July 26, 2021 at 5:00 am ET
The recent high-profile ransomware attacks on Colonial Pipeline and food processing giant JBS have led to knee-jerk calls to ban cryptocurrencies because the attackers demanded to be paid in Bitcoin. But would ransomware end if cryptocurrency went away tomorrow? In a word — no. Ransomware existed before cryptocurrency was popular and, if cryptocurrency were outlawed tomorrow, criminals would simply seek alternative payment methods, of which there are many.
The rise of ransomware has been horrible to behold. It is one of the rare online crimes where the impact is felt broadly by everyone. Hospitals unable to service patients. Local governments unable to support citizens. Workers losing jobs because their employers go bankrupt.
But blaming crypto for ransomware is like holding email accountable for ransomware because that’s a vector criminals use to infect victims. Neither is the cause of ransomware. What we need to eradicate this scourge is a more nuanced, multipronged strategy that gets to the root cause of the problem.
Why it’s getting worse
The growth of ransomware can be attributed to the rate at which companies are shifting critical systems online and the poor level of controls many companies have over their IT systems. When you couple those factors with the presence of ransomware gangs operating from foreign jurisdictions with relative impunity and little ability for law enforcement to drive an international response, you get a recipe for trouble.
This has led some pundits to throw up their hands and conclude the only way to fight back is to ban cryptocurrencies. But if cryptocurrencies were banned, attackers would simply fall back to traditional money-laundering methods like prepaid gift cards, money mules, bulk cash smuggling, funnel accounts or even requiring air-dropped cash payments.
What’s more, there are many reasons cryptocurrency is good for law enforcement. Talk to law enforcement agents and those prosecuting crimes like this and they’ll tell you that cryptocurrencies are much easier to track than traditional, harder-to-trace forms of payment such as cash.
In the world of Bitcoin, while you might not be able to immediately attach a name to a transfer, the whole history of transfers, for every address on the cryptocurrency network, is preserved forever and accessible to all. Law enforcement can use these “digital breadcrumbs” to track spending patterns. Where that cryptocurrency touches an exchange like Coinbase, which collects KYC (Know Your Customer) data for customers, a subpoena or a warrant will get them a real-world identity. That stands in stark contrast to traditional money laundering using cash or commodities.
What we should be doing
If banning use of cryptocurrency isn’t the answer, what is?
That will take time, of course, so in the meantime, companies in the trenches should actively review their own security posture and figure out if and how they could recover if attacked. Most companies have backup policies, but few organizations have restore policies or regularly test their ability to restore in a real-world scenario.
Ransomware isn’t going away even if cryptocurrencies are banned. So don’t be tempted by the “easy answer,” given it isn’t really an answer at all. Let’s take the bull by the horns and focus on the hard work of putting ransomware in its place.
Philip Martin is the chief security officer of Coinbase.