Attempting to ban cryptocurrency to be used for ransomware payments is a headline that sounds productive, but misses the broader point, and will not diminish the frequency of hacking events.
GettyMoment Editorial/Getty Images
Many of the headlines around cryptocurrency in the current marketplace can be categorized into one of several categories. Firstly there are proponents and advocates of continued blockchain and cryptoasset adoption and implementation, across different economic sectors and for a variety of underlying business purposes. On the other hand there are regulators and policymakers who – across an array of jurisdictional lines and boundaries – are seemingly taking a harsher and more skeptical stance on the future of continued expansion of crypto offerings.
A third group, with increasingly vocal support and endorsement from top level policy makers in the United States, and the European Union (EU) is that cryptocurrencies are not legitimate currencies, and are simply speculative investable instruments. Reinforcing this perspective, regardless of personal views on the matter, has been the rising utilization of crypto as a vector for ransomware payments. Moves to ban organizations from paying in crypto to unlock or retrieve information and data might sound like a reasonable step to crack down on these illegal activities, but is a short-sighted attempt that misses the real issue.
Let’s take a look at some of issues that a blanket ban on crypto for ransomware payments could lead to.
It will not stop hacking attempts. The most glaringly obvious point that such a blanket ban will result in is that hacking and other data breach attempts will not simply go away as a result. Hacking, data breaches, and other technology driven breaches were occurring years before cryptocurrencies became mainstream, and in fact, had been occurring for decades even before computers took over the bulk of data processing functions. As long as there is data that is valuable to the criminal sector, there are going to be individuals and organizations seeking to access it.
Data is the lifeblood of every organization, the value and importance of this data is only becoming more important; these facts will not change simply because one nation chooses to ban crypto payments to unlock organizational data. After all, dollars and other fiat currencies can be used just as easily, and can actually be more difficult to trace.
Crypto can be traced. In the frenzy that almost always accompanies news of a data breach or a crypto ransomware payment is the ease with which law enforcement can – and does – trace payments denominated in crypto. Several recent examples, notably the Colonial Pipeline hack, payment, and subsequent recovery, illustrate the capacity of law enforcement agencies to trace and recover these funds. In addition to law enforcement efforts there is also the reality that policymakers are increasingly showcasing market equivalent levels of knowledge expertise around these subjects.
Be it the Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC), or any of the other regulatory agencies, the trend is unmistakable. The ability to monitor, trace, and enforce laws and compliance initiatives as they connect to crypto is on the upswing; this does not appear to be diminishing in any manner. Why would governments want to force criminals – and the innocent organizations held ransom – into other payment mechanisms that are not as transparent, traceable, or as well understood?
Drive payments underground. The reality is that hacking attempts, data breaches, and other information-related losses and issues are going to continue to exist for the foreseeable future. Data and information is too valuable, cybersecurity remains an emerging issues for most organizations, and human errors do – and will continue to – occur. Objectively speaking, the number of organizations that will pay or do just about anything to 1) unlock data, or 2) restore customer services and functionality is assuredly near 100%. No organization wants to have information leaks and dissatisfied customers, and paying the ransom demands is an integral part of this process. An ugly part, but one that must occur to restore services and customer functionality.
If governments, be it in the United States or in other jurisdictions, ban the utilization of crypto for ransomware payments this will not eliminate the frequency of this occurring. Rather, it will simply push these payments and affiliated actions into the Dark Web or some other technology platform that is not as transparent nor as accessible to mainstream market actors. A government policy that makes restoring normal functionality and services more difficult, complicated, and time-consuming is not a policy that should be implemented.
The law of unintended consequences is a law of economics, business, and life that is often overlooked until it is too late. Blockchain and crypto regulation and rule-making increasingly seems more aligned with attempting to punish and/or punitively restrict actions by private sector actors versus fostering innovative and creative use cases. In addition, simply mandating a top-down ban on using crypto to pay ransomware demands will not solve, prevent, or mitigate the underlying threat of weak cybersecurity policies across the board. Rather, all that a ban of this sort will do is force payments underground, reduce the level of support available for organizations, and do absolutely nothing to deter cybercriminal activity.