In the wake of the ransomware attack on Colonial Pipeline, we have witnessed an assault on the payment mechanism, cryptocurrency. A recent New York Times op-ed even went as far as to suggest the use of offensive cyber warfare to disrupt cryptocurrencies like bitcoin. Earlier this summer, a Wall Street Journal opinion piece titled, “Ban Cryptocurrency to Fight Ransomware,” argued, “We can live in a world with cryptocurrency or a world without ransomware, but we can’t have both.”
At a recent Senate Judiciary Committee hearing, Dick Durbin (D-Ill.), the committee’s chairman, asked, “Cryptocurrency and bitcoin are the coin of the realm when it comes to ransomware. What can we do – what specific laws should we enact in the United States to be responsive to this and diminish the role of cryptocurrency?”
A Department of Justice official responded, “I agree that cryptocurrency has unfortunately fueled this rise of crime. It has two key aspects to it. It’s often anonymous and non-reversible. Once it passed to the criminals, it is very difficult to claw it back.”
However, the reality is quite the opposite. While cryptocurrency allows ransom payments at the speed of the internet, making it attractive to illicit actors, the blockchain – the open ledger on which crypto lives and moves – allows law enforcement to track and trace the flow of funds in real time, providing unprecedented visibility on financial flows.
For example, in the Colonial Pipeline attack, law enforcement was able to track and ultimately seize the ransom payment. That recovery was possible only because cryptocurrency was the medium of payment. In other words, cryptocurrencies, far from being anonymous, allow law enforcement and regulators visibility on financial transactions in real time. Rather than being the cause of ransomware, crypto could very well be the solution.
In the recent New York Times op-ed, Paul Rosenzweig, former deputy assistant secretary for policy at the Department of Homeland Security, opined that with “alarming regularity, cybercriminals disrupt computer systems controlling important pieces of infrastructure and refuse to restore access until they are paid.”
Rosenzweig is right; cybercriminals, terrorist financiers, weapons proliferators and rogue nation state actors have moved online, launching attacks at unprecedented speed and scale. In the wake of the Colonial Pipeline cyberattack, FBI Director Christopher Wray compared recent cyberattacks to 9/11. As we confront this post-9/11 world, one thing is certain, the battlefield has shifted to the digital space. But law enforcement also has the tools necessary to combat cybercriminals where they live.
The Biden administration has focused its efforts on the need for close interagency and public private coordination. The Department of Justice has ordered U.S. attorney’s offices across the country to coordinate cases involving ransomware and other cyberattacks with a newly created task force, raising these cases to the level of terrorism investigations. The White House, in a letter to business leaders, provided a playbook of best practices to harden cyber defenses against attacks from malicious actors.
While law enforcement and policy makers are focused on upgrading cyber defense and responsiveness, the sea of critics, instead, focus on cryptocurrency. For example, Rosenzweig argues that cryptocurrency is the root cause of ransomware attacks, allowing cybercriminals to “‘kidnap’ a company from afar and receive payment anonymously and securely.”
How should we neutralize the ransomware threat? He suggests stricter regulation, or if that doesn’t work, the use of offensive cyber warfare to hack and disrupt cryptocurrencies and cryptocurrency exchanges. Not only would that be an attack on the tens of millions of law-abiding Americans who own and use bitcoin and the many legitimate businesses that make up the cryptocurrency industry, but it would be akin to having destroyed the early web in the 1990s because criminals also abused it.
Rosenzweig’s argument, and that of the “ban crypto” set, is predicated on the conclusion that the “[t]he United States does not have a ransomware problem so much as it has an anonymous ransom problem.” However, that does not take into account the ability of law enforcement, through the use of sophisticated blockchain analytics tools, to trace transactions, and ultimately, through great police work, to identify and potentially seize stolen funds. This type of investigation would not be possible had an illicit actor used another form of payment.
Rosenzweig points to the use of on-chain obfuscation techniques, such as the use of mixers or tumblers – services that combine cryptocurrencies and redistribute them – as an example of the need for additional regulation and something that would “be illegal in the non-virtual world.”
While the use of mixers is, in and of itself, not a crime, the Department of Justice has recently prosecuted and convicted individuals who conspire to launder funds through the use of these mixers. Just like in the off-chain world, you must have the intent to commit a crime. That is also true on-chain. To be convicted of money laundering, you have to possess the intent to launder the proceeds of illicit activity. In fact, because of the nature of the open ledger, and the use of blockchain analytics, it is far easier to track and trace the flow of funds across the blockchain than it is to track cash flowing through networks of shell companies and hawalas across the globe.
Without question, we need a clear legislative and regulatory framework for cryptocurrency that mitigates the risk from illicit actors, while, at the same time, encourages and promotes innovation. Anti-money laundering and cybersecurity are critical infrastructure for this new financial system – the internet of money. However, crypto exchanges are already regulated under the same laws as other money service businesses by the Financial Crimes Enforcement Network (FinCEN) and are required to maintain robust risk-based compliance programs, which include transaction monitoring for exposure to terrorist financing, ransomware and other illicit activity.
Cryptocurrency is not the problem. In fact, it could very well be the solution. With the right tools, financial crime investigators are able to trace and track the flow of funds, build out ransomware networks and understand typologies of illicit activity on the blockchain in ways unimaginable in the fiat world.
We don’t talk about banning cash because of money laundering or bulk-cash smuggling. Instead, we focus on thwarting illicit actors behind that activity and hardening our defenses against them. There is one difference, however: In crypto we actually have the tools to follow the money.