A hack of the world’s largest meat producer is ratcheting up pressure for greater regulatory oversight of cryptocurrency’s role as a preferred method for ransom payments that are difficult to trace.
The U.S. Treasury Department should ramp up its enforcement of anti-money laundering laws and adopt reporting rules for cryptocurrency transactions following the hack of meat processor JBS SA—the latest to spotlight ransomware as a national security issue, according to cybersecurity consultants, lawyers, and former government officials. Cracking down on cryptocurrency payments would make it more difficult for hackers to profit off of foreign ransomware attacks.
Heightened public awareness of follow-on effects from such cyberattacks, like potential shocks to meat supply, could spur policymakers to add regulations for cryptocurrency transactions, they say.
“De-anonymizing payments would create a huge disincentive for criminals to continue these ransomware extortion schemes,” said Dmitri Alperovitch, former chief technology officer at cybersecurity company CrowdStrike Inc. and current co-founder and executive chairman of think tank Silverado Policy Accelerator. In ransomware schemes, hackers demand payments after locking victims out of their computer networks.
Alperovitch said hackers have embraced digital currencies as a way to avoid regulations within the traditional financial system. Applying similar anti-money laundering rules to cryptocurrency transactions would aid in identifying cyber criminals, he said.
Expanding analysis of cryptocurrencies is one of the steps the White House is taking to curb cyberattacks, White House Press Secretary Jen Psaki told reporters Wednesday.
Crypto Cash-Out
Disclosing who’s using a digital wallet and where they’re sending cryptocurrency is “a natural starting point” for regulation, according to Lee Reiners, executive director of Duke Law’s Global Financial Markets Center.
In addition to wallet providers that let users send cryptocurrency, there should be added oversight for “on and off ramps” where cryptocurrencies are being exchanged for other currencies like U.S. dollars, he said.
“Those are the pressure points I’d like to see Treasury crack down on,” said Reiners, who used to work at the Federal Reserve Bank of New York.
Still, U.S. financial rules wouldn’t reach overseas venues where criminals cash out their crypto coins, according to Bill Siegel, CEO and co-founder of Coveware Inc. The company collects data on ransomware attacks and helps companies respond to such incidents.
“The issue is the cash-out process,” Siegel said. Foreign crypto exchanges are “out of reach” for U.S. regulatory enforcement, he said.
Alperovitch suggested that U.S. authorities use sanctions to prevent exchanges from transacting in U.S. dollars unless they participate in a crypto reporting regime.
The cyberattack on meat processor JBS is the latest to hit the U.S. commodities supply chain, following an earlier attack on Colonial Pipeline Co., a major gasoline supplier for the East Coast.
The events drive home how large-scale hacks can affect average Americans with higher gas prices and shortages, said Michael Borgia, the Washington, D.C.-based leader of Davis Wright Tremaine LLP’s information security group. Increased public scrutiny could spur policy action on cryptocurrency and other issues tied to ransomware, he said.
“Consumers are starting to link these hacks not just with inconvenience but with larger national security issues,” Borgia said. “You’re seeing a lot more calls for mandatory regulations.”
Treasury Rules
Treasury in late 2020 proposed a rule that would require banks and exchanges to report on transactions of more than $10,000 involving digital wallets not hosted by a financial institution, echoing existing rules for cash withdrawals over that threshold. The reporting rules are intended in part to assist law enforcement in tracking money flows for cyber crime, the department’s Financial Crimes Enforcement Network, or FinCEN, said at the time.
Crypto exchanges already have to report on customers’ suspicious transactions. The proposed rule would add reporting for when unhosted wallets are involved, regardless of whether the transaction is considered suspicious. Unhosted wallets are like anonymous bank accounts.
Treasury’s reporting proposal came after its FinCEN unit warned companies that pay ransoms to hackers risk running afoul of U.S. sanctions. The advisory has had the “side effect” of encouraging ransomware victims to cooperate with law enforcement, Siegel said, because those that do could be shielded from liability for mistakenly paying an entity on the sanction list.
Some have called for the government to go further and discourage hack victims from paying ransoms altogether.
“The guidance that has been issued doesn’t send the clearest sign to industry that they shouldn’t pay a ransom—there’s just increased legal risk and compliance risk in doing so,” said Trisha Anderson, a cyber-focused partner at Covington & Burling LLP who previously worked at Treasury, the Justice Department, and the Federal Bureau of Investigation.
The proposal for reporting crypto transactions “is actively moving through the rulemaking process” after the Treasury Department received thousands of comments, an agency spokeswoman said in an email.
While there is increased attention on regulations for topics ranging from cryptocurrency to cyber insurance to information sharing and disclosure, bolstering security should also be a priority, said Amy de La Lama, the Boulder, Colo.-based chair of Bryan Cave Leighton Paisner LLP’s data privacy and security practice.
“Companies should focus on security and prevention to stop these types of attacks in the first place,” she said. “Then companies won’t be in the position of having to pay a ransom or negotiate in cryptocurrency to begin with.”
