a global affairs media network

www.diplomaticourier.com

Crypto and Ransomware: Correlation Does Not Equal Causation

September 28, 2021

The perceived linkage between the growth of cryptocurrencies and the rising specter of industry-crippling ransomware attacks is a reminder that just because two events may be correlated, it does not mean they are linked to causality, writes Circle's Dante Disparte.

The perceived linkage between the growth of cryptocurrencies and the rising specter of industry-crippling ransomware attacks is a reminder that just because two events may be correlated, it does not mean they are linked to causality. While there is no doubt certain cryptocurrencies have been connected to illicit activity, the fact remains that the rise of ransomware says more about the underlying cybersecurity vulnerability of certain sectors, critical infrastructure and, perhaps, entire economies (in a world bent on connecting everything to the internet) than it does about a nascent digital assets industry. In short, an air gap between critical systems and internet connectivity is a feature, not a bug.

Arguably, the vector of attack for cyber ne'er-do-wells is a vast seen and unseen array of internet-connected devices, endpoints and relationships, including the human connections between the proverbial keyboard and chair. By this measure, email and phishing attacks (including whaling, meaning phishing attacks that target big-name individuals such as company CEOs), as well as a vast and deeply complex series of automated malware attacks powered by bots, are the tip of the ransomware spear. We would be wise to remember that the advent of a financial market, including customer service standards and a certain honor amongst cyber thieves, does not eliminate the even darker specter of cyber terrorism or warfare, for which an economic motive is not on the table. The lack of clarity on “to pay or not to pay” policies, along with the growth of the somewhat checkered cyber and breach response insurance market, also has a hand in stimulating growth of economically motivated ransomware. Against these types of threats, the fundamental properties of blockchain-based systems, including compartmentalization of data, decentralization, public auditability, cryptography, and encryption, among others, represent gains in cyber resilience.

The Sony Entertainment cyber-attack of 2014 demonstrated the art of the tragic possible and the ease with which not only a business model could be held hostage, but an entire value chain, as movie theaters and actors were also threatened with reprisal if The Interview film was aired. The recent Colonial Pipeline ransomware attack upped the ante, but the fundamental pattern and fundamental vulnerabilities remain the same; in this case, compromised passwords were the backdoor. Cyber threats, like bank runs, need to be viewed as systemic risks rather than idiosyncratic ones where companies and industries are left to fend for themselves. Just as the failure of any single bank erodes confidence in banking, the failure of the Colonial gas pipeline created deleterious cascading effects, including the fear-induced prospects that the Northeast U.S. would run out of gas. For cyber terrorism and warfare to work, inherent cyber vulnerabilities are where the threat begins and fear and panic are where the real costs end. As with bank runs, mutualizing the costs, the countervailing measures and threat information sharing, among other areas, calls for new structures for strategic risk sharing and resilience.

Email does more harm in spreading ransomware than cryptocurrencies, and yet it would seem foolish to make calls to ban email. As an example, the 2017 WannaCry attack, which crippled entire industries and spread to more than 150 countries over a weekend, began as an automated email attack and eventually leveraged backdoors in vulnerable and out-of-date operating systems. The real exploit, however, was made possible by a leaked government-created offensive cyber weapon known as EternalBlue, which was designed as a subterfuge around vulnerabilities in widespread operating systems. Here too, simple cybersecurity measures such as routine software patches, password management, endpoint-level threat detection and basic human cyber hygiene can be low-cost, high-impact ways of improving resilience. The caveat, of course, is that for managing a risk that evolves according to Moore’s law, the bad actor (whether human or automated) must be right once, and you must be right 100% of the time. Fundamental technologies like public blockchains alone cannot stop unchecked cyber risks, but they can limit the damage by compartmentalizing data in distributed, encrypted and privacy-preserving ways.

Indeed, that the WannaCry exploit was made possible by government technological spy craft that fell into the wrong hands and was freely traded in dark web markets says a lot about the complexity of playing offense and defense with systemic risk. Other areas of cyber vulnerability include the lack of veritable air gaps between critical systems and the ever-perilous internet. The exposure of industrial controls, SCADA systems and both the hardware and software that power so much of the world’s critical infrastructure makes keeping the lights on, gas pipelines running and even the prospect of safe, potable water hard to guarantee in the age of rampant cyber threats. That there is now a means of low-friction payment for many of these attacks is not nearly as dire as the underlying and persistent cyber vulnerability.

Arguably, cryptocurrency payments for illicit finance and ransomware are leaving a critical money trail (traceable for all eyes on the internet) from source to destination. This trail of financial bread crumbs, which leverages one of the superpowers of public blockchains, namely that they permanently and publicly record microtransactions, is producing law enforcement breakthroughs, including in combating U.S. election interference. In fact, the efficacy of cryptocurrency forensics tools and the harmonization of financial crime compliance standards across blockchain-based payment systems and digital assets are giving cyber criminals few places to hide on the open internet of value. In re-architecting and upgrading core financial infrastructure, the reliance on honeypot databases such as consumer credit bureaus as the basis for financial access and mobility, along with dated and analog single-source-of-failure payment rails, is itself a major vulnerability in the global financial system.

Looking a little deeper into illicit activities on blockchain-based payment systems, even if denominated in entirely decentralized cryptocurrencies such as bitcoin, reveals that the link between crime and crypto may be overstated. First, the good actors in the system are fighting back, and not only by harmonizing financial compliance standards alongside global financial integrity bodies such as the Financial Action Task Force, or FATF. Together with law enforcement, the digital assets industry is armed with increasingly sophisticated and effective blockchain analytics and forensics capabilities, which penalize bad actors as opposed to putting the burden of trust for basic financial access on consumers.

The firms powering a global early alert tripwire system that a crime may have taken place where crypto was the criminal thrift are able to track and trace illicit money flows in profoundly new, transparent, and effective ways. This is not possible with the analog and opaque financial ledgers of the traditional banking and payment system, which contributes to billions of dollars in money laundering and illicit activity each year, even among the best-run banks. Open financial ledgers such as public blockchains, which record micropayments with the type of accounting fidelity that would make big auditing firms blush, are increasingly hard places to abscond with money. This is true because the ability to track and trace illicit money flows in near real time, including ill-gotten ransomware payments, can help trigger a dragnet of intervention and coordination to not only trace funds, but potentially retrieve them, as was the case in the Colonial Pipeline attack. A veritable digital fire brigade now exists, and companies such as TRM Labs, Chainalysis, and Elliptic, among others, are helping the digital assets industry and law enforcement fight back against illicit actors, preserving the prospects of an open internet of value versus futile attempts to shut decentralized finance down.

This auditing and transactional fidelity of cryptocurrencies was a key feature in the indictment of 12 Russian nationals following 2016 election interference in the contentious U.S. presidential elections. Similarly, despite the massive 150-country WannaCry dragnet, a comparatively small haul of bitcoin, worth at the time between $50,000 and $70,000, was paid and ultimately traced to specific digital wallet addresses, while the second-order costs were estimated to be as high as $4 billion. Indeed, because of the power of collective witness of financial transactions on public blockchains, laundering ill-gotten funds from crypto crime is not only proving costly, it is proving time-consuming (at the current rate) because the world’s eyes are trained on suspect wallet addresses. As this public auditability and transaction recording continues to grow, alongside the adoption of digital identity and biometrics, the basic premise of financial inclusion not coming at the expense of protecting the integrity of the financial system can evolve in lockstep.

Against this backdrop, along with real possibilities of breakthroughs in privacy-preserving digital identification, the cost of cybercrime payable in cryptocurrencies is going up for bad actors, while the availability of novel, low-cost financial innovations is powering new markets and new forms of financial access. The evolution of these new markets - now more than 10 years in - is not risk free. No wave of financial innovation ever is. Whether countries were transporting stolen gold from the “New World” on risky galleons, or moving money around on vulnerable stagecoaches or carriages in the U.S. westward expansion, the movement of money in all its forms comes with risk. Increasingly, the responsible actors in the digital assets industry are coalescing around standards of compliance and harmonizing approaches on combating illicit finance, including anti-money laundering (AML) efforts, countering the financing of terrorism (CFT) and, critically, pushing back against the scourge of ransomware. Blaming one of many potential payment mechanisms as the cause of ransomware, rather than looking in the mirror of cyber vulnerabilities, smacks of convenience as much as it misses the mark.

About Dante A. Disparte:
Dante A. Disparte serves as the Chief Strategy Officer & Head of Global Policy for Circle. He is a member of FEMA’s National Advisory Council and serves on the World Economic Forum’s Digital Currency Governance Consortium. He is also a member of Diplomatic Courier’s editorial advisory board.
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.