Bitcoin or bust: Why regulating cryptocurrency wouldn't stop the ransomware crisis
A holistic perspective
I’ve been meaning to write this post for a long time, and am finally getting around to it around the Thanksgiving holiday.
Ransomware has obviously been the talk of the town (that town being infosec and broader natsec policy circles) for years, but even more so since the disruptive 2021 Colonial Pipeline ransomware hack, which caused real-world, trickle-down effects on the petroleum supply chain, especially in the Southeastern United States.
Among the solutions being heralded, sometimes by infosec pundits, sometimes by regulators who actually have influence or authority in such matters and may also have a pre-existing incentive to enact such regulation, is a “ban” on cryptocurrency in some form. This could take the form of an outright ban, transaction amount ceilings (or floors for reporting transactions to the tax authorities), or increased know-your-customer and anti-money-laundering (KYC/AML) requirements, which already exist to a large extent at major US exchanges.
The visceral response from regulators to ransomware attacks, such as an intrusion into IT service provider Kaseya that enabled ransomware deployments to that provider’s customers (for the second time), emphasized Bitcoin as a scapegoat.
Coinbase, with a clear interest in avoiding such regulations to the extent possible (note that Coinbase is already KYC), posted a defensible argument that eliminating cryptocurrency will not solve the ransomware crisis.
Obviously Coinbase has a vested interest in this position, but it is still a good take that raises valid points: poor IT security controls cause ransomware to proliferate, and “traditional” forms of monetary transaction are still not impervious to fraud and abuse. Coinbase still calls for “common sense, existing regulations to be applied evenly”, such as KYC requirements.
I've generally been of the impression that the emphasis of policy and regulatory response on cryptocurrency regulation as the clearest solution to the ransomware problem is a justification for preexisting aims by a certain segment that wishes to have cryptocurrency more tightly regulated writ large. It also represents an absence of other (proposed) good solutions to the problem. It is a difficult problem, but there likely are other avenues that could be pursued around regulatory enforcement of a number of IT security controls (the Center for Internet Security CIS Controls have a good breakdown of types of basic controls) that have generally been missing in cases of successful ransomware intrusions.
It is also worth noting that analysts speaking from an intelligence and national security perspective have astutely pointed out that foreign policy responses to ransomware sometimes overestimate the direct involvement of foreign adversarial governments in directing and conducting ransomware operations.
A trip down memory lane
Ransomware is not a new problem. It did not begin with the Colonial Pipeline event, nor with the repeated attacks through 2019-2020 that affected major cities and municipalities, nor with the 2017 WannaCry event that was facilitated by the use of a leaked, wormable zero-day exploit that was developed and “hoarded” at Ft. Meade.
Ransomware has a long history in other forms. It’s actually a subset of a broader category of malware that could be labelled “extortionware” or “scareware”, a piece of executable code that infects computers and “scares” if not “extorts” the user or organization for some form of payment.
The form I first encountered, and which was partially responsible for my interest in infosec and malware, was more common around the 2008-2013 timeframe, prior to ransomware as we know it today becoming big on the scene. This was fake antivirus (or system repair), a program that exploits people’s fear, with a pop-up claiming your computer is either critically broken somehow or infected with a myriad of trojan horse viruses, requiring that you pay a small fee for them to remove it, when in fact that program was the malware (and possibly deployed other malware).

So what?!
The point is that these programs generally demanded traditional credit card payments or bank wire transfers from victims to facilitate the extortion. If blanket cryptocurrency regulation were enacted to curb ransomware, the ransomware operators would likely simply switch to forms of payment that are within the “traditional”, more established and regulated financial system, and another game of fraud prevention whack-a-mole would ensue without doing much to proactively curb ransomware attacks.
Zooming Out: the Global Neoliberal System and the Incentives for Ransomware Production
What are the macro global economic conditions that create the incentives for ransomware, which comes mainly from post-Soviet Eastern European and CIS countries?
Since the collapse of the Soviet Union in the early 1990s, and ensuing craziness, the post-Soviet world found itself incorporated somewhat into the global market system, but not fully. Aims to reinvigorate NATO at the end of the 1990s further isolated the post-Soviet world from the global system, and triggered a sense of a continued arms race between East and West, in the post-Soviet mind one that was driven by Western conceit.
These are the conditions under which ransomware is facilitated at economic scale: a neoliberal global market system that creates an environment where there are economic incentives for ransomware to operate as a way to make money for individuals and national economies that feel themselves otherwise being left as second-class citizens in the global market system.
In a sense, ironically, cryptocurrency can actually serve as a legitimate workaround for this, giving less enfranchised persons in the Global South and other regions of the globe an ability to gain financial freedom and participate in a global market system at a level they otherwise wouldn’t have.
Mitigating the global macro conditions that create the incentive for ransomware will require a more equitable global economic system in a true and very real sense, not simply notions of “equality” internal to the US or the West, but externally equitable, transcending political nation-state conflicts.
"Ransomware attacks will continue until global economic system improves."