"Risk is a consequence of dependence. If you get really dependent on something, you probably want to think a lot more about what happens if it goes away."
Learned from his time in the military, Jason Crabtree reveals government agencies’ and private companies’ vast cyber insecurities, leading to his founding of QOMPLX. Crabtree details some of the most common mistakes and how individuals and organizations should approach cybersecurity. He discusses his decision to take QOMPLX public via SPAC. Crabtree offers his views on energy security following the attack on Colonial Pipeline and discusses whether crypto plays a role in increased ransomware attacks. He predicts the nature of future cyber battles and explains how to prepare.
While “complexity” is often viewed as a negative attribute, the most powerful things in life are complex. Planet Earth. Global enterprises. Human beings. Several years ago, Stephen Hawking said “the next century [21st] will be the century of complexity." Rick Nason of Dalhousie University’s Rowe School of Business explains in his book It’s Not Complicated: The Art and Science of Complexity in Business, “if you manage complex things as if they are merely complicated, you’re likely to be setting up your company for failure." Eliminating complexity would make no sense. Embracing complexity and harnessing it is the path to success.
LISTEN AND SUBSCRIBE
SPEAKER
MODERATOR
TIMESTAMPS
0:00 - Intro and military career
6:52 - Ransomware and founding QOMPLX
9:41 - Cybersecurity best practices and mistakes
15:45 - Cyber insurance
18:32 - QOMPLX choosing SPAC route
22:22 - Understanding personal cyber risk
24:56 - Future of energy security
27:15 - Global cyber risks
31:10 - Crypto and ransomware
33:18 - Data integrity and cyber warfare
TRANSCRIPT
John Darsie: (00:07)
Hello everyone and welcome back to Salt Talks. My name is John Darsie, I'm the managing director of Salt, which is a global thought leadership forum and networking platform at the intersection of finance, technology, and public policy. Salt Talks are a digital interview series with leading investors, creators, and thinkers. And our goal on these talks is the same as our goal at our Salt Conferences, which we're excited to resume in September of 2021 and welcome our guests to that conference as well. But that's to provide a window into the mind of subject matter experts, as well as provide a platform for what we think are big ideas that are shaping the future. And we're very excited today to bring you a Salt Talk focused on cyber security and operational risk with Jason Crabtree of QOMPLX. Jason co-founded QOMPLX with Andrew Sellers in 2014. As CEO today, he guides the vision and long-term direction of QOMPLX and oversees all aspects of the company's operations.
John Darsie: (01:05)
Prior to QOMPLX, Jason served as a special advisor to senior leaders in the department of defense cyber community in support of operational cybersecurity missions, including research and development, strategic risk management, and digital transformation initiatives. Jason is a widely recognized expert on cybersecurity, data and risk management. He's been featured on most major news outlets and quoted in the New Yorker, New York times, Yahoo Finance, and more. He received his bachelor's degree in engineering from the US Military Academy at West Point where he was selected as the first captain and brigade commander of the Corps of Cadets and later elected as a Rhode scholar. I received a master's in engineering of science at the University of Oxford before leading infantry troops in Afghanistan in 2012.
John Darsie: (01:52)
Hosting today's talk as somebody with not nearly the resume that Jason has, it's Anthony Scaramucci, who is the founder and managing partner of SkyBridge Capital, which is a global alternative investment firm. Anthony did go to Harvard law school so we'll give him that, but it took him three tries to pass the bar, so that knocks them down a couple of rungs. But with that, I'll turn it over to Anthony for the interview.
Anthony Scaramucci: (02:10)
You see how he starts? Are you going to mention the fact that I got fired from the White House? You throw that in there and once in a while too, you're going to mention that?
John Darsie: (02:17)
We're trying to forget that one.
Anthony Scaramucci: (02:18)
Jason, let's just put it this way okay, I was a little cocky. I was out on Manhasset Bay, water skiing when my friends were studying for the bar, it was my bad. Let's move on Darsie, let's move on. Jason, it's a real pleasure to have you. You got this great story. You're doing things that most people dream of. You went to West Point, you were in a war zone, fought for your country, thank you for your service. You were a Rhodes scholar and now you're building an amazing business. So we have a ton of young people that listen to us. I want you to take us through your mindset and the arc of your career and how you got us to where we are right now.
Jason Crabtree: (02:57)
So I started raising cows. So that was actually...
John Darsie: (03:01)
That wasn't in the bio.
Jason Crabtree: (03:04)
So I grew up raising some Angus cattle and I grew up around a lot of ex-military people out, out of just West of Seattle. So I got to know a lot of folks that had been mostly part of the Navy, usurprisingly, it's a little wet there in Puget Sound. And we realized hat frankly, that post 9/11, that I wanted to do something with public service. And when 9/11 happened, I said, "If I'm not going to do this now, then this isn't a serious thing for me." And I had an opportunity to get to know some West Point graduates that I used to go mountain climbing with for fun. And they had this tremendous view on leadership.
Jason Crabtree: (03:39)
It was much more about enabling the people that worked for them and it was a little bit of the opposite of the Navy boomer commanders that I knew that were in the area where there's nothing closer to God than a boomer commander that's underway. And so I ended up finding myself just really drawn to these people and decided to apply to the academy and was fortunate enough to get accepted. And that started a whole chain of unexpected events.
Anthony Scaramucci: (04:02)
Your service in Afghanistan was in 2012. And when did your service end?
Jason Crabtree: (04:10)
So I left the army in late 2014 after working at Cyber Command for a few years. So the time Paul Nakasone who now runs the NSA, he was a one-star still and so I worked for his boss, Lieutenant General [inaudible 00:04:22] Hernandez, which was awesome, great experience for me to just be able to see the whole of government capabilities in this space and what we were doing. And frankly, figuring out how the government was trying to sit alongside what was happening in the private sector.
Anthony Scaramucci: (04:36)
I got to Afghanistan on a troop support mission in January of 2015 and so I met with General Campbell and his staff in Kabul, and they took me into their Cyber Command center. They showed they had actually Australian army in there with them as well. They were showing us the drones that were up in the air at that point, it's declassified now, they were in the process of disrupting a terrorist camp of which was in the Khandahar region. They ultimately went in there with the Afghani special forces, wiped out 180 terrorists, took all their laptops and so forth. And then we met with the Cyber Command people to discuss how they were going to unbundle those laptops to find treasure troves of information related to potential terrorism in the West. Is that sort of the stuff that you were doing, Jason?
Jason Crabtree: (05:32)
So I was an infantry officer. So after I finished graduate school at Oxford, I came back, went to ranger school, went to entry school and then went to out to Fort Lewis and then across to Kandahar initially. So probably not that far from where you were, right at the tip of the horn of Panjwai and Arghandab River Val. And so I spent time down there with a really great group of soldiers. And as you noted, a big part of getting advantage in Afghanistan was trying to figure out how you could suck out enough information to have an intelligence driven mission. Could you be focused about what we were trying to do? So we were constantly dealing with the bags of stuff that would come back from some of the different types of raids or other things, and could you figure out quickly what was there so you could get ahead of where the enemy was planning in their own cycle?
Anthony Scaramucci: (06:18)
And so Cyber Command is wickedly important for the American military. It's wickedly important for the defense of the United States. And we are at war right now, at least that's my opinion. I'd like to get your reaction to that. We're in an information war, the war is hacking, ransomware, disinformation that's being flooded onto the internet. Tell us about your business. Tell us about where we are in the world related to ransomware? And tell us your business model, Jason.
Jason Crabtree: (06:53)
Yeah. So I think when you start to look at where we are as a country, we're experiencing two kinds of things. We're experiencing all the information operations stuff, that's all the disinflation capability, that's all the manipulation of social media and how can you get people to behave differently? And then we're experiencing all of the actual attacks you're seeing in the news right now, which are much more about getting paid. And most of those are these criminal organizations that are out there harvesting American and global companies. And they're harvesting vulnerable businesses that have money and they can shut them down and hold them hostage. And that's a really attractive thing to do if you know how to get paid for it. And the entry price, the ticket price for that to join that ecosystem is pretty low. And it's gotten a lot lower over the last decade because so many of the tools and techniques to actually go out and find vulnerable businesses and hold them hostage are just widely available.
Anthony Scaramucci: (07:51)
And so QOMPLX, you started it out of your garage, which is the classic American story, I absolutely love that. We started SkyBridge out of a little tiny office and you're going public via SPAC. Take us through that journey. Jason, take us through it.
Jason Crabtree: (08:06)
So, when Andrew and I were still in the service, we worked on a lot of these core defense issues. How do you be able to see not just the perimeter of these networks, but what's happening inside? And that's a big part of the story about why cyber attacks just continue to grow. The reality is that most businesses and government agencies, and you saw this not just in ransomware attacks, but remember department of justice, department of treasury owned end to ends, the keys to the kingdom held by Russian nationals. That's just this last year. Those capabilities were really about taking over the center of these networks because they look like a raw egg. They got this real thin crust and inside it's just a big gooey middle, and you can go wherever you want after you get in.
Jason Crabtree: (08:52)
And so we left in 2014 because we realized that some of the most important things that we were lacking, that private sector didn't have, public sector didn't have, was all about, could you actually make that big gooey middle more difficult? And could you identify the cracks on the outside of that network fast enough and quick enough that you could find them and patch them up before bad guys found them? And I think what you've seen as the answer is we haven't done very well in that as an industry and QOMPLX is doing that for some of the world's largest companies and government agencies, is we really try and change the power imbalance and put the blue guys back on the right side of history here.
Anthony Scaramucci: (09:30)
Oh, I love it. I want to take it to the very human level. What can individual executives and regular people do to keep themselves safer?
Jason Crabtree: (09:42)
Well, I think part of this comes down to the basics. Everybody wants to go talk about magic pixie dust, AI sparkle stuff, and they haven't gone back and done the basics and say, "Do I even know what's on my network?" If you're a corporation, "Do I actually know what kinds of privileges, what are people allowed to access?" That's one part of it. But for just a common person, don't reuse your passwords all over the internet. Go get a password manager. It's cheap, it's easy. There's even some free ones that are out there. It'll help you use a unique password and every site. And that's part of why you see a lot of folks get harvested and lose their social media accounts or lose their email accounts, it's because they're reusing passwords all over the place.
Jason Crabtree: (10:20)
The next thing is, turn on multifactor authentication. Multifactor authentication are being enabled everywhere. It's not going to stop everything, but it's definitely going to make it harder. It makes it more likely that someone has to target you. Last one is, backup your stuff. Whether you're a small business or whether you're an individual, a lot of people don't actually back up their things or ever even know how to restore from a backup. And that stuff's not sexy to talk about, but it's actually what helps people get going. And after that, it's all about visibility. And for corporations, are you looking for these things fast enough so you can identify where people screw up and put stuff on the internet that shouldn't have been there, or you can identify when people are in your network? You actually have to look for it. You can't bury your head in the sand and then say, "Oh my God, we're so surprised. Somebody was in here trying to get the money out of the bank. There's gambling in the casino, heaven forbid."
Anthony Scaramucci: (11:10)
I'm always worried about this stuff. And I'm fascinated about your view. Are there too many companies offering cybersecurity services and technology? I see more and more announcements and there are big transactions, public and private all the time right now. What's your thoughts on that?
Jason Crabtree: (11:27)
Yeah. I think cybersecurity is going to go through a real consolidation and we think that because you see so many legacy companies that were really designed for this big perimeter focused defense. A lot of corporations and government agencies were building more and more elaborate perimeter defenses, these tiler and taller walls. And it turns out that, whether you to pick the imagine a line or lots of other historical examples, you can go around the wall, you can go under the wall, ad that's exactly what you see happening with phishing attacks. So you get someone to click on something and download it and it bypasses the big wall into the organization. It's exactly what happens when someone in the finance department or the HR department opens up somebody's resume because that's their job every day to click that, someone's going to have a malware capability embedded in that, or they're going to have a macro in an Excel spreadsheet. Everybody loves to send those around.
Jason Crabtree: (12:22)
But turns out those are some of the most dangerous things you can possibly do is open up an Excel spreadsheet with a macro, and I don't see that going away anytime soon. And as a result of that, that means that you bypass all these tremendously expensive legacy companies that were really configured for a world that doesn't exist anymore. And their blinky boxes don't go to the cloud very well. And that's why you see QOMPLX and others, I think, positioned around the identity space. Identity is much more central to the future, and frankly, you're seeing the government endorse it. That's why President Biden just signed the zero trust order as part of the executive order for the federal government just a few weeks ago.
Anthony Scaramucci: (12:58)
It's great stuff. So where does QOMPLX fit into that picture? How do we defend business and society? Give us the macro framework.
Jason Crabtree: (13:07)
So the macro framework is you're hearing big words like zero trust. And zero trust is all been about this idea that you're going to move away from the big perimeter and you're going to make your identity the center of your defense. Great. It also only works if you can authenticate that people are real, that computer and user log-ons are real. And it turns out that whether it was the office of personnel management, so in 2014 you saw this huge, huge attack by the Chinese, where they took millions of people's personnel records, their applications to gain a classified intelligence permission from the government, and we saw millions of those records go to China. That same attack was a part of what you saw at capabilities like Marriott, Merck, TravelX, Finastra, Norsk Hydro, all of these massive breaches that disrupted companies. Same thing at Colonial, this is what dark side ransomware getting does. This is what the Russians just did to DOJ DOT and the whole solar winds debacle.
Jason Crabtree: (14:13)
They all attack the keys to the kingdom. And once they get the keys to the kingdom, they can create users, they can impersonate users, they can do what they want because it's not your network anymore, it's theirs. And I think what QOMPLX really does is we actually catch that and we do it now for some of the world's largest corporations. And it's funny because this is actually what Andrew and I helped work on some of these problems for the defense department when he was doing some chief architecture work for the air force, before we started the business. We just realized that we needed to go so much further than the big incumbent vendors were willing to go. And that's what QOMPLX has been doing for the last six and a half, almost almost seven years now.
Anthony Scaramucci: (14:49)
So when you say much further, describe what that means? What does so much further mean in terms of capabilities?
Jason Crabtree: (14:57)
Yeah. So every time a user or computer wants to do something, you want to send an email, go to a file share, you have to effectively say, "Hey, am I allowed to do this?" The problem is if I can just impersonate me being you well, that's better than me being me on the SkyBridge network. I'd rather be you on the SkyBridge network.
Anthony Scaramucci: (15:16)
You don't want to be me. Apparently I got fired from the White House and I failed the bar three times. So you can ask John Darsie, you probably don't want to be me. But I get the point, but I want to switch subjects for a second and ask you about your opinion of cyber insurance. We're watching more accelerated losses. I think they're confused about how to write premium related to these cyber losses. What's your thought there? And where do you think that industry is going?
Jason Crabtree: (15:45)
Yeah. So I think whether it's ransomware or whether it's cyber insurance, the whole world's gone digital. And that's not going away. But risk is all about what you're dependent on you. You have a lot of risks if you're dependent on stuff. And today cyber security is really in the news because in the course of the last decade, everyday business doesn't function without the IT department operating anymore. And I think the challenge when you look at cyber insurance, and this is where insurers are having to figure out what to do with it, it's the fastest growing line of insurance. It's also the one with the fastest deterioration in terms of its actual losses. So the adverse development you're seeing is really, really negative. But they have to solve it because everything's getting instrumented. You can manipulate a building control system and cause a fire.
Jason Crabtree: (16:38)
There was a big article this week talking about how vulnerable America's water systems are. Well, America's water systems can be manipulated, you can poison people, you can hurt people. So you don't really have a choice if you're an insurer in property and casualty about whether or not you're going to get good at this. You just have to figure out how to actually learn what the hell is going on so you can navigate it. And what you saw insurers start with was surveys and surveys didn't work very well. And then they said, "Hey, we'll look at the outside of that egg. We're going to scan the outside of you and maybe that'll work." The problem is though that all the big breaches were all about taking over the middle, getting the keys to the kingdom. And so what insurers are starting to figure out now is that all their loss events all look the same. 90% of breaches roughly, end up involving active directory and these big identity providers getting compromised.
Jason Crabtree: (17:24)
And that's exactly why you see both the security industry and the insurance industry suddenly saying, "Oh my God, we've got to totally reposition ourselves from building taller fences, to having really disciplined hunting and identification operations so we can find and root these kinds of people out. I don't want to be an outsider on your network. I want to be an insider. And if I take over your identity provider, I am an insider." That's the goal of every attack is to become authenticated. And that's why you see insurers really struggling.
Anthony Scaramucci: (17:53)
I think it's great insight. It's great commentary. Let's switch topics about going public through a SPAC.
Jason Crabtree: (17:59)
Sure.
Anthony Scaramucci: (17:59)
Now Jason, I know I'm not somebody, I'm going to explain to you why, because the Wall Street Journal said that everybody that's somebody has a SPAC. And we don't have one so therefore I know I'm not somebody. But you have a SPAC and you went public in that methodology rather than through a traditional IPO. Explain why, SPACs are obviously very popular, why did QOMPLX choose that path? And then obviously, can you hang with the big companies who are making moves in the space through that structure?
Jason Crabtree: (18:32)
Yeah. Well, I think it's a really fair question. The SPAC market is certainly widely debated. I think the reality is for companies like QOMPLX, we are a real business, so our performa business, we bought a partner as part of this as well, our performa business did 96 million in revenue last year. So we're not one of the folks that are, I'll call it in the totally speculative bucket. I think we're building a real company, we're driving real revenue, we work with real partners, we have long relationships with them. But we also really wanted to partner with long-term investors and institutions that we know are committed to cybersecurity and this broader digital transformation as part of the future. I think QOMPLX is really tied in to this idea that you're going to want to watch the things you care about. You're going to want to see how healthy they are. You want to see how they're interacting over time, and you're going to want to simulate a lot of different futures for them so you can figure out how to make better decisions.
Jason Crabtree: (19:28)
That's really what risk management is. Can you identify something that's going to get you hurt or is going to be a great opportunity? And can you figure out how to maximize the likelihood of avoiding the bad spots and getting the good spots? And for us, a SPAC vehicle and for us, we partner with Tailwind and Bill Foley, Cannae Holdings is our largest shareholder going into the transaction, the largest shareholder coming out of it. It was really just about building our company and making incremental improvements to the capabilities we provided the clients. We could have done it privately. Being public, it allows us to be more aggressive in our future as we actually are really preparing to continue to tussle with these much larger businesses that are trying to figure out how to transform themselves from these legacy providers to a company that looks more like us, where we're actually a cloud native analytics infrastructure provider. We actually do this stuff like they're trying to make themselves look like for the future.
Anthony Scaramucci: (20:24)
Well, listen, I think it's awesome. I don't want to take all the questions because we have the very elegant and intellectual John Darsie on deck here. But I want to ask this macro question. You went from West Point to Cyber Command, to taking your company public. After you ring that bell, what's next? And when do you sleep and how do you sleep? Do you sleep upside down? What are your secrets, Jason?
Jason Crabtree: (20:49)
Well, I think we're very just focused on how to go build the business, but I'm looking forward to getting some time back out in Montana with some family and frankly, getting an opportunity to just take a breather and spend some time with my little girl, my dog, and my wife. So that's definitely coming up for us. But I think for me, going through this whole process of going through the public listing process through SPAC has certainly been a great learning experience, but it's just really confirmed for us why I think a lot of great companies are going to continue to go through a SPAC listing process where they can partner with really good sponsors and frankly, engage with a lot of great investors. We had some great books come into our pipe and I'm excited about what that means for our future.
Anthony Scaramucci: (21:32)
I'm super excited for you. It's an amazing thing that you've done and congratulations on the company. I'll turn it over to John for some remaining questions, but I'm looking forward to meeting you in person.
John Darsie: (21:43)
Yeah, and one of the things we're really excited about for our Salt Conference in September is having Jason and the QOMPLX team there. I know you work with a lot of organizations that we do business with as well, but helping to train our audience in terms of how to create more secure environments and more secure work processes is something we're looking forward to in September, and having you guys there. So grateful to have you involved. But we were joking before we went live, as we were setting up our cameras, about whether you had tape over your webcam or things that you can do individually to maintain individual cybersecurity. What are steps, if I'm an individual looking to just create a more secure environment in my life, what are steps that you would recommend?
Jason Crabtree: (22:23)
Well, I think the reality is that people just need to be aware that everybody's a target. And especially when it comes to small businesses, a lot of the folks that really get hurt by a lot of the ransomware groups in particular are small companies. And you see that when they take on your local school district. Ryack is really famous for actually stealing your financial information, and when you say you don't have money for ransom, they'll give you back your bank statement, show you how much money you have so that they... They like that kind of stuff because it engenders the right kind of response. So I think if you know that you're a target and then you start to think, "Hey, I don't want to walk down that dark alley. I want to think a little bit more carefully about how it is that I'm positioned." Password managers, multifactor, backups, make sure that you're actually configuring your stuff to be secure. Don't just enable everything. You're going to be much better off.
John Darsie: (23:09)
Yeah. You, I understand, are in the early processes of writing a book about how the democratization of technology is going to impact security going forward and that covers a lot of different areas. But what exactly does that mean? How does this democratization we've seen in the technology world impact how we need to look at security and operations risks?
Jason Crabtree: (23:33)
I think the key thing just goes back to some really simple precepts. Risk is a consequence of dependence. If you get really dependent on something, you probably want to think a lot more about what happens if it goes away. And a lot of organizations that get themselves in a lot of trouble, don't take the time to say, "Hey, how do I fall back from my primary mode to my alternate mode, to some sort of contingency or emergency plan?" And I think for whether it's your personal life, if your phone goes dead, do you have a map? Those types of simple types of relationships with technology in our life are becoming more important. And you see this when you see the internet outages, you see ransomware attacks, you see this just very complex digital supply chain that's emerging.
Jason Crabtree: (24:11)
So a lot of what I've been thinking about and had published on the past has been much more about how do you allow people to think about what are their dependencies? What is my unique business? What is my unique life depend on? And how do I get more comfortable that I'm going to be able to be successful even if something in there gets mucked up on a day-to-day basis?
John Darsie: (24:30)
Right. And energy is an area that you've covered a lot in the past. You wrote a book in 2015 called Driven By Demand How Energy Gets Its Power, which we would highly recommend. And obviously we saw the colonial pipeline situation recently and there's a lot of implications of a move towards more smart infrastructure that's more plugged in, but with that comes more risk. What is the global energy future look like? And how do we optimize it from the current system?
Jason Crabtree: (24:57)
I think one of the key things when you talk about energy, and it doesn't matter if you're talking about the power system challenges you're seeing in ERCOT that have been in Texas over the last year that have been very visible and in the national eye, or if you're thinking about resource and exchanges because of climate concerns and the shift away from coal and fossil fuels. It turns out that you have to think about how do you coordinate this stuff? Electricity moves at the speed of light, so you have to balance the inputs and the outputs constantly. And that requires a lot of information technology because you have to coordinate a lot of different people that make energy and consume energy. So if you're able to do that, you can do a much better job of having a much more efficient and flexible future, but wind farms and all these other variable power sources, they're both variable and uncertain.
Jason Crabtree: (25:46)
And so I think no different than when you're talking about dealing with variability and uncertainty in financial markets, or dealing with it in your own life, those are two words you really have to watch out for. And it means that you have to think carefully about how you do your own planning and again, you have to think, "What happens if this thing isn't available when I need it?" A nuclear power plant, you pretty much know it's going to be there when you're thinking about being dependent on wind and others, it's not that those aren't very valuable, they are, but you have to coordinate them as part of a whole system. And that whole systems design is a big part of our future.
John Darsie: (26:16)
Let's talk more about China for a minute. So the US government in one of the first big bipartisan pieces of legislation that we've seen in a long time just passed the $250 billion bill that'll be deployed over five years to build up our manufacturing infrastructure and our high-tech infrastructure, as a specifically an answer to China, their dominance on chip making and other resources like that. There was a great podcast from The Daily recently about Apple and decisions it's made in order to do business in China that potentially come with some risks. Tele-communications infrastructure Huawei has been on the controversy around 5G and whether or not the US is doing enough to invest in that infrastructure or seeding that territory to China. But how much of a risk in your eyes is China in terms of aggressive cyber attacks, cyber espionage, and how that could be used in more nefarious way moving forward?
Jason Crabtree: (27:16)
Yeah. So listen, I think it's widely acknowledged that Russia, China, North Korea, Iran are some of the most belligerent entities we'll call them, in terms of thinking about global cybersecurity and what that means. I think it's important to remember though that China historically has been much more around intellectual property theft and data theft for espionage and intelligence purposes. And that's been different than, I'll call it some of the moonlighting and some of the toleration of large scale criminal organizations that you've seen in Russia or parts of the supply chain for those criminal enterprises that are largely in parts of the former sort of Soviet Union. And so I think China is important as well in the sense that, if you look at some of the major recent attacks, after solar winds, there was actually a series of events around some Legacy VPN providers perimeter backing up that firewall edge perimeter device space.
Jason Crabtree: (28:13)
But when China got burned on one of its ops, it actually effectively let everyone have access. So Russia imposed a different way of thinking about being very stealthy and a little bit more targeted. China burned down its operations by kind of saying it's free for all and hiding in the noise. So it's going to be important for us to be honest about how to deal with these folks in different ways. And China's mostly still focused on pilfering secrets that can be used elsewhere.
John Darsie: (28:42)
Right. There's certain cyber attacks, including the recent one of the US government that we believe came from Russian sources, that we stumbled into. And they might've been in those systems for longer than we would like to think they were. But it led me to a thought and a question around how many, or what percentage of cyber attacks do we discover and how many just continue to live inside some of our systems in a more surreptitious type of way? But in terms of our ability to discover and detect cyber attacks and espionage, is there a percentage that you think about in terms of how many we actually know about?
Jason Crabtree: (29:20)
Well, I think part of why you're seeing more reporting is you're actually seeing more organizations know they're breached.
John Darsie: (29:26)
Right. Which I guess is a positive thing, right?
Jason Crabtree: (29:29)
Well, I think understanding the scope of the problem is really important. And I think you're going to see more movement towards mandatory breach disclosure for public policy reasons as well. And I think you're seeing even some proposals this week from Senator Warner and others that are driving us that direction. And part of that is that a lot of organizations haven't shared that they've been breached because they didn't have a mandatory reporting requirement. So even when people think about how big the JBS or Colonial ransomware were, and those were 4.4 million for Colonial, roughly 11 for JBS. CNA Financial, big insurer in Cincinnati, $40 million ransomware this year.
Jason Crabtree: (30:11)
So there's real money out there that started to go into these criminal enterprises and it's hundreds of millions of dollars this year alone. And it's driving continued escalation of capabilities and it's driving a lot more people to get into that space. So you've got to see more aggressive prosecution, but we also just got to make ourselves less of a target. Right now we've got a target on our back, we live in a glass house, and we look like something that's really easy to rip off. And that's part of why you see them doing it.
John Darsie: (30:38)
Right. How closely have you studied cryptocurrencies, blockchains, how those are enabling this rise in ransomware and attacks? Obviously the Colonial pipeline situation, the ransom was paid in Bitcoin, but the government was actually able to recover portions of that bribe. Do you think that crypto is creating this rise in ransomware attacks, or do you think it's just something that people are using it as an alternative to other systems they've always used in the past for ransoms?
Jason Crabtree: (31:11)
I think certainly crypto is one of the contributing factors that's helped make it easier to move vast amounts of money, and at least pseudo attributable formats across national boundaries. It's certainly easier to get money around the world using cryptocurrencies or NFTs or other things than it is to get swift transfers through a process and laundered as an example. So it's certainly an element, but it's definitely not driving all of ransomware. I don't think it's fair to say that cryptocurrency is causing ransomware or causing crime. If a bank leaves a bunch of hundred dollar bills in the middle of the lobby and with a sign that says, "Don't take, pretty please." We don't say, "Oh fundamentally, the problem is that we make money." And I think that's exactly why you see us call for two things.
Jason Crabtree: (31:59)
You need to see more stuff like what Lisa Monaco is doing, what John Carlin and others are doing in department of justice, going after and imposing costs and consequences on criminal organizations. So we should prosecute them. But we also actually have to acknowledge that a lot of global corporates and a lot of American businesses, large and small, are making it really easy. They're leaving stacks of Benjamins in the lobby. And then they're upset that there's gambling in the casino. They're upset that somebody is going to try and take them. And we've got to actually harden our defenses and not be surprised that criminal organizations are going to try and get paid.
John Darsie: (32:31)
Right. And we're hopeful that Lisa Monaco is going to join us at Salt in September, actually, which will probably put her just before the panel that you speak on, because she's obviously tackling a lot of the cybersecurity issues within the administration, Deputy Attorney General, for those who aren't aware. The last question I have for you, and it's more around warfare. You obviously now are focused more on the business community, but you spent time in the military. What big threats keep you up at night when you think from a cyber perspective or even of the other perspectives and what is the future of warfare look like? There's some startups, Anduril is one that just got, I saw they got a series D round, they're raising a lot of money to tackle the future of warfare with drones and cyber and all kinds of stuff. But what are the threats that keep you up? And what does the future of warfare look like?
Jason Crabtree: (33:19)
Yeah. So I think when you think about challenges that we're going to face in the future, and in some ways this ties back into Anthony's earlier question, how do you deal with securing the integrity of the information that your people, your trusted sources give you, your financials, your operations, things that you believe to be true because you sensed them, you measured them, you stored them, you moved them? And how do you also reconcile that with a world where you've got lots of people walking around with what would have been in the 1980s, a supercomputer. The iPhones, the Android phones, they've got everything from cameras, to microphones, to other kinds of sensors on them, and they're tremendously powerful. And now you can take that information where there's a shred of truth, and you can use a lot of different AI tools to manipulate that in a really convincing ways and to amplify those signals.
Jason Crabtree: (34:16)
So I think half of this discussion, and I think this is just as true for warfare is about how do you make sure that the integrity of what you own and control and operate is real? Why do I believe what I believe? How do I know it's true? Do I have security and visibility in my data supply chain? And that's part of why we started QOMPLX was not just the cybersecurity stuff, but how do you control your data supply chain? What's the ingredient list? You think about food safety or something simple like that. What's the actual nutrition label for the datasets that you're making your decisions on? I don't care if you're trading or if you're going to actually launch a bomb strike, you need to know what that is. And then the second app is, if you're paying other people for information, how do you know why they know it? And is it real?
Jason Crabtree: (35:03)
And so I think you're going to continue to see military community, intelligence community, finance community, individual people, trying to figure out how to navigate that. And that's going to be here for a long time. It's part of why I think it's a big growth industry for us to be in. We're a data company about risk and it's one of the most dynamic and fun places to be. So I can't imagine any other place for me. And frankly, we're also doing it for government and we're doing it for big companies. So we're seeing both sides of that in a really unique way. And I think it's going to keep driving, at least my thinking.
John Darsie: (35:37)
Well, I sleep better at night knowing that smart people like you are tackling these problems. So Jason, thank you so much for joining us here on Salt Talks. You guys are doing amazing things at QOMPLX. Again, we're grateful to have your expertise at Salt in September. And I know our community is looking forward to hearing from you. Anthony, have a final word for Jason before we let him go?
Anthony Scaramucci: (35:57)
Well, we know as entrepreneurs, it's all about the execution, Jason. So congratulations on the brilliant execution of what you're doing and we wish you great success and we'll see you at Salt. And you I've made a three step authorization by that time so you'll have to take me through that as well. All right?
John Darsie: (36:16)
I'll tell you a story offline about when Anthony got the job in the White House and he was calling me to help him secure his iPad and his laptop and things, but story for another day.
Jason Crabtree: (36:27)
Looking forward to it.
Anthony Scaramucci: (36:28)
And if you think I was relying on him for that, okay, I got a bridge I can sell you here in Manhattan, all right, Jason? All right, you guys be well. Have a great one.
Jason Crabtree: (36:39)
You too.
John Darsie: (36:39)
And thank you everybody for tuning into today's Salt Talk with Jason Crabtree from QOMPLX. We think these topics around cybersecurity are extremely important. So thank you for tuning in and please spread the word about this talk if you enjoyed it. Just a reminder, if you missed any part of this conversation or any of our previous Salt Talks, you can access them on demand on our website. It's salt.org\talks or on our YouTube channel, which is called SaltTube. We're also on social media Twitter at SaltConferences where we're most active, but we're also on LinkedIn, Instagram and Facebook as well. And on behalf of Anthony and the entire Salt team, this is John Darsie signing off from Salt Talks for today. We hope to see you back here against soon.