Jason Lau. PHOTO: Cybercrime Magazine.

CISO Report: Crypto.com’s Jason Lau On Cyber Threats

Breaking down cryptocrime, ransomware, and the skills gap

David Braue

Melbourne, Australia – Jan. 15, 2022

The CISO Report is sponsored by KnowBe4.

It was a major branding coup for the marketing department, but Jason Lau admits that Crypto.com’s recent $700 million purchase of naming rights to the Los Angeles Lakers’ home arena may have other, less enjoyable side effects.

“It’s absolutely exciting, but it also puts a pretty big target on our head,” says Lau, also flagging the impact of the recent appointment of Matt Damon — aka Jason Bourne — as the company’s spokesperson.

“Put those two things together, and you can just imagine the amount of press and coverage that we’ve been getting recently,” Lau, who as chief information security officer (CISO) of the fast-growing cryptocurrency exchange is acutely aware of the impact of a growing public profile, told Cybercrime Magazine.

With a responsibility for securing the company’s expansive cryptocurrency holdings — and the security of its 10 million users and 3,000 employees — Lau is well aware of the constant threat of cryptocrime, the fast-growing cybercriminal activity that is proving deadly effective at depriving exchanges of their money.

The number of consumers trading crypto is expected to double in the next 12 months, creating significant business opportunities for Singapore-based Crypto.com and new headaches for Lau as he works to keep the inevitable surge in cybercriminal interest at bay.

Cybersecurity Ventures forecasts have predicted the financial impact of cybercrime will grow to $10.5 trillion by 2025, and Lau knows much of this will come from successful breaches of ever-larger cryptocurrency exchanges.

“Absolutely, I think these numbers are not overestimated,” he explained, noting that the disastrous 2014 Mt Gox attack saw the theft of $460 million — and that there were more than 30 reported attacks on crypto exchanges, involving $3 billion in losses, during 2021 alone.

“Literally every day you see news about new hacks,” Lau said, noting the increasing frequency of attacks on decentralized finance (DeFi) pioneers, “and every single year these new crypto cases are becoming more and more of an issue.”

There is a bright side, however: the increasingly decentralized nature of online finance services is increasing visibility of activity across DeFi networks, ensuring that “almost everybody has a lot more transparency into this space,” Lau said.

“So if there was an attack, it would have a material impact not just on one particular company, but on a network of many people — which is just going to have cascading effects. So, it will be harder to hide it: in a DeFi space, news spreads pretty fast.”

Investing to protect investments

As the increasing profile of cryptocurrency pushes exchange operators into a financial services market generally known for its conservatism, Crypto.com and its ilk are investing heavily to ensure the levels of operational security and governance that would be expected of any financial services operator.

That means investment — and lots of it, Lau said, noting that a rationalization of network and cloud architectures is redistributing the security weaknesses that companies like Crypto.com have to manage.

“Companies going to digital transformation are realizing that the on-premise network is no longer where your entire data is, and their infrastructure is now much more diversely spread out in a hybrid space,” he explained.

“When this is happening, these new technologies are going to give rise to new vulnerabilities, and new threats, and new risks — which is going to give rise to new gaps. And this gives rise to the controls that need to be put in place, from a cybersecurity perspective, to harden these gaps.”

With a range of new security paradigms rapidly becoming standard issue — think zero-trust security, identity-driven security, defense in depth, and other frameworks — successfully implementing them “requires a significant amount of investment as well as a lot of accountability,” Lau said. “There definitely needs to be more investment in cybersecurity.”

Is it still a gap if the skills have barely been invented yet?

That investment isn’t only necessary for new security technologies, however: as the security environment evolves and changes, Lau said companies need to expand their understanding of the roles necessary to stay abreast of changing security threats.

“Cybersecurity jobs are not just jobs that have some sort of information security title in the actual name,” Lau explained. “You should also be thinking about other titles that may not necessarily be pure cybersecurity, but still deal with a lot of cybersecurity-related types of issues.”

That means considering the need for roles like fraud specialist investigators, cybersecurity-focused legal professionals, and data privacy technologists — a role that bridges cybersecurity and data privacy protections and is increasingly being addressed with formal certifications such as ISACA’s Certified Data Privacy Solutions Engineer (CDPSE).

“If you’re simply looking at information-security type people, threat analysts and incident response people, then you’re also looking at these other new cybersecurity skills that are needed,” he said.

Finding people with cryptocurrency’s enabling technologies have been particularly challenging both because they are so young and because they are changing so rapidly.

“A lot of these new Blockchain technologies have only just come up over the last few years,” Lau said, “and looking for someone with five years of Blockchain security experience just doesn’t exist. So a lot of things that we need, we are basically inventing — and then training people inhouse with a lot of these skill sets.”

With millions and potentially billions in windfall awaiting the person who can execute the perfect hack, cybercriminals are also evolving their methods rapidly, Lau said, noting the “scary evolution” of ransomware that is increasingly leaning on artificial intelligence to avoid security defenses.

“Instead of attacking everybody, it’s very targeted in knowing what it wants to do,” Lau explained, “and it releases its payload at the right time and the right moment at the right person. This is a scary evolution of ransomware, and we know where it’s going to go.”

Also raising eyebrows for Lau is the increasing use of ransomware-as-a-service — which is helping cybercriminals scale their attack methods as quickly as defenders can fight back — and attack methods such as SIM swapping, which has been used to steal cryptocurrency by bypassing exchanges’ authentication controls.

When you’re guarding an asset as intrinsically valuable as cryptocurrency — which offers not only its present value but also the promise of vast future growth — staying ahead of the cybersecurity curve is literally the difference between thriving and becoming another Mt Gox.

Lau, for his part, is determined to keep Crypto.com in the former category – both by managing technological defenses and actively educating users about security risks and best practices.

Yet the human element continues to pose its own challenges — keeping Lau and his dedicated human security team on their toes.

“Humans are humans and they will always find the quickest and easiest path to do something,” Lau explained. “As a result, it can create risks for the user and also for the company.”

“But if you want to learn something, you’ve got to really learn it — but if people don’t put in the time and effort to learn the concepts, it becomes really challenging for the organization to embed security into its culture.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.