I’ll be speaking at ETHCC[7] this year in Brussels on July 8, the Security track. If you’re at the event, say hi. Those of you on the intertoobz can follow along online.
What am I talking about?
Managing security risk in crypto/web3 is completely different than in web2. Many newcomers to the space try to bring their tech stack and assumptions from web2 and then get rekt. You must adjust your assumptions and change your attitude to security risk.
I don't want to see anyone get rekt. That's what this talk is about.
The risks are different and so your approach must be different. YOLO-no-security-posture-take-the-tech-debt is a fine and more than acceptable way to launch a web2 startup. Your worst case scenario is a data breach that involves consumer PII, and from a business perspective, who actually cares? I know that sounds cynical but for the majority of companies, the financially-sound decision is to accept data breaches as the cost of doing business, pay the fine (if any), and move on.
But crypto is different. Unlike PII, fungible and non-reversible cryptocurrency causes your employer immediate financial harm when stolen.
In web2, cybersecurity is primarily about managing legal and regulatory risk.
In web3, cybersecurity is primarily about managing real technical security risk. That is, it’s about defensive warfare.
This is a completely different problem space to a traditional web2 startup of the last quarter century.
In web3, security injects your business into a live-fire war zone where amoral actors operate outside the law without any legal recourse.
If the North Korean military steals a billion dollars from an American crypto company, do you think the Interpol red notice is going to do you any good?
“Hello, Pyongyang Police Department, I'd like to file a complaint”?
In the unlikely event they spoke English and understood you, they’d laugh you out of the room. They are a sovereign nation-state operating without regard to our law. They are operating in their own interests. That’s what reality looks like.
Whether you like it or not, whether you understand it or not, your crypto company is at war.
Not by choice. But when the North Korean military engages in acts of coercion against private sector cryptocurrency companies, the plain English word for that is “war”. North Korea wages de facto war on the entire crypto/web3 space.
That means if you want to defend against a sovereign military, you must think about security as a military problem, not as a legal problem.
One useful metaphor is to consider your CISO as a Defense-only Military General, as I’ve written and spoken about before.
The gummint ain't gonna protect us. Borders are obsolete. The Treaty of Westphalia is obsolete.
Nor can you get cybersecurity insurance against acts of war. No insurance company will offer you insurance against war—war is fundamentally not insurable.
That means you have to manage the risks yourself. YOLO security offers the extremely high likelihood of bankruptcy. Therefore you have no choice but to spend time and money to mitigate that risk.
That makes the only real question: What works? What doesn’t? And how should you spend budget to get maximum risk reduction for minimum spend?
Come to my talk to find out more. :-)