Ransomware attacks are plaguing the United States. With alarming regularity, cybercriminals disrupt computer systems controlling important pieces of infrastructure and refuse to restore access until they are paid — typically in Bitcoin or another decentralized, hard-to-trace cryptocurrency.
In May, cybercriminals disabled one of the largest gasoline pipelines in the United States. In June, cyberattacks caused the world’s largest meat-processing company to shut down nine beef plants. Attacks on smaller entities — the Steamship Authority of Massachusetts, Baltimore’s city government — attract less attention but speak to how common ransomware crime has become.
The Biden administration has taken some steps to address the problem. An executive order in May directed the federal government to enhance coordination on the issue. A national security memorandum in July outlined better security standards for America’s industrial control systems. And last week, at a meeting at the White House, President Biden asked the leaders of Apple, Google and other companies to do more to prevent cyberattacks.
But none of these efforts tackle the problem at its root. Ransomware attacks occur because criminals make money from them. If we can make it harder to profit from such attacks, they will decrease.
The United States can make it harder. By more aggressively regulating cryptocurrencies, the government can limit their use as an anonymous payment system for unlawful purposes.
In the nonvirtual world, kidnappings for ransom are wildly unsuccessful. Between 95 percent and 98 percent of criminals involved in cases of kidnapping for ransom that are reported to the police are caught and convicted. Why? In part because at the moment when the victims are exchanged for cash, the criminals put themselves at great risk of identification and capture.
Ransomware attacks are different. Cybercriminals can “kidnap” a company from afar and receive payment anonymously and securely in the form of cryptocurrency. (Technically, cryptocurrency use is only pseudonymous, but in practice the challenge of identifying a user is formidable.)
What should the U.S. government do to make cryptocurrency harder for criminals to use? First, it should adopt and enforce regulations for the cryptocurrency industry that are equivalent to those that govern the traditional banking industry. Cryptocurrency exchanges, “kiosks” and trading “desks” are not complying with laws that target money laundering, financing of terrorism and suspicious-activity reporting, according to a recent report from the Institute for Security and Technology. Those laws ought to be enforced equally in the digital domain.
For example, some cryptocurrency services offer a “tumbler” feature. Tumblers take cryptocurrencies from many sources, mix them up and then redistribute them, making financial transactions harder to trace. This practice looks like money laundering and would be illegal in the nonvirtual world.
The United States should also take action to ensure that offshore cryptocurrency exchanges abide by internationally agreed-upon rules for lawful banking. Ideally, such actions would be multilateral, but given the unlikelihood that Russia will agree to stop serving as a safe haven for ransomware gangs, unilateral action will probably be necessary.
To do this, the U.S. banking system should refuse access to cryptocurrency exchanges unless they demonstrate that they are equipped and prepared to prevent ransomware payoffs. It may seem as if cryptocurrency exchanges operate free from traditional banking, but to be fully valuable, digital currency must also be convertible to cash, so the exchanges would have a strong incentive to comply.
The United States should also prohibit transactions with the American banking system by foreign banks that do not impose stricter regulations on cryptocurrency. Because access to the American financial market is vitally important to foreign banks, they, too, would have a strong incentive to comply.
If greater regulation does not put an end to using cryptocurrency to pay ransoms, the United States can always consider disrupting a cryptocurrency like Bitcoin. Government hackers could disable the servers of cryptocurrency exchanges, block their internet traffic or infect their payment systems with malware. This would be an extreme and highly aggressive solution, one that would jeopardize the many legitimate storehouses of value that cryptocurrencies represent.
But ransomware attacks are a serious and growing problem. The anonymous, poorly regulated nature of cryptocurrency provided tinder for the ransomware fire. At some point, we may have to consider depriving the inferno of fuel.
The United States does not have a ransomware problem so much as it has an anonymous ransom problem. If we can change the payment system to make the kidnapping less profitable, we will go a long way toward a solution.
Paul Rosenzweig (@RosenzweigP) is the founder of Red Branch Consulting. He was the deputy assistant secretary for policy at the Department of Homeland Security from 2005 to 2009.
The Times is committed to publishing a diversity of letters to the editor. We’d like to hear what you think about this or any of our articles. Here are some tips. And here’s our email: firstname.lastname@example.org.