Now You See Me, Now You Don't: How Cryptocurrency Regulation Can Make it Harder For Cybercriminals to Escape
Mitch Mayne: Cryptocurrency, it's emerged as the favored payment demanded by ransomware criminals who now routinely ask for millions of dollars to release a victim's data. The technology behind cryptocurrency is highly secure, but it can also make transactions difficult to trace. Criminals use cryptocurrency for that very reason, it's difficult to track, and it provides the added bonus of allowing them to quickly move funds across national borders, a combination that makes finding them and prosecuting them a tough task for law enforcement. In this episode, we sit down with Megan Stifel. Megan is the Chief Strategy Officer at the Institute for Security and Technology. Megan was part of the institute's ransomware task force that in 2021 issued five recommendations designed to help combat ransomware. Among those recommendations, closely regulate the cryptocurrency sector. We're going to take a closer look at the role regulation might play in helping make it easier to trace criminal activity and ultimately make ransomware less profitable and more difficult for threat actors. I am Mitch Mayne, and you are listening to Into the Breach. Megan, let's talk a little bit about cryptocurrency in general. We know that it's the favored currency of threat actors and your report talks about at least one of the ways that it can be obfuscated. So how easy is it for threat actors to actually hide funds and cover their trail?
Megan Stifel: The short answer is, it's altogether too easy. And the reason for that is that cryptocurrencies are as yet an unregulated space. Of course, if you do small amounts of cash transactions in the US, you can, in the early stages at least, fall below the radar as it were for the regulatory landscape that has evolved for cash as a monetary instrument. In the case of cryptocurrencies, once one reaches, I think it's $10,000, in deposits or a single deposit of a certain threshold, that starts to trigger flags that not only the United States but other jurisdictions have adopted.
Mitch Mayne: And that's in real money, not necessarily cryptocurrency?
Megan Stifel: Yes, in real money. In real money, if you deposit certain amounts within a certain amount of time or if you reach a certain threshold in a single deposit, you will trigger potentially what's called a suspicious activity report or other types of reporting requirements that have evolved, among other things, but in particular, to advance law enforcement's ability to ensure public safety by investigating the transfer of money is likely associated with criminal activity because money motivates many criminals and many hackers. In the cryptocurrency space, that's not the case yet, and I think the yet part is one of the important points. That there is not at this point in time, a process by which the exchange of cryptocurrencies would trigger a report to a regulatory authority, whether that be the United States Treasury or some situated organization in another jurisdiction, Ministry of Finance is often the case overseas.
Mitch Mayne: It's a little bit of the wild west out there on the internet when it comes to cryptocurrency in terms of how traceable it is and how easy or difficult it is for folks to cover their trail or for us to track them. In the wake of the Colonial attack, and I want to touch upon this a little bit, the FBI had some ability to actually track and recover some of their funds. And now that's got some folks up in arms saying, look at this, cryptocurrency isn't actually as untraceable as we thought. I've done a little bit of investigation into how the FBI actually was able to trace that, but do you have any thoughts there? Is this a repeatable way to track criminals? How was it actually possible for them to get to where they were and recover partial funds?
Megan Stifel: Well, you may have found more bits of the trail than I have so far. But overall, I would say, is this a repeatable process? Potentially, but certainly not in all cases. And certainly as I think was the case here, it wasn't to the full extent of the funds provided. And the idea roughly would be that there might be a relationship potentially between law enforcement and a cryptocurrency exchange or a mixer, where these cryptocurrencies pass through on their way from the victim of the ransomware attack to the threat actor or actors who are being paid in order for the victim's resources to be unlocked. Of course, there's always the likelihood that you may pay them and they may not unlock them or they may still dump your data, but that's a separate conversation. The challenge though is that, not in all cases or probably in most cases so far, two things happen: one, there is no relationship and there's no disclosure to law enforcement. The payment is just made and maybe you've secured the right negotiator who maybe figures out a way to try and recoup the money, but it doesn't seem that's been the case so far. Or you do disclose to law enforcement, but they're not in the position that they were in the Colonial case in order to claw back the monies.
Mitch Mayne: From the research that I was able to do, I think one of the articles that I read was titled something like, Follow the Digital Breadcrumbs, and it looked like it was a lucky break. We don't know a lot about it, but it was interesting to see that we actually were able to track it, at least to some extent. You were involved with the Institute for Security and Technology and were part of the ransomware task force or the RTF. And as part of that task force, you issued some recommendations that were in a PDF that I got to tell you, Megan, was what I think is really well done. It's called Combating Ransomware, it's available on the public IST website at securityandtechnology.org. Tell me a little bit about the task force and how it got started. What was your charter as a group?
Megan Stifel: The charter was a voluntary one, so to speak. What happened is, particularly in 2020, but even before then, ransomware became and has now become one of the malwares of choice and the crime as a service of choice of criminals and potentially nation states who are engaged in what one might call offensive cyber operations. I would, at this point, be reluctant to call them cyber conflict, but in any event, particularly as the world began to respond to the pandemic, the scale and scope of ransomware grew exponentially throughout 2020.
Mitch Mayne: We saw that here too. Just had an interview with Nick Rossmann and he was explaining the same thing, that things just jumped off of the stage when the pandemic hit.
Megan Stifel: In response to that, and so you saw things like, there are facts and figures as well, I don't know that you want me to cite them, chapter and verse, but we included them in the report. As I mentioned, the scale and scope in some cases tripling in terms of the amounts that were being demanded, the amounts being paid, the number of victims and the type of victims. Going from a while ago, it would just be individuals and the individual would get this blue screen of death or whatever it was saying, your computer's been seized, you need to call this number. And actually, when I was at DOJ, the person who sat across the hall from me was one of the poor people whose phone number was stuck on those notices. So then she would say, no, you need to call IC3, which is the Internet Crime Complaint Center. While attacks against individuals were occurring earlier in the 2012, 2013 phase, it was really WannaCry that began to forecast or forebode where we saw ransomware going particularly in 2018, '19. And then especially as 2020 and the pandemic took hold, it was clear that not only were individuals being targeted but also critical pieces of infrastructure. So we saw schools and hospitals and insurers even being targeted. And in the wake of all this, a number of us led by IST, the Institute for Security and Technology, came together to say we need to build a coalition of multiple types of stakeholders and make some recommendations to begin to combat all this because we can see where this is going. And again, it's not just going to be the nuisance of identity theft, it is going to be and has become now a national security threat. And to address those types of threats, particularly because of the way the internet works and who the key players are, it's not just a government that can make up responses and manage this, and it's not just the private sector that can manage this. And it's not just one sector or the private sector that can manage this, we really need a really broad coalition. And so we were able to bring together over 60 experts, we had members of the insurance community, financial services, nonprofits, cloud providers, software providers, Microsoft. We had incident response companies, organizations, cybersecurity companies like Rapid7, Palo Alto who were involved in this and came together to identify four key recommendations and then a series of priority actions to implement those recommendations in order to make a meaningful impact against the rising national security risk that ransomware poses to not only the US economy, but the global economy.
Mitch Mayne: So you guys basically put on your prognosticator hat. And I think you are correct with the combination of both the rise in proliferation of attacks with the amount of extortion that was being demanded and with the targets becoming more and more into the critical infrastructure section, that we decided that it might be wise to look at this. Was there unanimity in your recommendations from the task force or did you guys have some differing opinions?
Megan Stifel: There was, I would say overall, almost unanimous agreement on the recommendations. The one that we did not make a recommendation on was whether or not payments should be banned. And now having been almost six months since we issued the report, there are debates that one can listen to and thankful they've had opportunities to talk about why that was the case. But other than that, and I think that's one of the things that's so remarkable about this effort, and not to pat ourselves on the back too much, but really about the community and individuals and organizations that came together, was the common recognition and desire to do something about ransomware and the idea that what needs to be done is not controversial per se. So you did see this, as I said, unanimous agreement on basically everything. Of course, there is the caveat in the report that not everyone agrees with everything, but having been involved in the process overall, there was a high degree of consensus around where we took the report.
Mitch Mayne: Well, that is pretty remarkable given the amount of people that were involved with the task force, so congratulations on that. You mentioned payments being illegal, didn't we already have some legislation or some guidance around the legality of payments? I thought they were already pretty much not to be made yet we still see victims paying the ransom. And like you said, that doesn't always necessarily mean you're going to get your data back in a usable place or usable way.
Megan Stifel: The recommendation by the government, the United States recommendation is the key word, is not to pay for a couple of reasons. First, as we talked about, you might not get your money back. But second, by paying, we are basically incentivizing additional attacks because if they see money is transmitted or provided in response to one incident here, then why would someone not pay it the next time around?
Mitch Mayne: Feeding the monster basically, so to speak.
Megan Stifel: I think the UK is a bit more out front on that and certainly former members of the cybersecurity community officials in the community have expressed opinions on that. Part of their basis for saying this ought to be prohibited, is that not only are we paying criminals for conducting criminal behavior, but those monies go to a range of societal ills. And unfortunately, we don't have a good deal of information, but there is information out there about the types of societal harms that paying ransoms support. And so it's not that we just don't want to put money in the hands of criminals, it's that we don't want to put money in the hands of criminals who are then potentially supporting other things like, you can list your parade of horribles, but transfer of weapons of mass destruction, human trafficking.
Mitch Mayne: Drug trades.
Megan Stifel: Bad things. What we essentially decided to do, was to leave that question of making payments open. And at the same time though, I think part of your question is around some of the requirements that have been placed around payments as a first step toward banning payments, which was where we ultimately landed, which was to say not making an immediate recommendation but thinking about a pathway towards banning payments. And that has to do with sanctioning certain entities and ensuring that if an organization is going to make a payment that they do not pay a sanctioned entity because then they will land themselves in regulatory jeopardy.
Mitch Mayne: And there's the nuance, it's payment to sanctioned entities, I think that is currently banned. Your task force came in with a handful of recommendations and one of which was regulation, looking at actually regulating the cryptocurrency market. That's a rather hotly contested issue with some folks out there saying that it's going to damage the market for investors. So how did you guys think about how regulation might work in a way that allows the market for investors to remain but also helps us locate criminal actors?
Megan Stifel: There are, as we talked about in the report, a range of categories of actors in the space from minimally regulated exchanges and then peer-to-peer exchanges, over-the-counter types of decentralized exchanges. And the idea being, as has been the case in other types of monetary instruments, I would say this is my personal opinion, not necessarily reflective of everyone in the task force, by providing regulation, it's guardrails, that can be actually a supportive measure to enhance this marketplace. If it is, as I think you said a couple of minutes ago, with the wild west out there, that can actually be a disincentive for the average citizen or investors to potentially get involved. That may be actually the reason they want to get involved. But if we want to see cryptocurrencies become more commonplace and want to see that as a safe way to exchange money, then the idea of thinking about regulatory measures and the application of existing financial regulations to this particular type of currency is a way to do so. So things like anti-money laundering regulations, your customer requirements, the filing of suspicious activity reports around types of payments can be a first step toward actually providing more confidence in that particular marketplace.
Mitch Mayne: So this is more about the applicability of existing financial regulations and how that might be applied to the cryptocurrency market, versus coming up with some net new stuff. Because as you mentioned early on, we already have a lot of safeguards in place for the standard currency market. So if I take $10,001 and deposit it in the Bank of Mitch, then that automatically raises a red flag. And if that's a clean $10,001, because it's over the $10,000 clip rate, if that's money that I got from my grandpa as a gift, then there's really nothing to worry about, even though that flag may be raised and that form may be filed because I don't have a breadcrumb or a history of transactions like that, it just pretty much is looked at and discarded. Is that correct?
Megan Stifel: I think it's important to certainly not to paint everyone with the same brush. There are organizations who are involved in this space who are and want to be on the right side of the issue. So would not be looking to try and obfuscate this card or otherwise necessarily absolve themselves of having been in an exchange of cryptocurrencies. Then there are those who would like to remain anonymous and that's where we begin to see a large degree of concern as it relates to ransomware.
Mitch Mayne: I think the lesson here is, if you really have nothing to hide, then there's really nothing to be concerned about.
Megan Stifel: Well, that's how I would think about it, but that's a little bit too simple. I'm sympathetic to the concern to a limited extent that whenever there's regulation, there's additional costs because compliance frameworks need to be established. However, as you said a few minutes ago, we're not necessarily thinking about a new form of regulation, it's an expansion of existing regulation to cover a new type of currency.
Mitch Mayne: Well, let's talk a minute about blacklisting. Is it easier to just blacklist known accounts that are associated with criminal gangs or criminal nation states rather than try to regulate the entire market? Is that an option in your eyes?
Megan Stifel: It could be an option, but the reality is that, particularly part of this process is to pay money to an identified wallet. Like safe houses in the old days, one didn't keep always the same safe house, one doesn't use the same wallet in multiple heists. So it's a little bit difficult to just say, we'll just blacklist account XYZ or wallet XYZ because that wallet just was created and then as soon as the moneys are received, the wallet is emptied. There is a limited reuse of these in a way that makes the blacklisting of them less effective than it probably should be.
Mitch Mayne: Your point is a valid one and I think that that is true, it sounds like it would become a game of whack-a-mole then, where we're tamping down on individual accounts or individual wallets, but it's super easy for me to go back in and open up hundreds of wallets at the same time, correct? So it's like you may hit one or two of them, but then I've got 98 left. As the current administration digs deeper into cybersecurity as a whole and certainly into the cryptocurrency market, what do you suspect we might see as the first steps towards regulation?
Megan Stifel: We're beginning to see some of the pieces form, I'm thinking in particular a little bit about the sanctions piece that we already discussed. But there were announcements in October from the US Treasury less around regulatory measures, but further explanation and clarification of actions that can be taken to comply with the recent application and sanctioning of exchanges and actors. And I think the first thing to watch, is to see whether or not that process expands though if there are additional entities that may be sanctioned and individuals. And then thinking about further guidance from not just Treasury but others in the space in part thinking about the SEC. But also importantly, whether we see similar types of actions from US partner governments, allies and the like. Because if the US is standing alone, the effort won't be as effective as it could be obviously when we have a range of factors as is the case in the space and elsewhere.
Mitch Mayne: Well, it's like the threat sharing analogy as well. It's like, together we're smarter than we are as individuals. So the same adage holds for looking at the cryptocurrency market. You mentioned the sanctions, those have been coming out, I think there have been a couple reports in the recent months, to make it harder for criminal actors, criminal hackers to profit from ransomware. Are sanctions actually effective and why is it being used and how will it actually work, do you think? Is it going to be successful? Is my key question here.
Megan Stifel: Well, I think it certainly acts as a deterrent because of the difficulty that we've talked about in the early part of our conversation. The difficulty of not knowing with whom one is doing business. In some cases, organizations who choose to pay are saying, well, we've done our due diligence, why will we still be subject to sanctions if we can demonstrate that? And that's actually where Treasury came out the other day was, here are additional steps you can take to undertake your due diligence and if you follow these we may be affording you some degree of penalty reductions. One of the points we made in the ransomware task force report was that greater clarity needed to be given around organizations that do want to do the right thing. Because the payment of ransoms is not yet prohibited, it's prohibited to pay a sanctioned entity, what counts as sufficient due diligence such that an organization can feel less at risk from having made a payment? And so in October, the Treasury Department in effect together with FinCEN gave additional guidance on those steps that can be taken to demonstrate due diligence. One of the things they also talk about is, cooperating with the government and giving notice to the government that a ransom has been demanded and that it is going to be paid. And to the extent that, that conversation and that exchange of information and the need to come forward to the government or to be afforded leniency potentially may act itself as a deterrent to payments. So where does that land an organization? That's a tough call, particularly depending on who the victim becomes. But this idea then that an organization that fails to undertake due diligence is the converse of what Treasury has said will be not afforded leniency. And there's always making an example out of someone that in and of itself may be a deterrent measure against the payments, but how do we then deter the criminals? Well, if there are fewer payments, then their theory goes that if they begin to make less money, they will be less inclined to continue to undertake ransomware attacks.
Mitch Mayne: There's a few voices out there who consider that double punishment for the victim. It's just like, if you pay the ransom, you've already been hit with the victim of one crime and then the government comes in and punishes you and says, well, if you've decided to pay the ransom, so now you're going to also get penalized from us, so there is a few folks out there who think that's double jeopardy for a few unfortunate folks. I want to ask you a little bit about... we talked some about how easy it is or not easy it is to hide your funds in the cryptocurrency world. What is your knowledge of cryptocurrency mixing services? Because that is, from my understanding, one of the key ways that criminals use to cover their trail.
Megan Stifel: Well, I would say in the first case, my knowledge is not as extensive as many others, including the experts in the ransom task force. The mixers themselves also add an additional level of difficulty and an additional layer of obfuscation that criminals like and law enforcement and law abiding citizens don't like.
Mitch Mayne: Well, this is why I mentioned your report because it's so well written and it's 81 pages. So for those of you out there who are listening, don't roll your eyes at 81 pages because it's 81 pages of really well written material. You talk about ransomware fund obfuscation, and you do mention a couple things like chain hopping and the mixing services and you do it in language that's really crisp and really clear and it gives the general public as well as lawmakers who may not be technical experts, a way to understand this in a human fashion as opposed to feeling like, I have to be a PhD in engineering in order to get my head around the ransomware market and cryptocurrency as a whole. Let's talk a little bit about what your vision is, and we can talk a little bit about Megan's personal vision if you want, or the IST task force as well. What would the ideal state for the cryptocurrency sector be in your eyes? And is it achievable?
Megan Stifel: Well, I should speak only for myself because I'm not the expert. I just had the benefit of hearing a bit of some of the expertise that was shared in the process in writing a report. But from a background in national security over there, I say two decades now, the idea that someone can exchange something of benefit... I'm also a lawyer, don't play one for any organization anymore. But in that exchange and continue to make money or continue to benefit from, at the end of the day is a societal harm, is not something that is sustainable in a global economy and certainly not in a space where we are, where everything is going digital. One might think that whether it's cryptocurrencies and we've obviously been exchanging monies through wire transfers and the like for many decades. But there is a need for regulation in this space because without it, what's to stop the demands from growing even larger, tens of millions into the hundreds of millions of dollars which we're already seeing? And what's to stop the targets from having a more deadly impact? We've seen incidents on hospitals causing delays of services to individuals, which ultimately led to their death. We can think about the supply chain implications just even this summer from the Colonial Pipeline incident. And at the end of the day, this is all fueled by money and we're not able to follow the money as well as we can in other spaces, which has been an effective measure in combating. It's not the only measure and it's not a silver bullet, but it is an effective measure in investigating and reducing the societal harm that can come from criminal activity. That was a long-winded way of saying, I think we're coming to the point where regulation needs to happen. I think it should happen in a collaborative manner. We've already, through the task force and some of the work following it, had very good early conversations with those who want to be contributing to both of the marketplace of cryptocurrencies as you identify, but also recognize the risk. And provided that it's done in a thoughtful manner that obviously tries to reduce the compliance burden but gives the maximum benefit to those who want to do the right thing, I think we need to get there and we should get there.
Mitch Mayne: Can we accomplish that? I think it's a good goal. You mentioned societal good and I'm going to touch on that in a second here. Is it achievable, and if so, how soon do you think we can get there?
Megan Stifel: The soon piece I think is one of the challenges. So thinking about the likelihood, well, I mentioned that I'm a lawyer, I have not examined this from a legal perspective about whether or not within the Treasury Department's existing authorities to regulate currencies as this is in currency so you can go down that rabbit hole of, is there authority? And if there is, then we need to work on what the regulations are. If there's not, then you need to go get additional authority from Congress. That of course, from Congress part is the likely source of delay if it's the latter case. If it's the former case, then you're dealing largely with not only working through the inter-agency process and ensuring that the needs of all parties in the inter-agency, so the law enforcement entities, the treasuries of the world, but also then working with industry to come to consensus around what's the right first move. Do I think it's going to happen in six months' time? No. Might it happen in the next two years? Maybe, I think it depends on a number of other factors including, what trajectory do we see ransomware on? Is it getting worse, is it stabilizing, is it getting any better? And the second factor, how quickly would industry work with regulators to come to consensus? Assuming there is existing authority to do so, where is the international community? If we are able and successful in bringing additional partner nations to the table around this, and I think the meeting that happened that the White House convened in October with 30 nations is a good signal that there is interest in this. We can also look at what happens with the G7 that we might get to at least the first stage within five years. Maybe within two years, but I never want to wager on the life cycle of regulation or legislation.
Mitch Mayne: I hear your inner lawyer coming out, no wagering on the life cycle, and I understand that. But in terms of global policy or at least partial global policy, two years, five years, that's light speed, that's not a bad timeline, hopefully it's even sooner than that. You talked about the public good and what I want to touch upon a little bit is, what drives you personally in this area, in this arena of cybersecurity? I can share what drives me, but I think I have an idea of where your head is at just given your resume. And you've spent a lot of your career dedicated towards helping the public good. And you were part of this task force whose aim was to, again, help the public good. What do you like best about working in this industry and why do you do what you do?
Megan Stifel: Well, I would say at least two things, but probably many more. The first is, as I described with respect to the group of people and organizations that came together for the task force, it's a very collaborative community and not a hacker in the good sense of the word, but I know a lot of them and they are a very amazing group of people. All of them in the good space, less so in the criminal space, but the true sense and the original sense of hackers is people who want to be helpful. And so what motivates me is watching them oftentimes out of their own sense of commitment and mission, giving their own time to try and help others understand what's going on to help protect critical resources. So really, doing what I can for my background and experience to help them be more effective in their work. Second thing is, I have a family and want my kids to be protected from bad guys and bad girls online and elsewhere. And as we touched on a bit, a lot of the world is going digital, so we want the future of what the policy wants, call it, information and communications technologies to be a safer one. And so if I can help contribute in any small way to that, that's also a motivation. And I think the third thing is, I have a pretty degree of loyalty to democracy in the way that it has evolved in the United States. Certainly, some recent examples are not ones that I am proud of, but I think at its core and at the end of the day, we have a great opportunity in this country and need to continue to exercise it in a manner that is repeatable and for the benefit not only of people in our country, but for the world.
Mitch Mayne: Thank you for sharing that. That was a little bit of a glimpse into your personal mind, which I appreciate and I'm at the same mindset when it comes to... I really enjoy making the world safer and making the world a better place. And as far as your point on democracy goes, I had a professor once who told me, I'm sure this comes from some religious text or is it an excerpt from some religious text, but where much is given, much is expected. And I feel like that I personally am in that state, I've been really blessed in my life and I think in the United States we are really blessed. And so I think it's a good thing to pay that forward, so to speak. Thank you for that, Megan.
Megan Stifel: Thank you again for having me and thanks for working to help enlighten and educate the community around this issue. It's really an essential one that we get our hands around together.
Mitch Mayne: Well, where much is given. A special thanks to our guest, Megan Stifel, for her time and insight making today's episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach, an IBM production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordan Wallace with audio production by Kirin Banergy. Thanks for venturing Into the Breach.
DESCRIPTION
Cryptocurrency has become the favored tender for ransomware groups. Because of the intricacies of blockchain technology, it is often difficult for law enforcement to trace criminals who demand cryptocurrency payments. But is there a way to regulate cryptocurrency in a way that provides fewer hiding places for criminals—but doesn’t disrupt the market? We speak with Megan Stifel, Policy Officer at the Global Cyber Alliance, who as part of the Ransomware Task Force, issued the recommendation to closely regulate cryptocurrency—but still preserve the market.