What is the Cryptocurrency Cybersecurity Information Sharing Act and What does it Mean for Security Risks?

Do you hear the word cryptocurrency and immediately think about cybercrime? Repeated headlines about hackers and Bitcoin have led the public to believe cybercriminals use cryptocurrencies to hide their ill-gotten gains. As more cryptocurrency platforms become cybercrime victims, sharing information about these attacks can help strengthen the world’s cybersecurity infrastructure. This is why US Legislators are looking to amend the 2015 Cybersecurity Information Sharing Act to include cryptocurrency. Before explaining the rationale and details of the pending Cryptocurrency Cybersecurity Information Sharing Act and what it means for security risks, let’s explore some of the background.

What is Cryptocurrency?

Understanding how cryptocurrency platforms pose security risks requires a basic knowledge of how cryptocurrency works. This is important because according to a report released by Chainalysis in August, $1.9 billion worth of cryptocurrency was stolen in hacks during the first seven months of 2022. This was a 60% increase from the same period in 2021. Although Bitcoin is the most well-known, other crypto platforms include Ethereum, Tether, and Dogecoin. These digital currencies are not tied to a physical asset such as a US dollar or an EU euro. They are secured through cryptography using decentralized networks and blockchain technology. In most countries, cryptocurrency operates as an investment, much like stocks. The value fluctuates based on the market demand. Crypto-advocates want the currencies to become legal tender, allowing people to pay bills and purchase items using cryptocurrencies. However, their unregulated status prohibits their integration into a country’s financial system. Only El Salvador and the Central African Republic have recognized a cryptocurrency (Bitcoin) as legal tender. Their unregulated status means these crypto platforms have no mandatory reporting requirements unlike those currencies operating on the stock market that must adhere to the Securities and Exchange Commission (SEC) standards. If additional information is requested, it is provided voluntarily.

What is Cryptocurrency Cybersecurity?

Cyberattacks on digital security platforms focus on cryptocurrency platforms, associated solutions, such as exchange companies, and individuals or businesses using the platforms. Cybersecurity refers to the measures taken to protect the cryptocurrency ecosystem from cybercrime. These measures are designed to address such risks as the following:

Data Breaches

Crypto wallets hold encryption keys to the cryptocurrency stored in the blockchain. With their private keys, users can access their currencies. As long as users stay within the currency’s platform, it’s difficult to trace transactions to a single user in the real world. However, once the currency is moved to an exchange platform for converting to a currency such as US dollars or UK pounds, the person’s identity is recorded according to “know your customer” laws. Ledger sells hardware wallets (think USB drives) to users for storing keys to their crypto wallets. In June 2020, the company’s customer database was hacked, and the personal information of 270,000 users was published. Although the users’ cryptocurrency was not touched, the information has been used in scams that demand a ransom. In some instances, physical harm is even threatened because the stolen data included physical addresses.

Stolen Currency

The most obvious risk is the loss of funds through stolen cryptocurrency. Ploy Network, an exchange platform, was hacked in 2021 for a loss of $600 million in cryptocurrencies.

• $267 million in Ether currency
• $252 million in Binance coins
• $85 million in USDC tokens

When the theft was discovered, the company made an online appeal to the hackers to return the currencies. Poly Network indicated the stolen funds came from individuals. Many customers went online to indicate what the theft cost them. Eventually, the hacker returned the funds. The bad actors leveraged a vulnerability in the platform’s code that allowed them to hijack transactions. After each contract call (transaction), the hackers routed the transaction to their accounts.

Ransomware

Ransomware that stipulates payment in cryptocurrencies forms a subset of malware known as crypto-ransomware. Because cryptocurrency transactions are difficult to trace, many cybercriminals demand payment in Bitcoin or other such currencies. Regardless of how the ransomware was delivered, a message displays when the virus is activated, telling the victim how and where to pay the ransom in cryptocurrency.  As of 2021, ransomware payments made up 7% of all cryptocurrency deposits or about $21.4 billion in transfers. The Bitcoin platform received the most ransomware payments. Two 2020 payments alone amounted to just over $90 million. The latest statistics show a decline in the number of ransomware attacks but an increase in the average payment.

What is the Cryptocurrency Cybersecurity Information Sharing Act?

The original Cybersecurity Information Sharing Act was passed in 2015. It directed the Secretary of Homeland Security to devise a plan for sharing cybersecurity information with the private sector. It also gave the Department of Homeland Security grants to help enhance eligible entities’ cybersecurity. The act, along with recent executive orders, has paved the way for an exchange of cybersecurity information among government agencies and then with the private sector to strengthen the US security posture. The knowledge gained from the shared information enables organizations to better prepare for cyberattacks.

Cryptocurrency Amendment

An amendment to the 2015 act aims to improve the information sharing of cryptocurrency cyberthreats between private and public entities. It would direct the Director of National Intelligence to conduct a risk assessment of the impact of cryptocurrencies on cybersecurity. As part of the amendment, the act’s name would change from its original Cybersecurity Information to the Cryptocurrency Cybersecurity Information Sharing Act (CCISA). The draft legislation allows companies using distributed ledger technology or digital assets to report cybersecurity threats to the government for possible assistance. These threats could include network damage, data breaches, ransomware attacks, and other cybersecurity threats. If passed, the Cybersecurity and Infrastructure Security Agency (CISA) and the Financial Crimes Enforcement Network would issue policies related to cryptocurrency firms. All reporting would be voluntary.

Opponents

Although the bill has bipartisan support in Congress, not everyone in the industry is for the new legislation. Privacy advocates view the act as a surveillance bill. They see it as a backdoor wiretap that violates an individual’s privacy. These groups do not see adequate oversight to prevent privacy abuses. Because the sharing of information is voluntary, opponents do not believe that crypto companies will disclose information. Given that many data breaches and ransomware attacks outside the crypto ecosystem go unreported, what is the likelihood that crypto threats will be shared? Privacy advocates believe it is an ineffective approach to fighting cybercrime with significant opportunities for abuse. Some within the industry feel the legislative branch lacks the technical expertise to create cybersecurity regulations that have value in the real world. These industry opponents do not see the resulting policies and procedures as having the necessary rigor to ensure adequate protection. They believe the private sector is better positioned to address cybersecurity regulations.

Proponents

Legislators have long felt that cryptocurrency should fall under government regulations and not just for cybersecurity. Many government agencies see Federal regulations as necessary to protect consumers, investors, and the financial system. They say there are few protections against manipulation and theft in the cryptocurrency market. Their concerns are that the ecosystem is ripe for criminal activities such as money laundering, tax evasion, and extortion.  For many proponents, cybersecurity regulations are just one step in the effort to protect consumers and minimize risk to the country’s economy and national security. Sharing data on attempts to breach a cryptocurrency entity alerts others to possible attack vectors. Providing details on how those attempts were countered gives others the tools to strengthen their cybersecurity. By building a knowledge base of cybercrime tactics, the public and private sectors can enhance the country’s cybersecurity posture. Cooperation between crypto companies and government agencies can minimize the impact of cybersecurity breaches against advanced persistent threats (APTs) such as nation-states. In 2022, North Korean government-backed hackers stole $620 million in crypto from online Axie Infinity, which the US believes is being used to fund their nuclear weapons program.

Will the CCISA Mitigate Cryptosecurity Risks?

Although cybersecurity experts agree that a comprehensive knowledge base of attack vectors will improve cyber defenses, many organizations fail to report compromises or breaches unless penalties are in place for failure to comply. Given that the CCISA is voluntary, the crypto’s willingness to comply depends on several variables. These include:

Revenue

If part of the reporting means flagging questionable transactions, some crypto companies may hesitate. Although ransomware payments only make up 7% of cryptocurrency transfers, $21 billion is still a significant revenue stream. Just as there are financial institutions that facilitate money laundering, there may be crypto businesses that will do the same for ransom payments. At the same time, active participation can give companies access to added resources for combating an attack or retrieving stolen funds and data. Plus, there’s a level of “good will” associated with helping protect other organizations’ data and financial resources.

Reputation

Cryptocurrencies may not be part of a regulated financial system, but they do offer financial services. That means a successful attack can damage a company’s reputation. Even though investors recognize that cryptocurrencies come with risks, they do not expect the risk to come from hackers.  Blockchain technology is considered one of the most secure and is used as a selling point for cryptocurrency protection. A security compromise would pose a reputational threat to any organization using blockchain. A successful attack weakens customer confidence in any business since most people believe it is the company’s responsibility to protect their digital assets.

Regulation

Cryptocurrencies such as Ether or Bitcoin want to become legal tender in G7 countries like the US. That means they would be used to pay bills and purchase items like US currency. Some US companies, such as Microsoft and AT&T, accept bitcoin as a form of payment; however, the currency is not recognized by the Federal Reserve. To become legal tender, cryptocurrencies must be regulated and comply with government regulations regarding banking services. Failure to participate in the CCISA’s voluntary program might be viewed as an unwillingness to comply with regulatory requirements, making regulators hesitate to recognize the currency as legal tender.

Risk

The CCISA can potentially improve information sharing by reporting cyber attempts and compromises. It can provide a simplified path for sharing how crypto companies defended their assets and what tools were used. The added data increases the cybersecurity community’s ability to counter the growing number of sophisticated attacks. It can help protect against APTs initiated by nation-states. Incorporating the crypto industry into cybersecurity data sharing opens the door to better methods for protecting everyone from cyberattacks.

CCISA and Your Business

Cryptocurrencies are not the only sector looking at new cybersecurity regulations. As cybercrime becomes more of a threat to national security and critical infrastructure, businesses of all sizes need to ensure they are well protected from threats. If you haven’t assessed your cybersecurity posture recently, let’s talk about how we can help protect your network from intrusion.