The disabling of the Colonial Pipeline after a reported ransomware attack early this month has renewed U.S. interest in cybersecurity – messing with Americans’ gasoline has quite a focusing effect. Unfortunately, the fact that cryptocurrency played a role in the hack has helped channel much of that interest in the wrong direction.
Yesterday we got a sterling example of this misdirection in the form of a Wall Street Journal editorial arguing that banning cryptocurrency is a reasonable step in the fight against cybercrime. The piece’s author, Duke University financial regulation researcher Lee Reiners, argues cryptocurrency has no real-world utility and that “ransomware can’t succeed without cryptocurrency,” so we should just get rid of crypto. If it’s too hard to ban outright, Reiners argues on-ramps such as exchanges should be outlawed as a proxy.
There are many nuanced reasons to reject this argument. You could compare it to demanding a ban on cheese because your house is infested with rats. You could say that it is a massive category error that mistakes a tool for a cause. You could point out, as many have, that cryptocurrency should be a massive gift to law enforcement because it leaves a permanent and public record of criminal activity. You could make the point that even the most beneficial new technology always has unexpected negative side effects, and that dealing with them as they arise has always been a major element of modern societies (38,000 Americans, for example, are killed in motor accidents annually, more than a century after mass adoption of automobiles).
You could make those arguments, and more. But they can be left for another day. Because even on its own terms, the argument for banning cryptocurrency as a cybersecurity measure fails so pathetically it’s hard to imagine it’s intended seriously.
Why? Above all, because ransomware is not the only kind of hacking. And the same measures needed to protect against ransomware will still be needed to protect against other kinds of attacks, even if we ban cryptocurrency. Further, while banning cryptocurrency would likely put downward pressure on ransomware attacks, it wouldn’t stop them – we know because they predate the invention of crypto. So if the goal is to improve cybersecurity broadly (and we need to), banning crypto would be a massive effort with limited impact.
Most of the worst hacks of recent years haven’t involved cryptocurrency ransoms. In 2013, hackers stole credit card and other personal data of 40 million Target customers. In 2017 Equifax, which holds financial data on a huge proportion of American adults, was robbed of 147.9 million consumer records. The terrifying SolarWinds hack, in which allegedly Russia-backed hackers spied on dozens of U.S. entities, where they may still have footholds, was revealed just last year. None of these hacks involved cryptocurrency ransoms.
SolarWinds may be the most important example here because state-backed espionage has no strategic overlap with ransomware – the entire point is to remain undetected. The Target and Equifax breaches are also useful reference points because just like most ransomware attacks they were aimed at accessing data. But that data was ultimately most likely monetized via identity theft and loan or credit card fraud, not crypto ransom. Does that mean we should ban credit cards?
Even ransomware is not, as the Journal piece argues, impossible without cryptocurrency. Ransomware schemes with names like Gpcode, Cryzip, and Krotten were all up and running before Bitcoin was invented, with ransoms paid through a variety of channels, including plain old money orders (hat tip to Dr. Vesselin Bontchev). Cryptocurrency certainly makes ransomware crimes safer and easier, but getting rid of it wouldn’t fix the problem.
Actual cybersecurity experts seem to agree. The Institute for Security + Technology, a cybersecurity coalition and think tank supported by companies such as Microsoft, has released a list of anti-ransomware recommendations that highlights the role of cryptocurrencies. But the report makes no suggestion that crypto should be banned, and emphasizes that blockchain can leave investigators more evidence to work with than traditional finance.
All in all, the incoherence of the “ban crypto” argument is so striking that it invites questions about the motives of those making it. It’s tempting, and in some cases certainly correct, to assume that it’s an appealing position for those who dislike cryptocurrency for unrelated reasons.
But a more generous explanation is that cybersecurity is a very scary and difficult challenge with no obvious solution in sight, so there’s a strong temptation to highlight seemingly simple answers – even if they’re misguided. It’s a bit like the joke about the old man looking for his glasses under a streetlamp: “I dropped them in the alley, but I’m looking here because the light is better.”
A more substantive suggestion to address ransomware is to make paying cyber-ransoms illegal, just as paying kidnapping ransoms or bribes is in some countries. This would reduce the motive for ransomware attacks by making them less profitable. It would also push more system administrators to set up robust backup and recovery plans, which they should have in place anyway, and which would mitigate other types of cyberattacks, not just ransomware.
More broadly, cybersecurity experts are pursuing a vision of what they call “zero-trust architecture.” The basic approach of zero-trust cyberdefense is to assume that your system will be breached, and set it up in a way that limits the potential damage of a breach. (Though the term might sound familiar to cryptocurrency fans, the idea has little technical relationship to the “zero trust” principle of blockchains.)
At this point it’s unclear whether zero-trust will have a major impact on cybercrime, but it’s where experts are focused. Reiners, author of the Journal piece, lists two years as an Army communications specialist in the mid-2000s as his only obvious cybersecurity-adjacent experience. Yet he dismisses efforts like zero-trust as “pro forma and inadequate,” saying banning cryptocurrency is “simpler and more effective” for stopping ransomware. Simpler and more effective than, you know, actually improving cybersecurity.
That’s ultimately why “ban crypto” is not just a misinformed or disingenuous argument, but a dangerous one. It’s a distraction from the real cybersecurity challenge facing the U.S. and the world, and from the solutions in which actual experts believe.