Mitchell Amador
CEO & Founder, Immunefi

AI Cyber Attacks: Why Compliance Is Not Security | Mitchell Amador, Immunefi CEO

Jun 10, 2026 | Cyber Insurance News | 59m
When it comes to AI cyber attacks most corporate security leaders are doing compliance, not security. That is the argument of ...

About Mitchell Amador

Mitchell Amador, CEO and co-founder of Immunefi, has argued that many corporate security leaders are practicing compliance rather than genuine security, stating that "most traditional CISOs were really doing a version of compliance" and that in crypto, "we secure against war." He described the current environment as "a war that never ends" and warned that advances in AI have made it easier to create effective cyber attacking teams at mass scale, adding that "everybody can have a nation state cyber attacking army now." Amador also discussed the shift in crypto hacks, noting that recent major incidents such as the Bybit hack were due to compromised traditional web infrastructure rather than smart contract errors, and that logic errors in smart contracts now account for only 6% of total value lost, down from previous years. Amador has promoted the concept of "crowdsource security" as a solution to what he called a potential "vulnerability apocalypse," where the internet could become a "live fire zone." He announced Immunefi's "SR Summer" initiative, which provides AI-assisted tooling to white hat hackers, and expressed optimism about the future of security research, stating that "this is the golden age of white hat hackers." He also predicted that by 2030, effective losses due to logic and code errors could fall below 10 basis points of annual resources, and warned that failure to find a quantum cryptography solution for blockchains could destroy the premise of blockchain as a secure database.

Source: AI-verified profile updated from Mitchell Amador's recent appearances.

Transcript (69 segments)
AI-enhanced transcript with speaker attribution
Martin Hidden 0:07
Welcome to the Cyber Insurance News and Information Podcast. I'm your host, Martin Hidden, and today we're going to be talking about crypto and the adversarial cyber environment, while also serving as a fast-paced test bed for security incentives, loss prevention, and eventually cyber catastrophe insurance. It's a big space, and to help us discuss that today is Mitchell Amador, the CEO of Immunefi. Mitchell, before we dive into that big topic today, thanks so much for joining us. Tell us a little bit about your career and how you got to this space.
Mitchell Amador 0:36
Sure. Well, I got here accidentally. I had no particular enthusiasm to become a security professional and the technical side of the business was never my forte. But I found in the course of building lots of different things in early crypto and prior that I kept stumbling into the most severe security and threat modeling problems that we had in the industry. I had to deal with SIM swap attacks where someone takes over your phone, breaks into your iCloud, tries to steal all of your data. It's like identity theft at mass scale. Insider attacks, social engineering attacks, attempted hacks of company treasury and funds, attempted kidnappings and stalkings of all sorts. IP thefts, technology thefts, corporate espionage and everything in between. So in the course of building a lot of things I was pulled into this world of security and I saw all the problems that ultimately brought me to the conclusion that this was in 2019, 2020, that if we didn't transform how we were doing security in crypto we were not going to survive. That we would hit a kind of vulnerability apocalypse that would delegitimize our whole industry. And it was that insight and a wish to prevent that and to safeguard my industry that I loved, I got involved for ideological reasons that I entered the space and that I built Immunefi, which is one of the larger protectors of the industry today.
Martin Hidden 2:11
So tell me about Immunefi. We chatted before today so I know a little bit but I don't get paid to know things. I get paid to have you explain them. So tell me what Immunefi does.
Mitchell Amador 2:21
So, Immunefi is the biggest security platform protecting on-chain protocols, platforms, and blockchains in the world today. And specifically, we occupy the bug bounty niche and beyond. But we occupy almost all of the major protocols' bug bounties. If you look at major protocols by TVL or size, almost all of them are going to be Immunefi customers and they're going to host their crowdsource security defense mechanisms with us. In practice, what that means is we've aggregated the largest white hat community spanning the entirety of the crypto security scene and also the traditional web security scene. And we tell these guys, hey, look, we've got all these amazing projects. They need protection. They need support. And you and only you are on the frontier of security that can go and help provide these things. You can find out how to crack their infrastructure and disclose the vulnerabilities that they don't know exist before they could be exploited. And we operate as the central clearing house for all these what would be traditionally known as zero days to go between almost every major project in the industry and the global white hat security team.
Martin Hidden 3:31
So you help people find problems and fix them with regard to security in the crypto space.
Mitchell Amador 3:37
That's right. We help people find the holes in their bank vaults they didn't know they have. And unfortunately with software there are always holes.
Martin Hidden 3:47
Indeed. Indeed. So when we were planning this and chatting about this conversation beforehand, we talked about, I think the phrase was, Web3 is a bit of a dark forest. And I wonder if in practical terms, you know, you might explain what you think people mean or what that means to people.
Mitchell Amador 4:06
Sure. So I would bet that a number of your listeners are actually going to know exactly what that refers to because this quote of course comes from the famous Chinese science fiction novel The Three-Body Problem. And in The Three-Body Problem they describe this challenge: why is it not that the aliens have reached out? Why do we see no evidence of alien life and activity in civilization when we earthly humans are broadcasting infinite amount of very specific and particular and sensible radiation out into the cosmos constantly. Why don't we see it in return? And they get to this conclusion, this terrifying conclusion that the galaxy, the universe is a dark forest. And what that means is that there are these predators that are constantly prowling the environment the entire time. And so the advantageous position in this environment is just to be strictly silent and to be unnoticed, to be unseen, to be invisible because the moment you reveal yourself, a predator will pounce upon you. It is game theoretically optimal for them to take you out. And the connection to crypto is we are the same way but with vulnerabilities. At any particular moment, there are dozens of illegal criminal groups, many of which could be operating at vast scale. Think billions of dollars, okay? It's like really really large scale that are scanning every major contract on chain that are looking at every new project and every new deployment hoping and waiting for a single gap, a simple break in the armor that they can exploit to steal all the money in those contracts. Because in crypto, a hack is not just a hack. It's not a breach of PII or personal identifiable information that's going out. Nobody cares about that here. The hack allows you to steal real money. The biggest heists in the history of mankind all happened here with our bare assets. And so every sophisticated technical criminal organization in the world realizes there's no better place to be a thief than crypto. 
And at the peak of these, by the way, just to color and contextualize this dark forest analogy, the peak, the most famous group of thieves in crypto today is North Korea, specifically the North Korean army. Okay, this is the environment we're operating in.
Martin Hidden 6:47
They are just one player. You touch on and that you know I'll throw a link in the show notes that there have been great articles about their stunningly organized and global efforts to steal from in this situation and then more broadly as well that all suggests that it's shifted to a much more industrialized or organized kind of reality like that there is a persistent threat to the crypto environment from well-funded, well-organized nation-state in the case of North Korea backed actors. Is that a fair characterization?
Mitchell Amador 7:24
100%. And not just North Korea. North Korea is just the most famous. The largest Iranian exchange went down in the opening days of their war being hacked by an Israeli cyber attack group. And we know that some of these other groups in Ukraine and Russia have been throwing cyber bombs, so to speak, at each other for years and years and years now. So North Korea is just the most public, but we're in an environment where the norm or the default, the typical threat model for a builder in our industry is that there are nation-state actors and they are out to get you and to rob you.
Martin Hidden 7:59
I mean, and this is a 24-hour day, every moment of time threat, right? That there's a constant scanning of the system that presents a constant threat, right? Obviously, what is the response to that? You know, what do people who are in this space need to be thinking about if maybe they're not quite aware and I suspect most of them are, but you know, crypto is one of those things that a lot of people who aren't involved hear about and they pretend they understand or they maybe are bold and but what about that idea? What does normal even look like when you're facing this kind of threat?
Mitchell Amador 8:35
Sure. This is where the dark forest analogy breaks down by the way because at least in The Three-Body Problem in the dark forest you had a solution. You stay silent. You do not emit or radiate any signal. You stay invisible in order to stay alive. But in crypto we built the whole system so it's transparent by default and everybody can see what everybody else does. So no such option. We don't have good solutions in that part. And so the only solution that we have is really to go after the holy grail of cyber security which is we need objectively secure systems. We need as close to perfect security, perfect defense, unhackability as you can get as the technology can allow as physics will allow. And this is actually what all of on-chain security is about. And this is what we do. We create objectively secure systems.
Martin Hidden 9:36
Well, so pausing there for a sec. Right. So just for those of the audience who aren't on the inside, if you're outside crypto, what's the clearest way to understand the stakes here, why it matters, you know, for people who don't really understand this space, why does it matter?
Mitchell Amador 9:55
Sure, great question. It matters for two reasons. Number one is this technology has proven so impactful and transformational, the blockchain that is, that it is inevitably going to underpin global financial infrastructure for the next several decades. Okay, we are in process of replacing financial infrastructure across the world. The tech works great, lowest cost, has all these benefits that will be brought to society, is being brought to society. It's happening. But the flip side of that is when an attacker can compromise these systems, they can do incredible damage. The biggest hack last year was for $1.6 billion. $1.6 billion in less than 15 seconds. Okay. Scary. Two hacks earlier in March were for $300 million each cash. Okay. This is a high stakes game. This is, you know, the GDP of entire cities across the world, right? Tens and hundreds of thousands of people laboring to create good lives just stolen like that. Okay. It has immense impact on people's lives.
Martin Hidden 11:04
Yeah. Yeah, I mean I think that's why I mean one of the ideas that's important to keep in mind is that if something bad happens to your neighbor or within the ecosystem of your economy, even if you're not involved in that economy, it's a bit like a storm hitting California and you have a situation where you may not think living in Ohio it matters, but then you realize you're paying twice as much for avocados. That sort of domino effect is the reason it matters broadly across you know, even people who aren't really involved.
Mitchell Amador 11:35
Exactly. So, and this is especially salient when you think of what crypto is and what it offers, which is superior, fairer, more transparent, more inclusive financial markets. Okay? Which is exciting, but financial markets, if they're going to be efficient, they're going to have leverage. And so, they're prone to contagion. And so, these events can get really out of hand. Okay? They can cause much more damage. We've been able to prevent those scenarios to date. We've done a very good job. The industry has some really great people who believe in the mission and who support it and they put up, you know, a billion dollars in some cases to make sure that creditors at some of these institutions that are harmed stay whole. But that's the kind of stakes that we're playing with here and eventually it's going to touch the whole of society. So we need to create these systems and make them safe right now before we see trillions more in assets flow on-chain.
Martin Hidden 12:33
That attitude is one that it's a befitting example because I think broadly with the digital economy that we've embraced since, you know, basically the worldwide web came into fruition in the '90s is one where we've raced forward maybe built on less than ideal tech stacks, right? That the problems of yesterday don't get addressed and you wind up exacerbating the failure to get it right from the beginning or at least have a principle in place from the beginning. Is that a juxtaposition to the way you see this all being developed within the crypto world that the idea is we got to get this right from the start? For it to be new and reliable and the world to be comfortable with this change. We also need to find ourselves in a situation where you know the money goes into a if you will vault or a bank that is actually secure that people can feel safe about it. Is that too simple a way to think about it?
Mitchell Amador 13:23
Yes and no. I mean, look, we've been building in this at scale now, Martin, for over a decade, okay? At scale, I'm talking millions and millions of users, no longer hobbyist projects, but serious money and people dedicating their entire careers to this type of activity. So, it's been a long road. We had our period there where we were YOLOing and you know we were influenced by the move fast and break things philosophy but all of crypto has converged on you know kind of move as fast as you can and break absolutely nothing as security philosophy. Every single investor will enforce that standard and expectation on their portfolio companies. Every single institution will expect it. Every single exchange will demand it. So we've gone in this new direction where yes, that is our point of view and it's still early days, right? So you could say that we've committed to that. Obviously being around in the industry a long time, I'm a little more nuanced. I see all the things we tried and failed at as well. So I can't say we really decided it from the beginning. It's more like we learned the hard way at small scale and now we've committed as kind of more mature adults that this is going to be the foundation of our industry and it's working.
Martin Hidden 14:37
So, shifting back to bug bounty, I wonder if you could in a plain English way explain or define what a bug bounty is.
Mitchell Amador 14:46
Sure. So, a bug bounty is real simple. It's a big prize that you put up for someone in case they can find a vulnerability in your system. Okay? And that's a very general statement because it's a very general tool. The bug bounty itself, the bug bounty program we call it, is really just a legal contract. It's a prize contract. It's a contest or saying, look, I'm looking for this type of thing. I've got my bank vault, if you will. And my bank vault is not just made up of a building, or it could be. It's also made up of code. It's also made up of servers. It's also made up of infrastructure. It's made up of websites and so on and so forth. And I say to you, Martin, you being the cunning, clever, brilliant, hopefully white hat hacker that you are, if you can find a vulnerability that meets these requirements, that lets you do these bad things to me, to my customers, to my data, then I'm going to pay you a prize. I'm going to pay you, and I'm going to pay it according to this much money that I specified in advance in the contract, the bug bounty program. So this is what a bug bounty is. Now even though the description I gave here was simple as you can imagine it can get very very technical right because we're talking about technical systems and your typical bug bounty program is going to specify at least half a dozen if not two dozen different impacts or deliverables so to speak that they're looking for like you need to be able to hack this system so that it achieves this thing specifically or this thing or this thing and that determines how much money you get. But on a high level at how it works, it's a contest.
Martin Hidden 16:29
So the wisdom behind paying hackers to report flaws, that's because you're tapping into the perspective and the way they see things as something to break into. Is it you're taking advantage of whether it's learned or maybe internal natural instinct on the part of them? Is that the wise part? You know, find a potential adversary and convert them into an asset.
Mitchell Amador 16:53
That's a benefit, Martin, but that is off the mark. That is not why we do this. It is nice. Hackers are brilliant and creative and, you know, harebrained people, make no mistake, and it's great to have them on our side. But the real reason that we do that is numbers. It's the sheer force of security power that we can bring to bear into hardening our systems. And I'll give you this example real simple. Imagine we have our own vault that we're protecting and you've got two, three colleagues who do it in security and you need to make sure all the system is secure because you got gold there. You got your corporate IP there. You've got all the PII from your business. You got all your customers' records, all the transactions. Maybe you have access to your actual banking infrastructure as well, passwords and the like. There's a lot of valuable stuff there. Now, we're going to say on one side, you have three guys that are going to work great and they're going to work hard. I'm sure they're extremely competent, but they're three guys. Now, what if I said I could deploy 30,000 guys to stress test your system? Which one do you think is going to result in a more secure system?
Martin Hidden 18:00
The 30,000.
Mitchell Amador 18:02
30,000, not a thousand times more because that's not how it works, but definitely 5, 10, 20 times as much. You start to approach the kind of hypothetical limit of how secure a system of that architecture can be. And the only way we found to do that in cyber security is really by deploying more eyes. More eyes, more people who are using different techniques and who have different points of view and ways of looking at it. And so what a bug bounty really does is it gives you scale. It gives you the kind of scale that you could never build yourself. Like and let's go back to this North Korean example. So the North Koreans who are doing this, they are not a corporate outfit. They are literally part of the army, the intelligence division of the army, and they're responsible for bringing in revenue to which they bring at least billions of dollars per year, which of course goes to fund the North Korean military and society and so on and so forth. Now, in the total of their program, I would say there's probably maybe 300 to a thousand hackers, probably on the lower end of that. Okay? And these guys operate one of the largest and most sophisticated and certainly the most feared hacking armies in the world of finance today. Okay? And there's less than a thousand guys. Immunefi alone has over 90,000 registered hackers. Okay, just us, not including our competitors or all the other players in the industry, just us. We outnumber the biggest threat actor in the world, right? Many many times over. Okay, many many many many times over. And many of these hackers with us are also corporate entities or companies that have access to some of the most advanced and frontier security technology in the world. The best formal verification solutions which is like fuzzing solutions and these are basically sci-fi technologies that we've burst into reality in the course of crypto that make us able to create secure code. Crypto makes the safest code in the world at this point. 
It's just us and people working on nuclear and ballistic missile systems. Okay, this is the small group of people who can create objectively secure code in the world today. And we've created tech to make that commercially viable and feasible at massive scale. Now combine all that, these crazy brilliant minds plus we outnumber them, right? We outnumber them 100 to one easily. Probably more like a thousand to one if you pull in the broader Web2 security communities. And you realize, wow, if you can deploy all that talent to secure a system, that is going to be incomparably more valuable. That's going to be the most effective thing you could possibly do to secure your code and to secure your infrastructure. And that's why we use bug bounties because in a world where a single failure, where if you get 99.9% you fail, right? And getting even a fraction of that wrong. In that world, you need this disproportionate army of security experts who are protecting you, and bug bounties and crowdsource security is the only way to do it. You are always going to be outnumbered. No matter what company you go to, Martin, no matter what project you build, the odds are the North Koreans are going to have more hackers than you. But with the crowdsource solution, we can give you an army that's infinitely larger than theirs.
Martin Hidden 21:29
I mean it seems like there's a sort of different pillars of if you will breakthrough here. There's the technical, economic, and then you touched on the sort of the cultural part of this. I mean is the breadth of this that great?
Mitchell Amador 21:46
Yes, I would say so. I would say so. And in more ways than I explained, right? Obviously numerically we are much more advantaged than the attackers. There's just more brilliant good people in the world who have more brilliance and expertise than there are attackers. That's the reality. We do have technological breakthroughs. In fact, we the very people who are the ones who would want to help society and do this work. We are typically the ones who make the technical breakthroughs as well because you know the great inventors, the geniuses, they don't tend to be like you know the criminal masterminds of society for the most part. They tend to be the tinkerers and the creatives and the kind of like artistic engineering types who just like to build things and want to contribute to society. And then we've created really an excellent culture around this work even better than traditional web even better than traditional open source. The crypto security culture is I think in my opinion in my experience the best security culture in the history of the world. We share everything. Okay. We share our data with each other. We share our information. We share our technology and techniques with competitors more like coopetition or almost anywhere else. And we glorify people who protect society. And this has created an environment where it's very easy to get involved. Plus, we have huge incentives like, you know, Immunefi pays out. We just paid a $3 million bounty for a single bug two months ago. And that's not an uncommon occurrence. That's just something that happens. Some guy can retire for life on that if he wants. You know, he's probably sitting in Indonesia somewhere because he's probably from Indonesia just relaxing.
Martin Hidden 23:25
Okay, cool. Good job, man. Go have some kids. You touch on something that, you know, I use the word culture in the question that set that answer up. And one of the things that I've become fascinated in in this space is the CISO at corporations and the way that they are sort of the new kid and they're pressing for money and they're viewed as a cost center. And I've read a couple of reports that survey them about what works. And it's counterintuitive to certainly corporate culture in the conventional sense where what they admit confidentially in at least one report I've read is that being able to talk to CISOs at other companies in the same space as them, potential competitors, and share information about what they're seeing and how they're responding to it is invaluable. But the problem is that's counterintuitive to classic C-suite mentality about a competitor's executives and I wonder whether or not like that's do you have any thoughts about that that the way that you've described this you what did you say cooperation or I forget.
Mitchell Amador 24:28
Coopetition.
Martin Hidden 24:29
Say that one more time.
Mitchell Amador 24:31
Coopetition.
Martin Hidden 24:32
Coopetition. Okay so explain coopetition to me and why maybe others could benefit from this because I want to move into the idea that the way we're talking about this and what you said might suggest that the mentality around security and crypto has solved problems that other industries and other sectors could emulate, copy, absorb parts of or learn lessons from, however you want to put it. What do you think about that idea that there are elements of this you know if you will new thing that could really help existing legacy environment.
Mitchell Amador 25:08
Excellent and prophetic inference about where the future of security and the rest of the internet must go and we will see there are pressures that will force it in this direction but to your point yes that's exactly what we do so security leaders in crypto are well networked almost all of us know almost all of us right we go to the same events we meet in the same groups we share our information very liberally. And while this won't be exotic or strange to traditional C-suite, the reason why we do that is because we all understand we face a much greater threat and that threat is total annihilation, total destruction of equity, total loss of customer well-being. Okay, it's very frightening and because of that we have to take extreme measures and the best measure is to coordinate our resources amongst each others. Any one CISO, any one security leader can only do so much. But when coordinating with 100 others, we might see a threat that's happening in the Chinese community or in the Indonesian community and be able to route that immediately to the American teams or the European teams or pass information of a known hacker, you know, straight to Interpol for dealing with to see if those funds can be frozen and returned to the people. In fact, we've been a part of many such cases where by coordinating we've been able to stop thefts. You know, most recently, North Korea stole $300 million on one of these cases. And in one such event during one of these DAOs managed to freeze 90 million of those dollars. Okay, because they could coordinate in this intelligent pro-social way where people had the same expectations first and foremost that we should be protecting the community and this is a primary and critical and important thing. Okay. And as a result, this creates the valuation and the prioritization of sharing information. 
Now, I said this is a very prophetic inference because there's a huge change that's happening in security right now that we already went through in crypto that the rest of the internet and by extension the rest of the global economy is about to experience in front. And that's the nature of the severity of your threat model. Your average American company doesn't really defend against nation-state actors for the most part, right? Maybe the largest ones do, but like your typical, you got Ohio beer company that it's not on their radar that anything could happen. They may not even have passwords on their Wi-Fi systems, right? It's probably all open access like hotels that you see almost everywhere in the world are open access systems, easy to enter and exfiltrate data. So, and that's most people most of the time by default only the largest institutions get to that realization. But in crypto, we've been living in that world all the time. We are in the dark forest where these North Korean monsters, right, are looking about for any moment of weakness. Like they can steal quite literally steal all of our money in a flash. And the reason why I mention that the rest of the world is soon going to be changing there is because the advance of frontier models have made it easier than ever to create effective cyber attacking teams and resources at mass scale. You know, if I look back three or four years ago, we had a handful of these groups across the world. We even had names for them called APTs or advanced persistent threats because hacking groups were so rare. But now any reasonably sophisticated hacker, reasonably competent and expert hacker can create their own operated mostly by themselves if they can use these advanced LLM agents effectively which have proven very effective at cyber offense. And so the same problem that we had right where we had a disproportionate number of APTs looking at us hacking groups finding these things. 
Well, now all of the hacking groups and all the small-time hackers in the world can do the same things that it once took a 300 person army from North Korea to be able to do. Everybody can have a nation-state cyber attacking army now. And the world's just beginning to realize that. And they're gonna discover the whole internet is discovering slowly but it'll escalate soon that most traditional CISOs are really doing a version of compliance not security or rather the definition of security changed. They were securing against crime not war but in crypto we secure against war. I give this analogy to my colleagues. I say we don't do cyber security we do cyber defense because we're in a war that never ends. Our colleagues are about to join us in this new war whether they like it or not.
Martin Hidden 30:02
You touch on the, and I think it's worth pausing on that point, the reality of this environment, the cyber crime, the cyber threat, whatever it is, there's a dynamic nature to it that is very much like the chaos you get when people describe what combat and warfare are like, where all your plans and all your preparation are only so useful. They are useful, don't make any mistakes about that, but the inability to know what the future holds is a paramount thing to keep in mind. Is that what we're talking about here? And that you need to be nimble and thoughtful and adaptable in order to meet the threats that you can't even imagine because they're beyond your imagination because they're into the future.
Mitchell Amador 30:49
Yes and no. Yes, understood that what you said is true, but no, in the sense that that's not the core thing. That is a tangential or kind of like secondary point. The central point is that the economics of cybersecurity were once based around the economics of how much it costs a human hacker to do things. Okay? And what it takes for a human hacker to do things at scale, and that whole status quo is officially out the window. Okay? The economics have changed dramatically.
I'll give you an example. You know, a few years ago, there were probably half a million sophisticated security professionals in the world who could do most of the interesting vulnerability or zero-day research that can impact large enterprises or the economy at scale. That's a very small number of people. Most of those people are going to be working for large companies or governments. And so, in the end, the pool of effective cybercriminals is quite small. It was very rare. But now with the advent of LLM techniques, that number has effectively exploded. Imagine that number going at least 10x. You can imagine instead of going 500,000, there are 5 million. Instead of there being, you know, possibly say 500 to 2,000 hacking groups in the world that could cause material harm, now that number is instantaneously more like 5,000 to 25,000. Okay? This explosion of capabilities, of offensive capabilities, it's like the world woke up and gave everybody the equivalent of these, you know, missile systems and these drone systems that have revolutionized warfare in Ukraine and the Middle East in a terrifying way. What if we were to take the equivalent of that in the cyber domain and just give it to everybody? Because that's what we did, right? That's what these new models have done.
Martin Hidden 32:51
You touch on a principle that is famous for the US Army Special Forces, specifically the Green Berets. And the phrase they use is force multiplication. And the idea is that you might take a 13-man Green Beret A-team, the famous A-team, and send them to a country, and those 13 men can train 5,000 people to become soldiers in 6 to 10 weeks. And that then creates an army well beyond the fighting capacity of the 13. And it is absolutely a function of, and this is the positive and negative of AI, right? You can use it to do for good or for bad. And the way it's landed in the field of bad is something that people are just getting their heads around. I mean, do you think the vast majority of people comprehend just the scale that's achievable now because it exists there and it's largely, if you will, virtually free to use?
Mitchell Amador 33:51
They have no idea. But what's worse is that the vast majority of CISOs have no idea, right? Everything, their budget, their infrastructure, is all based on the last war. Their whole system is imagining behaving under the same rules and conditions. There's a, you know, before we started we chatted about history, and I, you know, there's that, prior to World War II there was a very famous American general named Billy Mitchell, and he was an advocate for air power while everyone wanted to build battleships. And he said, no, no, no, the next war is going to involve airplanes that take off from ships, and they're going to be able to sink ships really easily, and you need airplanes. You need airplanes. Lo and behold, he turned out to be very right. And I think that that's a phenomenon, right? We get invested in what we bought and the tools we have rather than the tools we might wind up needing.
Martin Hidden 34:44
And in addition to that, the problem is that the CISO who sticks his head up and says, you know, too loudly that that's an existential threat to their existence and their job security, that human dynamic is a weird part in all this crypto-technical, you know, world of digital. The human element of, you know, good leadership, clarity of narrative, the ability to explain a problem and why the new solution you need to, if you will, build should be brought on board at some expense. Is that part of this that is sort of counterintuitive to what many people might think when they hear about crypto or they think of crypto?
Mitchell Amador 35:20
In what sense? Like the security framing or?
Martin Hidden 35:24
So, well, I think that, you know, we hear a lot with AI that jobs are going to be replaced, that people are, you know, what are people going to do and where do people, how do people play a role in this? But adapting to this reality and absorbing it into humanity is going to require human beings to adapt and be primary in the experience, right? To lead the experience. And I guess I'm curious what you think about that, whether you think that's accurate or whether you think that, you know, the whole notion of, you know, the phrase you hear is agentic AI, you know, things that do things, you give them a task and they go off and they do it on their own and that's just like an employee. Well, employees make mistakes. LLMs are only based on us so they're going to repeat all the things that we did at scale. I mean, the joke I've been making is that, you know, we use the phrase hallucinations and I go, you mean mistakes? Like that's what we used to call them when people made them, you know, but obviously in the new thing it has to have a new language and a new buzz. I guess I'm curious what you think about that broadly, that idea of, you know, the importance of people in all this. Back to bug bounty and the human being being the one that finds the problem.
Mitchell Amador 36:30
Well, it's complicated. It's not an easy, and now we must all be prophets, Martin. So, you put me in a difficult spot. I have to Cassandra this. I'm going to give something of value. But look, you know, crypto is a little different. In my view, most of the adoption will happen in a way that nobody notices. And the more crypto can do that, the more likely it is to succeed and provide value for society. And the reason for that is that it's a back-end system. It's a back-office system. Like, people don't want to know how the accounting is done for them to get paid. They want to get paid and move on with their lives, about which they're eminently correct. You know, debits and credits is not for everybody. And you know, crypto is complicated back-end shared and distributed databases. Okay? And the systems that do it will mostly be like that, the ones that touch people's lives. A few of them are going to be interesting, impactful, and front-facing. You know that I made the first social media application in crypto almost a decade ago now that got to millions of users. There will be things like that that are forward-facing. There will be things like net new assets like Bitcoin that are forward-facing and interesting. But that's a small number of things. If there was never any Bitcoin, for example, any ever kind of publicly investable or accessible crypto markets, this whole technology set could still provide incredible value for civilization just by replacing the traditional database models that we see across finance today. Okay? So it's not true that humans need to be at the forefront.
What's true is finding great and compelling use cases and being able to demonstrate the efficaciousness of superior and the safety of these distributed systems. That's what's key. And if you can do that at large enough scale, then adoption will take care of itself, as basically superior technology sets do. The caveat with that, of course, is when we look at the history of the advancement of technology, the best technology does not always win, right? Germany discovered last year that it needed nuclear after all. Go figure. They don't have much at the moment. It's a problem. So, people go down different paths. I personally think we went down a different path by not investing in hovercrafts and not investing in more kind of air zeppelin technologies and inflatable balloons. Could have been a really interesting world, but instead we just skipped all that and we went to jet airplanes, and I'm not sure that was the path. I mean, where are our sky yachts? Didn't work out for us. It was a big loss. Okay, so you know, things go that way, and in that sense, you do need people to champion, and crypto is really at the forefront of that with this huge kind of consumer marketing angle and its big focus on all these new financial applications that protect people's wealth in an environment that's becoming increasingly dangerous. Like the value proposition of crypto today is becoming more and more obvious to everybody as all these currencies effectively go bananas. So that's me hedging my bets and saying, like, okay, there's a human element of this, but like crypto can still win, blockchain can still win and become extremely relevant to your life without you ever hearing, without there being any famous figure, any proselytizing from on high.
On the other hand, the more interesting, superior world, right, and the non-dystopian world, I think, is the world where we do have people who can speak to the benefits, who can make this a human-led movement, who can really inject their theology or their values, their worldview into the technology, which is where crypto started and what made it most interesting for me personally. Okay, that is going to be the best possible world for this tech and in that sense we are still doing that and it is still human-driven even though it's got a bunch of financing.
Martin Hidden 40:36
So bringing it back to cyber insurance and the role that plays, where does, where could, I suppose is the better way to put it, where could all this fit into the cyber insurance landscape?
Mitchell Amador 40:48
Sure. Okay. So there's a few different ways to think about that. My, the most important one is this, Martin. How do you feel about the effectiveness or the reliability of cyber insurance as a market today? The largest new insurance market in the world. Incredibly valuable. But what's the current state of it? What do you think?
Martin Hidden 41:17
Well, I mean the pricing, the word soft has been lingering in that market for quite a while now. I think that, you know, its issues now are compounded by the broader pressure on insurance generally, particularly in America, and it's a complex, complex risk. And you know, there's this argument about if you enter AI into the conversation, does that fall into cyber insurance or should it be its own separate reality given the complexity of that new additional problem which we've touched on. So, I think it's, you know, it's probably fair to say it's a toddler and it's still learning to use a knife and a fork and pull up its pants is probably where it is in the broader scheme of a lifespan. What do you think about that?
Mitchell Amador 42:04
That's a very wise and gracious answer. I would say, to be fair, like the central challenge of insurance of course is risk management, and the big challenge with software is that this stuff is really risky and finicky. And when we designed software in the beginning, we didn't design it to be riskless or safe. That is not what we intended to do. We designed it to get to the answer that we wanted, usually fastest or cheapest. And we made a hell of a lot of trade-offs in that process. The classic example is the internet. The internet was never designed to be a secure system, and it's not a secure system. It has all of these foibles that make it exposable and make it brutalizable, that make it an environment for theft, that make it effectively a live fire zone, okay, for people across the world. It didn't have to be designed this way. There were alternatives, but that is how it was designed. And the global internet works in this way. And that's what makes it a haven for crime and other such problems.
Now, we have slowly figured out on the internet how to mitigate these solutions one band-aid at a time until we ended up with this kind of like interesting monstrosity with all these different casts and bandages and ointments all applied on wherever the little wounds are. And in crypto, we ended up having to go down a different path because we didn't have time. We didn't have space. We didn't have decades to figure out how this was all going to work. We had a few years. And as a result, we built security and learning the lessons from the internet, of course, knowing that we're dealing with money, we built security and as much, you know, risk reduction as we possibly could into the ideologies and the values of our systems. There's no blockchain in the world that's not designed to be secure first and foremost. Okay? There's no blockchain in the world that is not designed to minimize customer and user risk first and foremost. And many of the systems have quite complex measures in order to do that.
As a result, we are rapidly converging on a world where we can effectively price the cyber risk of on-chain systems. We're not quite there yet, but I'll give you an example. Over the last 6 years or so, we had the explosion of DeFi, which went from effectively zero into a market that's worth hundreds of billions, a financial market that is larger than the vast majority of countries in the world today. Okay. Now in that market we were seeing loss rates of between two and 4% of assets per year, which is really high, really, really painful, but it was the frontier and there were incredible gains to be made. Most of those losses were from logic errors. If I look at the losses from code errors and logic errors this year, we're sitting at 6%. Sorry, this was last year. This year the numbers so far are even lower. It was 6%. Okay? And those numbers are falling fast. There's a world that we can get to within, I believe by 2030, okay, where effective losses due to logic and code errors are going to be sub 10 basis points of annual resources per year.
And in that world, we're approaching par if not superior security risk reduction relative to traditional financial systems and traditional financial economy for various reasons. And who knows, we could get it even lower from there. Five basis points, right? Maybe one basis point depending on the scale. Why? Because we have objectively secure systems because we have objectively secure code. Okay, this does not eliminate financial risk. Of course, like you do not solve balance sheet risk with great code. That's not how that works, right? You don't solve systems engineering problems and kind of risk tolerance and managing your debts and your liabilities accordingly with super secure code. It doesn't help for that either. You don't solve black swan events or political problems with super secure code. It doesn't work for that. But you do solve the code problem. And the code problem is the most terrifying of them all because if you can't have secure code, you introduce downstream risk into every other system no matter how things are gone. Okay. So, we're on the cusp of a new kind of insurance in the blockchain markets where we can reliably predict and price smart contract insurance. And when we can do this, this is going to be one of the key unlocks for moving the larger traditional financial markets on-chain. We're not there yet, but we're going to be there within the next few years. We'll have achieved it because we created objectively secure code. And by the way, that is something we will be able to export to the rest of the internet. So, it's not going to stop here. We will share our benefits with everybody.
Martin Hidden 47:16
You, I think of myself right now. My history, bud, is I'm thinking of the first steam engine and how simple and basic it was and how all these people came to it with improvements that, you know, led to it powering the industrial age. And that we're in a similar moment in the way you're explaining it, that this is a technology that not only can you exist within and be secure and have risk more quantifiable so that it can be underwritten more, it's something that can then propagate across the existing parts of, you know, the world's tech stack, if you will. Is that what we're talking about?
Mitchell Amador 47:56
100%. 100%. Not just as an infrastructure layer, but as a tool stack. So, for example, the world is going to inherit our threat model and it'll make the internet and society a safer place when people learn that cyber defense is how you protect a company. Not cybersecurity, no longer mop security, but like understand the North Koreans are out to get you. And they'll take our tool stack, too. We've created the most advanced technologies for proving that code is safe and secure and making them cheap, making them economically accessible in a way that they never were before. Okay? And we're going to give those to the whole of the internet and we'll be like, 'Hey, look, do you guys want cheap, you know, objectively secure code? Here are the tools to do that. Ultra low cost. We did all the R&D. We did all the technological breakthroughs. We did all the scientific hard work. You can just have this and have it for free.' Okay? And if you want, you can create secure JavaScript. You can create secure Rust for whatever it is that you're using. And this is going to bring everybody else's danger, everybody else's hacks, everybody else's exploitability, everybody else's cyber risk way, way, way down. We're just going to give it to them all. It's going to be great. We're not done, but it's going to be great.
Martin Hidden 49:12
So we've touched on AI. I wonder when we look at the next phase of things, one of the big things people talk about is quantum computing and its impact on, you know, standard encryption that is as it exists now. So what about that new thing, if you will, the things that everyone talks about coming in depending on who you talk to a few years or maybe longer. What do you see in that landscape and how's it going to impact the space?
Mitchell Amador 49:38
That is a very exciting question. The answer is what you suspect, which is it's going to impact us in either this, you know, exciting brave new world sense or it's going to be terrifying and destroy everything. And let's look at the latter part first, how it's going to destroy everything, because that's what people want to hear, right? It's an insurance podcast, we got the good stuff. If we can't find a solution to quantum cryptography that works for blockchains, then the entire premise of blockchain as a safe, trustworthy shared distributed database is destroyed. And then because whoever has effectively the ability to use their quantum computers in order to break this encryption can effectively steal everybody else's money sometimes in a way without them even knowing. And so that's a game over for blockchains if it can't be solved. Now, I don't worry about that too much because just like it's game over for us, it's also game over for every bank and financial institution in the world because if we can't crack quantum cryptography for our needs, they're sure as hell not going to do it. They're way less competent than we are. They're way less savvy about the frontier of computer science and security than we are. It's night and day difference. So, you know, they're going to be, sorry, screwed. The militaries around the world are going to be screwed for the most part. Most militaries are not capable of handling this kind of cryptography problem on their own. So imagine everybody's communications being broken overnight. Most governments are going to become effectively transparent to whoever this mysterious quantum computer operator is going to be. It's like really a nightmare scenario because all of what we depend on for electronic communication becomes breachable. Really.
Now on the other hand, we expect and we are building as an industry to solve that problem. We are working on new quantum cryptography solutions that we can upgrade existing blockchains with such that our systems prove invulnerable to that type of threat. But there's a caveat and the caveat is nobody really knows what will be invulnerable or not. It's very difficult to prove that your, you know, quantum secure algorithm, your quantum secure cryptography is really quantum secure. And so the rest of the world's in this position too, mind you. But we're all just going to have to YOLO this together in some form. And we're taking from the best of what the quantum community has and we're giving them the best of what we're discovering because just like we see, right? We're defending against the bigger enemy, the bigger enemy of quantum computation breaking existing cryptographic encryption schemes. Like that is a real boogeyman. That's much more damaging to society than any rogue state like North Korea is. Much worse.
Martin Hidden 52:40
I find myself thinking about all the hand-wringing over Y2K and that sounds like a children's picnic to the scale of this potential problem. Yes. Is that fair?
Mitchell Amador 52:52
100%. 100%.
Martin Hidden 52:56
So in that context, what should businesses be doing? You know, if you're hearing this and you're a CEO or on the board of a company, what should be the next question you ask given the fact that whether you like it or not, this is coming and it's going to impact you and all the things you rely on quite frankly, as you put it.
Mitchell Amador 53:13
Well, this will tickle you, Martin. You'll understand this right away. You know, as a man of history, you know, for most people, you can afford to do nothing because the stakes are so high that the people with the most resources must do a whole lot to ensure their own survival. And so there's this kind of tragedy of the commons where the vast majority of society is just going to freeload off of the few institutions that make the investment and it's going to, okay, sure, why not? You know, thanks guys. You do all the hard work and it doesn't really make sense to take the bet against yourself because you don't have the resources to make a material difference for the most part. And so you're kind of forced to make a bet that you're going to figure it out perfectly and then since you're already making that bet, why worry about it? It's kind of like nuclear war versus not a nuclear war. For the most part, you just bet that it's not going to happen and you continue on with life.
Yes. Having said that, if you're a CISO at a major company or government or institution, you do actually have a chance to play a privileged role in the story. You really do because there are, I mean, frankly, this industry needs money and it needs publicity and it needs culture, right? People need to develop the solutions. A lot of that is going on in military behind closed doors, which is not great for us and industry and broader civil society because we don't get to share in those benefits and they will surely keep them from us. So we need more development on the public side of things. Then we need to popularize that. A lot of really cool stuff is being built, okay, in the quantum computing realm, but so much of it gets locked up in these large organizations. We need to be popularizing what can get shared, both the large organizations and the small ones and the scientists and the academia all around the world. Popularize that so people can learn the lessons as fast as possible. And then we need to create a culture of sharing. Okay. And this is where CISOs all around the world can get involved and participate by just encouraging others to take a look and by sharing these things actively, because this is a threat that we all share. And that culture may end up being the key towards saving a lot of society from harm from this, because maybe somebody does get a quantum attack capability, but if someone else gets quantum defense, they have effective quantum encryption algorithms. They can be bullied. They have to be convinced to share that. Okay. And if we have a culture and an expectation in society that we're all going to look after each other, we dramatically increase the chances that that party will be incentivized to share that technology with the rest of us and thereby safeguard the global society, the global market, the global civil society.
So these are three things and CISOs are going to have a role to play in this because believe me, I think the militaries are developing lots of stuff. But I will bet top dollar that the private industry will outproduce and out-research all the governments in the world on this subject. That's probably where the solution is going to come from. So, if we set this culture between us as security specialists that we all have a stake in defending society and we're going to share this information just because and we're going to encourage it just because even if we're not in a personal position to do anything about it, we'll at least publicize the good actors and reward them for doing good for society. I think that will be impactful. I think that will make a difference.
Martin Hidden 56:31
Yeah. Well said. So, we're coming up on about an hour and we obviously didn't get to everything that we may have had in our planned conversation. Is there anything we didn't touch on that you think we should mention or anything that you'd like to say any more about?
Mitchell Amador 56:45
Yeah, I mean probably the thing that I would say is we are entering a new world in so many ways, right? Crypto is transforming finance. It's going to be unrecognizable in 10 or 15 years. Just, it's really completely different. AI is transforming knowledge work in just absurd and crazy ways. The kind of global chessboard of geopolitics is being rearranged before our eyes with strange and sometimes very comical combinations of events going on. It's, we live in this fascinating time of change. Okay, the longevity industry is blowing up. I don't know about you, I have a friend going out to California to meet a bunch of them right now. They're convinced they're on the verge of at least 50 extra years for most people. I hope they're right. That would be great. Everything is changing and we all have a kind of part to play in this story. One of these key parts you guys are working on the insurance side. This is something that we're going to need. We're going to have to stabilize this system. We're like a kid going through puberty once again. And that's great while it lasts, but at some point we're going to have to calm down and figure out how we're going to live with all of these things instead of allowing our civilization to sink into the dust. So, you know, you guys have a role to play in this story. People like me are trying to innovate on security, give you guys all the tools that we possibly can. We're telling you that we're moving into a world where we can create objectively secure code, objectively secure systems, and that it's really going to work. You'll be able to do magic with this. And I hope somehow into the future, all this stuff proves useful to you guys and helping create the future in your own way because you'll have a role to play, too.
Martin Hidden 58:29
All right, one last question. Five years from now, what will seem obvious that most people still miss today?
Mitchell Amador 58:39
There's so many things.
Martin Hidden 58:41
Pick one.
Mitchell Amador 58:43
Oh, the one that will be a spicy one. That use of technology by individuals needs to be heavily controlled for health and wellbeing.
Martin Hidden 58:55
Well put. Well put, Mitchell. I have nothing else. Do you have anything else you want to say or any other last thoughts?
Mitchell Amador 59:02
No, it was my pleasure. Martin, always a pleasure to chat. I learned some new things in the course of being interviewed which is always delightful. It was a great time and if I can prove helpful in the future, you just let me know. I'll come back on and support.
Martin Hidden 59:15
That'd be great. Mitchell, thanks so much. Everyone else, you've been listening to Mitchell Amador, the CEO of Immunefi. We mentioned a few things and there'll be some links in the show notes wherever you might be listening to or watching this so you can find those resources there. Likewise, if you've got a question or a comment, a thought, please share it. You can leave it in the comments and I'll get you an answer or pass it on to Mitchell if I can. But Mitchell, again, thanks so much for the time today. Everyone else, thank you so much for watching. This is the Cyber Insurance News and Information Podcast. I'm your host, Martin Hidden. Enjoy the rest of your day.