Bridging The Public-Private Sector Gap in Crypto: Podcast Ep. 150

Welcome to season 3 of the Public Key podcast! New Season, New Hosts, New Look. “We should be able to dare criminals to use blockchain and cryptocurrency to conduct laundering. We should be able to dare them to launder on a public, unobscured ledger.” This is a powerful statement to start off one of the most anticipated episodes of the year with one of our national security experts at Chainalysis, Eitan Danon speaking with Former White House National Security Council Special Advisor, Carole House about the critical need for robust public-private partnerships to address the challenges of cybercrime and illicit finance.

You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 150.

Public Key Episode 150: National Security’s Digital Asset Frontier: Tackling Illicit Finance

“We should be able to dare criminals to use blockchain and cryptocurrency to conduct laundering. We should be able to dare them to launder on a public, unobscured ledger.” – Carole House

This is a powerful statement to start off one of the most anticipated episodes of the year with one of our national security experts at Chainalysis, Eitan Danon speaking with Former White House National Security Council Special Advisor, Carole House.

Carole provides her unique experience working on both sides of the biggest public private partnerships when it comes to emerging technology, crypto regulation, and national security.

Carole explains the critical need for robust public-private partnerships to address the challenges of cybercrime and illicit finance and the importance of accountability and transparent standards in enhancing blockchain trust and security globally.

They even found time to discuss promising intersections of artificial intelligence with blockchain, emphasizing AI’s potential in scaling compliance and cybersecurity initiatives.

Quote of the episode

 ” We should be able to dare criminals to use blockchain and cryptocurrency to conduct laundering. We should be able to dare them to launder on a public, unobscured ledger. That should be something that makes it essentially a moot point for criminals to be able to use and exploit, because we can so successfully scale and hold accountable these illicit actors.” – Carole House (Senior Fellow, Atlantic Council)

Minute-by-minute episode breakdown

2 | From Army officer to crypto regulator: Carole House’s journey
5 | Bridging gaps between government and crypto industry partnerships
11 | National security threats in the cryptocurrency ecosystem
16 | Global efforts and challenges in combating ransomware threats
22 | Building trust and accountability in the blockchain ecosystem
27 | Harnessing AI to combat cybercrime and enhance digital asset cybersecurity
32 | Public-private partnerships and digital identity in crypto sector
37 | The future of the digital economy and crypto

Related resources

Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.

• Website: Chainalysis: Building Trust In Blockchains
• Insights: The White House Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity
• Article: Designing a blueprint for open, free and trustworthy digital economies

• Research Paper: Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium (Jacob Illum, Vitalik Buterin and others)

• Report: The Chainalysis 2025 Crypto Crime Report (Reserve Your Copy Today)

• Blog: 35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments

• YouTube: Chainalysis YouTube page 
• Twitter: Chainalysis Twitter: Building trust in blockchain
• Telegram: Chainalysis on Telegram

Mentioned Episodes

Episode 133: Building Bridges to Tackle Pig Butchering

Erin West has been on this podcast 3 times and all 3 episodes have been the most downloaded in Public Key history. She is the Deputy District Attorney, Santa Clara County, Office of the DA, who announces her retirement exclusively on the podcast, to pursue her efforts of fighting transnational criminal syndicates facilitating pig butchering scams, with her Crypto Coalition and Operation Shamrock initiatives.

Speakers on today’s episode

• Eitan Danon *Host*  (Content Marketing Manager, Chainalysis)
• Carole House (Senior Fellow, Atlantic Council)

This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.

Transcript

Eitan

Welcome to public key. I’m today’s host, Eitan Danone, and I’m here with my friend Carole house, cyber security and critical infrastructure expert. Carole, welcome to the pod. Thanks so much. I’m thrilled to be here. Eitan, really looking forward to our discussion. We’ve got lots of different things to discuss, so why don’t we hop right in? I’m in. Tell us how and when you first came to crypto, what were your initial thoughts?

 

Carolee

Oh, man, I love that. You guys often like to really set the scene by starting the story of, like, what is your story and how you got here? And not expectedly. I’ll tell you. When I was an Army officer in Afghanistan, I remember my soldiers showing me what this Bitcoin stuff was and they were buying it, and they were like, trying to convince me to if you had told me that, like, I don’t know, four years later that I was gonna end up regulating Bitcoin, I would have laughed in your face. If you told me I was gonna work in cyber or finance at all, I would have laughed at you. I was an intelligence collection manager and a chem, bio, rad, nuclear defense officer. So I got into crypto the way that so many people do, which is on the illicit finance side. So I specifically through cyber security when I when I first left the military, and then my first job out of uniform was at the White House Office of Management and Budget. They were standing up a cyber and Nat SEC unit. They had a bunch of cyber nerds. They needed a NAT SEC nerd. So they brought me aboard. I got my, my first really deep dive exposure into cyber security work. I spent some time on the hill, and then came over to FinCEN as a presidential management fellow. And they, you know, I met someone there at a Chinese warfare symposium. They sounded so interesting, as one does, yeah, of course. Who doesn’t meet people? It’s so DC. Like, I’m so DC. It hurts sometimes, but it’s really I like when, when he described this bureau at Treasury that hunts down money launderers and terrorist financers like that, completely hit me right in the in the mission fields, as so many people who work in this space do. And I asked them if they had a cyber unit, and they said yes. And so when I came over there on a detail at first, and then fell in love with the mission and just came over permanently, when you work to hunt down cyber criminals and cyber enabled financial criminals, you inherently get into crypto, right? Because FinCEN was the first major regulator in the US, certainly the most comprehensive one in the world for AML purposes. And so so that was my first exposure to it. And I feel like most, most policy makers really get exposure to to crypto through this evolution of, at first thinking like, who, who would want to use this, you know, this asset that’s not $1 that’s not backed by anything, um, forgetting the fact that, you know, we also don’t, don’t back, um, our our currency with commodities, it’s just backed by faith in the nation and faith in our military and roads and rule of law, but instead belief in this broader, you know, community and and the Bitcoin nation, if you will. But starting with with that kind of skepticism and incredulity, to then seeing, Oh, bad guys are using it. Oh my gosh. What does this mean? To then recognizing, well, like this is all published on a public ledger. That’s really, that’s really interesting. Swift and Fedwire and chips don’t publish public ledgers. Cash don’t, doesn’t publish public ledgers. So recognizing the benefits of that and then getting into looking more deeply into the technology as it really Stokes your intellectual curiosity, I feel like that’s oftentimes people’s evolutionary arc. And getting exposure to crypto, that was definitely mine, just on different on different timelines than other people sometimes. So that was, that was my first exposure to it was some incredulity, really early on, when I was in the army and not in that space, and not really in tech space, and then getting into tech, starting to recognize the value and just the interest in the technology ultimately, but also recognizing the limitations because of how that technology has been implemented that has allowed it to be exploited.

 

Eitan

Sounds good. Yeah, I think technology and illicit finance, it sounds like we’re the gateway drug into the world of the wild, World of cryptocurrency. So you’ve done it all. It sounds like, I mean, you’ve done certainly, policy making, in spades, military service, punditry, think tanks, advisory in the private sector. What would you say the through line has been kind of starting at your WMD you know, journey and ending up, you know, on the National Security Council. And how does that relate to crypto? Yeah,

 

Carolee

that’s, that’s totally fair, especially my, like, my career can look like a bit of a patchwork quilt of different national security issues. Service is definitely one of them. I was, I think I was doomed to, to always want to be somehow touching service in a lot of ways, because of my incredible parents and how I was raised by by a retired colonel, and he also went into politics and was a city councilman down in Columbus, Georgia. And so I just, I think that was, that was sort of a foregone conclusion. It’s. Purpose was going to be part of my, of my North Star. But then, really, for me, anywhere where tech is is being exploited by bad guys to exploit good people, I want to be there to stop it and to hopefully use and harness technology and other things to help, to help fix that. But basically, whether that’s been in in combating, you know, chem, bio, rad, nuclear, and like another, sorts of illicit weapon systems that were being used to to certainly target individuals and vulnerable populations, as we were seeing, and then evolving into the cyber security domain, and then ultimately in cryptocurrency, digital identity, quantum computing, like the all of these technologies are fascinating and have incredible, incredible potential to drive really great innovations. We’re seeing this in AI also right now, like the great economic potential, but then also, like, if you don’t build in the necessary protections, whether through through governance, through operations, through technological controls. Then, just like with blockchain and other things like no technology is inherently evil. It’s all about its implementation and its use. So we need to figure out how, how to build those protections in and then and then operate them with people that are that are doing the work to hold those bad guys accountable. So that’s really, I think, my common through line for where I always want to be, whether in industry or in government, is stopping bad guys, the

 

Eitan

old double edged sort of emerging technology seems to be ever present. Well, you mentioned bad guys, and more broadly, illicit finance. I think at chainalysis, our motto is building trust in blockchains, and the way we do that is by shining a light on all manner of entities and actors who are abusing the financial system through digital assets, across a lot of kinds of cyber crime, illicit chain on, chain activity, routinely and probably increasingly these days, we talk about the importance of public private partnerships. One question I have for you is, what does the crypto sector not get about the government’s perspective and vice versa, having worked closely with and sat in the chair on both sides of the discussion, how do you see things improving, and where is there perhaps a disconnect still? Yeah,

 

Carolee

I do love this, this question, because you’re you’re not just asking, like, what are the partnerships that are needed, but also really driving a scalpel into what is stopping these partnerships from having evolved? Because we’ve been in this space. Many people have been in this space for many, many years, and we’ve talked about public, private partnerships and the need for things like information sharing for so, so long. The talking points are the same ones for the most part, that I was saying five years ago. Those have not evolved and and I and even saying them then, wasn’t because I was like any any special visionary. I was surrounded by the visionaries that that I think work at places like FinCEN and also out in industry that have really been on the cutting edge and at the tip of the sphere on these issue sets, but I am, I am not happy with the pace of evolution that has happened in the ecosystem and definitely in partnerships as well across industry and government. I think that there’s a lot of action that can be taken that should be taken in a more timely manner to help us combat the illicit actors in this space, and some of that is driven by the exigency of of of the threat that is also reinforced by some of the unique characteristics of this technology. Because, because it’s it’s based in the digital domain, and because most of this is code, it’s essentially arbitrary to create so many of these assets and to conduct so much of this activity, right? Like when you get digital networks and devices and assets, you get scale, scale of lots of good things, including like cross border, reach and speed and lower costs and greater efficiencies, like of peer to peer, of my pocket to yours, but my digital pocket to yours anywhere in the world. And that’s good, but we also haven’t built in the necessary protections to make sure that, like, I’m not in Iran, you’re not in North Korea, or whatever the things are that we’re concerned about that are facilitating terrorist financing, human trafficking, cyber crime, basically, those kinds of partnerships can only occur if you if we have put in place the kinds of standards that we need, that have not been built and scaled, and then also putting in place the research and development, the R and D building blocks that really require and are best done when you have government partnership driving a lot of the most innovative R and D in strategic technologies in the world has been driven by government focused R and D, and I don’t think that there’s enough at all happening related to blockchain, as well as the underlying building blocks and the underlying technologies that are needed to make those blockchain based implementations more successful. And then certainly for like. For information sharing to be able to stop a lot of this illicit activity in its tracks, we should be able to dare criminals to use blockchain and cryptocurrency to conduct laundering like we should be able to dare them to launder on a public, unobscured ledger. That should be something that makes it essentially like a moot point for criminals to be able to be able to use and exploit, because we can so successfully scale and hold it holding accountable these illicit actors, that’s just not where we are right now. Like when you look at our enforcement cases, whether civil or criminal, they’re taking, like, many years, half a decade, a decade, and in some cases, to bring these actions. That kind of scalability is is is not being achieved on the accountability side. And I think that we really have to lean in on industry, especially there, because of a lot of reasons, including that. I think that in democracies, are not really made very well for government to scale. They’re made for industry to scale. So I just think that with industry, you know, who is the operator of these services, who’s the most successful innovators in the reg tech space, companies like yours? We need industry to scale its efforts, including working together and with each other, but the incentives haven’t really been aligned just yet. And so I think that this is where there’s there’s a misunderstanding on both sides for understanding what what I think each other’s responsibility really can and should be, and also what is with it, what is in the realm of possible right now for us to be able to share and take action. I think oftentimes people like keep asking for things like, oh, I want liability protections from the government. The executive branch has already has done everything that they can for liability protections to industry. So oftentimes, when industry is saying that it’s they’re talking to the wrong branch of branch of government, they need to be talking to Congress. Or candidly, most of those liability protections have, in fact, already been given. So actually, their problem is with every other nation internationally where these companies operate, the US can’t give a blanket global protection from, like, for stop, from, you know, sovereign nations that they don’t, that we don’t have authority over. We are not, in fact, the global police. So I hear a lot thank you for the fact check. Yeah, I hear this messaging a lot coming from people, and I like you like they misunderstand the role that the US plays. And so I think that there’s oftentimes that talking point, and if it isn’t earnest talking point, then they are often misunderstanding who they’re talking to and what liability protections, in fact, already exist, and certainly what limitations I think that exist within the government to be allowed to share certain information on their side to get to industry and why, ultimately, industry ends up asking for the government to do things that are the response that that actually industry is best positioned to have the information on and to take the action, to do something about because legal due process takes a long time, and for good reason, but also that means that Government levers often cannot scale sufficiently to be able to take action against this. Now, I absolutely believe that the government can be doing more to make available information that they absolutely get tons of amazing, exquisite reporting on, and that those were some of the partnerships that I was focusing on when I was at the National Security Council. So there’s, there’s absolutely efforts in areas where I think that the government needs to acknowledge and recognize that there are a lot of good partners with industry. Industry is actually the best place for where scaling needs to occur, and where the government needs to understand that that their levers aren’t always the ones that are going to be best positioned to achieve the most disruptive impact across the ecosystem. Sometimes they are and this is where a really strategic assessment of the tools that are available for you to be able to disrupt illicit activities need needs to occur. But, like, there’s you get different effects from things like law enforcement actions that often take many, many years, but are also the most enduring impacts. Right? Like those are some of the only ways that you ever get somebody out of the battle space, or, like, like you put them behind bars and truly hold them accountable, versus like, infrastructure takedowns that may be reconstituted within a few months, but have that nearer term, like, perhaps more sustained sequence of actions, right, right? Yeah. So it’s like, there’s, there’s a variety of different things that I think that that’s where some of the greater misunderstandings are occurring. Is understanding where you’re like, like, whether your sector has what, what authority and capability to do something about it, and recognizing and acknowledging then your limitations and needing to come together to figure out what is the most sustained pressure campaign that we can, in partnership with industry, you know, bring to bear on the illicit networks that are exploiting crypto to exploit good guys, like responsible players don’t want this happening either. So sorry, that was a really long

 

Eitan

No, no, I think. I mean, you mentioned we should dare illicit actors to use the blockchain, I think, probably a year and a. Half ish or two years ago, Hamas put something out on telegram saying, hey, hey, y’all. They didn’t say, y’all, they put it. You know, it’s Arabic and it’s written differently. But don’t use Bitcoin. Don’t use cryptocurrency. This can be tracked. This can be traced. And certainly, you know, as a company, we try not to tip our hand. We always ask ourselves, at what point, how many blogs, how many reports will it take for different threat actors, be they state linked or otherwise, realize that, hey, this is immutable, this is traceable, this is actionable. You mentioned that you’re not in North Korea, and I’m not. I’m not in Iran. We’ll let our listeners determine if that’s actually true. Haha. But we’ve recently had a few national security centric guests on the pod, including Tom Keating from Rusi. Matt pines came on from Sentinel one. You are certainly an excellent continuation in the geopolitical and that SEC discussion. And I would love to hear from you what you see as the greatest national security threat with a crypto Nexus going into the upcoming year. No shortage of actors. But what kind of what gives you the most pause? Or what do you think is the most worrisome, and why is that the biggest

 

Carolee

national security threat? So I think if it’s the near term one, because there’s some longer term issues that I am concerned about that. Again, don’t make crypto evil, just concerns around things like displacement of correspondent banking networks and systems and things that like, ultimately, if, if we don’t figure out the appropriate regulatory structure, you end up losing out like on the ability to essentially assert AML frameworks and visibility and transparency and sanctions levers, if people no longer need things like $1 to go between lira and renminbi, for example, or something like, I just there’s displacement of the correspondent banking system in the longer term. Is something that that concerns me? Do I recognize that stable coins can be a part of mitigating that? Absolutely yes, and like have have long stated that. So I there’s there’s mitigations, but that’s one of my bigger concerns about the the strategic impact on our set of national security tools, as well as the economic benefits that come from, from the role of the dollar near term. My like, this is probably a very highly predictable answer from a cyber nerd cyber security I you know, we still have state actors that are treating the cryptocurrency space like like an open ATM, and that’s not because the crypto space is wanting to be that no one likes getting robbed, no one likes getting robbed. But we’ve not put in place the necessary cyber security protections at scale across this ecosystem, it is telling if Lazarus group has transitioned from targeting swift terminals and banks to going after defi, and it’s because it’s easier to hack and it’s easier to launder after the fact, like that is that is truth. Like that, they’re not doing that by accident. Like this is a reason, and then I think that so for cyber crime, which both means state actors that are absolutely like using using those funds to help finance their proliferation activities, not to mention propping up a regime that is guilty of massive human rights violations and labor violations. And I just it’s, it’s awful. But also then broader cyber crime, like is, a huge concern for me, because this is, this remains, the top method of payment and laundering in ransomware as a service ecosystems and ransomware, I remember when people thought that it was just a buzzword, but it’s not a buzzword. It’s the most pervasive form of disruptive cyber crime that is affecting Americans and critical infrastructure and taking down hospitals and pipelines like, what would we think if there were people, if there was, you know, like a gang roaming around hospitals that were taking it over with weapons and firearms and disrupting its ability to provide services to people like this is what’s happening via these really sophisticated ecosystems. So I’m, I’m really concerned, from a national security perspective, about that. And then I like, I’m curious. Also, if you have some thoughts here, it’s, it’s not gotten the attention that it absolutely warrants and deserves. And wonderful people like Aaron West have been, have been sounding the alarm on this. But fraud, fraud and things like pig butchering, confidence scams, whatever you want to call it. Because, yes, I understand people concerned about we

 

Eitan

actually had Aaron on the pod, uh, in late 2024, and was a terrific conversation, but you’re definitely preaching to the converted.

 

Carolee

Absolutely, she’s, she’s completely spot on and right. And I remembered hoping, hoping that this would be like that over the last few years that we would recognize that this would be the time where fraud was recognized as not just like the unsexy thing that no one really knew what to do about, and especially, even though no one likes fraud for a lot of different reasons, they also don’t tend to like the answers to solving fraud. Things like digital identity are radioactive on both sides of the. File in a lot of ways, I was really thrilled that we were successful at the end of at the end of the Biden administration, President Biden issued the cyber security executive order. That was one of the reasons why the NSC asked me to return from industry and we and we included a couple of very specific, targeted counter fraud and pro digital identity efforts and initiatives that are needed to help foster creation of the digital identity infrastructure and ecosystem that we need that will help do things like, you know, combat crypto crime and other things too, but more needs to be done. And like the on the pig butchering side, we now have this like perfect storm, this horrible, horrendous storm of a combination of transnational organized crime group groups and jurisdictions that are like, unfriendly to the US or or certainly not doing what’s necessary to hold accountable the illicit actors there, combining with human trafficking combining with fraud. We have a blockbuster, you know, film with Jason Stephen that starring in it like maybe we’re ready finally to acknowledge that this is a national security issue and something that’s amounting to billions and losses so toxic

 

Eitan

cocktail of organized crime, state threats and cyber crime, certainly, you know, does not bode well, but I think a lot of the international collaboration of the kind you described is front and center in our in our research. Allow me to kind of go back to something you mentioned. So during your first tour on the NSC, you were part of the team that stood up the counter ransomware initiative, which for our listeners, is an international operational and policy cooperative in the ransomware section of our 2025 crypto crime report, which just dropped on our blog today, actually, we found that the total volume of ransom payments, year over year, decreased by approximately 35% and that’s multifactorial. We see that because of increased law enforcement, increased law enforcement actions, improved international collaboration and a growing refusal to pay by victims. So the landscape is certainly dynamic. There’s, I think, more than one reason for optimism, but my question for you is, how can the international community still stay aggressive in the face of the ransomware threat? You mentioned that it’s pervasive, it’s ongoing, it’s always evolving. How do you kind of characterize things early in 2025

 

Carolee

Yeah, I thank you for highlighting that that’s in your report. That’s really exciting news to hear this like, like, you know, the outcome and impact of the efforts that we had in just trying to stay on top of everything that we could to improve defense, but especially to focus on on disruption in as we were standing up the counter ransomware campaign. Loved the international counter ransomware initiative, and thank you for calling it out, because that’s, it’s, it’s the largest cyber security cooperation and partnership effort that focuses both on policy and on operational partnerships. So we were incredibly proud of that effort. You’re right that we still need to stay on top of this, because these, these criminals are they are creative, they are adaptable. They are resourceful, obviously, in the creation of ransomware as a service. Economy is like, it’s not just SAS, you know, an infrastructure as a service. We now have these, these specialists who focus on things like negotiation and developing of exploit kits and actually doing the Recon and deploying them all where our networks and doing negotiation and HR recruiting. I I absolutely think that they will continue to adapt. I remember when pandemic, when the pandemic was starting and happening, we were seeing the evolution and like, the transition into, like, big game, hunting and targeting a lot of the big actors and asking for really, really big payments. I’m glad to see that people are now recognizing that, I think that recognizing the threat, including that oftentimes, if they end up paying, they’ll just get further exploited and targeted down the road that there’s no guarantee of them getting their their information back, etc. So there’s, there’s lots of reasons why I suspect that that evolution is happening, why people are increasingly refusing to pay. So that is an optimistic, an optimistic trend that I’ll be hopeful for. I suspect that what that means will just be a transition to, like, lower level, like, really what you’re going to start seeing, I expect, and I think we have been seeing that to a level, is decreasing the payment amount, so that you start making making that, like that decision calculus, a lot tougher, right? Like, if the payments aren’t as big, then, then you start seeing people a lot more willing, a lot more willing to potentially pay and to absorb those costs. So I, I think that that’ll be interesting to see what, what happens there, which but ultimately, what that does mean is that I don’t think that ransomware is going to go away, and I think that as things get more and more and more digitized, you’re only going to continue to see that the ransomware just ends up becoming something that gets like the way that it already has sort of been institutionalized in cyber crime ecosystems as one of many of a suite of tools and can. Abilities that they have available to them. So until people like globally just have all decided that we refuse to pay, which will take a while, I think that that for a while that this is going to continue to exist. So I think that to stay vigilant, it means recognizing that ransomware is both a cyber and a financial crime, which many jurisdictions, the members of the CRI have certainly acknowledged and recognized, but we need to implement the FATF standards for virtual assets. We have absolutely not made sufficient progress on that front. And I appreciate the FATF, and I was the lead delegate for FinCEN to our negotiations as we established the virtual asset standards over the course of years, I hope that they focus not as much on policy refinement and update on the virtual asset side, but instead focus on implementation. Policy that isn’t implemented is feckless, and we need to make to drive that actual implementation and accountability there it’s so that is what I’m hoping is what really occurs on that front. On the cybersecurity side, we have that the Cybercrime Convention also, which now we need to start. We need to hold accountable jurisdictions to actually follow and hold accountable the illicit actors that are operating inside of their jurisdiction. And many of these guys are operating from inside of Russia. So we need, we need that. So it’s all about accountability and implementation right now is what I think needs to occur to make sure that we stay vigilant against the ransomware threat

 

Eitan

Absolutely. And you know, as the cliche goes, Rome wasn’t built in a day. And I think a lot of these efforts are multi dimensional, and by their very nature, require tons of international collaboration, long term investments. That actually brings me to my next question. So you you have written extensively about the historical payoff that the world has enjoyed from investing in web two the early days of the internet. Many of us in industry have drawn parallels between web two and web three. What initiatives and investments do you think are going to have the biggest ROI to help build trust in blockchains. Like, what do you think government and industry should do? You know, in the early days, everyone loves to point this out. Everyone thought, the internet, oh, that’s the place for scams. That’s the place, you know, for cyber crime. The idea of putting a national ID number or a social security number on the web was unthinkable. Think, with the development of advanced encryption, SSL, encryption, e commerce could flourish. There was a lot of development in that, in that way, what needs to happen? What’s the analog or kind of as you see it? What is the, what are the investments that you think will will bring that big ROI to unlock the potential of DLT broadly, and cryptocurrency in particular. Yeah,

 

Carolee

I again, really appreciate how you build that narrative arc and highlight the lessons that we’ve learned previously from the development of the Internet and what, what? What is going to happen here? I I do not believe that we’re going to get wide scale adoption of crypto and blockchain, until there is an acceptance of accountability within the ecosystem. That does not mean that no one in crypto is accepting accountability or responsibility, but especially, where does

 

Eitan

the buck stop? I guess accountability with or you know exactly on who, on whose part?

 

Carolee

Yeah, so many, so many of the discussions and the ethos is, and the white papers and everything coming out from from a lot of the people who are thought leaders and and again, these are bright people. And I appreciate that the technology can allow for lots of these things to occur, like technology has allowed for lots of things to happen, but then we put regulation and controls in place where the where the free market, or it’s like, natural and UN, you know, unobstructed use, could potentially reap dangerous consequences towards people. And I think that like, like this is where I think that like people that are implementing blockchain for the future of the internet and web three and the future of finance, there has to be an an understanding that accountability must exist across the ecosystem, not I understand that it’s not like 100% accountability and responsibility. We don’t have a big brother state and tradfi either. We don’t have complete visibility into all transactions, but we have enough of a calibrated like and trust me, I’m not satisfied with with all of our AML capabilities on the tradfi site, either. But we have enough of a capability in like the banking system and other payment system that people generally like, they trust the dollar, and they trust that generally, they have recourse for where to go if they’ve been defrauded, and there’s at least a chance of being able to get assets back and hold somebody accountable. That’s that’s the purpose behind a lot of counter fraud measures and purposes behind why we have AML controls and record keeping requirements, if the future of of block. And defy is that? Well, I guess you didn’t protect your keys well enough. They got stolen. And there are people in the ecosystem that feel that way, that like code is law, and if people get a hold of your assets because you didn’t sufficiently protect against them enough, and you were foolish enough to like to, you know, to operate a platform that had a vulnerability in its code, or you were foolish enough to, as a consumer trust a system that had one, you know, zero day exploit in it, that then gets that, then gets exploited, that shame on you and you and you got robbed. And that’s and that is the way of things, which feels very Lord of the Flies I see to me, it feels incredibly it’s certainly very Darwinistic, very Darwinian. Yes, it is, yeah, Darwinian is better. Yeah, that is. That’s not the future that we want, we like, and it’s not the future that consumers on the whole want. They want there to be some recourse if they’ve been defrauded and hurt. And so to me, trust doesn’t just mean that cryptographically, I can allow a thing to exist somewhere or to go somewhere like it, part of that trust means that I have some recourse if I’ve been hurt or if I’ve made a mistake like that’s also something that I think has to be addressed in the ecosystem. And the more decentralized you get, the the less willing you find entities to accept accountability. And accountability and accountability doesn’t mean accepting accountability for all things that happen. But, like, I don’t think that the future of infrastructure operation, like, means that the network layer in blockchain infrastructure is totally off limits and devoid of any responsibility or accountability. That doesn’t mean I view it the same as I do the coin bases of the world or or the meta masks of the world, or the circles or tethers like these are like. They all you play a different role in the ecosystem, which means you have different levels of control, different different types of visibility. And I think that that’s where the like there needs to be a focus on figuring out, what does that accountability look like? I wish that self regulation could be the future of the ecosystem. Decentralized communities have a hard time organizing and again, the ethos of the community has so far involved a an unwillingness to embrace and lean in on accountability, which means that the things that you would need to foment around a self regulatory structure are not are not existing and are not happening so and whether it’s on regulation or even just standards and standardized best practices, like I keep pointing to standards because I love standards, and I love our Department of Commerce and NIST and things like standards, I’ve testified to them, many other people have spoken to it and written on the need for greater standards. Here, this is where I need industry to come to the table to the government and say, here’s where we need some standards. Let’s bring together the best thinkers in academia and industry and infrastructure, otherwise, in traditional spaces, as well of infrastructure and finance, and let’s build let’s build out what those standardized best practices should be, because there’s some instances where I see like basic key management practices are not being followed, and that’s the culprit in a lot of the like the exploitation and the hacks in this space. So it’s already existing standards not being implemented. But in other cases, it’s not. It’s because there aren’t already existent practices. So it’s not an implementation problem yet. It’s a we haven’t built out what that should look like. So I think that there’s a lot of opportunity for some real candor and intellectual honesty to happen between industry and government, to talk through what’s not working, and then talk through what should exist, and then think through things like standards of practice, of different governance models inside of decentralized systems, of where you can put accountability and different controls at different places. I think it can look different in different systems, but something that allows for the creation of enough trust and recourse for at least enough of the illicit use cases that we’re currently seeing, which is not, it’s not currently happening. That’s

 

Eitan

an awesome point, and I think you’ve definitely hit the nail on the head there. And certainly a sensitive issue for many on the web, three side in terms of regulation, and whether crypto, you know, or, to be more specific defi or certain parts of the ecosystem and regulation. How can they coexist? I think for our braver listeners, I would suggest they check out a paper by our chief scientist, Jacoby loom that he co authored last summer with Vitalik and several others, on how privacy could be preserved while ensuring, you know, certain AML protections. He actually went on unchained with Laura Shin to talk about the paper. It’s a great read that that for those who are interested in ZK zero knowledge technology and you know, Privacy Enhancing protocols and that sort of thing, definitely would recommend you check it out. But. Well, I’d like to switch gears a little bit. You know, no emerging tech podcast and no conversation is complete these days without a discussion of artificial intelligence. I want to know, you know, you are well versed, not only in crypto and cybersecurity, but I would say in emerging tech writ large. How does AI fit into this conversation. And certainly, you know, in our 2025 crypto crime report, we see a number of different threat actors leveraging AI and abusing the technology for a whole host of reasons. You know, it’s certainly to facilitate the laundering process to bypass KYC, and the list goes on and on. So instead of relitigating that, I’m curious to hear Carole, how do you think AI can be best harnessed to to fight back against cyber crime and to kind of attack the attackers, as it were, play defense? Or how do you see that kind of acting as a boon or something to empower government.

 

Carolee

Yeah, and you’re right. Like any, any general purpose technology, like AI or blockchain, like, you know, good or bad based on its implementation, just like you said, for use of AI, that’s us figuring out how to scale using AI is the only way that we’re going to be able to keep pace with illicit use of with illicit use of AI, obviously getting hit massively with deep fake enabled fraud, even instances of certainly AI driven laundering activity is happening basically, I Think, in the crypto world, blockchain and AI are technologies that really reinforce each other’s best and horse traits, and really fascinating ways. I think, you know, in a way, that blockchain had challenges with scalability up front, right? But AI can help address some of that scalability problem. Can help address some of the compliance issues. And, you know, being able to do analysis across across lots of amount of data to be able to assess risks or and that doesn’t just have to be AML. It can be to identify stability risks or vulnerabilities in code that may be further exploited. I There’s AI can be used to help, to help solve a lot of different problems. Of course, the advanced, the advanced, you know, algorithms and models that can be used to do things like to generate, you know, code and software patches can also be used to develop malicious malware, as well as to potentially detect vulnerabilities that could then be that could then be exploited by illicit actors. But basically, and that that certainly holds true in a lot of other ways. You know, the same advanced protein models that can help to do things like develop vaccines can also then be turned to help generate a bio weapon, potentially. So this is hence why some of the fear or the concerns of AI, if you don’t manage its use in some way, have raised concerns for people, and some really, like some really tough questions around, how do we, or should we impose, you know, requirements or security features into into technologies themselves, or into their specific use cases, the way that we normally regulate in an activity or function based approach in the US? So I think here, the way that we can be using AI, certainly, we need to be keeping pace to leverage AI to detect where like to turn AI towards itself, and like tell us where is AI being used to generate fraudulent images and things like so to try to detect those deep fakes, to look for some of the indicators that point to the fact that an image that’s been created is not, in fact, something that’s Real or it’s been generated by a lot by you know, an AI that’s using lots of other repositories of images in order to create something that’s synthetic. So I think that there’s AI that can help us to better detect illicit credentials and capabilities that are happening there. Hopefully AI to help us better detect where money laundering activity that’s occurring may, in fact, be aI generated, or AI fueled and enabled, because when you have a lot of when you have, you know, the ability for smart contracts to now be smart, but that’s really what you have now with the state, with the, you know, exquisite state of the art of AI is that where code can be the coder, and now smart contracts can be truly smart and truly self optimizing. That means that we need to ensure that we’ve got ais that are looking for where some of those smart contracts may be operating illicitly or maliciously, or where it’s not even malicious, where it’s just accidental or inadvertent, like I’m waiting for the moment or Well, hopefully it never happens, but I anticipate that the first instances of seeing smart contracts that are exploited this way, it’ll be accidental, because, you know, they’ll be they’ll just be a vulnerability in, you know, a smart contract that was written that will start to erroneously, you know, allocate assets from a Treasury or something, and you’ll be unable to potentially stop it, because, like I mentioned, these technologies. Reinforce each other’s worst traits in some ways, if you get scalability combined with absence of accountability, or with things like immutability or difficulty to censor, like if you can’t take down something that’s operating illicitly, that creates a real problem or vulnerability, especially if it’s again, if it’s self optimizing, I had an interesting instance of asking chatgpt, what would happen if I deployed it on a smart contract and it started to operate illicitly. Could I stop it? And it answered on stage. It depends on how good my security is, how good how good your authorities are. That’s a really good answer in chatgpt. So anyway, I think that AI we need to figure out how to use it to support things like compliance, to support our own cyber security efforts and vulnerability mitigation and patching in an automated way. Because I think that the only way that you’re going to get that timeliness and that scalability isn’t something that humans are very good at doing. It’s something that machines are good are better at doing.

 

Eitan

Yeah, yeah. Well, that was an awesome answer. I think you mentioned before you know that a lot of cyber crime, people need to reconceptualize it’s not only a tech crime, kind of an internet crime, but also at its core, financial crime. And so there are many prongs, and I think in the AI discussion, there will be many more use cases to address those different aspects of cyber crime and to integrate them. I guess my final question to wrap up building on your experience and spoiler alert for our listeners, given that you’re not in government anymore, but have a lot of valuable perspectives derived from your time in government. You’ve worked on a lot of public, private partnerships, lots of initiatives. Are there any public, private partnerships or other kind of, you know, sector specific projects, or kind of any, any of those types of initiatives that you think the crypto sector, or, more broadly, kind of industry and government should look more carefully at creating? Is there anything that you think you’re going to personally kind of give a little more attention to now that you have, you know, lots of different cookie jars open, and I reckon a hand in each one. What do you what do you think has not been done that desperately needs doing?

 

Carolee

Yeah, great question. And you’re right, as I am thinking about what’s about, what’s coming next, and I’m considering whether that, like, I really do like working with companies, so whether that’s in, whether that’s through consulting or through board work, otherwise, like, I just want to be, I just, I really want to be in, in the thick of it, with helping a lot of companies that are trying to get to get good on leveraging this technology to help answer a lot of really tough national security and and economic issues so on this on on the partnership side, some of the work that I definitely hope to continue to lean in on and and to help just drive forward the conversation is definitely around those partnerships for information sharing, but actionable information sharing and like actually putting that into practice and taking action there. I think that there’s, there is not much of an excuse for us not doing that, like more successfully at this scale. Right now, I’m very encouraged and enthusiastic by the fact that multiple ISACs have have been created in the cryptocurrency. You

 

Eitan

mean beyond, oh, I got hacked, I need to get on Twitter and share the news. Yes,

 

Carolee

exactly like, while I love the idea of like, of radical transparency, and I sex and sharing information, that’s wonderful if, if what’s being shared, it doesn’t include things like indicators of compromise, and if what has occurred as the outcome or the output of that compromise is funds being stolen, and funds not just for you, like, I don’t want you to be robbed, either as a platform, but for your consumers that are relying upon you to be able to safeguard and hold those assets. Like, generally, those platforms all have customers that are relying on those assets. So ultimately, what’s needed is the action, ability and capability to like to take what’s necessary to be able to stop those funds that are moving. That’s going to be a tough issue. That’s not something that everyone in the ecosystem has necessarily bought into. Needing to be something that gets put in place. I think on the cybersecurity side, that’s much less controversial, because, again, nobody likes getting robbed. I think the the ultimate ramification after the fact, though, of then sharing information to try to go stop those funds and make sure that they can’t get, you know, exfiltrated out into the unregulated system or cashed out, etc, and used, ultimately, by those illicit actors, that’s that’s where there’s going to be some tougher some tougher points of partnership internationally, even with an administration that is not focusing or prioritizing efforts on enforcement, is certainly what I anticipate not to be a priority for this administration. Um, there it’s so far based on the messaging from them, focusing on innovation, focusing on deregulation, deregulation, yet also focusing on legislation to create more regulation so that, like what areas they decide to deregulate in, and in other areas create regulation, I think is going to be, it’s going to be a big area of question for me, I am optimistic that at least a clear pathway to registration and supervision will be a way forward here, which I am very much looking forward to and am sad, and that that’s not something that we were successful in doing to the extent that we really needed to over the past four years. So I think that some of that will be good. But on efforts around standards to improve cybersecurity, and then on sharing information on illicit finance, those are low hanging fruit, something that I think that everybody should be able to get behind the cybersecurity one, and I think most everybody should be able to get behind the sharing of information that like around illicit actors, and especially where we know that it’s defrauding and hurting people and vulnerable populations, things that nobody is happy about, except for the criminals. And then also where it’s the biggest bads, like state actors and, you know, propagators of CSAM and Child Sexual Abuse material and human traffickers like I think that there’s opportunities there for creating that operational partnership, for sharing of info to be able to stop those illicit funds in their tracks. I think that those are the two key places that I really want to make some meaningful effort on. Apart from all that, digital identity has to be a priority this time. That goes way beyond crypto and more broadly into the fact that we need to put in place the necessary investments to ensure that we’ve got the digital identity infrastructure to more to more greatly trust each other and who we are in digital economies. I think that’s true for governments, for any for legal entities and corporations, as well as for individuals. So that remains a major, a major bully pulpit issue for me, so I’m going to continue to lean in on that. I was going

 

Eitan

to say is that it you’ve got your work cut out for you. That’s quite, quite a lot of stuff. No, certainly on the info sharing front. You know, one of the most beautiful aspects of the blockchain is its unclassified nature and the international collaboration that that drives for those of us who have come out of the underbelly of the national security vortex, or have just been used to protections against discussing certain things, certainly between governments and then between government and industry, that I think that will resonate with lots of our listeners, for our listeners who are interested in following your work and connecting with you, how do you recommend they keep tabs on you or drop you a line?

 

Carolee

Great question for now. I’m mostly on LinkedIn. I mentioned before. I’m so DC. It hurts sometimes, but, but truly, do do reach out anytime to me on LinkedIn. I monitor it frequently, and it’s how I keep a pulse about where a lot of folks are currently in their thought leadership and their and their efforts on on the crypto front, and otherwise I’m I’m in DC also, but I travel quite a bit, so really happy to meet up with with folks anywhere to talk about or argue about what the future is of of digital economy infrastructure as well as the future. I don’t know that anyone

 

Eitan

having listened to this episode would want to pick a fight with you on digital identity or crypto, but thank you for the for the great conversation, and thanks for coming on the pod.

 

Carolee

Thank you really enjoy being here and appreciate the work you guys do, listening all the time. So it’s wonderful to

 

Eitan

be excellent. Take care. Carole, thanks a lot. Thank you. You.