Lessons in Security From Those in the Know | Bitcoin 2026

All right, we are I think like over time already, so I'm just going to jump right in. Folks, thank you so much for joining us this morning. We're really excited to be here at the beginning, the kickoff to Bitcoin conference. Um, this is the security panel. So, we're here to talk about what's going on with security and risk management uh as it relates to Bitcoin. My name is Justine Bone. I'm the executive director of an organization called the Crypto Isac. That's information sharing and analysis center. We're a nonprofit. We're independent. We work with the security teams in the biggest crypto companies out there. We allow these security teams to come together in a trusted space on a security platform to share what we call cyber threat intelligence and swap notes about the risk landscape, the threat landscape, threat actors, incidents, vulnerabilities, other issues that come up almost actually it's more than daily. So it's continuous. So uh my career was spent in the cyber security industry. I came into crypto about three years ago. Before that I was the chief information security officer at Bloomberg at Dow Jones. I'm also an entrepreneur in the cyber security industry. So I've started a few cyber security companies like many. Um I started my my career in government service in the public sector. And so I'm able to leverage a lot of that experience bringing together these different companies within the crypto ISAC. I'm really grateful to be joined here today by a set of security leaders who are dedicating a lot of their time to securing the Bitcoin ecosystem. So I'm going to allow the gentlemen here to introduce themselves and then we'll get into our panel. Thank you so much, Alex. >> Uh hey everyone, it's great to be here. I'm Alex Prudin. I'm the CEO of Project 11, which is an organization that does research at the intersection of quantum computing and postquantum cryptography as it pertains to blockchains and digital assets and then builds products uh around implementing postquantum cryptography at institutions that have exposure to uh to blockchain based rails. Um so yeah, that's that's uh what I've what I do. I've been in crypto for I guess about 11 years now. >> Hello everyone, my name is Eric Kellogg. I'm the CISO of Binance US. Uh been there for a little over four years. Been in technology security for almost 27 years now. It's a long time. Um but you know, I'm simply just the CISO at the Binance US exchange. >> Hey, I'm uh Garrett Kelly. I'm a principal software engineer and the uh entity CISO for Robin Hood crypto. I've been a Robin Hood for just over 5 years and uh yeah, I was involved in the custody program since day one at Robin Hood. >> Thanks, folks. So we've got a CEO on uh founder and we've got two CISOs here, chief information security officers. So uh let's start with that. Eric Garrett, what exactly is a chief information security officer? >> Sure. Uh so I think uh when people think about CISOs, there's a couple different archetypes that they'll think of. You'll think of people who are in more of a governance and regulatory kind of oversight position. And I think that's an important role. like obviously you need governance and regulatory oversight for a company but uh I also think that there's a a different archetype which is the technical CISO which is where I kind of feel like I I fit in and that is somebody who is uh deeply involved in all of the aspects of the of the products and the the security of the systems. Um, I like to think that a technical CISO answers the question, uh, so what? So when somebody brings you insight or knowledge, uh, or vulnerabilities externally, it's about being able to know how that fits into the entire stack and secure everything from, uh, from top to bottom. >> Yeah, I'd agree with that. I think um I' I've got a lot to do with that governance and and uh compliance aspect but um very much a technical seesaw hands-on uh very involved with the products and the teams and just making sure that the operations are running day-to-day and you know the assets are safe. >> It's um a multifaceted set of responsibilities when you're a chief information security officer. Often CISOs come from very technical backgrounds. Maybe they're software developers, maybe they're security researchers. But as Garrett pointed out, there's an important aspect to the set of responsibilities that is explaining the impact of a security issue to their respective company. So a vulnerability is discovered in you know a piece of hardware, a piece of software and some infrastructure. That question of so what really drives a lot and it speaks to sort of the larger responsibility which is managing risk that a that a CISO um participates in. So risk management, which can mean a lot of different things, including technology risk management, is really sort of the day-to-day focus of a chief information security officer within your respective programs. I was wondering if you could talk a little bit about vulnerability management um and what what that means what it means to keep systems sort of updated and how does that relate to security issues that especially in this generation of AI which we'll go into a little bit in a second um are are coming up over and over and over. How do you look at sort of system maintenance and vulnerability management? Yeah, I mean it's a it's a really tough problem, I think, especially for a company that uh the older a company gets, the more technical debt you have, like period. You don't there's no get out of jail free card for a technical debt like that. Um vulnerability management like is the is the way that you take the stream of incoming issues and turn it into uh action if you need to, right? You know, assessing the actual impact, assessing the exposure, that kind of thing. And it is it's very important, but it's also really easy to fall into like uh naive patterns where you say, "Oh, uh there's a there's a pur vulnerability or like a CVSs9 vulnerability in lib PNG. What do we do about it?" Uh and at the end of the day, it might not even affect your stack, but you've got some vulnerability scanner somewhere that's keynote, it's pinging off of it somewhere, and now it's the most important thing in the entire world that you patch the PNG. I it's a it's it's a balancing act, I think, and it's a one that a lot of companies spend a lot of money and time getting wrong in a lot of ways. >> H how do you how do you learn about a vulnerability, Garrett? Like how do you become aware that there's an issue that needs to be considered and addressed? >> Yeah. Uh so there's a couple different ways that a vulnerability will come through the front door. Um some of it will just be like uh threat uh sorry vulnerability feeds. So you might pay a vendor that give you uh vulnerability feeds for software packages. Um then you have to take that list of software packages, the list of software packages that you actually run in your infrastructure, stitch them together, figure figure out is that something we're affected by. Other times you'll have like a bug bounty program. That's a vulnerability if somebody's reporting that to you. It's externally expos uh exploitable. Um that's another way you'll get a vulnerability. And then sometimes it'll just be contact through researchers uh or intel from the field. like if you're working with other other teams, you might hear uh from another CISO or another group uh about a specific class of vulnerability that's coming up. >> And and I know I'm going to get to you in a second, Eric, but just riffing off of this for a second. What what when you do realize that a vulnerability impacts your business to the point that it needs to be addressed? What is that process of um fixing it? >> Yeah, so um it really depends on the vulnerability. Uh some some vulnerabilities might be like in your infrastructure. Some might be actual software packages. A lot of it can just be as simple as updating manifests and rolling out new software builds to the rest of the fleet. But some of it might be oh now you have to work with your cloud provider because your cloud provider is vulnerable to this vulnerability and what are you going to do about it if they have say they have a six-month timeline to their remediation. Um it it really comes down to the specifics of it and there's there's there's one sizefits most which is a software package needs to be updated and there's a published patch for it. But in some cases there won't be a published patch and you have to think okay well how do we limit the exposure to that to this uh vulnerability? How do we make sure that this can't actually affect our our infrastructure or engineers? >> So the reason I'm hammering on that is because this is a continuous process. It never ends. You're never done in cyber security. there's always more that needs to be triaged, analyzed, um considered in terms of the business priorities. So, it's a risk assessment. Um and and this is like this is a journey. It's it's there's a bit of misconception out there sometimes that security is a state that we can reach and we're done. And it's very much not that. Eric, any thoughts? >> Yeah, I agree. So, it's you're never done. I think one of the uh things that really you need to solve as a CISO is eliminating noise like which vulnerabilities actually you have to pay attention to versus what you don't because you can have some criticals that just are buried beneath a lot more layers of controls and so you got to prioritize you will get to that vulnerability at some point um but maybe not as quick and you know I think with AI in the mix those are just becoming more and more constant so developing our in-house tools to again keep kind of eliminating the noise so we know what to focus on first um is is pretty critical to the vulnerability. And I also think that >> one piece of vulnerability management is the human aspect. There is no patch for humans. So I think the people, you know, our our employees are are really used to us hammering this home and we're always testing them. We're always throwing them, you know, really hard fishing tests and and trainings and um just hammering home that, you know, the the security of the company is every employees responsibility because, you know, everyone could be a vulnerability. We're going to get on to some emerging threats, but right now we're talking about current day threats. And as you can get a sense, you know, security vulnerabilities and software are deeply deeply technical things. But even more serious than that are human vulnerabilities. And this is another dayto-day challenge that CISOs and security leaders are really challenged with. Um, look, we've got the founder of an L1 here now tackling PQC, which we'll talk about in a second. We've got an exchange. We've got, you know, Binance US. We've got Robin Hood. Each of these um members of the Crypto Isac and stakeholders have their lens on security. But there's one thing that I hear every single day at Crypto Isac. It's nation state threats targeting humans. Anyone got anything to offer um as it relates to nation state threats, DPRK, others? >> Yeah. Uh so obviously the the the people problem is security's sorry security has to be everybody's problem but at the same time security has to not depend on any individual and so uh a lot of what we're doing in terms of security as an industry is coming down to uh prevent prevention and depth. Um if you are vulnerable to a single person walking in the door and getting your corporate laptop and that ruins your key management infrastructure that's bad. That's really bad because it means that you only had to get one like false employee to to ruin your entire day or your entire operation. So I I think that what we're seeing right now is this acknowledgement that like there are people who are going to get in the front door eventually. They're going to they're going to be your employees eventually and they are going to be trying to work against you and your infrastructure from the inside. And that it's more important now than ever to have extreme depth and extreme preventive measures because in crypto uh there is no undo. you can't take back money that leaves that leaves your wallets. Um, and so it's extremely important that that one person doesn't ruin your entire operation. >> Yeah, I mean I I agree with that. I I think for us it's, you know, just this whole paradigm shift now of hiring and the processes you have to put in place and even after that, you know, if you get some confidence, I mean, it's a tough challenge to to, you know, if you feel like someone's going to get through that door and it's still a pretty new problem. I don't there's no magic bullet for this yet. Um and and so I think you know this is where crypto isac really comes in help. We share different CTPs and just different profiles of of of potential you know DPRK or or confirmed DPRK uh thread actors. So I think just this is a >> I really hate this problem as a CEO because you know it's it's such a human very hard to solve. >> Yeah it is. It is >> human weaknesses. So sorry go ahead. Oh yeah, just just very quickly um you know nation state level attacks are something I think about a lot mainly just because in the quantum uh world you know the only entities with whether the resources to fund these efforts are nation states either directly or indirectly the companies building the systems are often like in these government programs right and um you know I think I guess what I would say about that is that nation states are kind of unique threat actors right they're not necess necessarily economically driven all the time and there are potentially, you know, as it pertains to Bitcoin and uh crypto. Different nation states view it as uh in different ways, right? And in terms of what kinds of attacks that uh potentially they would consider, you know, again, there could be objectives that are beyond simply economic gain, right? that could be disrupting this system that serves as potentially an alternative uh to people that live in whatever country to circumvent capital controls or have you know the ability to gain financial freedom against the repression that that very same government is basically applying to its citizens. So I I think it's a I guess you know really I I'll close by saying it's a complex vector that um that CISOs like these guys have to consider and I think it'll get more complex as we enter the world or the you know the era of of quantum computing as a potential uh weapon. >> So hopefully that that helps demonstrate that a CISO not only has to have that technical depth that we talked about but we've got these other human threats, we've got other types of risk uh that we're thinking about on the operational side. um even on the physical security side where we've seen you know executives being targeted at crypto companies and beyond. Um so there's a wide wide set of responsibilities that fall under the mandate of a security leader in a crypto company. So these are quite these are these these are day-to-day threats that we're tackling putting out fires but we're also looking over the horizon just a little bit at emerging threats and one of them is postquantum cryptography um and its resilience um as it as it compares to pre-quantum cryptography. Clearly this is not part of my dayto-day yet but for Alex here it is. So, Alex, would you like to talk the audience through real quick what PQC is all about and why is this a security um consideration as we look forward to the resilience of of Bitcoin infrastructure in the future? >> Yeah, just quick clarification. I don't actually run an L1. I sadly do not have a Lambo parked anywhere in this expo. Um so, don't look for it. Um but yeah, I so okay, so quantum computers uh potentially are going to be great for many things, but one thing that we know they can do is break basically the foundation of modern cryptography. And as that pertains to Bitcoin in particular, you know, the way we transfer Bitcoin back and forth between each other is these digital signatures, right? So if if I have the private key, I can sign a message with that private key and then I I have this this signature that's associated with a public key that you can know which can kind of be my address. And then, you know, that's how the network basically uh tracks who owns what. And um what a quantum computer lets you do is basically go the wrong way on that oneway road, right? So with a public key or someone's address, you can effectively go backwards and get their private key and then sign messages on their behalf. So that's kind of the simple way to think about it. So that's obviously uh potentially very devastating for a network that's built around cryptography to ensure that you know to to basically define what ownership means. Um okay, so the national the natural inevitable question that always comes up is when, right? And and the when thing is kind of tied back to my comments earlier around the nation states, right? Right. So nation states have been pursuing this for a long time for both scientific as well as intelligence reasons. Um and so I think one aspect of this that I I want to point out and you know maybe one other thing to just quickly note is that you know talking about quantum I don't think should be viewed as FUD. I mean I'm very happy to be on this panel with these CISOs who think about this more dayto-day but this is just a risk right? this is a risk that we have to consider in terms of how likely is it and how uh you know how how big is it and so I think you know quantum is just one more risk and I think with regards to timelines but based on the fact that you know this can effectively used to break cryptography that's also used to secure very sensitive information there's not a lot of incentive for the folks that are funding it certainly to reveal how far or not far along they are and I think this uncertainty around this risk is I one of the biggest problems because we on one hand we have time-t tested the the the cryptography used in the Bitcoin network in some ways is the most impressive cryptography on the planet secures trillions of dollars of value and has never been broken. Nothing in the realm of postquantum cryptography has anything close to that track record. And I think it's hard because you don't want to throw away what has worked but there is a risk that it may not work against this specific kind of weapon. So, you know, I think again this is just a risk that we have to consider among many other risks and and triage appropriately. >> We we talked a little bit about software updates as it as it relates to vulnerabilities and patch management. There's also a a concept of updating Bitcoin to be quantum resilient. Am I right? >> Yeah, exactly. So all blockchains including Bitcoin are going to have to upgrade effectively the underlying cryptography that they use. And then because this is a decentralized network where you know it's not your keys not your crypto or only your keys should should be only your crypto every every user or every wallet has to also migrate to that new secure cryptography. So it's kind of a two-step process. So you've got that every user is going to have to migrate to this new up upgraded Bitcoin infrastructure to be quantum safe and that so this is when we talk about impact this is not so much well it will it will be an institutional impact but it will also be a user an investor and a consumer impact as well dealing with this particular type of threat. I mean my question to you is who when who who who do we talk to about this you know when when do we start considering it right we've talked about backstage we've been we you know I'm we're continually talking to quantum security experts and just trying to get a feel for what's available what could we be doing now what do we need to be thinking about as time goes on what are the indicators that you know this might be getting closer um you know I would ask you where do we get those insights who's going to be making those decisions >> yeah I guess that my answer would be um you know again I risk here is uh we want to mitigate the potential worst case outcome and so maybe we should I think I would advocate for everyone in the digital asset industry including you know the companies that you guys work for to be proactive in preparing uh where necessary but not overly you know there's no doesn't have to be a fire drill know we don't need to like throw everything out that's worked but I think proactive preparation like it like it sounds like exactly what you're describing is is absolutely the right approach and thankfully I'm I'm very happy to say I was here last year and I was talking about this and everyone kind of gave me weird looks and uh I'm I'm happy that this year I think it's it's it's much more of a topic dure and and I'm happy that the conversation is happening. >> Yeah, I think one of the more interesting risk parts of the PQ discussion is that um it's about it's it's not going to happen instantaneously, right? It's not going to be it's not going to be next Tuesday that's it that's it for Olympic curve signatures. But uh at the same time, you have to ask yourself for each year going forward, is this the year? And are you 100% sure of that? because in the year that you are not 100% sure of that uh you kind of need to do the migration because if you are wrong the cost of being wrong is tragic the cost of being right means you get to pro protect the funds going forward but so it's it's this constant balance and I think being where we are right now and not having the world's clearest view of if when is the less than 100% year going to be that puts us in a very tough position for risk management it's a uh it does feel like it's not a fire drill but it is coming is what it feels like >> yeah I agree So, as in all panels, we need to talk about AI. And in this case, I'm just going to throw it over to the three of you. Um, you know, AI for offense, security offense, AI for defense. Uh, there's a lot of you AI for operational um efficiency, which is certainly what we're doing at the crypto isac. Um, Alex, we want to start with you like thoughts on um the convergence of AI and crypto infrastructure. >> I I have initi I you know AI is certainly not my area. So I don't want to pretend like I'm an expert at all, but I do think one one area that's maybe underappreciated or talked about is I think there's a lot of AI models that are out there that people are are kind of focused on solving math problems, you know, and and you know, winning these various awards or solving these long unsolved problems. I mean that's you know ultimately cryptography is math and so I think there's a really rich unexplored area to uh you know to to apply these models to developing or at least testing uh kind of the new up and cominging cryptography like postquantum cryptography so that we can help gain confidence in that so that when when the time comes for these gentlemen to migrate their systems you know maybe they they can feel more confident that this has been battle tested in a way that it couldn't have been before the era of AI. Welcome to predict. The world is a market. Everything is a market. Every headline moves the line. Every moment is your market. Call the moves. Bet on your instinct, your prediction, your edge. Dual bits. Predict where everything is a market. there's this concept of crypto meaning cryptographic algorithm um agility now so that you know we're going to we've been stuck on a few proven algorithms for many decades for a really long time and I know NIST has come out with um post-quantum resilient algorithms to take us forward but to your point Alex with AI and its input you know and maybe future algorithms cryptographic algorithms that we as humanity have not identified yet. We need to be able to be agile enough to roll our infrastructure over to these newer algorithms maybe not get quite so married to one particular algorithm as we have been in the past. >> Yeah, I think it's a little different for us. You know, I think for for me for technically exchange, I think the industry at large is seeing a huge uptick in AIdriven attacks and just again creating more noise and us trying to leverage AI to eliminate the noise and focus on what's uh you know, really important um and what we need to spend our time on and then you know internally you know trying to ramp up the tooling for for for the business and for all aspects of the business but keeping that secure so we're not using AI irresponsibly. Um, I think it's a little bit of a different challenge and use case for us than than how you're using it, but I love it and I hate it. >> Yeah, I know there's a lot of CISOs out there who are really um challenged with internal integrations leveraging AI and all of the um API permissioning um complexity that goes along with that. There's a few CISOs that are members of the cryptoac that um share their headaches with me because I think that's a real challenge right now. Integrating a lot of this AI infrastructure and making sure it's done safely for an enterprise as a problem. >> Yeah, the uh I I like I like the model of thinking of AI as increasing the intensity but not necessarily the complexity of the security problem. So um if you look at there was uh recently publication about uh some attacks that occurred in South America. they were the attackers were using AI as part of their toolkit. And if you look at the traces, it's not that the attackers were super intelligent, but the AI was persistent and the AI didn't sleep. And so they they have tools where they you could kick off some agents and go to bed and tomorrow come back and take a look at your output. That kind of stuff. Uh I I think that this is what we're going to end up facing is um not necessarily super skilled attackers, but so many more attackers who have like $2 worth of token spend to to to throw at a at a company. uh very different from the postquantum side of things where it has to be somebody who has$2 billion dollars to throw at your at the problem. Uh but it's it definitely still like a a real and present threat to the to the industry. >> Security offense at scale thanks to AI. What about defense? You know, within the security vendors that are out there, have you seen um much in terms of leveraging AI to improve defense? >> Oh yeah, absolutely. I even internally we have uh we're using AI for some of our internal prioritization and uh like sock type operations. We have some filtering that that happens there for AI. A lot of a lot of vendors are fully on the AI train. Absolutely. In terms of using it for for defense, um I think that there's still kind of a trade-off that's being made where it's like uh yeah, you could probably find interesting things using AI in your defense stream, but at the same time, you're also going to spend a lot of money on tokens doing that. I think that still having like a first tier of high signal prioritization that is not that's traditional or policy based uh is still very important before you hand it off to the to the models to to assess. But I absolutely do think that it is going to be it is and will be the the future of a lot of the defense aspects of of security. >> Yeah. Yeah. I mean, we're seeing the tools just get better and better, and I think this is going to make the, you know, the the market for uh defense tools a lot tighter and, you know, just going to really up the game across the board. But I also like we starting to leverage it to build um tools in that are specific to our business and how we operate day-to-day. So, we're actually able to uplevel our internal security um controls and measures just there's no tools that, you know, will absolutely hit every, you know, need for us. So, it's it's it's it's helped us be able to build our own tooling, which is nice >> chance to customize to your own risk culture. >> That's right. >> Yeah. Yeah. So, on that note, we're coming up to our close, so I'm going to just go down the line here and give you all a quick chance to give the folks in the room here a reason to feel confident in the future and the resilience and the security of crypto and Bitcoin specifically. Alex, any thoughts? Uh, Bitcoin is an amazing thing that I think in in many ways is the you know just a testament to what cryptography can do and applied cryptography and again the amount of money that has been secured for as long as it has in the way that it has with so many decentralized you know in the kind of the decentralized way is is I think spectacular and I have no doubt whatsoever that Bitcoin will survive any threats that get thrown at it in some form. I think obviously there has to be work to be done to mitigate these threats. But um you know I think I think Bitcoin specifically and you know blockchain based rails generally are are here to stay in finance. >> Yeah. I would think is what I could say is as as much as there are bad guys out there, there's also good guys who care, who want to keep this safe, who really believe in in Bitcoin and and what you know what it you know what it stands for and what we could do with it. Um so yeah, I think it's not just bad people out there. There's also good guys on the fight, too. >> Yeah. And it's definitely uh one of the technologies that has like stood the test of time and has evolved over time. It's it's been really fascinating to see that over the years. So I do think that like Bitcoin absolutely has a future postponed too. >> Thanks. So hopefully that gave you a bit of an insight into the complexity um and the and the multifaceted aspects of the day-to-day life of security leaders in the crypto and Bitcoin um ecosystems. Security is not an end state. It is not a goal that we reach and we're done. It is risk management. It is a continuous journey just as you are all managing risk as you invest in Bitcoin or you otherwise leverage Bitcoin. You're making risk informed decisions based on the information available to you. So do these guys. They belong to the Crypto Isac. Uh Robin Hood, BinanceUS, Alo, Project 11 and others. Um you can check out Crypto Isac. we have the um most mature security teams in industry working together dayto-day. So my my takeaway for you all would be please don't think of things like this a a code audit um as a sort of a promise of security. No, it's a journey of risk management. Really the signal you should be looking for is leadership and governance like this in the platforms that you're looking at in the infrastructure that you're looking at. It's this kind of uh leaning in uh and thought around risk assessment and transparency. By the way, the fact that these um leaders got up on a stage today and talked about their security programs, that's what you want to be looking for. Thank you so much for joining us. Enjoy the conference. >> Thank you. Thank you. Thank you. Every year this community comes together to celebrate, to debate, to build what comes next. And every year the stage gets bigger. Sound money center stage. So, where do you go to celebrate the next chapter in Bitcoin history? You come home. Nashville, July 2027.