The Chris Voss Show - The Chris Voss Show Podcast – The Unhackable Internet: How Rebuilding Cyberspace Can Create Real Security and Prevent Financial Collapse by Thomas P. Vartanian
Episode Date: January 27, 2023
The Unhackable Internet: How Rebuilding Cyberspace Can Create Real Security and Prevent Financial Collapse by Thomas P. Vartanian
Like most aspects of modern existence, more and more of our financial lives have migrated to the digital realm. With the benefits of ease that our Internet allows us, that transition also raises numerous – and dangerous – threats to national security, our money, and the systems we use to store and transfer it. In The Unhackable Internet, financial services and technology expert Thomas P. Vartanian exposes the vulnerabilities of the many networks that we rely on today as well as the threats facing the integrity of our national security and financial services sector. From cyberattacks by foreign adversaries like China and Russia, the explosion of cryptocurrency, the advancement of ransomware, phishing, surveillance apps, spying software, and logic bombs, along with the increasing savvy and daring shown by Internet hackers, the next financial panic is likely to be delivered to us through use or abuse of technology. The Unhackable Internet describes how society can remake an Internet that was never conceived as a secure environment and badly tainted by the original sin of substandard coding. Vartanian argues for increasing the use of private and offline network infrastructures, controlling the ownership of Internet infrastructure, and imposing enhanced authentication, governance, and enforcement standards. This online universe would look more like our analog lives, authenticating all digital traffic to a real person and removing any virtual traveler that violated the new rules of the road. The Unhackable Internet poses a challenge to America: take the lead and create a coalition of democratic nations to implement financial cyber strategies or be left with no counterweight short of military power to respond to those who weaponize technology.
This comprehensive and compelling book makes it clear that nothing less than the control of global economies is up for grabs, and that how we use technology is our choice.
Transcript
You wanted the best. You've got the best podcast, the hottest podcast in the world.
The Chris Voss Show, the preeminent podcast with guests so smart you may experience serious brain bleed.
The CEOs, authors, thought leaders, visionaries, and motivators.
Get ready. Get ready. Strap yourself in. Keep your hands, arms, and legs
inside the vehicle at all times because you're about to go on a monster education roller coaster
with your brain. Now, here's your host, Chris Voss. Hi, folks. Chris Voss here from thechrisvossshow.com,
thechrisvossshow.com. Welcome to the big show, my friends. We certainly appreciate you being here.
We always love our audience.
We have the best audience in the world.
Have I told you that lately?
Can I kiss butt anymore to my audience?
No, you never can kiss butt enough.
So we really appreciate you guys.
Thank you for being here.
And thanks for referring the show to your family or friends.
If you haven't gotten a chance, get them to join the family.
The family that loves you but doesn't judge you, at least not as harshly as your mother-in-law.
The Chris Voss Show.
Tell him to go to goodreads.com, 4chesschrissvoss, youtube.com, 4chesschrissvoss, all of our groups on LinkedIn, Twitter, Instagram, TikTok, all those crazy places the Chris Voss Show is playing at.
He is a returning guest.
We've had his brilliant mind on the show once before for his prior book, and we have the newest book out for him, The Unhackable Internet,
How Rebuilding Cyberspace Can Create Real Security and Prevent Financial Collapse.
Thomas P. Vartanian is on the show with us today.
His new book will be released on February 15th, 2023, and we'll be talking to him about
that today.
He's the author of the new book and currently the executive director of the Financial Technology
and Cybersecurity Center, having chaired the financial institution's practices at two international
law firms.
During the S&L crisis, he served as general counsel to the Federal Home Loan Bank Board
and the FSLIC. He represented either the government or private parties in a majority of the 50 largest American financial institution failures
and has worked on technology advancements from the introduction of, we appeared prior with this on the show,
the author of 200 Years of American Financial Panics. I'm panicking now. No, I'm just kidding.
Welcome to the show, Thomas. How are you?
Thanks, Chris. I'm just delighted to be back and to participate in what you characterize as a brain bleed.
There you go. Well, it's all about the brain bleed. That's just mostly for me.
But we have brilliant authors like you on the show so they can educate us to help stem the bleeding, I suppose.
So, Thomas, welcome to the show.
We really appreciate having you back.
Congratulations on the new book.
Give us your dot coms wherever you want people to look you up on those interwebages in the sky.
Yeah, so you can find me on thomasvartanian.com.
It's probably the simplest place to find everything about me and what I'm doing and about the book.
There you go.
So what motivated you to want to write this book, Tom?
So I'll tell you, Chris, I started working with the largest financial institutions in the world,
helping them build out their online infrastructures in the 1990s.
And I realized now we were all captivated by the euphoria of technology, right?
It's hypnotizing.
You want to do it.
You want to get involved.
You want to reach more customers.
You want to be more competitive.
You want to save money.
And so everybody jumps at this stuff.
And I've realized now, 30 years later, the mistakes that we made.
And the principal mistake is that we have overestimated the euphoria and the benefits of technology and underestimated the insecurities and the vulnerabilities that we've built.
And so this book is really my way after 30 years of sort of warning that we're out of balance here.
And if we stay out of balance, it's going to be very risky to our money, our freedom, and our democracy
because we are basically creating vulnerabilities that others can take advantage of.
And as technology gets into the hands of people who aren't nation states,
people who don't play by the rules of
civil society, we're going to see a lot of things happening.
And we have seen a lot of things happening.
They're going to be very, very threatening to us.
There you go.
Yeah, it's kind of, you know, when social media first came out and a lot of technology
and the iPhone and stuff, a lot of people were like, hey, a new frontier, a new world.
And, you know, then there was the Arab Spring and we were kind of like, hey, this can bring a better thing.
And then I think a lot of governments looked at Arab Spring and thought, how do we use this as a weapon against people that we want to control?
And so then, you know, it kind of got turned on its head.
It's kind of become a Pandora's box that once we've got it open, it doesn't seem we can close it.
And it's become really dark.
Like I, I think is from my opinion, social media is destroying the world and, and, uh,
our culture.
But I mean, what do I know?
I'm just some guy with a podcast.
Well, think about it, Chris.
I mean, look, think about your analog life, which is your real life and think about your
online life, right?
In your analog life, you lock the doors of your home.
You have fences.
We have borders.
We have police.
We have armies.
And people live by rules because that creates a civil society.
Why is it that online, not only do we not have any of those things, and we don't have a cyber
coast guard to warn us, we actually, with social media, invite people in to rifle through
our personal data, our most sensitive personal data.
We invite them in.
We put it out there.
We advertise.
We're like, hey, look at this.
Right. And if the ordinary person using social media knew, and the internet for
that matter, knew how the data was being collected, what data was being collected, how it was being
sliced and diced and sold and resold over and over again and used, I think they would be shocked.
Yeah, most people have no idea. I mean, they don't realize that the reason those services are free is you are the product.
You are the product.
That's exactly right.
You're the product.
You're the inventory.
And frankly, you know, I talked about this the last time we were together.
There's a great book by Shoshana Zuboff called The Age of Surveillance Capitalism.
And she talks a lot about how we've become the product
and data is the main asset out there.
And the most interesting part about her book is how she argues
and I think demonstrates that big tech is taking all this data,
whether we like it or not.
I mean, you sign these terms of service agreement,
which may say they can take any data and use it in any way they want.
How would we know?
We don't read them, right?
And even if they do promise not to, they're selling data to people who aren't making those promises, who are reselling it and reselling it again.
And so, you know, the concept of privacy has long since ended. And the question I'm raising in the book is,
well, now that we've gotten to this point,
and now that we know the vulnerabilities of online life,
and now that we know that we are loading every inch of data
and every ounce of value onto those insecure networks,
there's a question that we ought to be asking
that I haven't heard anybody else ask.
And that's why I wrote the book.
Did we build the right internet and should we fix it?
There you go.
Right?
Cybersecurity experts are charging upwards of $400 billion a year just to keep businesses
running like rats on a wheel because they're never going to get to the place where they've
got a secure enough network for what they're doing. And so my question is, which I answer in the book,
frankly, I said, I couldn't write this book without answering the question.
Do we have a secure enough internet? Did we build the wrong internet? Should we build a new one?
And my answer is yes.
Ah, now there's a lot of talk about this new Web 3.0.
That seems to be some sort of attempt to reinvent the Internet.
Is that the product we need or result we need, or do we need something better?
Yeah, I'll tell you why it's not the product we need, although I think it's a step forward.
So Web 3.0, and one of the problems we've got in technology, and I'm sure you come across this all the time in doing your podcast show, is we have no definitions for any of the terms anybody uses.
Everything has its own definition, right?
So Web 3 has its own definition depending on who you're talking to.
But I write about Web 3 in the book, and I say it's a step forward.
Why? Because it is moving towards decentralization of the data,
meaning that instead of me giving all my data to Google, Apple, Amazon, Facebook,
the data stays on my computer, right?
And I control the data.
And so what Web3 is about is about taking the power back from big tech
and giving it back to people and who own the data.
That's what the purpose is.
My purpose in writing the book and talking about these issues after having been a technology advocate for 30 years is that we have to go one the next web as a means of becoming more secure, not just decentralizing data, but adding enormous security to eliminate the vulnerabilities that we've created.
There you go.
So web 4.0 maybe.
Web 4.0, web 5.0, I don't know.
Hi, folks.
Chris Voss here with a little station break.
Hope you're enjoying the show so far.
We'll resume here in a second. I'd like to invite you to come to my coaching, speaking, and training courses
website. You can also see our new podcast over there at chrisvossleadershipinstitute.com.
Over there, you can find all the different stuff that we do for speaking engagements,
if you'd like to hire me, training courses that we offer, and coaching for leadership,
management, entrepreneurism, podcasting, corporate stuff.
With over 35 years of experience in business and running companies as a CEO, I think I
can offer a wonderful breadth of information and knowledge to you or anyone that you want
to invite me to for your company.
Thanks for tuning in.
We certainly appreciate you listening to the show,
and be sure to check out chrisvossleadershipinstitute.com.
Now back to the show.
And how do we get this to happen?
Does everyone need to just be educated, read your book,
understand what's going on?
Does there need to be some social uprising where we need to say,
you know, we've had enough and we're not going to take any more of that whole network movie sort of guy?
Yeah. So being a lawyer, I decided I had to answer that question
too. I mean, I just couldn't raise these questions, talk about solutions and not talk about
how it should happen. And so what I did in the book, Chris, is I walked through the last 25 years, the Clinton
administration, the Bush administration, Obama, Trump, and now Biden, and what the government has
done in those 25 years. And interestingly enough, the Clinton administration identified all of the
issues and all of the conceptual solutions back in 1996. They did a great job at identifying the issues, the concerns, the vulnerabilities.
And what have we done since then?
Relatively nothing, right?
Every president since then has put out an executive directive that's essentially a cut
and paste job of the Clinton executive director, directive.
Just same stuff over and over again. We have warned private businesses, private organizations, think tanks have for 25 years
been warning that we are heading in the wrong direction.
But who's done anything?
Nobody.
I mean, look at President Biden's directive of last year on cybersecurity.
What did he do?
He did some good stuff in that directive.
He required zero trust architecture in the government, which we can talk about later.
But the problem is he delegated the responsibility for cybersecurity in the government to 24 different agencies.
Now, you know and I know when you delegate something to 24 people, nobody's in charge.
Nothing's going to get done.
So how does this all get done? I think the way it gets done is number one, leadership,
right? There needs to be somebody, it's not Congress, that's for sure. I think the business
community has got to come together with their legislators and they have to say, this has to be
done because the future is too insecure to risk that.
Now, when is the business community going to do that?
The business community is going to do that when the profits from the Internet are dwarfed by the expenses of vulnerabilities.
And we're going to get there.
We're going to get there at some point.
And they're going to say, well, wait a minute.
We're not making the kinds of money we thought from this interface.
We better fix it.
And I think step number one, the business community has got to step forward.
It's got to demand action from the Congress.
We've got to find some leadership in this country, wherever it may be.
And they're going to have to work together globally to fix this problem.
Because we can't swim in the same online water with China.
We can't swim in the same online water with Russia and North Korea and Iran.
It's crazy to share the internet with them when they don't agree with any of the rules
of civil society for how an internet should work.
So I think, you know, I think there really has to be sort of a grassroots effort in the business community.
And, you know, I chaired a 20-country report in 2000 on jurisdiction in cyberspace because the issue then was, well, whose laws apply in cyberspace?
There's no borders, right?
We put 20 countries together and we came up with a report that has really laid down the skeletal structure for what the courts have done.
But how did we do it?
You know how we did it?
We found lawyers and investment bankers and accountants in 20 countries who wanted to get involved in this.
Why did they want to get involved in this?
One, it's interesting to them. But two, they knew when this report came out and it laid the groundwork for what was coming, they'd be on the ground floor of getting clients and getting business from this.
Right.
So it may be very structured and maybe very, you know, ordered in terms of finding people because there's some upside.
But that's the way you make things happen.
They have to see an upside to go forward and do it. And those are the kinds of things that I
suggest in the book and talk about. It's worked in the past. It can work in the future, but you
said it and I'll say it here. The consumer needs to be educated because they have no idea what's
going on when they look in that screen. They have no idea what's going on between the keyboard that they're tapping.
And if they did, and if our leaders inform people about what was going on, I think they would be more cautious and they would demand change.
Because here's the bottom line.
You're more than willing to engage in social media, to get information online, and do whatever it is because it's convenient.
You hit a keyboard, something pops up, and you got information, and you've been very effective and very efficient.
If I told you every time you touch your keyboard, you're increasing the risk that all of your money disappears tomorrow morning, you would think twice about what you're doing.
Definitely.
Yeah.
I mean, I like my money.
I like to keep it too.
Well, the one thing I learned when I was a financial services lawyer for 40 years is
that everybody has an emotional relationship with their money.
They do.
They do.
Yeah.
I like my money.
I have a thing about it.
So, you know, this is really interesting.
Are you saying that the money has basically got to run out for companies
where they realize that the downside of hacks and the cybersecurity and everything,
and basically the money has got to run out that they're currently getting for them to go,
oh, we need to invent a new model.
That usually seems to be the way it works.
Am I correct or wrong?
Yeah, no, you're exactly correct.
So if you go and read J.P. Morgan's annual report, Jamie Dimon, who is one of the smartest
financial minds around, basically says, you know, this has become a huge problem and a
huge expense for the bank. He identifies, get this,
43,000 people in the organization working on what he calls fortress defense at cybersecurity and
compliance with regulations. 43 of 250,000 employees working on fortress defense. Now, that's an enormous cost, right? It's an
enormous cost. So, so far, they're handling that cost. But at some point, at some point,
that cost crosses the line. And those businesses begin to say, we can't handle that cost anymore.
It is unsustainable to stay on that trajectory. We've got to change something. And when that
happens,
they'll go to the legislators, the legislators will change their minds and do something.
Why aren't the legislators doing something now? I think it's a very easy answer. And that is
cybersecurity is not an issue that they can raise money off of. Right? Who's going to make
political donations over the issue of cybersecurity. So they have to focus on the issues that they can fund their operations, so to speak,
and they're only going to respond to businesses when the businesses say, this has to happen.
And by the way, the consumers will be right behind them at that point.
Yeah, the interesting thing to me is how much the government has – I forget the name of the – there's a rule that the social security – or not the social security, but the social media empires have rule 203 or 200.
Basically, it's a rule that makes it so that they aren't publishers.
Right, yeah.
And so they can avoid the demands of normal media,
mainstream media, big papers, stuff like that,
that come with all sorts of downsides.
And it seems like even recently with the January 6th report,
it came out that the politicians that were on the January 6th committee
didn't want to take on social media
and some of the contributions that social media did
to January 6th and the insurrection.
And part of it is they don't want to regulate them
because that's how they get re-elected,
is buying ads on Facebook,
you know, re-elect me to Congress for the next thing.
And there's almost like a dirty sort of relationship there going on where it's symbiotic and it's
like, I'll scratch your record, you scratch mine.
And it's like, well, we don't want to control Facebook because we don't want to piss them
off because we won't be able to run our re-election politician ads and our fundraising ads.
But they need to be regulated, and there's been like this thing where it's like a hands-off thing, and social media companies
can just get away with whatever they want. Do you think that's part of the impetus?
Yeah, I think that's exactly part of what's going on here. So when FTX went down and Sam Bankman-Fried
was sort of at the forefront of everybody's thoughts at the moment,
I was on TV and I did a number of BBC spots on the whole question of what had happened and why it had happened.
And somebody asked me a question about the fact that FTX had donated $70 million to Congress.
And was that a problem?
And I said, I'm shocked. There's gambling in this casino,
right? But that's the fundamental core of the problem here. And that is big tech is giving
so much money to Congress. Congress is not going to budge unless we get into a crisis or the
inevitable financial Armageddon happens, and then it may be
too late. That's the problem with all this. The scale of the threat is what concerns me.
And as I say, I was a great supporter, euphoric about technology. I helped financial institutions
create their online interface. But I now understand that we didn't appreciate the
scale of the problem. So let me give you an example. When I started in the banking business
in the 1970s, the maximum amount that could be stolen in a bank robbery was the amount of dollars
that could be stuffed in a duffel bag and shoved into a waiting van. How much is that, right? A few hundred thousand dollars maybe.
Well, today, the amount of money that can be stolen online is infinite.
I mean, it could all disappear.
So in 2021, $14 billion of cryptocurrency was stolen.
Wow.
$14 billion, okay?
Wow.
That's more, and I don't know how to calculate this professionally, but that is likely more than has been stolen in all the bank robberies in the history of time.
Right?
Probably, yeah.
Just in one year, $14 billion.
So what you see is you see the scale of the problem has changed.
The scale of the risks has changed and we haven't reacted accordingly. We're
still sort of, you know, operating as if, well, the scale is, you know, we'll lose a few dollars
here or there. We'll lose our lights for a few days. No, we could lose everything in one fell
swoop. And then the question becomes, can we respond? Can the government respond, right?
And that's why they say,
if you read a lot of the experts on cyber war,
they say it's a first strike war because you don't know if you'll ever be able to react
after the first strike.
The lights go out, nothing works, right?
And so, you know, there's an enormous number of issues
that are simply not being discussed.
And what I'm trying to do in the
book is get people to discuss them, raise the hard questions and say, these are the answers I think
that are out there. Let's talk about them and let's try to make something happen so that we're
not on this road to inevitable vulnerability.
It's one of the problems too, excuse me, it's one of the problems, too.
You saw some of the interviews of the
social media giants,
Google and Facebook, in front of
Congress, and it really
exposed how out of touch
the people in Congress, some of them might be
too geriatric.
I mean that in a nice way.
They just might be, they just seem
completely out of touch with what technology was.
I mean, you saw the idiot questions they were asking.
You're just like, are you serious?
Like, you have no idea how just a simple form of email works or something,
and you're the person who's overseeing technology?
It seems like that's a big problem.
These guys really don't even understand it or get it.
Yeah, you know, after the amount
of money that's flowing into Congress from vested interests involved in keeping this going,
the second biggest problem is most, it's not all, but most of Congress doesn't understand the basics
of technology. They don't understand what is going on in that machine in front of them, what's going on
online and how things are moving, how they were encrypted. When I started representing
financial institutions in the technology world back in the 90s, I decided I couldn't do that
without learning the underlying computer science. I learned digital signatures. I learned encryption. I learned all the stuff that
surrounds that and how blockchain is formed. And I concluded I couldn't represent my client's
interests without understanding the nuts and bolts of what they're doing. Same thing goes for
Congress. They have no chance of writing meaningful legislation unless they understand the science and
they don't understand the science. And look, looking to their staffers, they all have smart staffers,
but they're young, they're inexperienced, and they're not the decision makers, right?
And so that's a huge problem.
We're dealing with a Congress and with legislatures who are out of touch
with the economy, the digital economy, and the digital social life that
everybody leads today.
Yeah.
So it sounds like what it comes down to is just consumers have got to be the ones to
take up the mantle on this and go, we're not going to take it anymore.
Yeah.
You know, and that's going to happen because when consumers, when the lights start going
out, look, we've had in the last three years, we've had SolarWinds.
We've had the JBS, Colonial Pipeline, Log4j, all of those cyber attacks, which could have been far worse.
I mean, on the East Coast, we actually didn't have gas for a few days because of the Colonial Pipeline shutdown.
And that was just a ransomware attack, right?
And so if you look at these things and you put them all together, let me give you an example.
I argue in the book that while it is difficult and it has never happened that a financial infrastructure in a country could be taken down.
It is possible.
The fact of the matter is if you take all of the various components and parts of shutting down a financial infrastructure,
it's all happened in different places around the world at different times.
Put them all together, you've got the collapse of a financial infrastructure.
It happened partially in Estonia.
It happened partially in the Ukraine.
You know,
people think the Russians were behind both of those,
but the fact of the matter is,
and I've said this before,
and I want to say it again.
I think as long as countries are in charge of the technology,
there are basic understandings.
Cause if you do it to me,
I'm going to do it to you, right?
It's the nuclear mutual assured destruction, right?
You take down my power grid, I'm taking down your power grid.
And so, you know, for China to take down our power grid doesn't make any sense because they do so much business with it.
It's like taking down their economy, right?
Yeah.
So as long as that sort of face-off exists, the fact that we can
take down or they can take down our financial or power grid infrastructures has been kept at bay.
But the problem is, is that technology is getting cheaper and cheaper and cheaper,
which means it's getting into more and more hands. So you have criminal cartels using technology as their primary source of income.
You've got fanatics, you've got terrorists, you've got, you know, downstairs bedroom hackers, anything you want.
And, and, and they don't live by the rules of civil society.
They don't care about, you know, somebody hacking back at them.
And that's the danger here.
As technology gets into the hands of lunatics who might do it just for fun, and you really have no way of knowing where this all ends, but you can see the line.
You can see the trajectory of where we've been over the last 25 years and where we're going.
Yeah, a lot of people have no idea the attacks that go on constantly at power stations,
nuclear power stations around our country.
A big favorite is the nuclear, is the New York's, is it called Thunderbird?
It's the New York's power supply for their, I believe their nuclear, yeah, power
supply. That thing is under constant attack, cyber-wise. Ransomware, of course, you've mentioned,
is a huge thing. A lot of companies don't even talk about it. They just pay the fee, and
sometimes they give their data back, sometimes they don't. It's really crazy, all the stuff
that's going on.
Well, the average large financial institution in this country, many of which I represented, they're going through literally hundreds of thousands of attacks a day.
Yeah.
I mean, it's just, as you suggest, it is constant.
It is continual.
And the thing is, they've got to deter and prevent every single one to live another day, whereas the attacker
only has to get in once.
That's true.
That's a good point.
You know, it was interesting to me.
I remember when I was, I had first moved to Vegas, and in Utah, you would pass checks,
and it was like no big deal.
I mean, this is kind of 20 or 30 years ago, 20 years ago. But when I moved to Vegas, I went to pass a check,
and it was from a deal we'd made,
and they had to, like, call the person who had written the check
and all this stuff.
They're like, well, you're a new customer.
You've never cashed a check here before.
And I'm like, God, this is a really big deal.
I've never really been through this.
I mean, you know, they have the money in the county or whatever.
And they told me, they go, no, one of the problems you don't understand is you're in Vegas now.
And we have degenerate gamblers who will steal checks and print checks and do all sorts of things to feed their addiction for gambling.
And I said, wow, that's crazy.
And they go, yeah, one of the problems with gambler addicts is they don't die of their disease, of their affliction for addiction.
A heroin user will eventually die. Cocaine, you know, all those sort of things will eventually kill them and catch up to that.
But a gambling addict lives forever.
And so it kind of calls to the point that you mentioned where, you know, a hacker only needs to get in once, they can live forever.
They can keep hacking until they get caught. Um, and they usually do. I mean, once they kind of
learn this game, they, they keep going at it. Well, that's the ransomware business, right?
You try 20 times, you, you get one win, you're, you're, you're golden for the day,
right? And, and, and if you keep going down that route, so it raises an interesting question. If companies pay the ransomware, you are actually creating an incentive for the attacker to continue to do that, right?
Yeah, you're just giving them a license to go, hey, continue on.
You know, I get angry as a consumer when I get these notifications.
I forget the site, but there's a website that tells you,
and some of your credit cards and stuff tell you now too.
They're like, hey, your password has been hacked.
It's on the interweb.
Hey, your credit card or your data has been hacked over here.
And it just makes me angry sometimes when I see, you know, huge things. What was the credit reporting agency that got hacked?
Equifax.
Equifax and just exposed so many people.
And I was pissed.
Really made me angry.
But then some of the people you do business with,
you're just like, well, I mean,
I either have to give up using the value of their service
or I don't have a choice on Equifax.
I mean, they're going to hold my data.
At this point, I just kind of figure
everyone knows my private information,
my social security number,
all my passwords and everything else.
I think two-factor identification
and QR codes is about the only
reason my accounts get
hacked daily. It's crazy.
Yeah, well, you know, look, I mean,
you're putting your finger
on an interesting point. In the last
two years or three years, Capital One, J.P. Morgan, Equifax,
and CNA Insurance Company have all been hacked, right?
With hundreds of thousands of personal data files taken,
hundreds of thousands, right?
And if they can't prevent it, and they can't,
if they can't prevent it,
what chance do we have of preventing anything
from happening to us?
Now, we may be, you know, not big targets individually.
Maybe it's a better target to go after a J.P. Morgan or a Capital One.
But it shows you the vulnerability of the system we've created.
Why have we created a system that's inherently vulnerable, where software and hardware has all kinds of deficiency in it, where human error can
let somebody into a system and they just gallivant around wherever they want. I mean, one of the
questions I spend a lot of time in the book, when I get to the end of the book and I talk about
solutions, is anonymity. You can't do anything in the analog world anonymously. I mean, what the
hell? My dog has a license, right?
You can't do anything anonymously.
Whereas online, you can do everything anonymously.
So my first solution is that has to end.
You have to authenticate everybody personally,
not authenticate machines and IP addresses.
Today, the authentication that goes on is your machine is authenticated when you go
on something.
It doesn't authenticate you.
It's your machine or your IP address.
Well, that's crazy.
In a world where we're putting all of our value and all of our data to let people run
around anonymously rifling through it is just nuts.
I mean, and anonymity, I think what we're seeing from social media and the internet
is there's a good amount of people who don't act very well when they can be anonymous.
That's true.
That's very true.
And so that's going to have to change if we're going to create a more secure online network.
And at the other end of the spectrum, how is it that we have moved everything
from our analog lives onto an online environment where there's no police? If your money disappeared
tomorrow, would you know who to call? No. The FBI, I don't know.
Right. Who do you call? I mean, who are the cyber police, right? And if your money was taken
and it was just you, you'd probably get it back from your investment advisor, from your companies, from your bank.
You'd probably they probably all make good.
But if everybody's money was taken tomorrow morning, nobody would get it back.
There wouldn't be anybody left to sort of make good on any of that. And so, you know, I think that we have to think about, and I articulate it as
what I call the age factor. A is for authentication, G is for better governance,
and E is for enforcement. If we have those three things built into the system,
and then we create what I think we need are sidecar private networks that you don't get
into unless you've satisfied all the rules, you've identified yourself, you agree to live
by those rules.
And if you don't, an artificial intelligence monitor just kills your application, wipes
you out, right?
And so those are the kinds of things we're going to need to instill some sort of discipline in a world that looks like our analog world but has no discipline.
Yeah.
We need, you know, cops that can pull people over and say, man, your registration expired.
Right.
So what would your, you know, like I said, I've advocated for probably five or six years.
I mean, I just say it on social media.
But I say, like, you know, when you see really extreme exposure of data,
you know, like some companies like, oh, we kept all the passwords in a text file
that wasn't encrypted.
You know, stuff like that, to me, I'm like, that needs to be criminalized.
That needs to be criminalized.
There's some sort of intent in the laziness of you just don't want to pay enough to protect my data.
So let me pose that to you as a question.
This is a second follow-up question.
Does it need to be criminalized?
Or some behaviors need to be criminalized.
When you see something egregious like, yeah, we kept it in a text file, and it was outside the encryption, and just sitting there for everyone to pick up.
The other thing is, like, does my IP address need to have my name on it?
Does it need to perform like the phone book where every time I log on,
everybody knows Chris Voss is here on block A?
Yeah.
So the first question is,
does it need to be criminalized? I talk about that a lot in the book and I give examples.
I don't like just throwing out ideas and solutions without examples of how they work. So
I'll give you an example that's going to ring true with you. All of these companies that have
been hacked and have lost personal data,
hundreds of thousands of data files lost, millions of data files lost,
goes onto the dark web.
Who knows what happens to it in the dark web?
Most of us don't function on the dark web, but the things that go on at the dark web are such a huge amount of criminal
and deviant behavior that we don't even want to know what's
going on in the dark web. But that's where the data goes. Well, what happens to the companies
who've been hacked? And this gets exactly to your question. Pretty much nothing, right?
So they have to maybe pay a price by giving consumers free access to credit reports for
some period of time. Oh, big deal. At the end of the day, what's happening,
and this goes back to what I said at the beginning,
they're not losing enough money from insecurity
to want to change it yet.
They're not being penalized enough.
Nobody's being held responsible.
In fact, what the government is doing part of the time
is apologizing for corporations that are getting hacked.
And the corporations just don't have enough financial incentive to fix that issue.
It's just as easy to keep going down the same path they're going because it's profitable to do so.
Yeah.
When it becomes unprofitable, when people go to jail, when people are held responsible,
when there's huge civil penalties for these kinds of hacks.
Then the companies will say, well, wait a minute.
I guess we better really fix this because what we've got now, and this is what really has bothered me over the last five or eight years, there's this sense of inevitability when a hack occurs, right?
Oh, well, it can happen to anybody.
Let's just move on.
Well, no, that shouldn't be the answer.
The answer is you run a business.
You don't let anybody come in through the front door and rifle through your files and take whatever they want.
Your responsibility is to stop it.
If we impose that responsibility on companies, if we impose it on individuals, we would have greater security out there because they'd say, hey, this doesn't pay to be sort of reckless about this.
Take coding, for example, Chris.
Time and time again, you'll read about the creation of software.
And the principal problem with the creation of software now in an environment where, you know,
getting it out there quickly is money, is that it gets put
out there too quickly. It gets put out there because we live in an era where we say, launch
and then patch, right? Let's launch it. And if something happens, we patch. But the problem is,
once you launch defective coding and defective software, you're patching and you're always
trying to catch up, right? And you never do catch up because the bad guys are always out there ahead of you.
And so we need operating standards on coding.
I hesitate, you know, I'm not a big government guy.
I'm a small government guy, but I hesitate to say, you know, hey, look, if there was
an FDA for software and coding, maybe it would work better.
I mean, maybe people would actually stop and make that coding and make that software perfect before it went out there.
That's why I really think if there is more criminal penalties and civil penalties,
and like you say, maybe a government oversight thing,
because we rely too much on these guys to police themselves.
We hear all the time, Facebook, we police ourselves.
We have a good thing to police ourselves.
Yeah, we've seen what happens with that.
Somebody's got to pay the piper when this happens.
Because you certainly, under today's rules, when nobody's identified, you certainly can't find the hackers, right?
And if you do find them and they're sitting in North Korea or Russia or Iran and you indict them, what does that do? They're not coming
to the United States to make themselves susceptible to jurisdiction here. They're never coming here,
right? So, so indicting six guys in Russia is an absolute meaningless action. I mean,
obviously get some press release, right? We indicted Kukla, Fran and Ali in Russia. And,
you know, if we ever come here, they'll get thrown in jail.
Oh, great.
Well, they're not coming here.
In fact, they're busy hacking the next company they're going to find.
So you're right.
Somebody's got to pay the price.
It's not an easy thing to do.
It's not an easy formula, but it's not impossible.
And my bottom line is always this.
If we move our analog lives to the online environment, we move all the rules that go with it, we move all the police that goes with it, we move all the governance that goes with it. Otherwise, we're absolutely, you know, absolutely asking somebody to do something bad to us.
Yeah. I've known startups that when they start up, the last thing on their mind is security.
They just want to get rolling. They want to make money.
They want to make their big bucks. Just ship
it and all that stuff.
I'm like, maybe we should wait just
a little bit longer to make sure it's a little bit more secure to ship it.
The VCs have their own agenda
and stuff. Do we need to get rid of the
dark web? That's beyond my pay grade
how to figure that out. Maybe that's a dumb
question.
If you're looking to, you know, Google Plus, and Google tried to do this years ago. They tried to force everyone on YouTube, well, they did actually, uh, on Google Plus and YouTube and some of their other properties, that they had to validate themselves, they had to authenticate themselves and expose who they were.
Um, it was kind of interesting to me as a big YouTube content maker that overnight they literally killed my comments and my likes and everything. Like, literally overnight they killed the trolls, which I think was kind of their intent at the time.
The problem was it killed the engagement, um, and fewer people didn't comment.
Mike, literally just everything nosedived at that point in time.
So I guess do we have to kill the dark net?
Well, you know, it's an interesting question.
I think we could kill it if we wanted to.
I mean, you know, it's interesting to me that I've worked with a known technologist,
computer engineers for the last four decades.
And they're the kind of people who basically say, I can do anything in a technology world,
just tell me what you want to do. But the one thing they don't seem to be able to do is to
react to building a better internet, you know, recreating it. I mean, I've said, I've mentioned
the thesis of a book to a few people who are
actually involved in the creation of the internet. And you would think I just shot their dog on their
front lawn. You know, they go into a fetal position and say, oh, no, that can't happen.
You can't, you know. And the fact of the matter is, I think we can do almost anything technologically.
Now, how do you get to the dark web? You get to the dark web by using a special browser. It's the only way you'll get there. And a lot of the sites
are by invitation only, or you have to be admitted by an administrator. So it's difficult to deal
with that kind of a construct. But if you can't find the browser, because the browser is not
around, and you can't get to those sites, it doesn't matter whether you're invited or not, right?
So, yeah, we could do a lot of this stuff, but at the end of the day,
who is it that's doing it?
Who's the we, right?
Remember, the Internet is under the control of the entire globe.
It's not just an American Internet, right?
And who are the governance authorities?
Well, there's ICANN, there's this, there's that.
You get your domain name from them.
But as I said, there's no cyber police.
There's nobody governing any of this stuff.
So that's the first question.
Who's the we that does this, right?
Who's the we that makes the rules and enforces them?
And what I say in the book, I was a regulator,
a financial regulator for eight years in this country,
and I know the pitfalls of regulation.
I know the upside of regulation.
And what I say in the book is the digital economy is forcing us to have a different mode of regulation.
And what I mean by that is regulation has got to be collegial, not adversarial.
The regulatory system we have today is a gotcha system.
You do something, the FDIC comes out and crushes you. The Federal Reserve Board crushes you.
It's an adversarial relationship. I would rather see regulators that are composed of the business
side and the government side together. Just think about this for a second. Supposing the Federal
Reserve Board had four people from the private sector who are operating still in the private sector.
They haven't left to go in the government.
And four people who are government experts, right?
Four and four.
They would actually have to reach a consensus to do something because they'd have to find a consensus position to get a vote to do something.
And that means they would have to share information with each other.
The technology side would have to share information with the government side.
They'd have to work together to get to a solution.
That's the kind of regulatory system that's going to work in this digital economy.
The old one is not going to work.
I think the FBI and the NSA and probably some other Homeland Security,
I think they all have different aspects of this where they're trying to be a policing unit.
Are those guys effective?
Do they need to be more effective?
Is that the way to go at trying to have the FBI and other government authorities
that are supposed to be running security in this country do more and spend more?
Yeah, well, like everything else, Chris, you've got a lot of agencies doing a lot of things
and not a lot of coordination, but you do have the FBI.
And the FBI, I mean, if you read about it, the FBI is spending an enormous amount of money
and resources dealing with the dark web.
You've got NSA.
You've got Homeland Security.
You've got any one of a number of law enforcement
agencies all sort of trying to figure out how to deal with all of this flood of threats
and cyber attacks.
And the problem is we have tied their hands behind their backs.
We have given them an environment to work in that's impossible.
They're going after people who are anonymous anywhere on the globe, right?
It takes forever to find them.
There's a great book written called The Cuckoo's Egg.
I think it was written in 1987, 88,
about a hack of a lab in Berkeley by what turned out to be the KGB at that time.
Oh, wow.
And it turned out it showed up as a 75-cent discrepancy on the accounting files of the
Berkeley lab.
And the person who was appointed, an astronomer, was appointed to basically look at the accounting
statements every month.
And he said, what's this 75-cent discrepancy?
Who used the computer for 75 cents worth of time and didn't pay for it?
Right?
Two years later, with no help from the FBI and the Secret Service, the CIA,
but help from the German authorities, he found a few guys sitting in Germany who were from Russia, part of the KGB or the GRU, whatever it was at the time, who were infiltrating the Berkeley lab because it was an access point to get into every Air Force base in America.
Holy crap.
Right?
And eventually some people went to jail.
But it took years and years and years.
And so what kind of disincentive is that to people to try to do those things?
Because their chance of getting caught and their chances of getting punished are astronomically low.
It's a terrific book, The Cuckoo's Egg.
It's just, it goes on and on.
And you would hope, he said, for instance, I called the FBI and they said, does this involve a million dollars of damages? He goes, no, it's 75 cents. And they said, well, don't bother me.
Well, 75 cents was the tip of the iceberg. It turned out to be multi, multi millions of dollars, but of course you can't see that at the beginning.
The second question the FBI asked: is it classified documents? He said, I don't know, and they know. So they wouldn't help him.
And that's probably true today.
That's probably what happens today.
And I'm not faulting the FBI or any agency.
They only have the resources they have.
They have to go after sort of the things they can get.
But we have tied their hands behind their backs in terms of trying to deal with these situations and they're only going to get worse.
There you go.
There you go.
Well,
this has been really insightful.
We want people to go buy the book.
Anything more you want to tease out on the book before we go?
Well,
one of the things I guess I'll tease out is some of the solutions I talk
about in the book and how they might work.
And, you know, I lay out about a hundred different things that people have talked about.
You know, better coding, standards for coding, transparency.
I mean, transparency is an important one.
Does the government tell us what it's protecting
and what they're not protecting?
We don't know, right?
We assume, the normal human being will assume,
since it's on the internet, the government must think it's okay.
Well, that's not the case.
The government's not doing anything there.
And what about transparency from the people who are providing this information on the Internet?
Does any of them tell you what they're using the data they're taking from you for?
No.
I mean, so we need transparency.
We need zero-trust architecture.
And lastly, I'll come back to what I said before.
We need sidecar networks for critical infrastructure.
The current internet was never meant to be secure.
It was never meant to support critical infrastructures like financial services, power, military defense.
It just wasn't built for that. And so if we're going to use an online
capability for that, we have to rebuild at least that part of the internet. If people want to use
the other part of the internet as sort of a three ring circus for things that aren't important,
that's fine. But if it's something critical, something important, it's got to be in secured
networks that the general public can't get onto without satisfying authentication, governance, enforcement standards.
There you go.
There you go.
Well, Thomas, it's been wonderful to have you on the show once again and very insightful as well.
Give us your .com so we can find you on the interwebs, please.
Yeah, it's thomasvartanian.com.
Very easy to get to, and you'll see everything you need to see there.
There you go.
Order it up, folks.
You can preorder it right now.
It'll be released on February 15, 2023.
The Unhackable Internet, How Rebuilding Cyberspace Can Create Real Security
and Prevent Financial Collapse.
Thanks to Tom for being on the show with us today.
Thanks to my audience for tuning in.
Go to goodreads.com, forward slash Chris Voss, youtube.com, forward slash Chris Voss, LinkedIn, and all those crazy places on the internet.
Thanks for tuning in.
Be good to each other.
Stay safe, and we'll see you guys next time.