The massive "Wannacry" wave of crypto-ransomware cyberattacks now reported to have hit more than 200,000 computers in 150 countries shouldn’t be just another “look at how smart and cunning and horrible those cybercriminals are” headline.
Wannacry should be a call to action to the cybersecurity regulators that, when innovation — even intellectually and technologically sophisticated innovation — goes off the rails, it’s time to give a good hard look with an eye to reining it way, way in.
Who Is Frances Kelsey?
Frances Kelsey was a Canadian-born doctor who earned her Master’s in pharmacology from McGill University in 1935. A year later, she landed at University of Chicago to do research under the tutelage of one of the most famous pharmacologists of that time, who also thought he was hiring a man named Frances.
Over the next several years, her work, like many of her colleagues at the time, was focused on finding a cure for malaria. Hers took a different angle: researching the extent to which drugs could pass through a mother’s placenta and potentially endanger the health of her unborn baby. That insight would serve her well when she left academia to join the small, fledgling U.S. Food and Drug Administration in 1960.
One of her first tasks at the FDA was to review an application for an off-label use of a drug originally approved as a sleep aid and painkiller, but was being prescribed off label to pregnant women suffering from morning sickness and sleeplessness. When the request hit her desk, this drug was already approved and widely used throughout Europe, Africa and Canada and was available over the counter in Germany.
The drug was thalidomide.
Kelsey refused to grant its off-label approval for the U.S. market without further rigorous testing, citing concerns over the drug’s potential to penetrate a mother’s placenta and harm her unborn baby. Her concern was validated when researchers did, in fact, find that thalidomide taken by pregnant women resulted in serious deformities at birth: deformed eyes, hearts, limbs or no limbs at all. Only 50 percent of the more than 10,000 babies reported to have been born with such birth defects even survived.
The off-label use of the drug hailed as an innovation for mothers-to-be was never approved for that purpose in the U.S., despite many other countries already giving it a thumbs up.
Kelsey called it like she saw it and refused to cave to the intense commercial pressure to rush the drug through approval just because other countries had already done so. She was awarded the Presidential Medal of Freedom from President John F. Kennedy in 1962. Her work also drove a sea-change in the way that the FDA would regulate all drugs that still stands today. The process around more rigorous drug testing, clinical trial parameters and the marketing of drugs were all tightened as a result of Kelsey’s insistence that the government fully examine all potential risks before setting a drug loose in the U.S. market.
What Does Wannacry, Or Any of This, Have To Do With Bitcoin?
Bitcoin is a fascinating technology on the merits.
Its creator, the pseudonymous Satoshi Nakamoto, gave it all of the qualities of cash, but in a digital format: peer-to-peer transfer of a currency in the absence of any intermediary that is pretty much anonymous — only wallet IDs are shared. And, like cash, it was designed to eliminate any ambiguity in how and when this currency was transmitted — once cash is handed to someone else, it’s gone. Bitcoin uses math — and math equations that anyone can solve and see — to provide this cash-like feature.
That’s why its creator and many advocates say that bitcoin, and the blockchain technology that underpins it, doesn’t need regulation — the transparent source of truth that all can see transcends the need for an intermediary or a regulator to intervene.
The first bitcoin transaction was recorded by Nakamoto in early January of 2009 a few months after his famous paper introducing bitcoin to the world was released. Ever since, bitcoin’s been touted by the FinTech community as one of the most remarkable innovations of our time and a highly disruptive force for how money can be moved between people and institutions on a global basis.
More than $1 billion was invested in bitcoin ventures in 2015 alone and billions more in the blockchain technologies that underpin the ledgers that record bitcoin transactions. Headlines hyping its threat to existing financial systems abound, including one recently that somewhat distorts the threat that bankers feel about all FinTech startups that suggests that nearly 90 percent of bankers say they fear losing money to bitcoin startups.
Bitcoin devotees also tout that, in addition to all of its other benefits, bitcoin transactions are free, which, of course, loyal readers of PYMNTS.com know isn’t exactly true.
Since very few legitimate merchants accept bitcoin as a method of payment, bitcoins can’t be spent at many legitimate merchants. When they are used for transactions, those transactions are taking place at storefronts that have set up shop on the dark web — for a reason. These dark-web merchants take bitcoins as the preferred, and often only, method of payment to buy anything from stolen credit cards to illegal drugs and weapons to human beings sold as part of human trafficking rings.
There’s only so many things you can buy on the dark web though. So anyone who wants to use their bitcoins for legitimate transactions, from buying a beer to putting a down payment on a house, must convert it to a fiat currency that most everyone accepts for payment. That happens via an exchange — a now massive part of the bitcoin ecosystem that began to take root in 2011 and really flourished in about 2013.
That was also about the same time that we began to see the spike in cyberattacks linked to ransomware. Holding computers and data for ransom became a new and growing use case for bitcoin.
Take a look at this chart from the 2017 Symantec report on ransomware. They report that 2015 was a “banner year” for ransomware, with more than 100 new varieties introduced into the market. But since 2013, the growth of ransomware initiatives began to increase in the kind of ransomware activity that’s more devastating than those leveled in the past.
Before bitcoin, getting paid for holding people’s data and computers hostage faced a lot of frictions, and the threats, therefore, were considered more of a nuisance than anything else.
Having a cybercrook take over one’s computer and denying its use had an easy workaround — all victims needed to do was to move their backed-up files to another computer. Transaction-laundering schemes — asking victims to spend $40 for a multi-year support or a big supply of vitamins using the receipt to prove the purchase — was clunky and the commissions paid to the bad guys not worth the effort. Believe it or not, sometimes perpetrators even asked the victims to send a check to a P.O. box.
Bitcoin made it easy for criminals to make a big digital leap.
There’s now an entire cottage industry on the dark web devoted to fostering such attacks for which payment is made in bitcoin. RaaS operations — Ransomware as a Service — now flourish and make it easy for the most amateur of cybercriminals to get into the game.
It’s a game with a pretty big payoff.
In May of 2016, the FBI reported that ransomware would top $1 billion that year — they estimated $1.6 billion at the time — or slightly more than 11 percent of its $14 billion market cap then. Speaking of math, doing it helps explain that big billion dollar-plus number.
Seventy percent of businesses faced with a ransomware threat pay, and the average amount of the demand, has more than doubled year over year. In 2015, the average demand was $294; in 2016, it had increased to $679, according to Symantec’s report. Experts believe that number could double again in 2017.
The real cost, though, is much greater than that when downtime, loss of data, counter-party claims and even personal harm is factored into the calculation.
Which is the part of the cyberattack story this past weekend that inspired me to write this piece.
When Bitcoin Became the Fuel for a Weapon of Mass Destruction
U.K. hospitals, it was reported, suffered major attacks to their systems, denying doctors the ability to access patient medical records and threatening to destroy them. Many of those records relate to decisions doctors had to make in prescribing medications or adjusting their dosages to patients who are sick now, hospitalized and perhaps even in critical care and/or undergoing active treatments. In the absence of having access to that data, doctors had no choice but to stop making decisions. Many told patients not to come to the hospital for appointments, including cancer patients in the middle of radiation and chemotherapy treatments.
As only someone who’s been through both can attest, the process itself is worrisome and terrifying on a good day. Layer onto that the fear — irrational or otherwise — that data could be compromised or destroyed and interrupt precisely programmed treatments, and these attacks go well beyond those directed at commercial enterprises for the purpose of extracting money to the kind of cruel and inhumane attacks on innocent people that we, as a society, simply cannot tolerate.
The many headlines that I’ve seen since Friday talk about the availability of bitcoin and its now well-oiled and largely unregulated infrastructure as a big reason so many of these attacks now occur. Many also warn that this threat will grow even larger and affect even more people and businesses and have serious repercussions. At the same time, experts urge businesses to invest in stronger security controls to protect against the growing threat of cybercrime — clearly sound advice.
But not a single headline or article has even raised the notion that the time has come to address that big elephant in the room — bitcoin — and the need to forcefully address an innovation that may have started life as an interesting technological innovation that, absent its regulation, just makes it easier for criminals to operate at scale — and globally.
Federal law enforcement authorities and internationally renowned independent security organizations also point to bitcoin as one of the major reasons that cybercrimes, especially ransomware, have taken off. Without bitcoin, they all say, it would be much harder to operate these massive cybercriminal rings, since they’d have no way to pay or be paid for their services. Bitcoin is the capital that funds their now highly efficient and highly decentralized cybercriminal enterprises.
Will This Decade’s Frances Kelsey Please Stand Up?
It wouldn’t take much for us to change the narrative and stop this madness.
Without exchanges, there’d be no way to turn bitcoins into cash. Exchanges have become efficient money-laundering enterprises — largely free from regulatory oversight — that make it very easy to do things like move money out of countries like China, where there are capital controls, or to turn payments from illegal activities into currency that can be spent anywhere.
No ability to do that via exchanges — or making it harder to do through regulation — means no way for the criminals to get money that can be spent. No money that can be spent, no interest in being paid in bitcoin. No interest in being paid in bitcoin, and thus no demand to be paid in bitcoin.
And the beginning of one death spiral in FinTech that might be well worth watching.
Regulating bitcoin exchanges is starting to happen in other parts of the world. Japan has clamped down on them, with complaints, naturally, that regulations make it too hard for startups to operate. There are rumors coming out of China as recently as a couple of days ago that the government will soon require bitcoin users to provide their name and other proof of identity. Since more than 80 percent of transaction activity is concentrated in Chinese exchanges, that is likely to change that picture quite significantly.
Back here in the U.S. — the number one market for ransomware attacks — the regulatory environment is mixed with 37 or so states lacking clear regulations and 12 states that are deemed too tough, so most startups are advised to avoid them. The comments from many bitcoin advocates about the prospects of regulating bitcoin in the U.S. tell a very interesting story.
Here’s one from a blog post earlier this year:
“Simply selling a bitcoin from person a to person b should not be considered money transmission. This has been argued with FinCEN to no avail, and they insist that it is money transmission, since the intent of the other person (the buying party) is the key, and unless it’s a family member living under your roof where you can watch how they specifically spend that bitcoin, it’s nearly impossible to prove the intent.”
Gotta hate those Washington bureaucrats looking to protect us from people with criminal intent.
Then there’s this one, from the same blog (typo is theirs and not ours):
“Regulation isn’t a terrible thing; there is a valid case for anti-money laundering, and basic KYC compliance is useful for risk prevention as well. However, some states are going to far and requiring companies to duplicate effort they already do on a federal level, as with the New York BitLicense or requiring a full-blown money transmitting license to simply sell a damn bitcoin as with New Hampshire.”
Regulation is good, provided it’s not leveled at bitcoin.
Even in the absence of regulation, we’re starting to see big players take their own stands.
Big banks have started to deny crypto traders access, limiting their ability to withdraw funds.
Its shadiness as a currency, its anonymity when KYC and AML are regulations they are bound to enforce and its open network where privacy is tantamount is an environment that’s increasingly toxic for banks. It’s one reason why they’re pulling back from initiatives with blockchain innovations tied to bitcoin, even though their interest in exploring distributed ledger technology to enable smart contract, IP and trading innovations remains strong.
It also puts the FinTech community in something of a bind.
When bitcoin was first talked about by FinTech enthusiasts, its decentralized nature — not owned, regulated or controlled by anyone — was rationalized as a sound innovation based on the work of thousands of researchers over four decades and now applied to digital currencies. Maybe they didn’t see its potential use case as a global currency for crime, or chose not to. But today, it’s an undisputed fact that an innovation designed to turn cash — also a tried and true currency of crime — into a digital form has turned bitcoin into an off-label use case of an innovation that VCs have poured billions of dollars into, perpetuating an alternative set of “free” rails hyped as a way to transform how money is moved around the world.
Today, not quite all, but many of those blockchain innovations ride the bitcoin rails for one very good reason: The currency has critical mass. It’s been around the longest, and it has the most users. And for that reason, exchanges now exist that enable the exchange of bitcoins for currency for both senders and receivers — even if those senders and receivers are criminals or out to evade the regulations related to money transmission in their own countries.
Regulating those exchanges is something that has to happen — and it needs to happen soon. If this past weekend’s disturbing developments don’t sound a very loud wake-up call, then I don’t know what will. But when the day comes that bitcoin is subject to tighter regulation, it will undoubtedly impose costs on those exchanges — and therefore on its users — in order to comply. Those costs will force new thinking about business models and product development and lead to new questions. One big one might be why we need bitcoin in the first place when we have a global currency that people value — the dollar — and a global set of regulated rails that protect bad people from doing bad things.
Like taking hospitals and patients hostage in exchange for a couple of bitcoins.
So, that’s where we’ll need to channel our inner Frances Kelsey to move things along.
We need someone to push back, take a stand and ask the tough questions about the off-label use of a creative technology that has fueled some of the most destructive payments and financial services use cases of our time.
Even when there’s pressure from everyone else not to.