So long as cryptocurrency remains largely unregulated in the U.S. and most of the rest of the world (and even once regulations proliferate), the industry must remain aggressive in planning for attacks.
FTI Consulting’s Todd Renner, Adriana Prado and Preston Fischer co-authored this article.
Notorious bank robber Willie Sutton famously said “because that’s where the money is” in response to why he robbed banks. Today, many threat actors view cryptocurrency and other digital assets in the same light. The lack of regulation and security controls provides opportunities for lucrative gains for criminals, resulting in increased cyber attacks on cryptocurrency exchanges and the supporting infrastructure. This issue was significant enough to garner the attention of the U.S. government.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Treasury Department released a joint advisory in April warning of cryptocurrency-related cyber threats from a nation-state-sponsored threat group. Observations from the U.S. government include “cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges.”
Putting this threat into actual numbers, in four separate cyber attacks from December 2021 to June 2022, about $960 million of cryptocurrency was stolen. Between the success of these attacks and the large amount of funds that cryptocurrency exchanges possess and handle, it has become imperative that organizations in the cryptocurrency market become better prepared for a potential cyber attack and the ensuing crisis.
Unlike traditional financial organizations, cryptocurrency users usually do not have the ability to recoup their funds. In most cases, once they are gone, they’re gone. In turn, as the entire cryptocurrency industry faces increased global scrutiny, both from a regulatory and security standpoint, reliability and trust are becoming increasingly important to investors and customers. As in the wider financial services and fintech industries, reputational and competitive resilience now requires strong cyber readiness to support organizations in preventing or quickly recovering from an incident and subsequent, irreversible damages. Since mandatory cybersecurity standards to combat threat actors and protect customers’ funds and privacy do not exist, adopting a robust, proactive approach to cyber readiness can become a competitive advantage.
Global cryptocurrency expansion
In September 2021, El Salvador became the first country to make Bitcoin legal tender. The government correspondingly released a national Bitcoin wallet, Chivo, for its citizens. The strategy behind the decision was that it would boost the economy and the job market, but so far, the results have not been as desired. The majority of Chivo’s users have already abandoned the app. Making matters worse, the International Monetary Fund (IMF) is encouraging El Salvador to remove Bitcoin as legal tender because of the risk cryptocurrency poses and the difficulty the country would face in obtaining an IMF loan.
Despite this test case, in April 2022, the Central African Republic (CAR) became the next country to adopt Bitcoin as legal tender, “driven by the need to solve currency and exchange rate challenges.” It is too early to determine how this decision will impact CAR’s economy and if it will create new opportunities for businesses and its citizens. Regardless, cybersecurity should be front of mind for the country, as cyber actors are not constrained by borders or politics and will take advantage of an opportunity if they see one.
Although Brazil is in the process of “regulating the domestic cryptocurrency market,” it’s possible leaders are taking a wait-and-see approach before this bill is signed into law or eventually enforced. Instead, Brazil may decide to see how other countries, such as the U.S., decide to handle cryptocurrency regulation and use the outcome as a basis for adoption in their own country. Judging by recent actions in the U.S., cryptocurrency and its risks are a top concern.
President Joe Biden signed an executive order in March focused on digital assets, aimed at “addressing the risks and harnessing the potential benefits of digital assets and their underlying technology.” More recently, the SEC announced “the allocation of 20 additional positions to the unit responsible for protecting investors in crypto markets and from cyber-related threats.”
These decisions, coupled with regulation, could help tackle an unsustainable issue. Some exchanges that have cryptocurrency stolen rely on emergency funds to pay back their customers, but these resources are not limitless, and those without this backup plan are likely to go out of business. Regulation potentially helps with these issues, as government agencies and law enforcement would have firmer legal footing to track down cyber actors responsible and recover funds. Further, regulation offers the potential to help address other criminal actions, e.g., money laundering, and reduce investor risk. Existing Know Your Customer (KYC) and anti-money laundering (AML) controls at major U.S. cryptocurrency exchanges have helped thwart fraud and cyber crime, and regulation would build on these successes.
Preparedness is key
To avoid becoming the next cryptocurrency exchange to suffer an attack, have funds stolen and, in turn, lose confidence in the currency, damage brand reputation, enter fiscal insolvency and face regulatory fines, organizations in this industry must evaluate their cybersecurity and data protection programs immediately. This includes, but is not limited to, security protocols, technology stacks and documented data governance policies and procedures. The process should also involve establishing a robust incident response plan to protect the business and its reputation in the event of a cyber attack.
The preparedness process should involve the following:
- Assess wallet protections, wallet processes, source code (via review), blockchain protocols, third-party vendors and blockchain infrastructure to mitigate risk from code manipulation, vendor security gaps and gaps in infrastructure interoperability for transfers of value.
- Implement fraud protections to ensure compliance with global regulations, including AML and KYC.
- Identify and assess evidence of anomalous, suspicious, fraudulent, or otherwise illicit activity associated with cryptocurrency assets.
- Determine if cross-border data protection issues exist.
- Store backups and wallets offline. Cold storage — a wallet not connected to the Internet — provides a safer alternative to hot storage, which can be susceptible to theft.
- Conduct operational and product roadmap assessments to evaluate potential risks introduced through innovation and handling of transfers of value. Are there gaps in the operational elements of the product or business roadmap that would not align well with new technologies?
- Ensure a robust communications preparedness plan is in place, which includes: organizational preparedness audit; cybersecurity preparedness playbook and response plan; and cyber attack simulations and table-top exercises.
- Conduct assessments of digital identity and access management to ensure robust data security and limited data access.
Even if cryptocurrency regulation is passed, it should not be viewed as a complete solution to the problem. The inherent anonymity of cryptocurrency means there is no guarantee organizations will be able to recover stolen cryptocurrency. Organizations will continue to rely on their reputation to attract investors, and in the meantime, customers will expect business to continue as usual and will demand restoration of their stolen funds. Without proper preparedness programs and protocols implemented ahead of time, cryptocurrency exchanges and organizations in the digital asset ecosystem will have significant challenges to overcome when technical issues occur, or when threat actors and nation-states target them.