When situations develop in a predictably bad direction and some people including yours truly saw it coming, at least in broad outlines, and pretty much no one took basic steps to change the trajectory, it’s hard not to marvel at our collective stupidity. I sent a little rant to our Brexit group, which is overweight in experts in banking, IT, and regulatory matters, on the Colonial Pipeline hacking debacle and the role of crypto in it.
Note that as of yesterday, gas shortages were starting to stick. Local contacts said nearly all gas stations around Atlanta were out of gas, for instance. From the Wall Street Journal:
Last night, Colonial announced it was “restarting” its service. I’m not the only one who noticed the paucity of details such as when they expected to be back to normal.
Can someone please explain to me why Colonial Pipeline, which supplies almost half the fuel consumed on the East Coast, doesn’t have to disclose a thing about the ransomware attack, whether it paid the attackers, or what steps it’s taking to prevent another attack?
— Robert Reich (@RBReich) May 13, 2021
Officially, per Reuters, Colonial is making no comment as to whether it paid or might pay a ransom. However, it appears Colonial is trying to have it both ways. From the article:
Colonial Pipeline does not plan to pay the ransom demanded by hackers who have encrypted its data, according to sources familiar with the company’s response on Wednesday.
“Does not plan to” is not “will not”. For instance, from Colonel Smithers:
Soon after New Year, a client of [Euro TBTF] in the US was held to ransom. After some high level discussions with regulators, it was decided to engage a negotiator to facilitate the ransom into crypto. It was interesting to hear from our US counterpart that negotiators who specialise in this shadow exist and numbers are growing.
On your last point. It’s the talking point of govts “you don’t negotiate”.
The reality is that they do, most of the time. As long as the ransomers are smart enough to keep under the radar (i.e. not to attract media). When at LBS, we had a couple of sessions with a professional negotiator; it was fun and one learned lots of interesting tidbits (like what is the precise weight of $10k in $100 notes).
Now let’s step back a little:
1. No one saw this coming??? Did all of these big infrastructure providers, and more importantly, their government dependents miss Stuxnet and Iran? That was 2010, dudes. Of course, we are now generations into software and hardware where security was never a high priority in design (witness default user IDs and passwords of “admin/admin”). Retrofitting is much much harder than building it in from the get-go, but we are well past where that’s attainable. And that’s before you get to corporate cultures where inconveniencing workers is a career limiting move for an IT professional.
Regarding Stuxnet, I’m surprised that a commercial version, as opposed to state actor v. critical facilities, took this long to happen. Of course, this does have to have more features, since presumably you need to turn it off w/o leaving [more] fingerprints.
2. The ransom ($1 billion) has to be paid in crypto. Yet no one is saying this is confirmation that letting crypto run wild was a bad idea? And on top of that, the $1 billion ask has now focused the minds of all sorts of criminal mischief-makers as to how profitable holding the right actors hostage could be.
By contrast, if anyone tried to move $1 billion through the banking system, even to a bank in a supposedly-beyond-our-reach country, Gina Haspel and every sadistic mercenary in US employ would be on the list for the team to capture and render that bank’s execs. We’d find it imperative to make an example of them. We’d probably settle for car bombings and strangulations in bathtubs since the Khashoggi treatment is a tad uncivilized.
3. Worse, I see crap like this, from a Politico newsletter:
Lawmakers could crack down on the anonymity of cryptocurrency marketplaces by requiring them to collect more information about their users. But that effort, too, would provoke strong opposition from the cryptocurrency industry, which is assembling a growing army of lobbyists.
So what next, a syphilis lobby? It’s not just “marketplaces,” it’s the whole damned premise.
Banks had to have known that the use case was criminal, which to them means high margin. They stupidly thought they could wind up owning enough of the market for it to make for a decent profit center. So they didn’t oppose it and many supported it. As Colonel Smithers pointed out:
When pack horses like DB and BNYM, so not just the thoroughbreds, are raring for a piece of the action, you know it won’t end well.
I get the impression that financial institutions see this like dark pools and the opportunity to trade away from regulatory scrutiny.
Even my chiropractor in Pelham, Alabama has worked out what crypto is about. I saw him yesterday and he was asking about Bitcoin and Dogecoin. He said friends were in it, had made some money, and were pressing him to buy. He said he didn’t like the volatility (and said they’d got in around $4000, saw it run to over $16,000, and then fall way back and they sold out at a bit over $5,000. I assume they got back in at a higher price).
More important, he said he didn’t see what you could buy with it and was unfamiliar with the tax issues (which I explained). And he said he didn’t like investing in something that had no real use and was mainly good for crime (!!!) and he wanted his investments to be in things that were productive.
And vlade pooh-poohed the idea that it would be hard to reduce the use of crypto to nuisance/hobby level:
Your points re crypto. All I can say is “death to crypto!”. It’s literally the worst invention of humanity, ever. There is not a single positive element (even if you look at it as a wealth-redistribution lottery, lotteries already exist and are at least more transparent). Even leaded petrol and nuclear fusion had some positives.
The response to this should be “fuck crypto, let’s outlaw it, right now” *). Instead we’ll get handwringing from Politico and similar crap.
*) you could start by making it a crime to be in any blockchain that includes a wallet that can be tied to a known criminal use, as participation in money laundering. Just the uncertainty of that would kill crypto.
To add to what vlade said, there is no legitimate purpose for crypto that isn’t served as well or better by existing financial services products. Its only use case is for crime.
Finally, Elon Musk’s reversal on Bitcoin as a means of payment for Teslas is oddly timed. Musk’s professed excuse, that he had no idea what an energy hog Bitcoin is, is laughable. One theory is that Musk is enjoying showing his power by whipsawing crypto prices.
But my pet and unprovable belief is that Musk realized or even was quietly told that his legitimation of Bitcoin and therefore crypto generally didn’t sit well with key players in the defense/intel state. They may now feel they stood pat for too long and are now playing a rearguard game to curb its use. While Musk has no inhibitions about pushing around a weak regulator like the SEC, he needs the cooperation of the Feds for his SpaceX plans to advance. There are all sorts of plausibly deniable ways to hold up projects like that, such as protracted safety inspections.
The time is overdue to crack down on this socially destructive complex. But absent bloody-minded measures like the one vlade suggested, the officialdom will be playing whack-a-mole.