REPLAY: Cyber in the 21st Century with Combiz Abdolrahimi

About This Episode

In this week's replay episode, we have Combiz Abdolrahimi, a national security lawyer and Emerging Technology and Innovation Leader at Deloitte. We deep dive into today’s critical infrastructure vulnerabilities and navigating the path forward to address the threat with systems that weren’t originally designed with cybersecurity in mind.

(Hint: don’t approach 21st century cyber challenges with 20th century thinking.) He also shares perspective from his time in government at the U.S. Departments of State, Treasury, and Commerce, among others, as well as insights across today’s hot topic themes including ransomware, cryptocurrency regulations, international enforcement, and the criticality of information sharing and reporting requirements.

      Combiz Abdolrahimi - National Security Lawyer, Deloitte

       

       

      [2:01] How Cyber in the 21st Century Protects Critical Infrastructure


      Rachael: Joining us today is Combiz Abdolrahimi, a National Security Lawyer, Emerging Technology and Innovation Leader at Deloitte. He's a former financial regulator, a policymaker, and a cyber and tech citizen diplomat. He has served across the government at the U.S. Departments of State, Treasury, Commerce, the White House, and the U.S. Senate. Welcome to the podcast, Combiz.

      Combiz: Thank you for having me.

      Eric: We're going to talk about cybersecurity today.

      Rachael: One of the really hot topics right now that I'm really fascinated about is, how do we protect critical infrastructure, particularly in the U.S.? Reading some interesting articles, too, about food sources or supply chain critical infrastructure. You're starting to see a lot of ransomware attacks from those operators as well.

      I would really be interested in your perspective, because you've had a frontline seat of policy and regulation in your various roles. How do you see the threat landscape changing? What additional measures can we start taking to ensure the security of our nation's most vital resource?

      Combiz: We have seen and experienced all of these cyber attacks, and it's nothing new. Just the number of cyber attacks, especially on our critical infrastructure, have just been growing exponentially. It's not every day, but it's often, so you don't have to look that far back to see SolarWinds or look at JBS. It was that global meatpacking giant that a few months ago showed that our food system is vulnerable also to digital threats.

       

      More Automation, More Technology, More Internet

      Combiz: Especially as we have more automation, more technology, and more internet. More connectivity playing a bigger part in our food supply chain. There was Colonial Pipeline as well. Maybe a year ago, we never thought that some cyber attack could essentially force the largest supplier of gasoline on the East Coast offline.

      Eric: But we should have thought about it.

      Combiz: I agree.

      Eric: Some people thought about it. We didn't do anything.

      Combiz: If we're talking about sort of power or energy, the electric grid, these systems were built many years ago without contemplating the need for a cyber defensive posture. So it was not as if they were designed with cybersecurity in mind, and that has changed. Right now, systems are being more automated. They are leveraging technology innovation.

      They're being plugged into the internet so that teams could have remote access into those systems. For want of convenience, for want of connectivity, it has led to greater cyber attacks, cyber intrusions, cyber incidents. So we do need to be much more proactive than we have been. Again, these cyber attacks show that on our critical infrastructure, no industry is off limits. All of these industries that make up our critical infrastructure, food, gas, energy, utilities, chemicals, transportation, financial just show that really, nothing is off-limits.

      We have to think like them. But it's like these cyber attacks and cyber incidents, the sophistication that we're seeing, and the technologies that they're employing are evolving. Our responses, our strategies, our approaches need to evolve as well. We can't be thinking like the 20th century with 21st century cyber attacks.

       

      We’ve Got to Think Differently About Cyber in the 21st Century

      Eric: As you say that, I'm thinking about the prelude to Star Wars, "In a galaxy far, far away." I'm thinking about that like, "Wait a minute, here." We've got to think differently about the problem because everybody is susceptible to attack. Everybody is out there and has to change.

      The industries, the critical infrastructure sector across the globe clearly aren't evolving fast enough. What we observed is it does evolve quickly when it's connecting things to the internet. Ease of use, convenience, but protecting from the internet is something that has not evolved.

      Combiz: We weren't thinking that cyber attacks could harm public safety and could, at some point, derail trains. Could they lead to releasing chemicals contaminating the water supply or shutting down the grid? These things, maybe not the sort of derailment of trains or this other stuff, but definitely the shutting down of the power grid. It has happened in other countries like Ukraine, in 2015 or something.

      Eric: We saw MeteorExpress, the Iranian train system.

      Rachael: Yes, causing delays. It's an interesting point, too. There are all of these worst-case scenarios and we haven't necessarily hit them yet. It's the toe in the water. It is like the Florida water treatment plant employee who saw someone taking over his desktop. The kind of thing, "I'm going to stop that," so we have all of these near misses.

      Combiz: Was that the one with the lye? Just update your operating system. Get with the times. It's not that difficult. Some of this stuff, it's just mind-blowing at how companies, organizations, they have those resources, those capabilities. But they're not thinking with cybersecurity in mind.

       

      Cyber in the 21st Century Is Suddenly Very Personal

      Eric: It's almost similar to people who build a house right on the beach where you know you're in a hurricane zone. You know you're in a flood zone, but you do it anyway because that enjoyment or that capability is there. Maybe you have flood insurance, maybe you just like a new house every 20 years.

      In the case of ransomware protection, "It's not going to happen to me. Oh, it's not a big deal." Then, you go to evacuate, the big storm comes in, and you sustain massive damage. Hopefully no loss of life or anything, but all of a sudden it's very personal. Colonial Pipeline.

      Meatpacking, very personal. You shut someone's water off or contaminate water, very personal. But otherwise, if it's not impacting me, we don't do a whole lot. We don't do it with disinformation, misinformation, we don't do it around ransomware. I'm not saying it's easy, but there are basic steps. There are things you can do, there are risk management frameworks out there. There's a lot that you could look at that the average American company does not prioritize. Different sectors more than others.

      Combiz: It comes down to resources and capability and teams. Do they have the cybersecurity awareness, knowledge, information that will help them identify, "These are the critical assets that our company has, these are the vulnerabilities?" Doing some baseline assessment of, "These are the problems that we could foresee with the potential cyber incidents. This is why we need to be proactive. We need to apply those frameworks."

       

      [10:30] Cyber in the 21st Century Have Mandatory Cyber Standards

      Combiz: If we're in an industry that has standards, a lot of these industries and critical infrastructure sectors, whether it's dams, maybe less so with healthcare. I would assume that there would be minimum waste water systems. They may not have those mandatory cyber standards.

      In the food example and in agricultural businesses, I don't think there's any sort of cybersecurity rules that govern that. There's very little federal oversight. Not to say that that's something we need more of. I'm of the opinion that we do.

      Eric: It's a critical infrastructure sector.

      Combiz: Yes, that's one of the 16. There's basic cyber hygiene that companies ought to be aware of, especially if they're in the critical infrastructure sector. To practice and be ahead of and apply those software patches, apply those updates that come on your system.

      Say you're using some sort of proprietary software that is provided by the third party to do some due diligence on what that software is and what permissions you give it. Maybe at some point in the conversation, we'll talk about zero trust. I don't really like the word "zero trust." Never trust but always verify would be stronger. Some of this is just common sense.

      Eric: Part of it is cybersecurity, part of it is IT, part of it is also policy. Part of it is also diplomacy. When you were at the Treasury, controlling the money system, and protecting it is some of the work you did. What would you think about a problem like this? We'll take Colonial Pipeline for a second. So attacked by a foreign set of actors, maybe, maybe not with the permission and the authority of a nation-state.

       

      There’s Some Level of Ownership in Cyber in the 21st Century

      Eric: Treasury isn't going to protect a pipeline. That's not their job. But Treasury does deal with the money supply, Treasury does deal with currencies, in this case, cryptocurrency. There's some level of ownership or control there. How would you, as a policymaker, think about this? Recognizing you're not the person on the keyboard saying, "Okay, Colonial Pipeline," or it really doesn't matter.

      Pick your target of choice, "This is what you need to do from a cybersecurity perspective." How does the government look at that from a policy perspective and think through that problem in helping the American companies?

      Combiz: Treasury is the lead when it comes to the financial sector, not only the U.S., but global financial critical infrastructure. So any sort of touchpoints of the financial sector, Treasury is often the lead agency. Tasked with, find the problem, collaboration, sharing with, say, members of the iFax.

      We have the information sharing and analysis centers in different industries and one on financial services. So to emphasize that, in terms of policy, and then you mentioned ransomware, you mentioned crypto. Over 90%, maybe more now, of ransomware attacks, they ask for cryptocurrencies and Bitcoins because it's easy.

      Eric: Beats a sack of cash under the park bench when you're away.

      Combiz: It definitely does. Although there's sort of back-and-forth on whether cryptocurrency is truly anonymous in nature. It's more pseudo-anonymous because they're able to identify and trace the origins and where money is.

      Eric: Well, in the Colonial Pipeline, they did. 80-some percent came back.

      Combiz: Exactly. These agencies who are the lead on that particular critical infrastructure, say, transportation.

       

      Information Threat Intelligence Sharing

      Combiz: Obviously, the transportation critical infrastructure sector is doing what they need to do. A lot of it comes down to, Treasury is plugged into a lot of the financial institutions, information threat intelligence sharing. So they're trying to quickly get at and share that information about, say, other companies in the space have experienced. They can share that information with the government. The government can basically provide that information through alerts to the other financial institutions or the financial sector companies.

      When it comes to policies, looking at it from a holistic lens is what we need to do. Again, when I was in government, when I was at Treasury, I looked at coming up with any solutions. Coming up with, "How can we better help and collaborate with the financial critical infrastructure, our global community, our regulators, our other regulators?" A lot of the issues, the challenges, the pain points come from the data, and data sharing and collaboration is not optimal. We're nowhere near where it should be.

      Eric: Maybe you know and maybe you don't know, but is there a taskforce at Treasury that's focused on ransomware? From what we've read publicly, they are focused on cryptocurrency. "Hey, this is our role in this ransomware challenge that the world is going through." Is there a group working on that?

      Combiz: There's no shortage of task forces in the federal government, so we've been in this space. I guarantee you there is a task force on ransomware at Treasury, perhaps even within the White House. This has grown exponentially over the past two years. No, there is.

       

      Cyber in the 21st Century Contemplates Sanctions on Ransomware Operators

      Combiz: It was publicly reported a few days ago in The Wall Street Journal and The Washington Post. Treasury is contemplating sanctions on ransomware operators. It will feed off of the recommendations that this task force puts together. There’s a lot of sort of interagency within the department. It has a phenomenal mission, connected with so many other federal agencies, federal, state, local, international.

      Then we have the Bureau of Financial Crimes enforcing that work, which is FinCEN, that promulgates regulations. We talked about crypto, on technology innovation as it pertains to the financial sector, and critical infrastructure. Working with them, they have a very strong, very smart cyber. I've learned so much from just a one-hour conversation with a friend at FinCEN than I had in a month of working elsewhere.

      They have so much talent and expertise to offer and they're leveraging that. When you're thinking about the hundreds of trillions of dollars, I don't even know the exact estimate of money just flowing through our financial system. All of these ransomware operators, they're targeting this. That's where all of the money is going, all of the money is flowing.

      It's a small group at Treasury that's powering this really important work. So the collaboration that we'll need to have and hopefully will have with the private through these either consortiums or through these public-private partnerships are critical. Like the JCDC, which was just recently announced, it's from CISA.

      Eric: Yes, because the riches are there. The target of these ransomware I'll call them gangs, groups, whatever you want to call them, organizations. There's no question that the Treasury as we used to say, the target, it's there.

       

      [20:51] Cyber in the 21st Century Empowers Cyber Law Review

      Eric: What do they have? They've got investment money. They probably have political air cover, they have infrastructure, and then their people. The Treasury and the government has a role in that political air cover dealing with that. You can't operate within Russia without consequence or whatever the country maybe. But also, looking at, where is the money source? How are they getting their money? What are they doing? As we saw with some operations out there, going after their infrastructure, taking that offline, but it's guaranteed to come back.

      Combiz: There is that sort of cyber offensive. There's that debate whether you want to empower either companies or agencies. I don't know if you were necessarily going in that direction, but empowering them to have the cyber law review.

      Eric: I wouldn't want commercial companies. I don't want to get into hacking back.

      Combiz: Exactly. I wrote a law review article on hacking back and the constitutionality of it. That was so many years ago, but I need to find it and review it. See if it still holds true today, but yes, there is definitely that part of it. You were talking about ransomware. Yes, it's a big issue and it's something that became personal, too. My parents had a small business.

      They had a book business and they had a couple of locations. I was their IT guy. As a kid, I would just play with computers and open things up and see how they worked. Try to put them back together, but horribly and mess it up. I'll never forget, I'm actually in the Treasury Building. This was like 2013, 2014.

       

      What Do You Know About Ransomware

      Combiz: My parents called me up. I'm in D.C. and my parents are in California. That's where their business is. They call me up and they say, "What do you know about ransomware, like ransom?" I'm like, "What are you talking about?" They experienced a ransomware attack, and it wasn't super sophisticated.

      Eric: This was 2013?

      Combiz: This was 2013, 2014, I just joined Treasury. I was working on The Hill before for Senator Levin, and then I came over to Treasury. I'm by no means, this now, I'm not the cybersecurity expert. One of the first things that I was tasked to do for Treasury, for my boss then-Secretary Lew, was put together a memo. He was getting asked about what our take is. What is our policy position, say on cryptocurrency?

      Then, also, these ransomware attacks were starting to appear, very small scale. They weren't like we're seeing with Colonial and others, nothing sophisticated. Just more of an informational memo for the secretary but for the department on what this is, and how it works. I just immersed myself into this. Then, lo and behold, a few weeks or a few months later, my parents had a ransomware attack in their business.

      It wasn't as if they weren't applying their software patches or things like this. No, because I'm the IT guy. I always made sure that everything was up to date and was secure as best it could be, with my limited IT capabilities. We were able to get it from under these ransomware operators because we had sort of a backup, but we lost out.

       

      How Ransomware and Cyber in the 21st Century Works

      Combiz: It was like our business was down for two or three days. I flew back to California to see if I could figure it out because I couldn't do it remotely. I’ve had remote access before, but because of the ransomware, it just locked up everything. I was just going on virtual online forums chatting with the experts, the white hackers, and those who had some understanding of how ransomware works. We came up with this rudimentary basic solution that worked.

      In the end, it worked, but it was all this time it was concerned with all of this data. Let's just say the files that my parents had would be kept from them and they would never have access to it. They were only asking for a couple of Bitcoins. It wasn't like a big ask.

      Eric: Bitcoin was cheap in 2013. 

      Combiz: It was cheap, exactly. I'm a little fuzzy on the date. It could have been 2014, but it was like in my first year or two at Treasury. So we just decided not to pay them. There was no guarantee that we would get the information back. 

      How do I trust these criminals? I don't know of another word for them, and then also, they might ask for more. You give them some and they're like, "Okay, you have money. Let's ask for more." Then, I was able to apply that fix and we had it back up. It wasn't as if we were backing it to the cloud. This is a basic, rudimentary, not sophisticated IT guy. What do I know about IT?

      Eric: How many stores?

      Combiz: We had five bookstores in California.

       

      How Cyber in the 21st Century Impacts Our Business

      Eric: A decent income. Took your income offline for a while and you couldn't order inventory or anything else. It was impacting your business.

      Combiz: Economic impact on our business.

      Eric: Who did you call from the government side? Did you call the police, the FBI? What did you do while you're playing as a new IT person?

      Rachael: Like law enforcement.

      Combiz: I'm at Treasury. So I'm working with the FBI of Treasury, our intel groups. I definitely did mention, did tell them. There wasn't this formal, "Okay, we can help you. Send us whatever information you can and we will do this." It was more like, "I'm so sorry, that's just awful." I don't want to criticize, ever. This was early stages, this was in the first years. What is ransomware? I don't know. I think WannaCry was later.

      Eric: WannaCry was May of 2016.

      Combiz: No, it wasn't WannaCry, but it was like one of these. Some crazy name and the government, they're still getting up to speed with what ransomware is.

      Eric: You're in the inner circle essentially. You're talking to the FBI and DHS.

      Combiz: I'm talking to my counterparts because I really want to help my parents figure out what to do. It's just more, "This is just awful. It's horrible."

      Eric: Very empathetic.

      Combiz: Go to sort of an external variant. In hindsight, looking back, I would like to see, I don't know if this is something that exists now but with the ransomware attacks on the rise, doing a public campaign is critical. A book business is not a critical infrastructure. But some of these, say, utility companies or small business, small private sector-owned, they may not.

       

      [29:17] Would You Get a Different Response from Cyber in the 21st Century?

      Eric: You could have been a small meat packer. You could have been a small electric utility. I don't think it would have been materially different, like, "Hey, I'm Combiz's Electric Shop. I'm calling you in, it’s the FBI here. Help me out." I don't see that happening. It's 2021. If the same thing happened today, do you feel you would get a different response from the U.S. government? Do you think you would have different outlets to go and try to seek help?

      Combiz: I think I would see more outlets, and I am seeing more outlets. There's definitely more outlets out. There's more awareness, but we still have quite a way to go in terms of making this more seamless. To have this, "I am a small business. I'm that small meatpacking plant or facility and I've experienced this." I know right away who I need to call, who I need to email, who can help me. Provide me with some sort of technical assistance or guidance. It's complicated. That's the ideal scenario and situation, but think about how many ransomware attacks happen across the U.S. every day. I don't know if there's any study, but there could be thousands of these attacks.

      Eric: They're certainly growing.

      Combiz: The government is limited when it comes to resources and staffing, but that's still no excuse. There could be and should be a more coordinated call center.

      Eric: I just looked it up quickly. If you type in "ransomware and FBI," first of all, you get a whole bunch of vendor links from Google. Bing would probably do the same thing but you can go to the fbi.gov website on ransomware.

       

      The FBI’s Internet Crime Complaint Center

      Eric: It says, "Contact a local FBI Field office or submit a tip online." Or you can file a report with the FBI's Internet Crime Complaint Center, IC3. I don't know where that goes, I don't know how seriously it's taken.

      Combiz: I don't know what that does, either.

      Eric: If you're Colonial Pipeline and the President starts reaching out saying, "We got a problem. What are we going to do about it?" It's different from something that doesn't hit the parent price.

      Combiz: If you're a small Mom and Pop, yes. If you're a small business, say you're in the critical infrastructure sector, but maybe you're not. I don't know how comfortable you're going to be to reach out to the FBI Local Field Office and want to report this. Not everyone is going to be comfortable doing that. If it's not FBI, maybe CISA could be empowered to play a role here.

      Now, obviously, they're more focused on the bigger picture and infrastructure than they would be the Mom and Pop business that faces a cybersecurity attack. But there could be more of a civilian agency, maybe even Treasury could be more conducive to people reaching out, and feeling comfortable submitting a complaint. Maybe they could set up some sort of portal, some system where businesses that face these. It's not one event that happens one time and then that's it. It'll happen multiple times to that business.

      Eric: Well, it strikes me that if you're a local bookshop, book retailer, and somebody breaks your window, steals some books or steals your cash register drawer, you call the local police.

       

      The Probability of Success of Cyber in the 21st Century

      Eric: The local police will deal with it and the probability of success is, I bet it's relatively high that the police will do something about it. They'll take a report. You file insurance, you go through that process. If somebody locks up all of your systems via ransomware, I don't know what happens. You file a report with the IC3 or you call the FBI. I don't think the local sheriff's office is going to know what to do much.

      Maybe they'll take a report and you can file an insurance claim, but you're still dealing with interruption of operations. You're dealing with potential customer data loss. The larger the organization, let's extrapolate that out to an electric utility or an oil or gas or a critical manufacturer. I don't think we're quite there yet. We are seeing more progress. We've got the new executive order from the Executive Branch.

      Combiz: I agree, but looking at the perspective from a small business, a small business just wants to get the problem fixed. They want to quickly regain access to their system, so what's the quick-fix solution? Filing a police report and all of that is fine and great, but that's not really going to solve the problem. The challenge, which is, "How do I regain access to my systems, to my data?"

      It's more of the law enforcement side, yes, but what is needed is more of, "Here's technical assistance, here's guidance. Here is the support that the government can offer to help some of these small businesses." Because they can't afford to hire a major cybersecurity vendor company to help them. These small businesses just don't have that capability to do that.

       

      There’s More Attention and Awareness in Cyber in the 21st Century

      Combiz: Now, obviously, the bigger companies, the JBSs and the Colonials, yes they can afford it. They have that ability, but it's a complicated situation. I'm hopeful because there's a lot more attention and awareness, being paid to this space. That's important for everyone's awareness and how it can lead to the executive order on cyber, which is pretty ambitious. It could be very effective and lead to improved security standards and security performance if it's done and implemented correctly.

      Eric: It'll lead to some regulatory type of requirements. Theoretically, the government's going to provide some additional funding to critical infrastructure sectors to help them out. With your background in the White House, Congress, Treasury, and all of the organizations you've worked with, what's their perspective?

      Combiz: The alphabet soup of governing agencies. Basically, all of them.

      Eric: What's the perspective you've seen on things like deterrence? You can deal with it after the fact. This is how the government's going to help you as an organization. But if we look at something like deterrence, what's the role of the government in preventing it from happening in the first place? You're a bookseller in California.

      The fact that we've got some organized crime group in Russia reaching into your coffers, into your systems, not a lot you can do about that. The local police aren't doing anything about that, so what do you see on deterrence from the government? Like getting ahead of it almost?

      Combiz: Definitely there's global cybersecurity communities, regulators in the critical infrastructure states that work on cyber standards, but in enforcement internationally. There are those engagements at the highest levels of our government with other governments.

       

      [37:59] Engagement with the Allies

      Combiz: Oftentimes, that engagement is mostly with our allies. You would think that our allied governments are not the ones that are launching these cyber attacks against our critical infrastructure, which is correct for the most part. At the same time, it's those not-so-allied governments that are allowing, creating a space for non-state actors in the sense that they're not directly tied to the government.

      The government is not really doing anything to clamp down on all of these ransomware operators or cyber criminals that are operating from that country. It does require many levels above my pay grade, having those conversations with our counterparts in those forums.

      Those settings that could really get at the heart of this, which is the, "Yes, these cyber attacks have grown more frequent." Some of them have been state-sponsored and there needs to be some accountability, some enforcement capability.

      Treasury has the sanctions authority. They have the ability to sanction these governments and these operators. Part of the problem is the attribution piece. It's really hard to attribute who these attacks are, where these attacks are coming from, and by who. You can't just sanction an entire country or an entity without really having the proof.

      Eric: They could put regulation in place to monitor all cryptocurrency payments. There are things they could do proactively. I'm not the lawyer here, so maybe they can't, but they do it with banks.

      Combiz: There's some when it comes to financial reporting.

      Eric: If you could make it difficult to get to that treasure, that money, that reward because we keep seeing it grow. The number of attacks, the cost of attacks, it's growing. It's only growing because the benefit outweighs the cost, the risk.


      Having Regulations in Cyber in the 21st Century

      Combiz: You raise a really good point about having regulations on financial institutions. That if you deposit over $10,000 into your account, there's a report, there's a filing. They call in the Suspicious Activity Reports. What has happened, unfortunately, is that banks have gotten to the habit of filing those for the sake of just meeting that regulatory requirement without having the suspicion that, "Hey, this is actually a legitimate transaction." But they'll just file it anyway to have some liability protection or something.

      Legally-wise, it doesn't necessarily mean they’ll be able to mandate or require cryptocurrency transactions. This is definitely something for counsel. I've worked on regulations, with the general counsel of Treasury, and with the interagency. It comes down to, "Okay, here's the problem. Here's what we're trying to solve. Could we do it within our existing authorities that the Treasury or the department has?" If we cannot, we would have to obviously go to Congress. Get some legal change of the law essentially.

      Eric: Things changed with the law essentially.

      Combiz: But there are broad powers that the government has, as we all know, that these agencies have. That could, in fact, fashion some regulation around cryptocurrency payments. It all comes down to the source of funds and the transfer of funds money. These ransomware operators, they're doing it for money.

      I'm sure that the task force at Treasury and others in the government are thinking about this. But at the same time, we don't want to stifle. Easier it is oftentimes, everybody says, but it's true. We work in this innovation space. You don't want to stifle innovation.

      Eric: No, just crimes. It's all I need.

      Combiz: Yes, but you need to have work.

       

      Crime Versus Innovation

      Eric: To prove that it's crime versus innovation.

      Combiz: A lot of this is something that could be corrected or fashioned now. A lot of these agencies who have the responsibility for overseeing critical infrastructure, they often rely on information that is voluntarily shared. It's not this frequency of data sharing that we need to have greater situational awareness.

      Could we have those companies that are working in the critical infrastructure sector to require them to share more rather than it being a voluntary basis? These attacks, companies will face them and oftentimes they go unreported. We need to have a mechanism or a solution in place where we have a reporting requirement, particularly for ransomware. We may not understand where they're coming from and how many attacks are happening because companies are not informing those federal agencies of these attacks.

      Eric: There's a multi-faceted solution to this growth. There's a more costly problem that we definitely need as a nation, as a globe, a global economy to spend more time on.

      Combiz: Yes, it's a digital economy. It's all interconnected.

      Eric: It's almost like the old days when there were pirates on the seas and you were trying to get your cargo from somewhere. You had to avoid the pirates because it was just attacks on the system, so we need a digital Navy.

      Combiz: I love that. I should bring that up.

      Eric: Free rights and licenses just give me a little attribution to use that. We need a digital Navy to protect the American citizens from ransomware pirates.

      Combiz: I'm going to tell them that. Exactly that, and I'll attribute that to you.

      Eric: He'll say, "Who is Eric?" I’m going to listen to the podcast.

       

      The Stone Age

      Rachael: So sad. This is such a great conversation. Combiz, thank you so much for joining us on the podcast. It has been such an interesting conversation, and it just underscores the complexity here. There's clearly no easy path forward.

      We're obviously not going to unplug all of our systems and go back to the Stone Age. The price of progress, it's great to be able to talk through these things. At some point, we're going to unearth a path forward that makes sense for the time that we're in. It just takes a lot of discussion. Thank you so much for your time.

      To all of our listeners, thank you for joining us for this week's episode of To The Point. Hit that subscribe button and get a fresh episode delivered to your email inbox every Tuesday. Until next time, stay safe.

       

      About Our Guest

      Combiz Abdolrahimi - Deloitte

      Combiz Richard Abdolrahimi is a National Security Lawyer, Emerging Technology & Innovation Leader at Deloitte. He's a Global Account Executive supporting the U.S. Department of State, a former financial regulator and policymaker. He is a cyber and tech citizen diplomat. Combiz has served across the government at the U.S. Departments of State, Treasury, and Commerce, the White House, and the U.S. Senate. He is a senior innovation executive with 15 years of public and private sector experience.

      He’s been helping governments and Fortune 500 firms run data-driven digital transformation projects, manage multi-billion dollar budgets and tech investments, and harness the power of data and new or emerging technologies to meet consumer and mission needs. He has scaled data-centric and technology-powered systems to modernize, secure, and advance U.S. innovations, from energy, trade, export controls, national security, regulatory compliance, consumer protection, and critical infrastructure to cyber programs.

      He has worked with industry and government leaders in shaping the business, policy, legal, ethical, regulatory, and tech dimensions of AI, blockchain, crypto, payments and banking, government IT, Zero Trust Architecture, cloud and edge, as well as quantum and IoT, cybersecurity, FinTech and RegTech, 5G, digital connectivity, and identity/ICAM/IdM.