ISMG Editors: Major Crypto Mixer Decision Redefines Rules
Also: Gen AI's Impact on Privacy; Cybersecurity Reasons To Be Thankful Anna Delaney (annamadeline) • November 29, 2024In the latest weekly update, ISMG editors discussed Tornado Cash's landmark legal victory affecting crypto mixers, the impact of artificial intelligence on data privacy, and advancements in cybersecurity for which the industry can be thankful as it heads into 2025.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Rashmi Ramesh, assistant editor, global news desk; and Suparna Goswami, associate editor, ISMG Asia - discussed:
- How a U.S. federal court decision overturning sanctions against Tornado Cash highlights a number of issues, including outdated laws, the legal gray area surrounding crypto mixers and the challenges enforcement agencies face in addressing cybercriminals who use privacy-focused tools;
- The impact of generative AI on data privacy in 2024, including the rise of data discovery technologies, debates on data localization driven by geopolitical tensions, and the potential convergence of AI and privacy governance teams to streamline oversight;
- Recapping positive cybersecurity developments of late, including the resilience of the community, real progress in cloud security, better collaboration and the ability to learn from challenges.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 15 edition on the growing public health crisis of ransomware and the Nov. 22 edition on China-linked espionage targeting U.S. telecommunications firms.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll delve into Tornado Cash's legal victory, the impact of AI on privacy and what the cybersecurity industry has to be thankful for as we look toward 2025. Joining me are the brilliant Tom Field, senior vice president of editorial; Suparna Goswami, associate editor, ISMG Asia; and Rashmi Ramesh, assistant editor for the global news desk. Lovely to see you all.
Tom Field: It's nice to have this group together. It's been a long time.
Suparna Goswami: Yes, it has been a long time.
Delaney: Rashmi, we're starting with you this week because big news from the courts in the U.S. A federal ruling has overturned sanctions on Tornado Cash, a crypto mixer accused of enabling money laundering, including by North Korea. So, can you break down the case and tell us what this means for privacy, crypto regulation and government overreach?
Rashmi Ramesh: The Fifth Circuit Court of Appeals overturned the decision to sanction Tornado Cash saying that the Treasury Department overreached its authority. The key thing here was the focus on smart contracts, which are essentially immutable lines of code; so, they can't be changed. Now, these smart contracts are at the heart of Tornado Cash, and the three-judge panel that made the ruling said that such contracts cannot be controlled or owned; so, they're not property and therefore cannot be sanctioned under existing federal law. The judges said that it is a legitimate concern because state hackers are using the service to launder billions in stolen cash. But, the issue here is that Congress has not equipped existing laws to target tools like this directly. So, what's crucial here is the court's recognition of a legal gray area, and crypto mixers are relatively new challenges that outdated laws, many that date back decades, aren't designed to address. So, the court said this isn't about ignoring criminal misuse but it's more about ensuring that the law evolves to tackle emerging technologies like this.
Delaney: This specific law was created under President Carter's term, right?
Ramesh: Yes.
Delaney: A few decades old. What I find interesting about this, despite sanctions, is that Tornado Cash saw billions in deposits in 2024. So Rashmi, what does this suggest about the challenges that enforcement agencies are grappling with in the crypto space?
Ramesh: So, people want privacy, and that was the original intention of setting up these mixers. So, people will go where they find it, and if you shut that down, it's easy to find alternatives. And hackers don't care if it's a sanctioned entity or not. They're criminals. They're using these services to launder funds that they stole. It's not like they'll not use a service because the government says they can't. And to add to this, even Tornado Cash, in fact, was accessible even after it was sanctioned, and its code was openly available for anyone who wanted to build a new Tornado Cash and a dozen alternatives popped up in its place almost immediately. So, it's like whack-a-mole at this point. How do you crack down on that? I wish I had the right answers, but I definitely don't envy the position the law enforcement is in right now.
Delaney: Lots still to be revealed on the story. Thank you, Rashmi. Look forward to hearing more. Suparna, as we approach the end of 2024, we've certainly seen generative AI take center stage yet again, putting data privacy and regulations such as GDPR and the European AI Act firmly in the spotlight. So, reflecting on these developments, what were maybe the standout or highlight moments in the data privacy space this year?
Goswami: Sure. Anna. So, like you said, 2024 is the year. Probably, 2023 was about generative AI and people talking about it. 2024 is the year when they have actual use cases. They have experimented with it, and that has highlighted the importance of data privacy with significant developments in price regulations as well. So, I spoke with a Gartner VP analyst - Nader Henein. He's from Germany, and he discussed the impact of AI on data privacy and that has led to the emergence of new technologies such as data discovery technologies, and there's a whole vendor market that is coming down. So, he sees AI as something that is not new. So, we have been talking about AI since the 50s maybe. But, what is new right now is the generative capabilities. So gen AI has shed light on everything AI and that has in turn shed light on the importance of data. And in many instances, what we are seeing is you're using data to train models. The data that is being used to train these models is usually personal information data. But, once these models are trained, you cannot take back this information, and it has become very important to curate data properly. Hence, what we saw in 2024 was AI gaining a lot of attention. It's not that it's absolutely new, but data discovery technology has gained a lot of attention this year, and there are a lot of vendors who are coming into the market. This year, they saw a double-digit growth, and through data discovery technologies, they allow organizations to go and understand the information at a very granular stage, and you can act on your data like that. Another topic that I thought throughout the year people spoke about in the privacy space was data localization. Unlike GDPR, which does not insist on keeping the data locally as long as it's being protected according to the standard set by GDPR, other states and countries are insisting on data residences. For example, Florida has restrictions on data transfers outside of the U.S. or Canada for health records. So, these things are starting to show up in bits and pieces in APAC. We have it in China. We have it in the Philippines. And the analysts hope that this does not become a trend and this is, in fact, a sentiment that everyone I speak with - practitioners and CISOs - because they've spent the better half of the last decade building a cloud infrastructure. So now, if this trend becomes the norm, the entire effort goes away. But yes, there is a trend that is being seen in data localization related to geopolitical tension zones, and that's not a very good thing. So hopefully, we'll see a balance somewhere. So those were the highlights for me in 2024.
Delaney: Good. And what about 2025? What are the key trends or developments you anticipate that will shape the data privacy space next year?
Goswami: So again, in terms of technology, there would be a lot of demand for privacy-enhancing technologies because of AI using data. The market is expecting a double-digit growth in the vendor market space and new vendors coming into that space. Even the cybersecurity vendors are baking in privacy now. Privacy by design has been the talk for years now, but now we are seeing that in practice, because of everything that we are talking about - AI and generative AI. Another trend that I found very interesting and I would love to follow up on is the convergence of AI and the privacy governance team. So in Europe, the European Data Protection Board that oversees GDPR recommended appointing their existing privacy regulators as AI regulators, and that is something that going forward makes more sense, because you can't have two teams reporting to one regulator. So right now, organizations have a very ad hoc team dealing with AI governance. But going forward, businesses will have the data governance team handle both privacy as well as AI. So, that is something that the practitioners are in talks about. Now, nothing concrete has happened, but they also said that it makes sense. So, let's see. I will be closely observing the space.
Delaney: I look forward to those insights. Thank you so much, Suparna. Okay Tom, with Thanksgiving around the corner, it's a great moment maybe to shift our focus from the usual challenges in cybersecurity to what's actually going well. So, what are you thankful for this year in cybersecurity?
Field: I'm thankful for the U.S. finally having a holiday. We could celebrate that. All the time, I'm watching you in the U.K. and Suparna and Rashmi in India have a state holiday, national holiday or bank holiday, and finally, in the U.S., we get our turn. For that, I'm thankful. I'm also thankful for the snow that's in my background. I was in Chicago last week waiting to host a roundtable dinner when the snow hit; the first snow of the season; two to four inches that can stop people in their tracks. I am very concerned about whether we even have anybody show up at the event, and it turned out we had nine registrants, and all nine people showed up at the event despite the weather, and we had this engaging conversation about cloud security. It was an event that was hosted by Wipro and AWS, and I was grateful that everybody found this so important that whatever was happening on the outside, they still came and participated and made it a terrific event. My takeaway was that, as we're talking about cloud security, we're seeing real progress, because the enterprises and leaders are getting beyond this whole notion of - Whoa! This is a shared responsibility. Okay, we get it. Shared responsibility. Move on. They're moving on. They are starting to work to improve their visibility and their access controls across all these multi-cloud environments. And the discussion was about that. And for me and why I tie this back to Thanksgiving is because it was the perfect event because I saw people from past events that I had seen in Chicago before. I met some new people who were attending their very first in-person roundtable. And for me, it reinforces the vitality of these events. People need these opportunities to sit and talk with one another, meet people from outside their sectors and be able to discuss common issues. We make that happen, and it's something that we all leave with - the same gratitude for the opportunity to sit there and be a part of these discussions and see the community come together. We have a rare opportunity to be able to do that, and I'm glad to be a part of it. So, I'm thankful for that, but I have a list of thanks that I would like to share with you.
Delaney: Please do.
Field: I'm thankful for our adversaries this year because they're the ones that keep testing us, testing our defenses. And I don't know if they say this, but they should say this. Every breach that doesn't bankrupt us makes us stronger. So, I'm thankful for our adversaries. Thankful for our defenders. They patrol their beats like police officers every day, not because it's easy, but because it is hard, and because it's the right thing to do. And I appreciate the dedication of these people. I appreciate our vendors and sponsors, because they develop new solutions and strategies, and they give us new opportunities to defend our critical resources. It's a business. I know they're in this to make money, but it's one of the most vital businesses that we support today. I'm thankful for that community. I'm thankful for the government. We talked about them some in this event here, because they do recognize the criticality of critical infrastructure protection, and they are helping us develop the proverbial guardrails - guardrails around AI, privacy and data security. We're seeing some maturity, particularly in Asia and in Europe. And I'm grateful to see this. I'm grateful for our audience. We now have over 1.6 million security and technology leaders around the world paying attention to a forum such as this. They're reading our stories, watching our videos and engaging in our events. This connection deepens the dialogue that we have on a daily basis. And as much as we collectively seek to educate our audience on a daily basis, they teach us so much. They're our greatest teachers, and I'm grateful for this audience that's expanding month over month. I also want to take the time to give thanks to our founder, our CEO, Sanjay Kalra, because ISMG was his dream first, and I don't think even he could imagine what it's become today and what it can become in the future. And my last thanks here is for this team, for our global editorial team. We've got more than 20 editors and journalists around the world - in the U.K., Israel, India and the U.S. You guys are the best. You're the best set of global journalists in the world when it comes to understanding and conveying the criticality of cybersecurity and technology maturity. And I'm grateful to get up every day and be able to work with this team. So, thank you all very much for being a part of this ISMG community, and we have much more to do in 2025 and I can't wait.
Delaney: Beautifully put! We're grateful to you, Tom, for leading our team. It's a pleasure to work with you. So, building on that, what developments or trends are you most hopeful for in cybersecurity in 2025?
Field: I don't think that I'm in a hopeful position right now. I'm a little bit anxious honestly, because we're about to go through a regime change in the U.S., and I don't know what the shakeout is going to be in terms of cybersecurity policy and posture. I don't want to be egocentric, but I do recognize that what happens in the U.S. does impact the world, and I just don't know. I'm a little bit anxious about how things are going to look when we get into 2025. There are going to be some shifts. Now, we go through regime changes and shifts all the time and we continue to preserve it. I don't think this will be any different, but I don't know how things are going to look right now. So, I'm a little anxious about that.
Delaney: Plenty for us to be working on and writing about.
Field: I am sorry. There wasn't a thankful note you were looking for.
Delaney: I was hoping for a little ray of sunshine there. But great. Thank you so much all of you. Brilliant insights as always.
Field: Thanking our audience as well. Thanks so much.
Delaney: Yes, and Happy Thanksgiving. Take care. Thank you for watching.