Caveat 3.30.23
Ep 166 | 3.30.23

Measuring the competitive advantage of compliance.


Metin Kortak: Just because you're compliant with one framework doesn't mean that you are 100% secure. The compliance frameworks, they do not touch on every single threat out there. There is only so much that they can cover.

Dave Bittner: Hello everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben shares news of a Biden executive order on commercial spyware. I look at export controls and whether they really make a difference when it comes to invasive software. And later in the show, my conversation with Metin Kortak from Rhymetec cybersecurity solutions. We're discussing compliance and whether it makes a competitive advantage. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any topic we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump into our stories here. Why don't you start things off for us? 

Ben Yelin: So my story comes from The New York Times, entitled "Biden Acts to Restrict U.S. Government Use of Spyware." And this was big news that came out just the day before we're recording this. So the president signed an executive order restricting our government and our federal agencies from using commercial spyware. And as we've talked about, commercial spyware gives governments the power to hack mobile phones of private citizens, to extract data, to track location and movements. Obviously, there is a massive global market for this, and some people are getting very rich off of it. We've talked a lot about Pegasus... 

Dave Bittner: Yeah. 

Ben Yelin: ...Made by the Israeli firm NSO Group. And these spyware tools have not only been used against foreign governments, for which, you know, sometimes there are justified uses, but also against our own government. And that's something that the Biden administration is very cautious about and concerned about. So this executive order prohibits any federal department from using commercial spyware that might be abused by foreign governments or spyware that could target Americans overseas or could pose security risks if installed on our networks. This only covers spyware developed and sold by commercial entities. So if our government agencies are building their own spyware tools... 

Dave Bittner: And we can pretty much know that they are (laughter). 

Ben Yelin: Yeah. I was just going to say that. I think that's a pretty safe assumption. 

Dave Bittner: Right. 

Ben Yelin: ...Then that's acceptable, if it's our own agencies developing their own spyware. 

Dave Bittner: OK. 

Ben Yelin: But this is just a ban on commercial spyware on which we just have - we don't have a sufficient level of control. There are also a bunch of exceptions. So agencies can use commercial spyware in isolated cases. One of the examples they give in this article is that our Drug Enforcement Administration has been deploying a spy tool as part of a counternarcotics operation. And the officials involved in this investigation don't want to terminate the DEA's use of this tool because they're apparently getting good intelligence from it. 

Dave Bittner: Yeah. 

Ben Yelin: So it's not a universally applicable ban. It's just a general policy against having this type of spyware on federal government devices. This is something that the Biden administration is doing for a couple of reasons. For one, there's kind of an international relations element to it. President Biden is hosting, this week, a summit for democracy and the White House, in promulgating this executive order, said the order, quote, "demonstrates the United States' leadership and commitment to advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology." So that's certainly one reason for it. 

Ben Yelin: And then just protecting the security of our government and our government agents. That's, of course, the primary reason. But having this type of technology deployed against us and having it potentially create vulnerabilities on our own devices and networks is a major motivation by this executive order. So it's big news. This is the - I think, the most broad action we've seen any Western government take against commercial spyware. So it certainly caught my eye when I saw it come down yesterday. 

Dave Bittner: Now, we've seen some recent stories about - for example, you know, the FBI caught some heat for purchasing data about people - right? - on the open market, right? So to do an end-around on a warrant, they were purchasing data in the open market, which anybody can do. 

Ben Yelin: Right. 

Dave Bittner: And they caught some heat for that. This is different from that, right? 

Ben Yelin: Yes, it is 'cause there's - this is spyware, which contains capabilities that go beyond just purchasing data. It's more of a live surveillance tracking tool and not something that's retrospective, where you're purchasing information about somebody's purchase history or historical cell site location information. That's different than spyware, which is spying on somebody - hacking a phone, whether it's a government official or a private citizen, tracking their movements, tracking their keystrokes. These are the type of things that we see with spyware technology. So it's a - I think, a larger threat than what you're describing. 

Dave Bittner: And who is this most likely to affect in our government? 

Ben Yelin: So that's what's kind of mysterious here. I mean, we don't have reliable information about which agencies are - had been using commercial spyware prior to this executive order. Obviously, we know that the DEA is one of those agencies 'cause it's mentioned in this article. From just rumors and, I guess, reasonable guesstimates, our intelligence agencies, particularly the ones involved in international espionage, like the CIA and potentially the NSA - I would guess they are culprits for the use of this commercial spyware technology - but also agencies like the Department of Homeland Security, Immigration and Customs Enforcement. You would think that since these tools exist and since they were not banned on government devices prior to yesterday, it would be helpful for any type of counterintelligence investigation or criminal investigation to deploy what's a very useful tool. 

Ben Yelin: I mean, there's a reason the Pegasus people have made a lot of money is that governments see the value in it. It's kind of a cheat code for both counterintelligence and criminal investigations. It's extremely useful, which is part of what makes it so dangerous is that there's a lot of motivation for governments around the world to forgo their constitutional processes in terms of obtaining warrants and getting judicial approval and just going straight for this spyware, which is kind of screwed up... 

Dave Bittner: (Laughter). 

Ben Yelin: ...To put it in colloquial terms. 

Dave Bittner: Well, doesn't the notion of spyware in general just run counter to the Computer Fraud and Abuse Act? In other words, if you're - if I'm engaging with a company to install spyware - let's say, you know, you done me wrong, Ben, and I want to put some spyware on your phone. And I call up Bob's House of Spyware and I say, ha-ha, I want you to put some spyware on Ben's phone. Haven't I asked them to commit a crime? 

Ben Yelin: So the Computer Fraud and Abuse Act, though frequently invoked, is just - it's kind of like Swiss cheese, it has a lot of holes in it. 

Dave Bittner: (Laugher) OK. 

Ben Yelin: You know, generally, the government itself can be exempt from certain provisions in the Computer Fraud and Abuse Act for doing legitimate law enforcement or counterintelligence work. 

Dave Bittner: I see. 

Ben Yelin: I mean, I think that's a good point, I just think the Computer Fraud and Abuse Act, prior to this executive order, was not going to stop our government agents from installing the spyware. 

Dave Bittner: Right. 

Ben Yelin: We know that it hasn't in the past 'cause there's been widespread reporting of the use of this commercial spyware. So it's just something that, theoretically, is a tool, the Computer Fraud and Abuse Act, but I just don't think deploying it would be our way out of the situation there. 

Dave Bittner: Yeah. So there's deference there. The same way - like, you and I have talked about the FCC gives deference to law enforcement when it comes to Stingrays. You know, they're - it's just the way it is. 

Ben Yelin: Yeah, I mean, for, I think, good reasons, the government - and people may disagree with this - but the government is treated differently from Bob's Spyware Shop. 

Dave Bittner: Right (laughter). 

Ben Yelin: Even though the government is purchasing spyware from - maybe it's not Bob's Spyware Shop but a - you know, these large corporations... 

Dave Bittner: Yeah. 

Ben Yelin: ...Who have developed the software. But our government is authorized to do all certain types of things that nobody in the private sector would ever be able to get away with. I mean, nobody besides a TSA agent could give us a full-body pat down at the airport. Nobody besides a law enforcement agent would be able to detain us and bring us into custody on the street. So it's just - there are different standards for law enforcement and for everyday Americans. 

Ben Yelin: And that's what's interesting here, is that the only restraint in this case - this executive order - is the administration putting a policy restraint on itself and on its own agencies, which is, frankly, pretty admirable 'cause it could break up some of our core capabilities as it relates to the work of intelligence officers. And I can guarantee you that there are officials at some of our intelligence agencies who did not sleep well last night because they've been making use of this tool and they're concerned that this ban is going to affect their operations. So I think that's definitely part of the story here. 

Dave Bittner: And is - to what degree do you think this is messaging and diplomacy versus anything else? 

Ben Yelin: I think a large part of it is diplomacy and setting a worldwide example. We - not to sound like a sappy Ronald Reagan here, but... 

Dave Bittner: (Laughter). 

Ben Yelin: ...We try to be that shining city on the hill... 

Dave Bittner: Right, right. 

Ben Yelin: ...Examining the best qualities of small-L liberal democracies and looking around the world and seeing other governments use this type of technology to spy on not just people who are threats, but political dissidents, human rights activists, journalists. And we've talked about this in all different types of countries. El Salvador was one of the ones we talked about. To set - I think it's important for us to set this example. And it's also one of those things where if other countries see that the U.S. is willing to do this, given that the U.S. faces some unique intelligence threats - i.e., a lot of people out there dislike us and are itching to do us harm. And I think that that can serve as a valuable inspiration example for other Western governments. 

Ben Yelin: I also - I have no evidence of this, but there is political turmoil in Israel at the moment, and this, in some ways, is a story about the NSO Group. And the NSO Group has a very close nexus with the Israeli government, and the Biden administration is not happy with the Israeli government right now for complicated reasons related to proposed reforms to their judiciary that allegedly go against their democratic ideals. So I'm not saying that this executive order is a direct reaction to that, but I think it might have factored into consideration of this policy. 

Dave Bittner: Have we seen any reaction from Congress on this? People seem to be on board? 

Ben Yelin: It's a little early in the game. 

Dave Bittner: Yeah. 

Ben Yelin: I think we will see action from Congress. I think this is something - given what we know about the views this Congress and, frankly, the last Congress had on issues related to data privacy and cybersecurity, I don't think you'll see an overly partisan reaction to this. And we have lawmakers in both parties considering a ban on TikTok as a social network. 

Dave Bittner: Right. 

Ben Yelin: I think the least of their concerns would be an administration executive order that puts limits on commercial spyware at government agencies. I wouldn't expect to see major pushback from it. I think there are a limited number of lawmakers who have, like, a post-9/11 mindset that we need to use every single tool at our disposal. That's the type of viewpoint that's kind of out of fashion at this point. 

Dave Bittner: Interesting. Yeah, yeah. Right. Congress is busy asking TikTok executives whether their app uses Wi-Fi (laughter). 

Ben Yelin: Yeah. That was so sad. That whole hearing was just deeply depressing. And I'm sure we'll talk about this in other contexts, but I would not have wanted to be that TikTok executive. 

Dave Bittner: Yeah. 

Ben Yelin: He probably went home and cried himself to sleep in his pillow. It did not go well for him. 

Dave Bittner: (Laughter) No, not at all. All right. Well, we will have a link to that story in the show notes. My story this week comes from the folks over at Lawfare. This is written by Winnona DeSombre Bernsen, and it's titled "Export Control is Not a Magic Bullet for Cyber Mercenaries." And this sort of slots right into what we're talking about here. And it really talks about the notion of our federal government using the tools that they have for export controls to control spyware and whether or not that makes a difference. And this article talks about NSO Group and its famous, you know, Pegasus software. 

Ben Yelin: All a coincidence, by the way - we did not - there was no collusion prior to this podcast. 

Dave Bittner: No, no. This is just different related things that caught our eye. 

Ben Yelin: Yeah. 

Dave Bittner: And how difficult it is to tamp down on these sorts of things - this article points out that if an organization finds themselves on an export control list, very often, they'll just go and reorganize as a new entity to - and, presto change-o, they're no longer on the list, you know, that sort of thing. What do you make of this, Ben, this notion of using the - first of all, I guess, let's back up a little bit. Can you give us a little primer on what the Entity List is? 

Ben Yelin: Yeah. So the U.S. maintains this so-called Entity List. This is maintained in the Department of Commerce. Any company that's placed on this list could no longer receive certain U.S. exports, including technology products. And this is actually something that was mentioned in the other article we just discussed, but the NSO Group was placed on this vaunted Entity List in 2021. So as a result of that policy, the NSO couldn't legally purchase laptops with a Windows operating system or iPhones without explicit, expressed consent from our government. So that's generally what the Entity List is. You don't want to be on it if you're a foreign company. 

Dave Bittner: Right. And that's kind of a poison pill for them, right? I mean, that's limiting if you can't buy the main - the two major operating systems in the world, right? 

Ben Yelin: Yeah. You're kind of screwed. 

Dave Bittner: Yeah. 

Ben Yelin: And I think companies that find themselves on the Entity List certainly realize that this is going to be a company-killing action. So you have to go into survival mode. And the way they go into survival mode is some of the things you talked about. You regroup or reform under a different name so that regulators can't recognize you. You try to offer the same product. I mean, a lot of this, frankly, sounds like mafia drug activity, where... 

Dave Bittner: Yeah. 

Ben Yelin: ...You're laundering money; you're putting up front organizations... 

Dave Bittner: Right. 

Ben Yelin: that you're not caught as the entity that was put on this Entity List. So that's why all these cyber mercenary companies have been put on this list and have been forced to reorganize after appearing in the public eye. And there are all these examples of this happening in the past. So these export controls are necessary, but just certainly not sufficient to quell the threat of these nefarious international actors. 

Dave Bittner: It strikes me that the export controls, like many things when we're talking about technology and software in particular - it's kind of a legacy tool that's struggling to keep up with the modern world. And where my thought is going with this is if you're manufacturing a widget - right? - let's say, I don't know, you're Cisco, and you're, you know, manufacturing some kind of network switch. Well, that's a piece of hardware. 

Ben Yelin: Right. 

Dave Bittner: And you can say, you're not allowed to ship that piece of hardware over there. And everybody knows what that hardware is. And if you slap a different label on it, somebody can say, oh, no, this is still the Cisco hardware. What - you know, knock it off. Software is a little trickier than that. 

Ben Yelin: Right. It is. It's not the type of thing you can do with hardware where it's like, oh, that's not Superman. It's Clark Kent... 

Dave Bittner: Right, right. 

Ben Yelin: ...Who took off his glasses. 

Dave Bittner: Right, right. 

Ben Yelin: Yeah. And I think, really, the question is, what can be an alternative to this whack-a-mole approach of trying these export controls on mercenaries and then the mercenaries responding to the whack-a-mole by reinventing themselves? 

Dave Bittner: Yeah. 

Ben Yelin: And this article brings up a few, I think, promising potential policy solutions. One of them is that we should partner with our European allies to call out, whether it's through laws or statements or policy, which types of business decisions or behavior remains inbounds versus those that will result in some type of sanction. And if these are done with some of our international allies, then there can be more uniform standards. 

Dave Bittner: Yeah. 

Ben Yelin: So companies will have a very clear idea of what type of activity will get them put on a certain list, so that we're not monitoring mercenaries as individuals. We're monitoring them for this type of illicit activities. And then, in a similar vein, the second solution here is to clarify what makes a good customer of offensive tools and what makes a bad customer of offensive tools. So there are ways to responsibly use these types of espionage - this type of espionage technology, certainly for national security protection, narcotics investigations. 

Ben Yelin: But we can't, as an international community, accept the use of these tools for political persecution of minorities or using it on journalists, etc. So I think by clarifying these standards and putting them into some type of binding regulation, that would be a more long-lasting, effective approach than just throwing somebody on a list that they can relatively easily evade. 

Dave Bittner: Yeah. It's, you know, like we've talked about, though, so many times. It seems like governments want to stay fuzzy when it comes to cyber. When it comes to drawing lines in the sand with cyber, they - it seems like there's intentional fuzziness there. They don't want to make it clear. They want to leave the ambiguity there. And I can understand why, but it makes it hard when you bump up against things like this. 

Ben Yelin: Yeah. It is frustrating. I mean, this is not the only domain where we see that kind of ambiguity where they don't want to take broad action. I mean, we end almost every segment on our podcast with, there ought to be a federal law for this where we have uniform standards, and we lay out what's acceptable behavior, what's legal, what's illegal. And I think there are a variety of reasons that we don't do that. One is that we have a relatively dysfunctional legislative branch that has a hard time doing anything. One is the limit of technological knowledge and know-how on the part of our policymakers and our regulators who would be charged with implementing these types of regulations. There is, I think, still an institutional gap there. 

Ben Yelin: So when you combine those factors, it's not as easy as just, hey, somebody should develop this policy and not rely on export controls, which is just leveraging a tool that already exists. I think if these export controls were part of a - what this article calls a wider, more holistic set of policies that would prevent these tools from falling into the wrong hands, that's fine. But it doesn't really address the behavior of the individuals who are propping up companies to be able to do the things that we disfavor on the part of these foreign mercenaries. 

Dave Bittner: Yeah. From Lawfare's point of view, to put out an article like this, I mean, is this a - basically an editorial just saying, you know, hey, we've been thinking about this, and from our own position of expertise, we think this is something that deserves some attention? 

Ben Yelin: Yeah. I mean, I think it's a very well-written, persuasive piece. The author is a nonresident fellow at the Atlantic Council, spent five years in the cyberthreat intelligence industry and is now receiving her joint MPP/JD degree at the Harvard Kennedy School in Georgetown Law. So certainly... 

Dave Bittner: No slouch there (laughter). 

Ben Yelin: Yeah. Certainly no slouch. 

Dave Bittner: Right, right. 

Ben Yelin: Doesn't mean I'm jealous of her professional success. I'm just mentioning it. But, yeah, I mean, that is all this is. 

Dave Bittner: Yeah. 

Ben Yelin: It's not like it's a representative from DHS or CISA writing a statement of policy. It is just an editorial expressing a policy viewpoint. 

Dave Bittner: Yeah, yeah. But I - so - we shouldn't be so dismissive as to say just though. Like, Lawfare... 

Ben Yelin: I agree with you. I mean... 

Dave Bittner: Lawfare is respected. 

Ben Yelin: It's a very serious publication. 

Dave Bittner: Yeah. 

Ben Yelin: And oftentimes, we need thought leadership from academics in the private sector before anything can be done at the federal level. Sometimes it's that type of op-ed and research that incentivizes or motivates policymakers to make changes. So I think I've talked to - before about how people kind of laugh at academics as sitting in their ivory towers. But a lot of the operational ideas that end up being enacted into policies via statute or executive order start with somebody writing an op-ed somewhere. 

Dave Bittner: Yeah. All right. Well, again, this is from Lawfare, article written by Winnona DeSombre Bernsen. It's titled "Export Control is Not a Magic Bullet for Cyber Mercenaries." We will have a link to that story in our show notes. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Metin Kortak. He is from Rhymetec cybersecurity solutions. And our conversation focuses on compliance and how maybe organizations need to look at it as an advantage rather than a burden. Here's my conversation with Metin Kortak. 

Metin Kortak: I think especially recently when we're working with our clients, they have to also work with other SaaS vendors, or they may have their other clients, and whenever they're about to be purchased, like, their products are about to be being purchased, one of the first things that come up is, do you have a certification, or do you have any sort of compliance reports such as SOC 2 Type 2, ISO 27001? So because this question has been coming up a lot, a lot of our clients are getting concerned, and they want to become compliant. 

Metin Kortak: They have some - they want to have some security reports in place - such as any SOC 2 reports, ISO certifications - so that they can provide that to their clients in order to expand their business. And this obviously becomes a competitive advantage because if your competitors do not have any compliance reports, any certifications, then potential clients that you have will likely choose someone else who has those type of security certifications. 

Dave Bittner: So the notion here is to have these sorts of compliance elements already in place so that if someone asks for them, you're not caught having to catch up and provide it. 

Metin Kortak: Exactly. And I think it also creates this network of organizations that are all compliant, especially when we are going through - like, an example would be if we're going through a SOC 2 Type 2 audit, the auditors will ask us how we have conducted security assessments, security reviews on the potential vendors. And one of the first things that they also ask for is that, do your vendors have a SOC 2 Type 2 report? 'Cause if you're going through a SOC 2 type two audit, they will want to make sure that the vendors that you're providing sensitive information to are also compliant with these frameworks. So that ends up creating this large network of a bunch of organizations that are all SOC 2 Type 2 compliant because they all have to go through the same audit process. 

Dave Bittner: I see. Well, can you give us some insights as to what this process is actually like? When someone decides this is a path they want to go down, what are they in for? 

Metin Kortak: Well, when you need to become compliant with any type of a framework, one of the first things that we recommend to our clients is that you need to understand the control listing and the exact requirements from the compliance frameworks. And a lot of the compliance frameworks, unfortunately, are not very clear on their requirements. So security professionals tend to have to go through security trainings, or they have to take certain online courses, to learn about what these compliance frameworks actually require. And obviously, experience definitely helps with that. 

Metin Kortak: The - one of the reasons why our clients like to use our services is that they - we have a lot of this experience. We know exactly what these audits look like, so we are able to provide them with that type of knowledge. But that will be one of the first things that we would have to do if we're about to get one of our clients compliant with one of the compliance frameworks that they have selected. The second thing would be to identify some type of a gap assessment to understand, do you actually have those controls in place? Are you actually compliant with any of these controls based on whichever compliance framework that you have selected? - and then obviously, the implementation of the compliance controls. 

Dave Bittner: And what should they expect in terms of the amount of time that this would take and the relative expense? 

Metin Kortak: I think it depends on the compliance framework that you are selecting. If you were to go through a SOC 2 Type 2 audit, for example, the implementation process can take anywhere from three to six months up until you receive your certification. And this can be very different for other compliance frameworks. For example, if you're going through PCI certification, that process can sometimes take up to one to two years, depending on where you're at. So it's really difficult to give some type of a timeline. 

Metin Kortak: In terms of the cost, that's also going to depend on the auditor that you select, because majority of the costs of the compliance will actually go to your auditor who will actually provide you with the certification or the compliance reports, and the rest of it will be through implementation and various use of tools. But it's definitely going to cost somewhere between, like, I would say, 10 to 40,000 in a year, but that could obviously be higher based on the size of the organization. 

Dave Bittner: Yeah. You know, we often hear folks refer to sort of checkbox compliance, you know, that an organization will go through the process just to be able to say that they've done it. But it strikes me that there's more to it than that and that even going through the process itself can help you, as an organization, really understand where you stand when it comes to your security. Has this been your experience as well? 

Metin Kortak: Yes. This comes up a lot. Sometimes our customers will work with us. We will get them to the finish line. We will get them their SOC 2 Type 2 report, and then afterwards, they are going to be like, OK, well, we have our report; we don't have to do anything else now. And they're going to kind of just drop the ball and everything, and they're not going to do any other improvements until they have to go through that audit again the following year. I would consider that very much just like a checkbox audit because the customer is just doing it for the purpose of getting that certification, but they're not really using the things that are required by that compliance framework as a way to improve their security posture. 

Metin Kortak: So I always tell my clients that compliance is not just a checkbox effort. This is going to be an ongoing effort moving forward if you want to maintain that compliance. And that's also why we always encourage continuous monitoring. Like, our customers have to be aware that you need to monitor your infrastructure on a daily basis. You have to have continuous monitoring solutions. So that way you're not just checking the box, becoming compliant, you're actually maintaining that compliance even after you receive your compliance reports. 

Dave Bittner: And I would imagine, if you were a leader within an organization, it can kind of help back up these efforts among your employees to say, listen, you know, this is for our own good. But also, this is going to help keep us compliant. And that's good for everybody. 

Metin Kortak: Exactly. However, I think it's also important to know that just because you're compliant with one framework doesn't mean that you are 100% secure. The compliance frameworks, they do not touch on every single threat out there. There is only so much that they can cover. I think complying with SOC 2 Type 2, ISO 27001, it absolutely helps you improve your security posture. But I would say that there are other security best practices out there that are not covered by these compliance frameworks that organizations should always think about implementing as well. 

Dave Bittner: So what is your advice for organizations who are heading down this path? How do you come at this and make it as easy a process as possible? 

Metin Kortak: I think one of the easiest way to become compliant is to utilize certain continuous monitoring tools. There are a lot of tools out there. I know now even some hosting providers, they have their own built-in compliance monitoring tools that they provide. And these tools will essentially integrate with your production systems and with any other SaaS products that you're using to store and process sensitive data. And these tools will also identify any sort of compliance issues within these platforms. We really like to use these tools at Rhymetec because it helps us identify and create a gap assessment, identify any controls that are not in place. So that way we can use those tools to continuously monitor our clients' infrastructures. And it will also give us a clear understanding of where our clients stand, if the controls are implemented, at what percentage they're implemented. It really helps us track the whole process. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: It makes me - so it was a really interesting interview. I mean, it makes me more sympathetic to some of these small organizations. Compliance is - you know, I think everybody wants to avoid compliance being a box-checking activity. And that's one of the things you talked about. 

Dave Bittner: Right. 

Ben Yelin: But to do a thorough audit, you really need significant resources. He mentioned a price range from $10,000 to $40,000. I mean, that's - if you're a small business, that's just not an easy cost to absorb. 

Dave Bittner: Right. 

Ben Yelin: So I'm sympathetic to those companies who want to do the right thing but just aren't able to because they don't have the resources. One of the guests that we recently spoke to - and I think the episode aired a few weeks ago - had a solution to this problem where in order to incentivize compliance, you can have some type of tax credit or business tax credit for engaging in proper compliance. So that's - that would be one way out of this problem. But that's something that stuck out to me about the interview. 

Dave Bittner: Yeah. Yeah. I remember - you know, this is a while back. I was talking to a friend of mine, who was a local banker. And... 

Ben Yelin: Hopefully not with Silicon Valley Bank. 

Dave Bittner: Not with Silicon Valley Bank, no. 

Ben Yelin: All right. 

Dave Bittner: But different locality. But they were just saying that they thought that there were going to be fewer and fewer small, local banks because of the increasing burden of compliance. It just wasn't - the numbers just didn't make sense. They could not keep up and compete with the larger banks, who had, you know, huge compliance organizations in place. So that's a reality, right? 

Ben Yelin: Absolutely. It is. Yeah. 

Dave Bittner: Yeah. All right. Well, our thanks to Metin Kortak from Rhymetec Cybersecurity Solutions for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.