Computer criminals armed with ransomware were able to hold U.S. drivers hostage earlier this month. The Colonial Pipeline attack had such dramatic real-world results that the simmering ransomware crisis has boiled over. It’s impossible to ignore now. But what does that really mean? Ransomware criminals are raking in the money...er, the cryptocurrency, anyway. According to security firm Elliptic, the Bitcoin wallet associated with ransomware gang DarkSide -- the oil pipeline hackers -- received transactions valued at $17.5 million since March…and even more over its lifetime.
This seems like a logical place to start. Stop the flow of crypto, change the economics of ransomware, and you’ll see the crime wave recede. So why isn’t anyone talking about that? Even President Biden’s executive order reacting to the pipeline attack didn’t mention cryptocurrency.
So here at In Conversation, we decided to have this very important conversation. Back with me are: cybersecurity consultant John Reed Stark, along with Duke professors Lee Reiners and David Hoffman.
(If you are new to In Conversation, I am a visiting scholar at Duke University this year studying technology and ethics issues. These email dialogs are part of my research and are sponsored by the Duke University Sanford School of Public Policy and the Keenan Institute for Ethics at Duke University. See all the In Conversation dialogs at this link.)
FROM: Bob Sullivan
TO: John, Lee, David
The connection between the rise of cryptocurrency and the rise of ransomware can't be ignored any longer. It's a pretty common policing tactic to choke off a gang's money supply to smoke out the criminals. In the case of ransomware, criminal gangs wouldn't exist if it weren't for (nearly) untraceable cryptocurrency transactions. What should be done to rein in crypto as the fuel for ransomware gangs? Particularly when the kind of regulation one might be tempted to try might very undermine the entire premise of cryptocurrency and kneecap a lot of investors?
FROM: Lee Reiners
TO: John, David, Bob
My wife and I flew back from a long weekend in Florida yesterday and couldn’t get an Uber or Lyft home. We ended up calling a traditional taxi service and paying $50 to get to Durham (normally, Uber is less than $25). According to our driver, it was a combination of the gas shortage/hoarding plus Uber drivers enjoying expanded UI payments that led to the shortage of drivers.
While our situation was clearly not a big deal, it did hammer home the fact that at this point, nearly every person has been impacted by ransomware in some way or another.
We all know that without cryptocurrency there would be no ransomware, and to his credit, John Reed Stark has been shouting this argument for a while now. But I am struck by how few policymakers and other “talking heads” are taking the next logical step and arguing for more regulation, or even an outright ban, on crypto. In fact, it seems like the opposite is happening judging by the “Dogefather’s” appearance on SNL. To me, it’s pretty clear that the societal damage of crypto-fueled ransomware attacks vastly outweighs whatever benefits we get from crypto. But there’s something about the American ethos and our embrace of “innovation” – without ever defining real innovation – that makes banning something a bridge too far. Of course there are other steps we can take before banning crypto, such as tightening the crypto-fiat on and off ramps, but the fundamental essence of the technology that permits crypto will always be attractive to nefarious actors. Perhaps the best we can hope for is the crypto bubble bursts and policymakers sweep in and say “ok, fun’s over.” But I am not hopeful.
FROM: John Reed Stark
TO: Lee, David, Bob
Very well said Lee!
A reporter asked me today what I thought of outlawing insurance companies from making ransomware payments or even outlawing the tendering of ransomware payments altogether (thereby eliminating the moral hazard).
While well-intentioned, that kind of simplistic thinking could trigger a series of crushing economic catastrophes.
First off, the answer is not to blame the victim and call for stronger cybersecurity standards. Cybersecurity is an oxymoron and always will be. I love the President’s 34-page Executive Order. However, the Executive Order may help shore up some systems, but for the most part, it won't likely put a dent in ransomware-as-a-service subscription-based platforms and toolkits and a slew of other attacks. Legions of soldiers and criminals wake up every morning with the sole purpose to hack into U.S. networks and systems and no one can stop them all.
The crux of the issue is painfully obvious — stop the flow of crypto and ransomware attacks stop. Period. End of story. While I can appreciate the potential benefits of blockchain technologies and would always encourage its technological development, I cannot say the same for crypto here in the U.S. In fact, I cannot conjure up a single benefit that crypto provides for a U.S. citizen i.e. a single task or process that crypto makes easier, better, cheaper or faster. Meanwhile, I am outraged by the inherently conflicted crypto-promoters who all stand to profit handsomely by fueling their self-serving crypto-mania. I guess if I owned a cache of bitcoin I would feel the same way. After all, who cares about the reasons, just get more people to want crypto so the value of my crypto-stash increases and I will get richer and richer. The lack of credibility and extraordinary bias of bitcoin and other crypto promoters cannot be overstated. It’s maddening.
So how do you stop the flow of crypto? 1) By enforcing AML regs and regulating crypto-marketplaces like any other financial marketplace (onerous registration requirements; mandatory audits and examinations; transparency and record-keeping of all transactions; cybersecurity requirements for all platforms; compliance policies, practices and procedures; whistleblower provisions; licensure; and all of the rest). 2) By encouraging governments, retail, services and other outlets not to accept crypto as a form of payment; 3) By discouraging investment in crypto and taking a stand against its use and the gamification of investing. Bitcoin is poison and being used as a tool in one grand get-rich-quick scheme. Like Elon Musk’s character admitted on SNL Weekend Update, it's one big hustle.
Anonymity of transactions might seem like a libertarian’s dream, but it is actually more akin to a nightmare. Just ask anyone trying to find gas in North Carolina earlier this month — or calculate the losses associated with the many intended and unintended economic consequences the Colonial Pipeline attack has caused.
I get it — anonymity of financial transactions will always have some appeal to just about everyone. But is it worth the cost of the global spread of terrorism, crime and economic chaos? Not to me and probably not to most people.
Hopefully the Colonial Pipeline attack will wake up the government, and prompt an even more thoughtful response, beyond a 34-page Executive Order. How about an Executive Order denouncing crypto? I can only dream.
TO: John, Lee, David
It's amazing what happens when there's a little attention paid to a problem.
Brian Krebs reporting that DarkSide claims to be disbanding and its Bitcoin stash had been seized. Brett Callow from Emsisoft warned me it might be just an exit scam -- it probably just means the group felt too much heat from this incident and will lay low for a little while, then re-form as something else. Still, heat can impact ransomware gangs.
FROM: David Hoffman
TO: John, Lee, Bob
Now this makes me want to learn a lot more about cryptocurrency mixers like BitMix and to think about whether those companies might be a good place to start with regulation. Is there any legitimate purpose for those services?
TO: Lee, David, Bob
The President, Treasury Secretary, Attorney General, IRS Commissioner and SEC & CFTC Chairs should use this opportunity to make a public statement from the White House steps announcing the President’s intention to:
1) Sign an Executive Order that no federal entity will accept crypto as payment for goods or services or do business with any entity that transacts in crypto;
2) Form a Task Force to target crypto-trading platforms with AML, regulatory and other legal violations;
3) Emphasize the dangers of cryptocurrency (i.e. how the pseudo-anonymity of crypto has created extraordinary opportunities for terrorists and global criminals);
4) Preach the perils of crypto-investing (i.e. how relying on the greater fool theory is the wrong way to invest); and
5) Reprimand the recklessness of organizations who accept crypto as payment (i.e. they are enabling crypto-using criminals).
This would cost nothing; This would not take an act of Congress; This would not stifle blockchain innovation; This would not require any resources; and This could serve as the most effective and immediate defense against ransomware.
As I have stated over and over again, I can’t think of a single U.S. societal benefit (social, economic or otherwise) of crypto and the untraceable financial transactions it facilitates. Meanwhile, the self-interested cadre of promoters shilling crypto are only doing so for one reason: to enrich themselves. And don’t call me anti-innovation. Being anti-crypto does not mean I am anti-blockchain, the two philosophies are too often mistakenly conflated.
Remember the Reagan Administration slogan “Just Say No” to stop drug use. How about the Biden Administration adopting this simple catch-phrase to defeat crypto: “Stop the Hustle.”
TO: John, Lee, Bob
I can sign up for all of that. I very much like “Stop the Hustle” as the tag line!