Attempting to prohibit the use of cryptocurrency for ransomware payments is a headline that sounds good on the surface, but it misses the bigger picture and will not reduce the number of hacking incidents.
In today’s market, many of the headlines about cryptocurrency can be classified into one of several categories. To begin with, there are supporters and proponents of continued blockchain and cryptoasset adoption and implementation across various economic sectors and for a variety of underlying business purposes. Regulators and policymakers, on the other hand, appear to be taking a harsher and more skeptical stance on the future of continued expansion of crypto offerings across a variety of jurisdictional lines and boundaries.
A third group contends that cryptocurrencies are not legitimate currencies, but rather speculative investable instruments, with increasing vocal support and endorsement from top-level policymakers in the United States and the European Union (EU). The growing use of crypto as a payment method for ransomware is reinforcing this viewpoint, regardless of personal views on the subject. Moves to prohibit organizations from paying in cryptocurrency to unlock or retrieve information and data may appear to be a reasonable way to combat illegal activity, but they are a short-sighted solution that ignores the real problem.
It will have no effect on hacking attempts.
The most obvious consequence of such a blanket ban is that hacking and other data breach attempts will not simply disappear as a result. Years before cryptocurrencies became mainstream, hacking, data breaches, and other technology-driven breaches were commonplace, and had been for decades even before computers took over the majority of data processing functions. Individuals and organizations will seek access to data that is valuable to the criminal sector for as long as it exists.
Every organization’s lifeblood is data, and the value and importance of this data are only increasing; these facts will not change simply because one country decides to prohibit crypto payments made to unlock organizational data. Dollars and other fiat currencies, after all, can be used just as easily and are often more difficult to trace.
It is possible to track crypto.
The ease with which law enforcement can – and does – trace payments denominated in crypto is almost always lost in the frenzy that accompanies news of a data breach or a crypto ransomware payment. Several recent examples, including the Colonial Pipeline hack, payment, and subsequent recovery, demonstrate law enforcement agencies’ ability to track down and recover these funds. Aside from law enforcement efforts, policymakers are increasingly displaying market-equivalent levels of knowledge and expertise on these topics.
The trend is unmistakable, whether it’s the Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC), or any of the other regulatory agencies. The ability to track, trace, and enforce laws and compliance initiatives related to crypto is improving, and this does not appear to be slowing down. Why would governments want to force criminals – and the innocent organizations held ransom – to use less transparent, traceable, and well-understood payment mechanisms?
It will drive payments underground.
The reality is that hacking attempts, data breaches, and other information-related losses and issues will continue to exist indefinitely. Data and information are far too valuable, cybersecurity is still a developing concern for most businesses, and human errors do – and will – occur. Objectively, the share of companies willing to pay or do almost anything to 1) unlock data or 2) restore customer services and functionality is unquestionably close to 100%. Information leaks and dissatisfied customers are the last things any company wants, and paying the ransom demands is an unpleasant but necessary part of restoring services and customer functionality.
If governments, whether in the United States or elsewhere, prohibit the use of cryptocurrency for ransomware payments, the frequency of such attacks will not decrease. Instead, it will simply move these payments and related actions to the Dark Web or another technology platform that is less transparent and accessible to mainstream market participants. A government policy that makes the process of restoring normal functionality and services more difficult, complicated, and time-consuming should not be implemented.
The law of unintended consequences is an economic, business, and life principle that is frequently overlooked until it is too late. Attempting to punish and/or punitively restrict actions by private sector actors appears to be more aligned with blockchain and crypto regulation and rule-making than with fostering innovative and creative use cases. Furthermore, simply imposing a top-down prohibition on the use of cryptocurrency to pay ransomware demands will not eliminate, prevent, or mitigate the underlying threat of a lack of cybersecurity policies across the board. Instead, such a ban will simply drive payments underground, reduce the level of support available to organizations, and do nothing to deter cybercriminal activity.