Ransomware attacks are plaguing the United States. With alarming frequency, cybercriminals disrupt computer systems that control critical pieces of infrastructure and refuse to restore access until they are paid – often in Bitcoin or another decentralized, hard-to-track cryptocurrency.
In May, cybercriminals disabled one of the largest gas pipelines in the United States. In June, cyberattacks forced the world’s largest meat processing company to close nine beef factories. Attacks on smaller entities – the Massachusetts Steamboat Administration, the Baltimore city government – draw less attention but speak volumes about the prevalence of ransomware criminals.
The Biden administration has taken several steps to address the issue. An executive order in May directed the federal government to increase coordination on the issue. A national security memo in July outlined better security standards for US industrial control systems. And last week, at a meeting at the White House, President Biden asked the leaders of Apple, Google and other companies to do more to prevent cyberattacks.
But none of these attempts address the root of the problem. Ransomware attacks happen because criminals make money from them. If we can make it harder to profit from such attacks, they will decrease.
The United States can make it harder. By more aggressively regulating cryptocurrencies, governments can limit their use as an anonymous payment system for illegal purposes.
In the physical world, kidnappings for ransom are completely unsuccessful. Between 95 percent and 98 percent of criminals involved in kidnapping-for-ransom cases reported to the police are arrested and convicted. Why? Partly because the moment a victim is exchanged for cash, criminals put themselves at risk of being identified and caught.
Ransomware attacks are different. Cybercriminals can “kidnap” a company remotely and anonymously, and securely receive payment in the form of cryptocurrency. (Technically, the use of cryptocurrency is merely pseudonymous, but in practice, the challenge of identifying users is enormous.)
What should the US government do to make it harder for criminals to use crypto? First, it should adopt and enforce regulations for the crypto industry that are equivalent to those that govern the traditional banking industry. According to a recent report by the Institute of Security and Technology, cryptocurrency exchanges, “kiosks” and “dealers” do not comply with laws targeting money laundering and terrorist financing or requiring the reporting of suspicious activity. Those laws must be equally enforced in the digital realm.
For example, some crypto services offer a “tumbler” feature. Tumblers take cryptocurrencies from multiple sources, mix them together, and then redistribute them, making financial transactions harder to track. This activity looks like money laundering and would be illegal in the non-crypto world.
The United States should also act to ensure that overseas cryptocurrency exchanges adhere to internationally agreed rules for legal banking. Ideally, such actions would be multilateral, but given the slim possibility that Russia would agree to stop acting as a safe haven for ransomware gangs, unilateral action would likely be necessary.
To do this, the US banking system should deny access to cryptocurrency exchanges unless they demonstrate that they are equipped and prepared to prevent ransomware payments. Crypto exchanges may seem to operate free of traditional banking, but to have full value, digital currency must also be convertible to cash, so exchanges will have strong motivation to comply.
The US should also ban transactions with the US banking system by foreign banks that do not impose stricter regulations on cryptocurrencies. Because access to US financial markets is critically important for foreign banks, they will also have strong incentives to comply.
If greater regulation does not end the use of cryptocurrencies to pay ransoms, the US could always consider breaking a cryptocurrency like Bitcoin. Government hackers can disable the servers of cryptocurrency exchanges, intercept their internet traffic, or infect their payment systems with malware. This would be an extreme and highly drastic solution, one that would jeopardize many of the legitimate stores of value that cryptocurrencies represent.
But ransomware attacks are a serious and growing problem. The anonymous, poorly regulated nature of cryptocurrencies created the spark that ignited the ransomware fire. At some point we may have to consider stripping the fire of its fuel.
The US doesn’t have a ransomware problem as much as it has an anonymous ransom problem. If we can change the payment system to make kidnapping less profitable, we will go a long way towards a solution.
Paul Rosenzweig (@RosenzweigP) is the founder of Red Branch Consulting. He was deputy assistant secretary for policy at the Department of Homeland Security from 2005 to 2009.