or continue to benefit from it at the end of the day is a societal harm is not something that is sustainable in a global economy, and certainly not in a space where we are where everything is kind of going digital. One might think that whether it’s cryptocurrencies, we’ve obviously been exchanging money through wire transfers in the light for many decades. But there, I think, is a need for regulation in this space. Because without it, what’s to stop the demands from growing even larger 10s of millions into the hundreds of millions of dollars, which we’re already seeing, and what’s to stop the targets from having a more deadly impact.

We’ve seen incidents in hospitals causing delays of services to individuals, which ultimately lead to their death, you know, we can think about the kind of the supply chain implications, just even the summer from the Colonial Pipeline incident. And at the end of the day, this is all fueled by money. And we’re not able to follow the money as well as we can in other spaces, which has been an effective measure in combating, it’s not the only measure. And it’s not a silver bullet, but it is an effective measure in investigating and reducing the societal harm that can come from criminal activity.

So that was a long-winded way of saying, I think we’re coming to the point where regulation needs to happen, I think it can happen. It should happen in a collaborative manner. We’ve already through the taskforce and some of the work following it had very early conversations with those who want to be contributing to both of the marketplace of cryptocurrencies as you identify, but also recognise the risk and provided that it’s done in a thoughtful manner that obviously tries to reduce the kind of compliance burden, but gives the maximum benefit to those who want to do the right thing. I think we need to get there, and we should get there.

Mitch: Can we accomplish that? I think it’s a good goal. I mean, you mentioned societal good. And I’m going to touch on that in a second here. Is it achievable? And if so, how soon do you think we can get there?

Megan: Peace, I think, is one of the challenges. So thinking about the likelihood? Well, I mentioned that I’m a lawyer, I’m not examining this from a legal perspective about whether within the Treasury Department’s existing authorities to regulate currencies, as this isn’t currency, so you can kind of go down that rabbit hole, is there authority? And if there’s not, if there is okay, then we need to work on what the regulations are. If there’s nothing you need to go get additional authority from Congress that, of course, that from Congress part is the likely source of delay. If it’s the latter case, if it’s the former case, then you’re dealing largely with not only kind of working through the interagency process and ensuring that the needs of all parties in the interagency, so the law enforcement entities, the treasuries of the world, but also then kind of working with industry to come to consensus around what’s the right first move. So do I think it’s going to happen in six months? No. Might it happen in the next two years? Maybe? I think it kind of depends on a number of other factors, including what trajectory do we see ransomware on? Is it getting worse? Is it stabilizing? Is it getting any better? And the second factor, I think, is how quickly would industry work with regulators to come to consensus, assuming there is existing authority to do so? Where is the international community if we I think are able and successful in bringing additional partner nations to the table around this and I think the meeting that happened that the White House convened in October with 30 nations is good signal that there is interest in this, we can also look to kind of what happens with the g7 that we might get to at least the first stage within five years, maybe within two years.

Mitch: But I never want to wager on the lifecycle of regulation or legislation or you hear your inner lawyer coming out. I know wagering on the lifecycle and I understand that but you know, in terms of global policy, or at least partial global policy, you know, two years Five years, that’s kind of lightspeed. Right? I mean, that’s not a bad timeline. Hopefully, it’s even sooner than that. You talked about the public good. And what I want to touch upon a little bit is what drives you personally, in this area. In this arena of cybersecurity, I can share what drives me, but I think I have an idea of where your head is at just given your resume. And you’ve spent a lot of your career dedicated towards helping the public good. And you were part of this task force whose aim was to, again, help the public good, what do you like best about working in this industry? And why do you do what you do?

Megan: Well, I would say at least two things, but probably many more. The first is, it’s, as I kind of described with respect to the people in organizations that came together for the task force, it’s a very collaborative community, I think, and not a hacker in the good sense of the word, but work, I know a lot of them and they are a very amazing group of people, all of them in the in the good space, less so and they sort of criminal space, but the true sort of sense. And the original sense of hackers is people who want to be helpful. And so what motivates me is watching them, oftentimes, you know, out of their own sense of commitment and mission, giving their own time to try and help others understand what’s going on to help protect critical resources.

So really kind of doing what I can, from my background and experience to help them be more effective in their work. I think the second thing is I have a family and want my kids to be protected from bad guys, and bad girls, online and elsewhere. And as we touched on a bit, a lot of the world is going digital. So watch the future of what the policy wonks call information and communications technologies to be safer women. So if I can help contribute in any small way to that, but it’s also a motivation, I think, you know, the third thing is, I have a pretty loyal degree of loyalty to democracy in the way that it has evolved in the United States. I think, certainly, some recent examples are not ones that I am proud of. But I think at its core, and at the end of the day, we have a great opportunity in this country and need to continue to exercise it in a manner that is repeatable and for the benefit, not only of people in our country, but for the world.

Mitch: Thank you for sharing that that was a little bit of a glimpse into your personal mind, which I appreciate. And I kind of have the same mindset when it comes to I really enjoy making the world safer and making the world a better place. And as far as your pointing democracy goes, I had a professor once who told me I’m sure this comes from some religious texts, or is it an excerpt from some sort of religious textbook where much is given much as expected, and I feel like that I personally am kind of in that state. I’ve been really blessed in my life. And I think in the United States, we are really, really blessed. And so I think it’s a good thing to pay that forward, I guess, so to speak. Thank you for that, Megan.

Megan: Thank you again for having me. And thanks for working to help enlighten and educate the community around this issue. It’s really essential one that we get our hands around together, where much is given right.

Mitch: A special thanks to our guest Megan Stifel for her time and insight making this episode.

If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify.

You’ve been listening to Into the Breach, an IBM Production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordain Wallace with audio production by Kieron Banerji. Thanks for venturing Into the Breach.

Mitch Mayne
Editor in Chief, IBM Security X-Force Thought Leadership

Mitch is the Editor in Chief driving IBM Security X-Force thought leadership. He’s also the primary cyber-crisis communication consultant, working directly...
read more

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
Press play to continue listening
00:00 00:00