In fact, the escalation of cybercrime is a far more pervasive problem than terrorism. As we connect more and more things to the Internet, all of us become more and more vulnerable to hackers, who can compromise any person or business though the Web and steal their data or freeze them out until they pay a ransom. The pandemic accelerated the transition to a digital economy — and thus accelerated cybercrime. By one estimate, ransomware attacks tripled in the past year.
We don’t know the true extent of the problem, because much of it remains unreported. Many companies, large and small, keep mum out of fear of inviting bad publicity, future attacks and legal consequences. Cybersecurity Ventures estimates that global ransomware damage will reach $20 billion by the end of this year, which is 57 times the number just six years ago.
One CEO who works actively on cybersecurity told me that ransomware attacks are now operating with a reliable business model. Cyberattackers typically cripple a network, then set a ransom that is high but affordable for the targeted organization (particularly if it has insurance). Once the ransom is paid, the attackers follow up on their end of the bargain.
But there is one point in these transactions where law enforcement has leverage. Virtually every cybercriminal demands payment in cryptocurrencies such as bitcoin. This makes sense, because a crucial feature of these currencies is that they are largely untraceable — at least until very recently.
Every successful technology fills some need or solves some problem. What is the need that cryptocurrencies fill? It’s not to buy and sell on the Web, or to move money electronically. All that can be easily done using traditional financial institutions as well as newer interfaces such as PayPal and Apple Pay.
But none of these can replace shadowy transactions that take place in the analog world — the kind in which one person hands another a bag of cash. That transaction is inefficient but secret and largely untraceable. Cryptocurrencies allow you to do something similar, but digitally.
Note that this is not a matter of a private, discreet payment — say, a man who wants to book a hotel in Paris for a weekend without his wife knowing. There are plenty of ways for that to happen, such as with prepaid credit cards. But with these new digital transactions, the identities of people involved are being kept secret from even financial institutions and the government.
Not so secret, it turns out. This week’s news about the recovery of a ransom indicates the way forward. The Justice Department and the FBI were able to track and recover most of the bitcoin paid by Colonial Pipeline during the recent ransomware attack that paralyzed fuel supplies for much of the East Coast. They seem to have managed this with extraordinary forensic work, digital savvy and some good luck. Such success is rare.
There is no reason it needs to be so hard. The Internal Revenue Service chief has asked Congress to give the agency the authority to collect information on cryptocurrency transactions of more than $10,000. That would be a good start, putting cryptocurrency on the same level as a bank account, rather than giving it a special pass on legal scrutiny.
Many of cryptocurrency’s most ardent advocates see it as the way of the future, a decentralized and seamless monetary system that offers an alternative to national currencies. But none of that requires that it be anonymous. If those broader goals are what bitcoin is really about, it should stay strong even while its illegal use is reined in. If, on the other hand, the crucial, distinctive and unique property of cryptocurrency is that it can be readily and efficiently used for crime, why exactly should governments around the world allow this?