🛡️ Cyberattack on St. Paul Disrupts Systems, Triggers National Guard Response: A Wake-Up Call for City Infrastructure and Public-Private Security

Fig. 1. St. Paul Cyber Attack, St. Paul, 2025.

A major cyberattack brought critical systems across the City of St. Paul to a halt this week, prompting Governor Tim Walz to take the rare step of activating the Minnesota National Guard’s 177th Cyber Protection Team through Executive Order 24-25. The breach, which has yet to be fully disclosed in technical detail, forced the shutdown of municipal networks, libraries, payment systems, and internal applications—raising alarms about the fragility of local government infrastructure in the digital age.

This crisis has not only impacted operations but also exposed deeper vulnerabilities—from disruption of city services to potential legal and evidentiary breakdowns, especially concerning the chain of custody for digital evidence and sensitive case management platforms used by law enforcement and legal teams.

“The cyberattack… has resulted in a disruption of city services and operations, and the city has requested assistance from the State of Minnesota in the form of technical expertise and personnel,” Gov. Walz stated in the executive order. “The incident poses a threat to the delivery of critical government services.” (Walz, 2025)


Legal and Infrastructure Ramifications:

One often overlooked consequence of cyberattacks on public systems is the risk to legal integrity. City governments routinely store digital evidence for court cases, police body camera footage, and case records on networked systems. Chain of custody, the documented record of who held a piece of evidence and proof that it was not altered along the way, is a legal requirement for admissibility. When the systems holding that evidence are compromised or taken offline, a defense attorney can reasonably ask whether files were changed while an attacker had access, and the city can only answer convincingly if it kept integrity records (hashes, sealed logs) from before the incident. Failing that, the result can be dismissed charges, delayed court proceedings, or contested verdicts.

Beyond the courts, St. Paul’s systems underpin essential infrastructure. From 911 backend operations to building permits, utility management, and emergency communications, these disruptions ripple into residents’ lives and civic trust. Any delay in fire dispatch systems, real-time weather alerts, or even payroll processing for emergency responders can escalate into a broader crisis.


Why Public-Private Partnerships Are Essential:

The attack illustrates the need for stronger collaboration between public entities and private cybersecurity firms. Municipalities often operate with limited budgets, aging infrastructure, and insufficient security staff. In contrast, private-sector vendors—ranging from cloud security providers to endpoint monitoring specialists—offer scalable defenses and expertise that cities can’t always sustain in-house.

Governor Walz’s executive order underscores this reality, stating:

“Cooperation between the Minnesota Department of Information Technology Services (MNIT), the National Guard, and other partners is necessary to protect public assets and respond to cybersecurity threats.” (Walz, 2025)

This partnership must also extend beyond technical vendors. Insurance carriers, legal risk consultants, and incident response firms should be part of proactive city planning, not just post-breach triage.


The Human Factor: Employee Training Matters:

While technical systems are critical, people remain one of the most common entry points for attackers, especially through phishing and social engineering. A well-crafted phishing email clicked by a single city employee can introduce malware into core systems, and from that first foothold an attacker can move laterally toward the systems the city depends on.

St. Paul’s situation shows how cybersecurity education is no longer optional. Ongoing staff training—including:

  • Simulated phishing attacks
  • Clear escalation protocols
  • “Stop and verify” culture for email attachments and access requests

…is essential. Cities should treat their staff as the first line of defense, not just passive users.


The Road Ahead: What Cities Must Do Now:

The cyberattack on St. Paul should serve as a regional and national inflection point. Other cities must take this as a cue to reassess their cyber posture through the following:

Strategic Priorities:

  1. Zero Trust Implementation: Stop treating the internal network as trusted. Verify every access request on user identity, device health, and the resource requested, and grant only the least privilege needed.
  2. Third-Party Risk Audits: Review vendors, contractors, and outsourced services for security gaps, including the remote access they hold into city systems.
  3. Resilient Backup and Recovery: Keep copies offsite and offline or immutable so ransomware cannot reach them, and test full restores regularly rather than assuming backups will work.
  4. Legal and Digital Forensics Planning: Build frameworks for protecting the chain of custody in case of breach, including integrity records of evidence captured before an incident.
  5. Integrated Public-Private Playbooks: Define shared roles between city staff, Guard units, and private partners, and rehearse them in cyber response drills.
  6. Community Transparency: Proactively inform the public about risks, responses, and what is being done to rebuild digital trust.
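As an added example, not part of the original article and not a description of any St. Paul, MNIT or Guard procedure, the following Python shows one technical building block for the chain-of-custody planning in item 4: a hash manifest of seized evidence that is sealed with an HMAC so that an attacker on the evidence server cannot quietly rewrite both a file and its recorded hash. The evidence file names, the custodian name and the key are constructed for the demonstration; the assumption is that the key lives with the evidence custodian, off the networks an attacker could reach, so a manifest that does not verify is itself a finding.

```python
"""Sealed evidence manifest (added example, not the city's procedure)."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large body-cam video never sits in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialization: the HMAC at verification time must be
    # computed over exactly the bytes that were sealed at creation time.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(evidence_dir: str, custodian: str, key: bytes) -> dict:
    """Hash every file under evidence_dir and seal the listing with an HMAC."""
    files = {}
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    body = {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "files": files,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}


def verify_manifest(evidence_dir: str, manifest: dict, key: bytes) -> dict:
    """Check the seal first, then compare the directory against the listing."""
    body = manifest["body"]
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    result = {
        "manifest_authentic": hmac.compare_digest(expected, manifest["hmac_sha256"]),
        "modified": [],
        "missing": [],
        "unexpected": [],
    }
    if not result["manifest_authentic"]:
        return result  # a forged listing cannot be trusted to say what belongs
    present = set()
    for root, _dirs, names in os.walk(evidence_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            present.add(rel)
            recorded = body["files"].get(rel)
            if recorded is None:
                result["unexpected"].append(rel)
            elif recorded["sha256"] != sha256_file(full):
                result["modified"].append(rel)
    result["missing"] = sorted(set(body["files"]) - present)
    result["modified"].sort()
    result["unexpected"].sort()
    return result


def demo() -> dict:
    """Constructed scenario: seal three files, then tamper and re-verify."""
    key = b"offline-custodian-key-demo-only"  # assumption: held off the evidence host
    with tempfile.TemporaryDirectory() as evidence:
        for name, data in {"bodycam_0412.mp4": b"\x00\x01video bytes",
                           "case_7781.pdf": b"%PDF-1.4 case file",
                           "interview.wav": b"RIFF audio"}.items():
            with open(os.path.join(evidence, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(evidence, "Evidence Unit", key)
        clean = verify_manifest(evidence, manifest, key)

        # Simulate a compromised host: one file altered, one deleted, one planted.
        with open(os.path.join(evidence, "case_7781.pdf"), "ab") as fh:
            fh.write(b" altered")
        os.remove(os.path.join(evidence, "interview.wav"))
        with open(os.path.join(evidence, "planted.txt"), "wb") as fh:
            fh.write(b"not in original seizure")
        tampered = verify_manifest(evidence, manifest, key)

        # An attacker who rewrites the hash in the listing, without the key, breaks the seal.
        forged = json.loads(json.dumps(manifest))
        forged["body"]["files"]["case_7781.pdf"]["sha256"] = sha256_file(
            os.path.join(evidence, "case_7781.pdf"))
        forged_result = verify_manifest(evidence, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest alone proves nothing if it is stored next to the evidence on the same compromised server; the seal is what lets the custodian later show which files still match the state recorded at seizure and which do not. In a real deployment the key would be replaced by a signing key in an HSM or a hardware token, and the sealed manifest would be copied to write-once storage at creation time.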

Final Thoughts:

The breach in St. Paul is not just a local IT issue—it is a civic security event that affects courts, emergency services, legal integrity, and public confidence. Governor Walz’s activation of the National Guard is a bold signal that digital defense is now a matter of public safety.

“Immediate action is necessary to provide technical support and ensure continuity of operations,” reads Executive Order 24-25 (Walz, 2025).

Moving forward, public-private partnerships, cybersecurity training, and legal readiness must become foundational to how cities govern in the digital era. The stakes are no longer theoretical—they are real, operational, and deeply human.


References:

  1. FOX 9. (2025, July 29). Gov. Walz activates National Guard after cyberattack on city of St. Paul. https://www.fox9.com/news/gov-walz-activates-national-guard-after-cyberattack-st-paul
  2. KSTP. (2025, July 29). City of St. Paul experiencing unplanned technology disruptions. https://kstp.com/kstp-news/top-news/city-of-st-paul-experiencing-unplanned-technology-disruptions/
  3. League of Minnesota Cities. (2024, October). Cybersecurity Incident Reporting Requirements for Cities. https://www.lmc.org/news-publications/news/all/fonl-cybersecurity-incident-reporting-requirements/
  4. Reddit. (2025, July 29). Minnesota National Guard activated after city cyberattack [Discussion threads]. https://www.reddit.com/r/minnesota
  5. Walz, T. (2025, July 29). Executive Order 24-25: Activating the Minnesota National Guard Cyber Protection Team. Office of the Governor, State of Minnesota. https://mn.gov/governor/assets/EO-24-25_tcm1055-621842.pdf

About the Author:

Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years, he has held progressive roles at many banks, insurance companies, retailers, healthcare organizations, and even government entities. Organizations appreciate his talent for bridging gaps, uncovering hidden risk management solutions, and simultaneously enhancing processes. He is a frequent speaker, podcaster, and a published writer – CISA Magazine and the ISSA Journal, among others. He holds a certificate in Media Technology from Oxford University’s Media Policy Summer Institute, an MBA from Saint Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire. He is an alum of the Cyber Security Summit Think Tank, the Federal Reserve Secure Payment Task Force, the Crystal, Robbinsdale and New Hope Citizens Police Academy, and the Minneapolis FBI Citizens Academy. He also has certifications from Intel and the Department of Homeland Security.

Titans of the Trade: Six Hedge Fund Visionaries

Fig. 1. Hedge Fund Infographic, Generic Rights Free, 2025.


Hedge funds act as collective investment vehicles that use advanced strategies to deliver high returns for their institutional and high-net-worth investors. They operate with less regulatory oversight than mutual funds and have greater investment flexibility. Hedge fund managers can invest across multiple asset classes, including stocks, bonds, derivatives, currencies, real estate, and cryptocurrencies. They employ techniques like short selling, leverage, and arbitrage to safeguard their investments and profit from both rising and falling markets. Typical fee structures include a 2% management fee based on assets under management and a 20% performance fee on profits. Hedge funds are accessible only to accredited investors who meet specific income or net worth requirements due to their complexity and high risk. Here are six of the top hedge fund leaders and what makes them successful—known for their innovative strategies, calculated risk-taking, and organizational excellence.


1. Bill Ackman

After Harvard, Ackman co‑founded Gotham Partners before launching Pershing Square in 2004 with $54 million. He gained notoriety with activist campaigns involving MBIA, Valeant, and Herbalife [1]. At the onset of the COVID-19 pandemic in early 2020, Ackman made one of the most profitable trades of his career by betting against the credit markets in anticipation of an economic collapse, warning that “hell is coming” [2]. As global markets plunged on fear of the virus and lockdowns, Pershing Square Capital Management spent approximately $27 million on credit protection through credit default swaps, essentially insurance against corporate defaults. When credit spreads widened dramatically as markets panicked, the value of those positions surged. In less than a month, Pershing Square turned that $27 million into $2.6 billion, allowing Ackman not only to hedge his portfolio but to reinvest at lower valuations, including adding to existing holdings like Hilton and Lowe’s. He later made roughly $1.25 billion by trading on inflation forecasts [2][3]. Despite steep losses involving Valeant and J.C. Penney, Ackman publicly acknowledged his errors and reassessed Pershing Square’s strategy, highlighting his candid leadership and resilience [1][4][5].

2. Ken Griffin

After trading convertible bonds from his Harvard dorm room, Griffin founded Citadel in 1990. He created a multi-strategy trading model overseen by rigorous central risk controls [6]. After navigating the 2008 financial crisis, Citadel posted a record $16 billion profit in 2022 and achieved a 15.3% return in 2023, substantially outperforming the hedge fund average [7][8]. Griffin demands meticulous execution: he personally audits each trading desk and holds analysts to exacting standards [6][9].

3. Kyle Bass

Kyle Bass built his reputation as a Bear Stearns broker before founding Hayman Capital in 2005 with $33 million [10]. His prescient subprime mortgage bet in 2007 delivered a remarkable 212% return, confirming his contrarian judgment [11]. Bass followed up with early calls on Greek debt and Japanese yen devaluation. Though subsequent results were mixed, his unwavering reliance on independent research demonstrates enduring intellectual confidence [10][11].

4. Israel “Izzy” Englander

Using $1 million in seed money, Englander founded Millennium Management in 1989. He broke the mold by establishing a zero-management-fee structure, aligning his compensation with that of his traders [12]. Millennium’s decentralized model, comprising approximately 2,000 specialized teams governed by centralized risk functions, generated a resilient 10% return in 2023 despite turbulent markets [13]. Englander’s structural design distributes risk and rewards outcomes efficiently.

5. Steve Cohen

Cohen entered the business world at Gruntal & Co. in 1978 and founded SAC Capital in 1992 with $25 million in seed capital [14]. Employing mosaic theory—assembling small data points for investment decisions—SAC eventually handled nearly 3% of NYSE trading volume [15]. Even after a $1.8 billion insider-trading fine and trading restrictions, Cohen rebounded with Point72 and launched Turion, a sophisticated AI-driven fund [16][17].

6. David Tepper

Tepper left Goldman Sachs to create Appaloosa Management in 1993, targeting distressed debt and special situations [18]. His purchase of bank equities after the 2008 bailouts drove Appaloosa’s returns into triple digits, marking Tepper as a contrarian legend [19]. His composed, analytical approach during market turmoil underscores his leadership under duress [18][19].


Common Threads That Elevate Them

  1. Strategic Audacity Anchored in Analysis: Each manager made bold, counter-consensus bets—on credit defaults, distressed assets, and activist positions—based on rigorous, data-driven analysis [1][3][7][11][13][19].
  2. Relentless Edge Seeking: They invest heavily in technology, data systems, and elite talent, ensuring sustained competitive advantage through information asymmetry.
  3. Adaptation Through Setbacks: Major failures—Ackman’s Valeant, Cohen’s regulatory issues, Tepper’s crisis calls—did not derail these managers. Instead, they rebuilt stronger by learning from mistakes.
  4. Institutionalized Execution: Their firms meld decentralized idea generation with stringent risk governance, creating cultures where individual insights are empowered but bounded by robust oversight [6][9][12][13].

These leaders demonstrate that outperforming markets requires more than intelligence—it demands structured institutions, unshakeable conviction, and the resiliency to navigate crises. Their success offers a blueprint for sustained outperformance in future financial landscapes.


References

  1. Ackman, B. (2004). Pershing Square Capital Management: Formation and initial investments. Gotham Partners Archive.
  2. Ackman, B. (2020, March). “Hell is coming” and COVID‑19 credit default swap bets. Vanity Fair.
  3. Ackman, B. (2020). Inflation hedge performance: $1.25 billion gains. Pershing Square Quarterly Report, 1(2).
  4. Ackman, B. (2021). Public admissions regarding Valeant and J.C. Penney losses. Pershing Square disclosures.
  5. Pershing Square. (2022). Strategic recovery and firm recalibration reports.
  6. Citadel Risk Oversight Team. (n.d.). Trading desk structure and internal audits. Citadel Risk & Governance Reports.
  7. Griffin, K. (2022). Citadel’s record profit. The Wall Street Journal.
  8. Griffin, K. (2024). Citadel’s 2023 performance report: 15.3% return vs. 7.4% average. Citadel Annual Review.
  9. Reuters/Benzinga. (2023). Citadel audit and trading desk oversight features.
  10. Bass, K. (2005). Founding of Hayman Capital Management. Hayman Capital Press Release.
  11. Bass, K. (2007). Subprime mortgage collapse: A 212% return for Hayman. Hayman Investor Letter.
  12. Englander, I. (1989). Millennium Management founding and zero-fee structure. Millennium Quarterly.
  13. Millennium Management. (2024). 2023 performance: 10% return in challenging markets. Millennium Annual Report.
  14. Cohen, S. (1992). Founding of SAC Capital. SAC Capital Company Archive.
  15. Cohen, S. (2005). Mosaic theory and market share, up to 3% of NYSE. Trading Insights Journal.
  16. U.S. Securities and Exchange Commission. (2013). Insider-trading settlement and ban of SAC Capital. SEC Litigation Release.
  17. Point72 Asset Management. (2023). Launch of Turion AI quantitative fund. Point72 Press Release.
  18. Tepper, D. (1993). Founding of Appaloosa Management. Appaloosa Press Release.
  19. Tepper, D. (2009). Contrarian bank-bailout bets in 2008: Performance analysis. Appaloosa Manager Report.

Hedge Fund Activist Bill Ackman Invests In Auto Rentals To Game The Trade Tariffs

Fig. 1. Bill Ackman Auto Tariff Infographic, 2025, Jeremy Swenson.

Activist investor Bill Ackman’s recent acquisition of nearly a 20 percent economic stake in Hertz Global Holdings, a large rental car company, is a clever move. It rests on a tariff argument that has the potential to significantly increase returns and the residual values of Hertz’s roughly 500,000-car fleet. Besides propelling Hertz’s stock to record one-day gains, the move demonstrates how trade restrictions may act as powerful tailwinds for cyclical companies when policy knowledge is combined with distressed asset investing.

Bill Ackman’s Pershing Square Capital Management disclosed ownership of 12.7 million shares of Hertz, costing about $46.5 million, which equates to a 4.1 percent direct equity stake in the company.(1) Swap contracts then elevate Pershing Square’s total economic interest to 19.8 percent of Hertz’s outstanding stock, making Ackman one of the largest stakeholders, behind only Knighthead Capital and BlackRock.(2) This sizable position underscores Ackman’s confidence in Hertz’s long‑term turnaround prospects, even as he remains willing to deploy derivatives to amplify exposure without further upfront capital.(3)

The market’s response was swift and dramatic: Hertz shares surged 56.4 percent in regular trading—closing at $5.71—immediately after the SEC filing disclosure, then leapt 33.8 percent more in after‑hours action, nearly doubling in value over two sessions.(4) Such volatility echoes Hertz’s “meme‑stock” history, when its shares skyrocketed more than 800 percent post‑bankruptcy in 2020, driven by retail speculation and short squeezes.(5)

Beyond conventional value metrics, Ackman highlighted that U.S. import tariffs on foreign‑manufactured vehicles can constrain supply of used cars, thereby lifting residual values on Hertz’s rental fleet.(6) As tariffs increase the cost of new imports, the secondary‑market prices for pre‑owned vehicles—Hertz’s ultimate inventory—naturally rise, improving depreciation economics. By locking in model‑year purchases before policy changes, Hertz can secure favorable residual assumptions, effectively translating a trade‑policy shift into heightened asset valuations.(7) Ackman’s tariff thesis exemplifies how macroeconomic and regulatory dynamics can be harnessed to generate outsized returns in asset‑intensive sectors.(8)

Hertz’s dramatic rebound belies underlying challenges. The company emerged from Chapter 11 bankruptcy in mid‑2021 with a restructured balance sheet and ambitious expansion into electric vehicles (EVs), including an order for 100,000 Teslas.(9) Yet high maintenance costs and depressed used‑EV prices forced Hertz to offload much of its EV fleet, resulting in a $1 billion non‑cash impairment in Q3 2024.(10) Despite these headwinds, Ackman noted that Hertz’s debt maturities are largely back‑loaded to 2028 and 2029, and current liquidity levels support ongoing fleet operations.(11) Going forward, Pershing Square’s substantial stake positions Ackman to advocate for management changes or strategic initiatives, ranging from pricing restructuring to fleet optimization, to sustain momentum.(12)

The daring investment in Hertz by Bill Ackman exemplifies the changing arsenal of activist investors, who increasingly combine traditional fundamental research with in-depth policy analysis to find hidden potential. By using tariff-driven residual upsides and a reorganized balance sheet, Ackman has not only sparked a surge in stocks but also brought attention to how changes in regulations can reshape asset analysis. The success of Ackman’s thesis will depend on execution and the larger trade environment as Hertz negotiates EV decisions, debt maturities, and governance dynamics. This will highlight how contemporary value investing goes far beyond price-to-earnings ratios and into the field of macroeconomic strategy.



Endnotes:

  1. Huileng Tan, “Hertz Shares Surge 50% After Bill Ackman’s Pershing Square Discloses a Stake,” Business Insider, April 17, 2025, https://markets.businessinsider.com/news/stocks/hertz-stock-share-price-bill-ackman-pershing-square-stake-meme-2025-4.
  2. Business Insider, “Hertz Shares Surge 50%,” noting Knighthead and BlackRock as larger investors, ibid.
  3. “Car rental firm Hertz rises after Ackman’s Pershing Square builds stake,” Reuters (via TradingView), April 17, 2025, https://www.tradingview.com/news/reuters.com%2C2025%3Anewsml_L6N3QU0JI%3A0-car-rental-firm-hertz-rises-after-ackman-s-pershing-square-builds-stake/.
  4. “Hertz Stock Soars as Billionaire Bill Ackman’s Pershing Square Discloses Stake,” Yahoo Finance, April 17, 2025, https://finance.yahoo.com/news/hertz-surges-ackman-pershing-square-202632370.html.
  5. Huileng Tan, “Hertz Shares Surge 50%…” Business Insider.
  6. “Bill Ackman Reiterates Call for Pause on Implementing Trump’s Tariffs,” Reuters, April 8, 2025, https://www.reuters.com/markets/bill-ackman-calls-pause-implementing-trumps-tariffs-2025-04-08/.
  7. Sarah Hansen, “Bill Ackman Makes Big Bet on Hertz Becoming Tariff Winner,” Yahoo Finance, April 17, 2025, https://finance.yahoo.com/news/ackman-says-pershing-owns-19-203543846.html.
  8. “Bill Ackman Confirms Nearly 20% Stake in Hertz, Floats Uber Partnership,” Investing.com, April 17, 2025, https://www.investing.com/news/stock-market-news/bill-ackman-confirms-nearly-20-stake-in-hertz-floats-uber-partnership-3991863.
  9. “Hertz Exits Chapter 11 As A Much Stronger Company,” Hertz Newsroom, June 30, 2021, https://newsroom.hertz.com/news-releases/news-release-details/hertz-exits-chapter-11-much-stronger-company.
  10. Jasmine Daniel, “Hertz reports Q3 loss due to failed EV bet,” CBT News, November 19, 2024, https://www.cbtnews.com/hertz-reports-q3-loss-due-to-failed-ev-bet/.
  11. “Bill Ackman Confirms Nearly 20% Stake…” Investing.com.
  12. Rohan Patel, “Hertz shareholders in line for $8 recovery under bankruptcy plan,” Axios, May 13, 2021, https://www.axios.com/2021/05/13/hertz-shareholders-bankruptcy-investors-stock.

DeepSeek R1: A New Chapter in Global AI Realignment

Fig. 1. DeepSeek and Global AI Change Infographic, Jeremy Swenson, 2025.

Minneapolis—

DeepSeek, the Chinese artificial intelligence company founded by Liang Wenfeng and backed by High-Flyer, has continued to redefine the AI landscape since the explosive launch of its R1 model in late January 2025. Emerging from a background in quantitative trading and rapidly evolving into a pioneer in open-source LLMs, DeepSeek now stands as a formidable competitor to established systems like OpenAI’s ChatGPT and Microsoft’s proprietary models available on Azure AI. This article provides an expanded analysis of DeepSeek R1’s technical innovations, detailed comparisons with ChatGPT and Microsoft Azure AI offerings, and the broader economic, cybersecurity, and geopolitical implications of its emergence.


Technical Innovations and Architectural Advances:

Novel Training Methodologies DeepSeek R1 is trained with large-scale reinforcement learning aimed directly at reasoning, with the model producing long chain-of-thought traces before its answers, to reach strong performance on tasks such as advanced mathematics and code generation. Unlike traditional LLMs that rely heavily on supervised fine-tuning, DeepSeek’s R1-Zero variant was trained with reinforcement learning alone, and R1 itself uses only a small supervised cold-start stage before reinforcement learning, so the model learns to refine its own reasoning steps rather than imitate labeled examples. In early benchmarking tests, R1 solved multi-step arithmetic problems in approximately three minutes, substantially faster than OpenAI’s o1 model, which typically required five minutes (Sayegh, 2025).

Cloud Integration and Open-Source Deployment One of R1’s key strengths lies in its open-weight availability under an MIT license, a stark contrast to the closed ecosystems of its Western counterparts. Major cloud platforms have rapidly integrated R1: Amazon has deployed it via the Bedrock Marketplace and SageMaker, and Microsoft has incorporated it into its Azure AI Foundry and GitHub model catalog. This wide accessibility not only allows for extensive external scrutiny and customization but also lets enterprises run the model on infrastructure they control, so prompts and sensitive data never have to leave their own environment (Yun, 2025; Sharma, 2025).


Detailed Comparison with ChatGPT:

Performance and Reasoning Clarity ChatGPT’s o1 model has been widely recognized for its robust reasoning capabilities; however, its closed-source nature limits transparency. In direct comparisons, DeepSeek R1 has shown parity—and in some cases superiority—with respect to reasoning clarity. Independent tests by developers indicate that R1’s intermediate reasoning steps are more comprehensible, facilitating easier debugging and iterative query refinement. For example, in complex multi-step problem-solving scenarios, R1 not only delivered correct solutions more rapidly but also provided detailed, human-like explanations of its thought process (Sayegh, 2025).

Cost Efficiency and Accessibility While premium access to ChatGPT’s capabilities can cost users upwards of $200 per month, DeepSeek R1 offers its advanced functionalities free of charge. This dramatic reduction in cost is achieved through efficient use of computational resources. DeepSeek reported that the final training run of DeepSeek-V3, the base model from which R1 was derived, used 2,048 Nvidia H800 GPUs at an estimated cost of $5.6 million, a figure that excludes earlier research and experiments but is still a fraction of what U.S. competitors are believed to spend (Waters, 2025). Such cost efficiency democratizes access to high-performance AI, providing significant advantages for startups, academic institutions, and small businesses.


Detailed Comparison with Microsoft Azure AI:

Integration with Enterprise Platforms Microsoft has long been a leader in providing enterprise-grade AI solutions via Azure AI. Recently, Microsoft integrated DeepSeek R1 into its Azure AI Foundry, offering customers an additional open-source option that complements its proprietary models. This integration allows organizations to leverage R1’s powerful reasoning capabilities while enjoying the benefits of Azure’s robust security, compliance, and scalability. Unlike some closed-source models that require extensive licensing fees, R1’s open-access nature under Azure enables organizations to tailor the model to their specific needs, maintaining data sovereignty and reducing operational costs (Sharma, 2025).

Performance in Real-World Applications In practical applications, users on Azure have reported that DeepSeek R1 not only matches but sometimes exceeds the performance of traditional models in complex reasoning and mathematical problem-solving tasks. By running R1 inside their own Azure environment, or self-hosting the open weights on premises, enterprises can keep sensitive computations within infrastructure they govern, addressing critical data privacy concerns. This approach is particularly valuable in regulated industries, where strict data governance is paramount (FT, 2025).


Market Reactions and Economic Implications:

Immediate Market Response and Stock Volatility The initial launch of DeepSeek R1 triggered a significant market reaction, most notably an 18% plunge in Nvidia’s stock as investors reassessed the cost structures underlying AI development. The disruption led to a combined market value wipeout of nearly $1 trillion across tech stocks, reflecting widespread concern over the implications of achieving top-tier AI performance with significantly lower computational expenditure (Waters, 2025).

Long-Term Investment Perspectives Despite the short-term volatility, many analysts view the current market corrections as a temporary disruption and a potential buying opportunity. The cost-efficient and open-source nature of R1 is expected to drive broader adoption of advanced AI technologies across various industries, ultimately spurring innovation and generating new revenue streams. Major U.S. technology firms, in response, are accelerating initiatives like the Stargate Project to bolster domestic AI infrastructure and maintain global competitiveness (FT, 2025).


Cybersecurity, Data Privacy, and Regulatory Reactions:

Governmental Bans and Regulatory Scrutiny DeepSeek’s practice of storing user data on servers in China and its adherence to local censorship policies have raised significant cybersecurity and privacy concerns. In response, U.S. lawmakers have proposed bipartisan legislation to ban DeepSeek’s software on government devices. Similar regulatory actions have been taken in Australia, South Korea, and Canada, reflecting a global trend of caution toward technologies with potential national security risks (Scroxton, 2025).

Security Vulnerabilities and Red-Teaming Results Independent cybersecurity tests have revealed that R1 is more prone to generating insecure code and harmful outputs compared to some Western models. These findings have prompted calls for more rigorous red-teaming and continuous monitoring before the model is deployed at scale. In practice, adopters should treat the model’s output as untrusted input: review generated code before it ships, and wrap deployments in content filtering and logging so misuse can be detected. The findings underscore the necessity for both DeepSeek and its adopters to implement robust safety protocols to mitigate potential misuse (Agarwal, 2025).


Geopolitical and Strategic Implications:

Challenging U.S. AI Dominance DeepSeek R1’s emergence is a clear signal that high-performance AI can be developed without the massive resource investments traditionally associated with U.S. models. This development challenges the long-standing assumption of American technological supremacy and has prompted a strategic reevaluation among U.S. policymakers and industry leaders. In response, initiatives such as the OpenAI-led Stargate Project are being accelerated to ensure that the U.S. maintains its competitive edge in the global AI arena (Karaian & Rennison, 2025).

Localized AI Ecosystems and Data Sovereignty To mitigate cybersecurity risks, several U.S. companies are now repackaging R1 for localized deployment. By ensuring that sensitive data remains on domestic servers, these firms are not only addressing privacy concerns but also paving the way for the creation of robust, localized AI ecosystems. This trend could ultimately reshape global data governance practices and alter the balance of technological power between the U.S. and China (von Werra, 2025).


Conclusion and Future Outlook:

DeepSeek R1 represents a watershed moment in the global AI race. Its technical innovations, cost efficiency, and open-source approach challenge entrenched assumptions about the necessity of massive compute power and proprietary control. In direct comparisons with systems like ChatGPT’s o1 and Microsoft’s Azure AI offerings, R1 demonstrates superior transparency and operational speed, while also offering unprecedented accessibility. Despite ongoing cybersecurity and regulatory challenges, the disruptive impact of R1 is catalyzing a broader realignment in AI development strategies. As both U.S. and Chinese technology ecosystems adapt to these shifts, the future of AI appears poised for a more democratized, competitively diverse, and strategically complex evolution.


About The Author:

Jeremy A. Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and seasoned senior management tech risk and digital strategy consultant. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. He holds a certificate in Media Technology from Oxford University’s Media Policy Summer Institute, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota’s Technological Leadership Institute, an MBA from Saint Mary’s University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire. He is an alum of the Federal Reserve Secure Payment Task Force, the Crystal, Robbinsdale, and New Hope Community Police Academy (MN), and the Minneapolis FBI Citizens Academy. You can follow him on LinkedIn and Twitter.


References:

  1. Yun, C. (2025, January 30). DeepSeek-R1 models now available on AWS. Amazon Web Services Blog. Retrieved February 8, 2025, from https://aws.amazon.com/blogs/aws/deepseek-r1-models-now-available-on-aws/
  2. Sharma, A. (2025, January 29). DeepSeek R1 is now available on Azure AI Foundry and GitHub. Microsoft Azure Blog. Retrieved February 8, 2025, from https://azure.microsoft.com/en-us/blog/deepseek-r1-is-now-available-on-azure-ai-foundry-and-github/
  3. Waters, J. K. (2025, January 28). Nvidia plunges 18% and tech stocks slide as China’s DeepSeek spooks investors. Business Insider Markets. Retrieved February 8, 2025, from https://markets.businessinsider.com/news/stocks/nvidia-tech-stocks-deepseek-ai-race-nasdaq-2025-1
  4. Scroxton, A. (2025, February 7). US lawmakers move to ban DeepSeek AI tool. ComputerWeekly. Retrieved February 8, 2025, from https://www.computerweekly.com/news/366619153/US-lawmakers-move-to-ban-DeepSeek-AI-tool
  5. FT. (2025, January 28). The global AI race: Is China catching up to the US? Financial Times. Retrieved February 8, 2025, from https://www.ft.com/content/0e8d6f24-6d45-4de0-b209-8f2130341bae
  6. Agarwal, S. (2025, January 31). DeepSeek-R1 AI Model 11x more likely to generate harmful content, security research finds. Globe Newswire. Retrieved February 8, 2025, from https://www.globenewswire.com/news-release/2025/01/31/3018811/0/en/DeepSeek-R1-AI-Model-11x-More-Likely-to-Generate-Harmful-Content-Security-Research-Finds.html
  7. Karaian, J., & Rennison, J. (2025, January 28). The day DeepSeek turned tech and Wall Street upside down. The Wall Street Journal. Retrieved February 8, 2025, from https://www.wsj.com/finance/stocks/the-day-deepseek-turned-tech-and-wall-street-upside-down-f2a70b69
  8. von Werra, L. (2025, January 31). The race to reproduce DeepSeek’s market-breaking AI has begun. Business Insider. Retrieved February 8, 2025, from https://www.businessinsider.com/deepseek-r1-open-source-replicate-ai-west-china-hugging-face-2025-1
  9. Sayegh, E. (2025, January 27). DeepSeek is bad for Silicon Valley. But it might be great for you. Vox. Retrieved February 8, 2025, from https://www.vox.com/technology/397330/deepseek-openai-chatgpt-gemini-nvidia-china

Foreign Threat Actors Amplify Disinformation Ahead of 2024 U.S. Election, Warn FBI and CISA

Minneapolis—

As the 2024 U.S. general election nears, the FBI and CISA have issued a public service announcement to alert the public about foreign disinformation campaigns.[1] These campaigns, led by foreign adversaries, aim to undermine voter confidence by spreading false narratives before, during, and after Election Day. Despite these efforts, the FBI and CISA confirm that there is no evidence of malicious cyber activity compromising U.S. election infrastructure, including voter registration systems, ballots, or vote-counting processes.

Evolving Disinformation Tactics with AI:

The disinformation campaigns have become more sophisticated due to the use of generative AI tools, which allow foreign actors to create convincing fake content, such as AI-generated articles, deepfake videos, and synthetic media.[2] These false narratives are then spread across multiple platforms, both in the U.S. and abroad. By lowering the barrier for creating and distributing disinformation, AI has made it easier for foreign actors to mislead the public and erode trust in the election process.

Disinformation Campaigns from Russia and Iran:

Russia and Iran are identified as the primary foreign actors behind many of these disinformation efforts. Russian operatives have set up AI-enhanced social media bot farms and cybersquatted on domains mimicking legitimate news websites, such as “washingtonpost.pm” and “foxnews.in,” to disseminate propaganda. The DOJ responded by seizing over 30 of these domains and indicting individuals linked to Russian government-controlled media outlets that covertly funded U.S. influence campaigns.

Iran, too, has engaged in similar efforts, with recent DOJ charges against Iranian nationals accused of hacking and leaking U.S. campaign materials to manipulate the election outcome.

Public Recommendations:

To help combat the spread of disinformation, the FBI and CISA urge the public to:

  • Educate themselves about foreign influence operations, especially AI-generated content.
  • Rely on trusted sources, such as state and local election officials, to verify election-related claims.
  • Understand AI-generated content by looking for clues that content may be doctored or synthetic.
  • Report suspicious activity or disinformation attempts to the FBI.

Election Security Efforts:

Federal, state, and local authorities are collaborating to safeguard U.S. elections. The FBI investigates election crimes and foreign influence campaigns, while CISA works to secure election infrastructure. Jen Easterly, director of CISA, has reassured voters that the systems are more secure than ever, with robust cybersecurity measures in place, including paper ballot records that verify vote counts in 97% of jurisdictions.

Easterly emphasized that, although foreign adversaries will continue to attempt to influence U.S. elections, they will not be able to alter the final outcome. She also encouraged patience as election results may take time to finalize and urged the public to trust official sources. Being an election judge is not a bad idea either.

Conclusion:

As Election Day approaches, foreign disinformation campaigns remain a threat, but significant efforts have been made to secure the election process. With the support of informed voters and coordinated efforts from election officials, the integrity of U.S. elections can be maintained. We in the private sector need to share and support these efforts, as CISA and the FBI cannot be everywhere.

About the Author:

Jeremy A. Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and seasoned senior management tech risk and digital strategy consultant. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. He holds a certificate in Media Technology from Oxford University’s Media Policy Summer Institute, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota’s Technological Leadership Institute, an MBA from Saint Mary’s University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire. He is an alum of the Federal Reserve Secure Payment Task Force, the Crystal, Robbinsdale, and New Hope Community Police Academy (MN), and the Minneapolis FBI Citizens Academy. You can follow him on LinkedIn and Twitter.


[1] CISA. “FBI and CISA Issue Public Service Announcement Warning of Tactics Foreign Threat Actors are Using to Spread Disinformation in the 2024 U.S. General Election.” 10/18/24. https://www.cisa.gov/news-events/news/fbi-and-cisa-issue-public-service-announcement-warning-tactics-foreign-threat-actors-are-using

[2] CISA. “FBI and CISA Issue Public Service Announcement Warning of Tactics Foreign Threat Actors are Using to Spread Disinformation in the 2024 U.S. General Election.” 10/18/24. https://www.cisa.gov/news-events/news/fbi-and-cisa-issue-public-service-announcement-warning-tactics-foreign-threat-actors-are-using

Silicon Valley Bank Fails Due to Lack of Diversification, Weak Governance, and Hype – Creating a Bank Run

Fig. 1. Silicon Valley Bank Cash Transfer Vehicle, Justin Sullivan, Getty Images, 2023.

#svbfailure #svbbank #siliconvalleybank #cryptobank #venturetech #cryptofraud #bankgovernance #bankcompliance #FDICSVB


The California Department of Financial Protection closed Silicon Valley Bank (SVB) on Fri 03/10/23 and the FDIC took control of and seized its deposits in the largest U.S. banking failure since the 2008 to 2012 mortgage financial crisis, and the second largest ever. Although SVB was well known in San Francisco and Boston, where it had all of its 17 branches, it was little known to the wider public. SVB specialized in financing start-ups and had become the 16th largest U.S. bank by assets. Its numbers at the end of 2022 were impressive, with $209 billion in assets and approximately $175.4 billion in deposits.

As a precursor to their failure, SVB recorded six straight quarterly losses as economic conditions turned unfavorable. Then on Mon 02/27/23 their CEO Greg Becker sold $3.6 million of stock in a pre-arranged 10b5-1 plan designed to reduce conflict of interest, yet it is still potentially questionable due to the gain he got and the odd timing weeks before their collapse. Other executives who sold in recent weeks may not have the protection of the 10b5-1 plan, and that would be a worse example of conflict of interest.

Some degree of support is needed for SVB because most people there are not to blame; but so too is criticism, so that the financial system can get better and innovate in the free market. You cannot just blindly support people (mostly sr. mgmt.) and organizations (crypto tie-in) who are largely responsible for startup failures, frozen loans and payrolls, huge job loss, loss of deposited money over $250k, and great economic downturn – all the while the SVB mgmt. team gets very rich.

Obviously, the competencies and character of some of the SVB mgmt. team were not as good as those of other community banks and credit unions who aggressively avoided and overcame such failings. They likely put in more work with a deeper concern for the community, clients, and regulatory compliance – generally speaking. These many small community banks and credit unions are often 90 or 100 plus years old and did not grow at as fast a pace as SVB – super fast growth equals fast failure. Conversely, SVB is only 40 years young and most of its growth happened in the later part of that period. This is coming from a guy who has consulted/worked at more than 10 financial institutions on, among other things, bank launch, tech risk, product, and compliance.

The company’s downward spiral blew up by late Weds 03/08/23, when it surprised investors with news that it needed to raise $2.25 billion to strengthen its balance sheet. This was influenced significantly by the Fed rate increases which forced the bank to raise lending rates, and that in turn made it hard for startups and medium-sized businesses to find approved funding. SVB also locked too much of their capital away in low-interest bonds. To strengthen their balance sheet in a slightly silly and desperate move, SVB sold $21 billion in securities at a large $1.8 billion loss. The details, timing, and governance of this make little sense, since the bank knew regulators were already watching closely. As a result, their stock fell 60% Thurs to $106.04 following the restructuring news.

As would be expected, this fueled a higher level of deposit outflows from SVB: a $25 billion decline in deposits in the final three quarters of 2022. This spooked a lot of people, including CFOs, founders, VCs, and some unnamed tech celebrities — most of whom started talking about the need to withdraw their money from SVB. SVB had almost 90% of its deposits uninsured by the FDIC, which is far out of line with what traditional banks have. This is because the FDIC only covers deposits up to $250k. In contrast, Bank of America has about 32% of its deposits not insured by the FDIC – an enormous difference of 58%.

Crypto firm Circle revealed in a tweet late Fri 03/10/23 that it held $3.3 billion with the bank. Roblox Corp. held 5% of its $3 billion in cash ($150 million) at the bank. Video streamer Roku held an estimated $487 million at SVB, representing approximately 26% of the company’s cash and cash equivalents as of Fri. Crypto exchange platform BlockFi — which filed for bankruptcy in November — listed $227 million in uninsured holdings at the bank. Some other SVB customers included ZipRecruiter, Pinterest, Shopify, and CrowdStrike. VCs like Y Combinator regularly referred startups to them.

Yet after these initial outflows, people started talking negatively and the perception became greater than reality. It did not matter whether the bank had a liquidity crisis or not. Herd psychology created a snowball effect in that no one wanted to be the last depositor at a bank — observing the lessons learned from the prior banking mortgage crisis from 2008 to 2012, when Washington Mutual failed.

In sum, customers withdrew a massive $42 billion of deposits by the end of Thurs 03/09/23, according to a California regulatory filing. As a result, SIVB stock continued to plummet down another 65% before premarket trading was halted early Fri by regulators.

The FDIC described it this way in a press release:

  1. “All insured depositors will have full access to their insured deposits no later than Monday morning, March 13, 2023. The FDIC will pay uninsured depositors an advance dividend within the next week. Uninsured depositors will receive a receivership certificate for the remaining amount of their uninsured funds. As the FDIC sells the assets of Silicon Valley Bank, future dividend payments may be made to uninsured depositors.
  2. Silicon Valley Bank had 17 branches in California and Massachusetts. The main office and all branches of Silicon Valley Bank will reopen on Monday, March 13, 2023. The DINB will maintain Silicon Valley Bank’s normal business hours. Banking activities will resume no later than Monday, March 13, including on-line banking and other services. Silicon Valley Bank’s official checks will continue to clear. Under the Federal Deposit Insurance Act, the FDIC may create a DINB to ensure that customers have continued access to their insured funds.”

That’s largely a bank run, and it is really bad news for SVB and many startups and medium businesses. SVB has been a foundational piece of the tech startup ecosystem. It was also known to industry commentators and tech risk researchers that SVB struggled with tech risk compliance, overall governance, and even had no chief risk officer in the eight months prior.

With reasoning and no direct evidence, only circumstantial evidence — as I had a couple of interviews with them and was less than impressed with their competency and trajectory — I speculate that crypto ties were a significant negative factor here because many of the companies and tech sub-domains SVB served are entangled with crypto and crypto-related entities. Examples of this include their dealings with Circle — SVB managed part of the USDC stablecoin reserve of the American firm Circle, which confirmed it had a little more than $3 billion of reserves blocked with SVB.

A Fri 03/10/23 Tweet from reporter Lauren Hirsch described BlockFi’s risky crypto entanglements with SVB this way: “Per new bankruptcy filing, BlockFi has $227m in Silicon Valley Bank. The bankruptcy trustee warned them on Mon that bc those funds are in a money market mutual fund, they’re not FDIC secured — which could be a prblm w/ keeping in compliance of bankruptcy law”.

Crypto compliance and insight for a big bank is very complex, undefined, and risk prone. The biggest tech venture bank has to be involved with a few crypto related failings and controversies, and the above are just a few examples but I am sure there are more. I just don’t have the data to back that up now, but I am sure it’s being investigated and/or litigated.

Note * This is a complex, evolving, and new development — some info may be incomplete and/or out of date at the time you view this.

About the Author:

Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

Top 10 Ways SMBs Can Mitigate Cyber Risks and Threats in 2023.

Fig. 1. Stock Virus Infographic, 2023.

#smbinfosec #cyberrisk #techrisk #techinnovation #infosec #cloudcomputing
#cyberdefense #disinformation #cio #ciso #cto #tech #ransomwareattack #123backup

1) Educate Employees About Cyber Threats and Hold Them Accountable:

Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Use games with training and hold everyone accountable to security policies and procedures. This needs to be embedded in the culture of your company. Register for free DHS cyber training here and/or use the free DHS SMB cyber resource toolkit. Most importantly, sign up for DHS CISA e-mail alerts specific to your company and industry needs and review the alerts – Sign up here. Use the free DHS developed CSET (Cybersecurity Evaluation Tool) to assess your security posture – High, Med, or Low. CSET is downloadable here.

2) Protect Against Viruses, Spyware, and Other Malicious Code:

Make sure each of your business’s computers is equipped with antivirus software and antispyware that are updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Especially watch out for freeware that contains malvertising. Make sure submission forms can block spam and can block code execution (cross-site scripting attacks).

3) Secure Your Networks:

Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden – not publicly broadcast. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, have a strong password to protect access to the router, for example: xbeithyg18695843%&*&RELxu75IGO. Lastly, use a VPN (virtual private network) to encrypt data in transit, especially when working from home.

4) Control Physical Access to Computers and Network Components:

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel — with approval records.

5) Create A Mobile Device Protection Plan:

Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Use a containerization application to separate personal data from company data. Be sure to set reporting procedures for lost or stolen equipment.

6) Establish Security Practices and Policies to Protect Sensitive Information:

Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable. Base your security strategy significantly on the NIST Cybersecurity Framework 1.1: Identify, Detect, Defend, Respond, and Recover — a respected standard that is easy to understand (Fig. 2). The NIST Cybersecurity Framework Small Business Resources are linked here.

Fig. 2. NIST CSF Domains and Sub Areas, NIST, 2022.

7) Employ Best Practices on Payment Cards:

Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the internet. Outsource some or all of it and know where your risk responsibility ends.

8) Make Backup Copies of Important Business Data and Use Encryption When Possible:

Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud. Back up all key files via the 3-2-1 rule — three copies of files on two different media forms, with one offsite — to reduce ransomware attack damage.
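The 3-2-1 rule above is easy to state and easy to quietly violate (for example, when every "copy" sits on the same NAS). The following is an added example, not code from the original post: a small Python checker that audits a backup inventory against the three-copies / two-media / one-offsite rule, and additionally flags data sets where no copy is immutable or offline, since a copy that ransomware can reach and encrypt does not count for much. The inventory format, field names and sample entries are constructed assumptions for illustration.

```python
"""Audit a backup inventory against the 3-2-1 rule (added example, not the
article's own tooling). Inventory format and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set. The live/primary copy counts as one of the three."""
    dataset: str
    location: str         # free-text label such as "office-pc" or "s3-bucket"
    media: str            # media type, e.g. "disk", "tape", "cloud"
    offsite: bool         # stored away from the primary site
    offline: bool = False  # disconnected when not in use (tape in a safe, USB in a drawer)
    immutable: bool = False  # write-once / object-lock copy that cannot be overwritten


def check_321(copies):
    """Return {dataset: {"missing": [...], "warnings": [...]}}.

    "missing" lists unmet 3-2-1 requirements (empty means compliant);
    "warnings" lists ransomware-resilience gaps outside the rule itself.
    """
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for name, cs in by_dataset.items():
        missing, warnings = [], []
        # Rule 1: three copies, the primary included.
        if len(cs) < 3:
            missing.append(f"only {len(cs)} copies (need 3)")
        # Rule 2: at least two different media types.
        if len({c.media for c in cs}) < 2:
            missing.append("all copies on one media type (need 2)")
        # Rule 3: at least one copy offsite.
        if not any(c.offsite for c in cs):
            missing.append("no offsite copy")
        # Beyond 3-2-1: an attacker with network access can encrypt every
        # online, writable copy, so want at least one offline or immutable one.
        if not any(c.offline or c.immutable for c in cs):
            warnings.append("no immutable or offline copy (ransomware can reach all copies)")
        report[name] = {"missing": missing, "warnings": warnings}
    return report


# Constructed sample inventory for a small business (not real data).
SAMPLE_INVENTORY = [
    # Compliant: primary disk, office NAS, and an object-locked cloud copy.
    BackupCopy("finance-ledger", "office-pc", "disk", offsite=False),
    BackupCopy("finance-ledger", "office-nas", "disk", offsite=False),
    BackupCopy("finance-ledger", "cloud-bucket", "cloud", offsite=True, immutable=True),
    # Non-compliant: two copies, both on disk, both in the office, all online.
    BackupCopy("hr-files", "office-pc", "disk", offsite=False),
    BackupCopy("hr-files", "office-nas", "disk", offsite=False),
    # Compliant via an offline USB drive kept at home plus a cloud copy.
    BackupCopy("payroll", "office-pc", "disk", offsite=False),
    BackupCopy("payroll", "usb-at-home", "disk", offsite=True, offline=True),
    BackupCopy("payroll", "cloud-bucket", "cloud", offsite=True),
]


def format_report(report):
    """Render the report as plain text, one line per finding."""
    lines = []
    for name, r in sorted(report.items()):
        status = "OK" if not r["missing"] else "FAIL"
        lines.append(f"{name}: {status}")
        lines.extend(f"  missing: {m}" for m in r["missing"])
        lines.extend(f"  warning: {w}" for w in r["warnings"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_321(SAMPLE_INVENTORY)))
```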

9) Use A Password Management Tool and Strong Passwords:

Another way to stay safe is by setting passwords that are longer, complex, and thus hard to guess. Additionally, they can be stored and encrypted for safekeeping using a well-regarded password vault and management tool. This tool can also help you to set strong passwords and can auto-fill them with each login — if you select that option. Yet using just the password vaulting tool is all that is recommended. Doing these two things makes it difficult for hackers to steal passwords or access your accounts.

10) Use Only Whitelisted Sites Not Blacklisted Ones or Ones Found Via the Dark Web:

Use only approved whitelisted platforms and sites that do not expose you to data leakages or intrusion on your privacy. Whitelisting is the practice of explicitly allowing some identified websites access to a particular privilege, service, or access. Blacklisting is blocking certain sites or privileges. If a site does not assure your privacy, do not even sign up, let alone participate.

About the Author:

Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

The Main Purpose of Cryptocurrency Mixer and/or Splitter Services is Fraud and Money Laundering.

Cryptocurrency mixer and/or splitter services serve no valid “real-world” ethical business use case considering the relevant FinTech and legal options open. Even in the very rare case when you are a refugee fleeing a financially abusive government regime, or a terrorist organization is seeking to steal your assets while the national currency is failing, like in Venezuela which I wrote about in my 2014 article, that is about political revolution and your personal safety more than anything else. Although cases like this give a valid reason why you might want to mix and/or split your crypto assets, that’s not fully the same use case we’re talking about here with the recent uptick of crypto mixer and/or splitter service use. It’s only fair that we discuss the most likely and common use case, which is trending up, and not the few rare edge cases. This use case would be fraud and money laundering.

The evidence does not support that a regular crypto exchange is the same thing as a mixer and/or splitter service. For definition’s sake, I am not defining mixing and/or splitting cryptocurrency as the same thing as selling, buying, or converting it – all of this can be done on one or more of the crypto exchanges, which is why they are called exchanges. If they are the same or even considerably similar, then why are people and orgs using the mixer and/or splitter services at all? They use them because they offer a considerably different service. Using a mixer and/or splitter service assumes you have gotten some crypto beforehand, from a separate exchange, a step or more before in the daisy chain. This can be done via legal or illegal means. Moreover, why are they paying repeated and hugely excessive fees for these services? The fees are out of line with anything possibly comparable because there is higher compliance and legal risk for the operators of them, in that they could get sanctioned like Blender.io and others.

You can still have privacy, if that is what you are seeking, via a semblance of legal moves such as a trust tied to a separate legal entity, a family office entity, converting to real estate, and a marriage entity – if you have time to do the paperwork. Legally savvy people often have anonymity over their assets to avoid fraudsters, sales reps, and just for privacy’s sake – but again, still not the same use case. Even when people/orgs use these legal instruments for privacy, they still have compliance reporting and tax obligations – i.e., some disclosure. Keep in mind some disclosure serves to protect you by establishing that you in fact own the assets you say you own. Using these legal instruments with the right technical security, including an encrypted VPN and multifactor authentication, serves to sustain privacy, and you will then not need a crypto mixer and/or splitter.

Yet if you had cryptocurrency and wanted strong privacy to protect your assets, why would you not at least use some of the aforementioned legal instruments or the like? Mostly because any attorney worth anything would be obligated to report this blatant suspected fraud, and would not want to tarnish their name on the filings, etc. Specifically, the attorney would have to see and know where and what entities the crypto was coming from and going to, and under what contexts, and that could trigger them to report or refuse to work with them – i.e., a fraudster would want to avoid getting detected.

Specifically, the use of multiple legal entities in different countries in a daisy chain of crypto coin mixing and/or splitting tends to be the pattern for persistent fraud and money laundering. That was the case in the $4.5 billion crypto theft out of NY and in the Blender mixing fraud, and many other cases.

A recent U.S. Treasury press release concerning mixer service money laundering described it this way:

  • “Blender.io (Blender) is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations. While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors. Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017. Blender was used in the laundering process for DPRK’s Axie Infinity heist, processing over $20.5 million in illicit proceeds”.

Fig. 1. U.S. Treasury Dept, Blender.io Crypto Mixer Fraud, 2022.

The question we as a society should be thinking about is tech ethics. What design feature crosses the line to enable fraud too much such that it is not pursued? For example, Silk Road crossed the line, selling illegal drugs, extortion, and other crime. Hacker networks cross the line when they breach companies and steal their credit card data and put it for sale on the dark web. Facebook crossed the line when it enabled bias and undue favor to impact policy outcomes.

Crypto mixer and/or splitter services (not mere crypto exchanges) are about as close to “money laundering as a service” as it gets – relative to anything else technically available excluding the dark web where there are far worse things available technically. Obviously, the developers, product owners, and project managers behind the crypto mixer and/or splitter services like this are serving the fraud and money laundering use case more than anything else. Some semblance of the organized crime rings is very likely giving them money and direction to this end.

If you are for and use mixer and/or splitter services, then you run the risk of having your digital assets mixed with dirty digital assets; you have extortionate fees, zero customer service, no regulatory protection, no decent Terms of Service and/or Privacy Policy if any, and no guarantee that it will even work the way you think it will.

In fact, you have so much decentralized “so-called” privacy that it could work against you. For example, imagine you pay the high fees to mix and split your crypto multiple times, and then your crypto is stolen by one of the mixing and/or splitting services. This is likely because they know many of their customers are committing fraud and money laundering, and even the customers who are not are associated with that by using these platforms. Therefore, if the platform operators steal their crypto in this process, the victims have little incentive to speak up. Moreover, the mixing and/or splitting service companies have a nice cover to steal it: privacy. They won’t admit that they stole it but will say something like “everything is private and so we can’t see or know, but you are responsible for what private assets you have or don’t have”. They will say something like “stealing it is impossible”, which of course is a complete lie.

In sum, what reason do you have to trust a crypto mixing and/or splitting service with your digital assets, as outlined above, when they are hardly incentivized to protect them or you and operate in the shadows of antiquated non-western fintech regulation? So, what really do you get besides likely fraud? What is the business rationale behind using these services, as outlined above, considering no solid argument or evidence can support that it is privacy alone, and what net benefit do you get besides business-enabling money laundering and fraud?

Now there are valid use cases for crypto and blockchain generally and here are five of them:

  1. Innovative tech removing the central bank for peer-to-peer exchange that is faster and more global, especially helping the underbanked countries.
  2. Smart contracts can be built on blockchain.
  3. Blockchain can be used for crowdfunding.
  4. Blockchain can be used for decentralized storage.
  5. The traditional cash and coin supply chain is burdensomely wasteful, costly, dirty, and counterfeiting is a real issue. Why do you need to carry ten dollars in quarters or a wad of twenty-dollar bills or even have that be a nation’s economic backing in today’s tech world?

Here are six tips to identify crypto-related scams:

  1. With most businesses, it should be easy to find out who the key operators are. If you can’t find out who is running a cryptocurrency or exchange via LinkedIn, Medium, Twitter, a website, or the like be very cautious.
  2. Whether in cash or cryptocurrency, any business opportunity promising free money is likely to be fake. If it sounds too good to be true it likely is. Multi-level marketing is one old example of this scam.
  3. Never mix online dating and investment/financial advice. If you meet someone on a dating site or social media app and they then want to show you how to invest in crypto, or they ask you to send them crypto, it’s a scam, no matter what sob story or huge return they are claiming (FTC).
  4. Watch out for scammers who pretend to be celebrities who can multiply any cryptocurrency you send them. If you click on an unexpected link they send or send cryptocurrency to a so-called celebrity’s QR code, that money will go straight to a scammer, and it’ll be gone. Celebrities don’t have time to contact random people on social media, but they are easily impersonated (FTC).
  5. Celebrities are however used to pump crypto prices via social media, so they get a windfall, and everyone else takes a hit. Watch out for crypto like Dogecoin which is heavily tied to celebrity pumps with no real-world business value. If you are lucky enough to get ahead, get out then.
  6. Watch out for scammers who make big claims without details, white papers, filings, or explanations at all. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details in many documents and filings (FTC).

Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, a MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

Five Cyber-Tech Trends of 2021 and What it Means for 2022.

Minneapolis 01/08/22

By Jeremy Swenson

Intro:

Every year I like to research and comment on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic and the mass resignation/gig economy continue to be a large part of the catalyst for most of these trends. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprises in big and small ways.

Fig. 1. Facebook Whistle Blower and Disinformation Mashup (Getty & Stock Mashup, 2021).

Summary:

The pandemic continues to be a big part of the catalyst for digital transformation in tech automation, identity and access management (IAM), big data, collaboration tools, artificial intelligence (AI), and increasingly the supply chain. Disinformation efforts morphed and grew last year, challenging data and culture. This requires us to put more attention on knowing and monitoring our own social media baselines. We no longer have the same office due to mass work from home (WFH) and the mass resignation/gig economy. This implies increased automated zero-trust policies and tools for IAM, with less physical badge access required. The security perimeter is now more defined by data analytics than by physical/digital boundaries.

The importance of supply chain cyber security was elevated by the Biden Administration’s Executive Order 14017 in response to hacks including SolarWinds and Colonial Pipeline. Education and awareness around the review and removal of non-essential mobile apps grows as a top priority as mobile apps multiply. All the while, data breaches and ransomware reach an all-time high while costing more to mitigate.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Disinformation did not slow down at all in 2021 due to sustained advancements in communications technologies, the growth of large social media networks, and the “appification” of everything, which increases the ease and reach of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments create digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo; Bloomberg, 05/18/2019).

Today’s disinformation war is largely digital via platforms like Facebook, Twitter, Instagram, Reddit, WhatsApp, Yelp, TikTok, SMS text messages, and many other lesser-known apps. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace and stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps may have permission to post to Facebook, Facebook may have permission to post to WordPress, and WordPress may post to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and original source, but it also weakens privacy and security due to the many authentication permissions involved. The copied data is duplicated at each of these layers, which is an additional consideration.

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since most disinformation draws in viewers, which drives clicks and ad revenues, it is a money-making machine. If you can significantly control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2021 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA; 09/28/2021). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2021 including misleading texts, e-mails, mailers, Facebook censorship, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states, creating miscommunication, ad hominem attacks, and even derailed careers with impacts into the future (PBS; The Hinkley Report, 11/24/20 and Daniel Funke; USA Today, 12/23/21).

Facebook is significantly involved in disinformation, as one recent study stated: “Globally, Facebook made the wrong decision for 83 percent of those ads that had not been declared as political by their advertisers and that Facebook or the researchers deemed political. Facebook both overcounted and undercounted political ads in this group” (New York University; Cybersecurity For Democracy, 2021). Of course, Facebook disinformation whistleblower Frances Haugen, who testified before Congress in 2021, is only more evidence of these and related Facebook failings. Specifically, “Facebook executives, including CEO Mark Zuckerberg, misstated and omitted key details about what was known about Facebook and Instagram’s ability to cause harm” (Bobby Allyn; NPR, 10/05/21).

Fig. 2. Facebook Gaps in Ad Transparency (IMEC-DistriNet KU Leuven and NYU Cyber Security for Democracy, 2021).

With the help of Facebook’s misinformation, huge swaths of confused voters and activists aligned more with speculation and emotion/hype than with unbiased facts, and/or presented themselves as fake commentators. This dirtied the data in terms of the election process and raises the question: which parts of the election information process are broken? This normalizes petty policy fights, emotional reasoning, and a lack of unbiased intellectualism, negatively impacting Western culture. All to the threat actor’s delight. Increased public-to-private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Identity and Access Management (IAM) Scrutiny Drives Zero Trust Orchestration:

The pandemic and the mass resignation/gig economy have pushed most organizations to a mass work-from-home (WFH) posture. Generally, this improves productivity, making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders started speeding up the deployment of zero trust capabilities in 2020 (Andrew Conway; Microsoft, 08/19/20), and there is no evidence to suggest this is slowing down in the next year; rather, it is likely increasing to support zero trust orchestration. Orchestration is enhanced automation between partner zero trust applications and data, while leaving next to no blind spots. This reduces risk and increases visibility and infrastructure control in an agile way. The quantified benefit of deploying mature zero trust capabilities including orchestration is on average $1.76 million less in breach response costs when compared to an organization that has not rolled out zero trust capabilities (IBM Security, Cost of A Data Breach Report, 2021).

Fig. 3. Zero Trust Components to Orchestration (Microsoft, 09/17/21).

Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are already compromised. This implies single sign-on at the personal device level and improved multifactor authentication. It also implies better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacklisting of apps, group membership reviews, and state-of-the-art PAM (privileged access management) tools for the next year. In the future more of this is likely to be better automated and orchestrated (Fig. 3.) so that one part of zero trust does not hinder another via complexity fog.
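To make the “inherent deny” idea concrete, here is a small default-deny access decision in Python, written as an added example for this article (it is not the article’s code, nor any vendor’s). MFA, device health, an application allowlist, and role-based permissions must all pass before access is granted, and falling through every check yields a deny. A second helper supports the group membership reviews mentioned above by listing assigned roles a user never exercised. All user, role, and application names are constructed.

```python
"""Default-deny access decision in the zero-trust spirit of the section above.
Added example, not code from the article; every user, role and application
name is constructed."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed RBAC table: role -> permitted (application, action) pairs.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "payroll-clerk": {("payroll", "read"), ("payroll", "write")},
    "auditor": {("payroll", "read"), ("ledger", "read")},
}

# Constructed application allowlist; anything not listed is denied outright.
ALLOWED_APPS: Set[str] = {"payroll", "ledger"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: Tuple[str, ...]
    app: str
    action: str
    mfa_verified: bool
    device_healthy: bool


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; reaching the end
    without an explicit role grant means deny (the default outcome)."""
    if not req.mfa_verified:
        return False, "deny: mfa not verified"
    if not req.device_healthy:
        return False, "deny: device posture unhealthy"
    if req.app not in ALLOWED_APPS:
        return False, "deny: app not allowlisted"
    for role in req.roles:
        if (req.app, req.action) in ROLE_PERMISSIONS.get(role, set()):
            return True, f"allow: role {role}"
    return False, "deny: no role grants this action"


def unused_roles(assignments: Dict[str, Set[str]],
                 observed: Set[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group-membership review helper: for each user, return assigned roles
    whose permissions cover none of the observed (user, app, action)
    accesses. Those roles are candidates for removal under need-to-know."""
    result: Dict[str, Set[str]] = {}
    for user, roles in assignments.items():
        used = {(app, action) for (u, app, action) in observed if u == user}
        stale = {r for r in roles if not (ROLE_PERMISSIONS.get(r, set()) & used)}
        if stale:
            result[user] = stale
    return result


if __name__ == "__main__":
    req = AccessRequest("alice", ("payroll-clerk",), "payroll", "write", True, True)
    print(evaluate(req))
    print(unused_roles({"bob": {"auditor", "payroll-clerk"}},
                       {("bob", "ledger", "read")}))
```

The order of checks matters only for the reason string; the decision is the same regardless, because any single failing check is sufficient to deny. In a real deployment the role table and allowlist would come from the identity provider and the device posture from an endpoint agent, which is exactly the orchestration the section describes.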

3) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real time. Prior audits, security controls, and policies may therefore be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set badge access to default-disabled. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real time, and the related exception policies should be re-evaluated.

New data lakes and machine-learning-informed patterns can better define security perimeter baselines. One example is knowing what percentage of your remote workforce is on which internet providers and connection types, for example Google Fiber, Comcast cable, CenturyLink DSL, AT&T 5G, etc. Only certain modems work with each of these networks, and that leaves a data trail, although the router behind the modem could be of any type. Which device type they connect with (Mac, Apple, VM, or other) and whether it is healthy can likewise be determined as part of security perimeter analytics.
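The baseline idea above, carried through in Python as an added example (not code from the article): summarise which ISPs the remote workforce connects from, learn each user’s usual (ISP, device type) pairs from past logins, and flag new logins that fall outside that baseline. The login records and field names are constructed for illustration, not real telemetry; a real pipeline would read them from the VPN or SSO provider’s logs.

```python
"""Perimeter-baseline analytics over remote-access events.
Added example, not the article's code; all records are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (user, isp, device_type); field names assumed

# Constructed historical VPN/SSO logins used to learn the baseline.
HISTORY: List[Event] = [
    ("alice", "Comcast cable", "macOS"),
    ("alice", "Comcast cable", "macOS"),
    ("alice", "Comcast cable", "macOS"),
    ("bob", "CenturyLink DSL", "Windows"),
    ("bob", "CenturyLink DSL", "Windows"),
    ("bob", "AT&T 5G", "iOS"),
    ("carol", "Google Fiber", "Windows"),
    ("carol", "Google Fiber", "Windows"),
]

# Constructed batch of new logins to score against the baseline.
NEW_EVENTS: List[Event] = [
    ("alice", "Comcast cable", "macOS"),   # matches baseline
    ("alice", "AT&T 5G", "Windows"),       # new ISP and device for alice
    ("bob", "AT&T 5G", "iOS"),             # seen once in history
    ("dave", "Unknown ISP", "Linux"),      # user with no history at all
]


def isp_mix(events: List[Event]) -> Dict[str, float]:
    """Percent of logins per ISP: the dashboard view the section mentions."""
    counts = Counter(isp for _, isp, _ in events)
    total = sum(counts.values())
    return {isp: round(100.0 * n / total, 1) for isp, n in counts.items()}


def build_baselines(events: List[Event],
                    min_seen: int = 1) -> Dict[str, Set[Tuple[str, str]]]:
    """Per-user set of (isp, device) pairs seen at least min_seen times.
    Raising min_seen turns one-off sightings into anomalies instead of baseline."""
    seen: Dict[str, Counter] = defaultdict(Counter)
    for user, isp, device in events:
        seen[user][(isp, device)] += 1
    return {u: {pair for pair, n in c.items() if n >= min_seen}
            for u, c in seen.items()}


def flag_anomalies(events: List[Event],
                   baselines: Dict[str, Set[Tuple[str, str]]]
                   ) -> List[Tuple[str, str, str, str]]:
    """Return (user, isp, device, reason) for each login outside its user's baseline.
    Unknown users are flagged too: no baseline is itself a signal worth review."""
    flagged = []
    for user, isp, device in events:
        if not baselines.get(user):
            flagged.append((user, isp, device, "no baseline for user"))
        elif (isp, device) not in baselines[user]:
            flagged.append((user, isp, device, "unseen isp/device pair"))
    return flagged


if __name__ == "__main__":
    print(isp_mix(HISTORY))
    for row in flag_anomalies(NEW_EVENTS, build_baselines(HISTORY)):
        print("REVIEW:", row)
```

With the default `min_seen=1`, bob’s single earlier 5G login counts as baseline and only alice’s new pair and the unknown user dave are flagged; with `min_seen=2` bob’s login is flagged as well. That threshold is the knob between sensitivity and noise, and tuning it per population is the kind of analytics the section argues now defines the perimeter.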

4) Supply Chain Risk and Attacks Increase Prompting Government Action:

Every organization has a supply chain big or small. There are even subcomponents of the supply chain that can be hard to see like third/fourth-party vendors. A supply chain attack works by targeting a third/fourth party with access to an organization’s systems instead of hacking their networks directly.

In 2021 cybercriminals focused their surveillance on key components of the supply chain, including hacking DNS servers, switches, routers, VPN concentrators and services, and other supply-chain-connected components at the vendor level. Of note was the massive Colonial Gas Pipeline hack that spiked fuel prices this last summer. This was caused by one compromised VPN account, informed by a leaked password from the dark web (Turton, William; and Mehrotra, Kartikay; Bloomberg, 06/04/21). The SolarWinds hack was another supply-chain-originated attack in that the attackers got into SolarWinds’ IT management product Orion, which in turn got them into the networks of most of the customers of that product (Lily Hay Newman; Wired, 12/19/21). The research consensus unsurprisingly ties this attack to Russian-affiliated threat actors, and there is no evidence contradicting that.

In response to these and related attacks the U.S. Presidential Administration issued Executive Order 14017, the heart of which requires of those who manufacture and distribute software a new awareness of their supply chain, including what is in their products, even open-source software (White House; 05/12/21). This is in addition to more spending on CISA hiring and public relations efforts for vulnerabilities and NIST framework conformance. Time will tell what this order delivers, as it is dependent on what private sector players do.

Fig. 4. Supply Chain Cyber Attack Diagram (INSURETrust, 2021).

5) Data Breaches Have Greatly Increased in Number and Cost:

The pandemic has continued to be a part of the catalyst for increased lawlessness including fraud, ransomware, data theft, and other types of profitable hacking. Cybercriminals are more aggressively taking advantage of geopolitical conflict and gaps in legal standing. For example, almost all hacking operations are in countries that do not have friendly geopolitical relations with the United States or its allies, and their many proxy hops stay consistent with this. These proxy hops are how they hide their true location and identity.

Moreover, with local police departments extremely overworked and understaffed, and with their number one priority being responding to the huge uptick in violent crime in most major cities, white-collar cybercrimes remain a low priority. Additionally, local police departments have few cyber response capabilities, depending on the size of their precinct. Often, they must sheepishly defer to the FBI, CISA, and the Secret Service, or their delegates, for help. Yet unsurprisingly, there is a backlog for that as well, with preference going to large companies of national concern that fall clearly into one of the 16 critical infrastructure sectors. That is if turf fights and bureaucratic roadblocks don’t make things worse. Thus, many mid- and small-sized businesses are left in the cold to fend for themselves, which often results in them paying the ransom and then being a victim a second time, all the while their insurance carrier drops them.

Further complicating this is the lack of clarity on data breach and business interruption insurance coverage and terms. Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented, so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services, or operations. Please see my related article 10 Things IT Executives Must Know About Cyber Insurance to understand incident response and to reduce the risk of inadequate coverage and/or claims denials.

According to the Identity Theft Resource Center (ITRC)’s 2021 Q3 Data Breach Report, there was a 17% year-over-year increase as of 09/30/21. This means that by the time they finish their Q4 2021 report it’s likely to be above a 30% year-over-year increase. Breaches are also more costly for the organizations suffering them, according to the IBM Security Cost of a Data Breach Report (Fig. 5).

Fig 5. Cost of A Data Breach Increases 2020 to 2021 (IBM Security, 2021).

From 2020 to 2021 the average cost of a data breach in U.S. dollars rose to $4.24 million from $3.86 million. This is almost a 10% increase, at 9.1%. In contrast, the preceding 4 years were relatively flat (Fig. 5). The pandemic and the policing conundrum are a considerable part of this uptick.

Lastly, this is a lot of money for an organization to spend on a breach. Yet this amount could be higher when you factor in other long-term consequence costs such as increased risk of a second breach, brand damage, and/or delayed regulatory penalties that were below the surface, all of which differ by industry. In sum, it is cheaper and more risk-prudent to spend even $4.24 million, or a relative percentage at your organization, on preventative zero trust capabilities than to deal with the cluster of a data breach.

Take-Aways:

COVID-19 remains a catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office, and thus less badge access is needed. The growth and acceptability of mass WFH combined with the mass resignation/gig economy remind employers that great pay and culture alone are not enough to keep top talent. Signing bonuses and personalized treatment are likely needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay, with double biometrics likely. The security perimeter is now more defined by data analytics than by physical/digital boundaries, and we should dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority, especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed, and updated often, informed by need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it, because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed, as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve, and app-to-app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Not everyone needs to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and security perspective.

Cloud infrastructure will continue to grow fast, creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively.

The increase in the number and cost of data breaches was in part attributed to vulnerabilities in supply chains in a few national data breach incidents in 2021. Part of this was addressed in President Biden’s Executive Order 14017 on supply chain security. This reminds us to replace outdated routers, switches, repeaters, and controllers, and to patch them immediately. It also reminds us to separate and limit network vendor access points to strictly what is needed and for a limited time window. Last but not least, we must have up-to-date, thorough business interruption / cyber insurance with detailed knowledge of what it requires for incident response, with breach vendors pre-selected.


3 Key Points From “Unsecurity” By Evan Francen

National author, speaker, consultant, and entrepreneur Evan Francen got into information security long before it was cool and buzzing in the media, and long before every so-called IT consultancy started chasing the money. In fact, he and I both dislike the money chasers. He and his growing consultancy, FRSecure, are for-profit, but they don’t do it for the money.

Like a patriot who delays college to join the army amid dire national conflict, Francen offers a fact-based call to arms to fix the broken cybersecurity industry in his 2019 book “Unsecurity”. Having known him and his company for a few years, and having read the book and many others on this subject, I think this content is worth sharing because too few people write or talk about how to actually make this industry better. Here are my three unbiased key points from his book.

1) We’re Not Speaking the Same Language:

Francen opens his book with a lengthy chapter on how poor communication between cybersecurity stakeholders exacerbates trouble and risk. You can’t see or measure what isn’t communicated well. It starts because there are five main stakeholder groups who don’t share the same vocabulary amid conflicting priorities.

  1. IT: Speaks in data tables and code jargon.
  2. Cyber: Speaks in risk metrics and security controls.
  3. Business: Speaks in voice of the customer and profits.
  4. Compliance: Speaks in evidence collection and legal regulatory frameworks.
  5. Vendor: Speaks in sales and marketing terms.

Ideally, all these stakeholders work together, but they are only as strong as the weakest link. To attain better communication and collaboration between these stakeholders, all must agree on the same general security framework best for the company and industry, maybe NIST CSF with its inferred definitions or maybe ISACA COBIT. However, once you pick the framework you need to start training, communicating, and measuring against it and only it, going with its inferred definitions.

Changing frameworks in the middle of the process is like changing keys in the middle of a classical song at a concert: don’t do it. That’s not to say that once communication and risk management get better, you can’t have some hybrid framework variation, like at a jazz concert. You can, but you need proof of the basic items first.

Later in the chapter Francen describes the communication issue of too many translations. That’s too many people passing the communication on to other people and giving it their own spin. Thus, what was merely a minor IT problem ticket turns into a full-blown data breach. Or people get tied up arguing over NIST, ISSA, ISACA, and OWASP jargon, all the while nothing gets fixed and people just get mad at each other yet fail to understand one another. Knowing one or two buzzwords from an ISACA conference or paper yet failing to understand how they apply to NIST or the like does not help. You should have a framework mapping sheet for this.

The bigger solution is more training and vetting of who is authorized to communicate on key projects. The issue of good communication and project management is separate from cybersecurity, though it’s a critical dependency. Organizations should pre-draft communication plans with roles and scope listed out, and then they should do tabletops to solidify them. Having an on-site Toastmasters group is also a good idea. I don’t care if you’re a cyber or IT genius; if you can’t communicate well, that’s a problem that needs to be fixed. I will take the person with much better communication skills because they can likely learn what they don’t know better than the other.

2) Overengineered Foundations:

In chapter two, Francen addresses “Bad Foundations”. He gives many analogies including building a house without a blueprint. However, I’m most interested in what he says on page 76:

  • “Problem #4 Overengineered Foundation – too much control is as bad as too little control, and in some cases, it’s even worse than no control at all.”

What he is saying here is that an organization can get so busy in non-real-world spreadsheet assessments and redundant evidence gathering that their heads are in the sand for so long that they don’t connect the dots that other things are going awry, and thus they get compromised. Keep in mind IT and security staff are already overworked; they already have many conflicting dials and charts to read amid false alarms. Bogging them down in needless busywork must be weighed against other real-world security tasks, like patch management, change management, and updating IAM protocols to two-factor.

If you or your organization have an issue figuring this out, as Francen outlines, you need to simplify your risk management to a real-world foundational goal that even the company secretary can understand. It may be as simple as requiring long, complex (multi-character-class) passwords, badge entry time logs for everyone, encrypting data that is not public, or other basics. You must do these things and document that they have been done, one at a time, ingraining a culture of preventative security vs. reactive security.

3) Cultivate Transparency and Incentives:

In chapter five, “The Blame Game”, Francen describes how IT and business stakeholders often fail to take responsibility for security failings. This is heavily influenced by undue bias, lack of diversity, and lack of fact-based intellectualism within the IT and business silos at many mid-sized and large organizations. I know this is a hard pill to swallow, but it’s so true. The IT and business leaders approving the bills for the vendors doing the security assessments, tool implementations, and consulting should not put those vendors under pressure to give a favorable finding in an unrealistic timeframe. Vendors should only be obligated to give timely, truthful, risk-prudent advice. Yet that same advice, if not couched with kid gloves, can get a vendor booted from the client, fabricating a negative vendor event. Kinda reminds me of accounting fraud pre-Sarbanes-Oxley.

The reason is that risk assessors are creating evidence of security violations that the client does not agree with or like, and thus they are creating legal risk for the client, albeit well justified and of the client’s own doing. From Francen’s viewpoint, this comprehensive honest assessment also gives the client a way to defend and limit liability by disclosing and remediating the vulnerabilities in a timely manner and under the advisement of a neutral third party. Moreover, you’re going to have instructions on how to avoid them in the future, thus saving you money and brand reputation.

Overall, transparency can save you. Customers, regulators, and risk assessors view you more positively because of it. That’s not to say there are not things that will remain private, because there are many: trade secrets, confidential data, and the like. My take on Francen’s mention of the trade-offs between transparency and incentives in the chapter called “The Blame Game” is that it’s no longer acceptable to delay or cover up a real security event, not that it ever was. Even weak arguments deliberately miscategorizing security events as smaller than they are will catch up with you and kick your butt or get you sued. Now is the time to be proactive. Build your incident response team ahead of time. It should include competent business risk consultants, cyber consultants, IT consultants, a communication lead, and a privacy attorney.

Lastly, if we as an industry are going to get better, we’re going to have to pick up books, computers, pens, and megaphones. And this book is a must-read! You can’t be passive and maintain your expert status; it expires the second you do nothing and get poisoned by your own bias and ego. Keep learning and sharing!