Last week I wrote an article on illicit cryptomining – how hackers are sneaking cryptocurrency transaction processing software onto corporate networks, personal computers, and other devices. I attempted to raise the alarm, calling this threat the most dangerous of 2018.
I didn’t go far enough.
Upon deeper reflection, the implications of illicit cryptomining are profoundly frightening. Because this type of cyberattack is ‘relatively’ benign – for certain definitions of ‘relatively’ – it’s positioned to run amuck, taking over computers, networks, data centers, and cloud environments around the world.
Perhaps there’s a way to stop this insidious infection from killing its host, which is nothing less than the global computing infrastructure. To be sure, cybersecurity vendors are already on the job.
In my opinion, however, prevention and mitigation technologies will never work well enough. There’s only one way to slay this beast. We must make all cryptocurrency as we know it today illegal.
Permissionless vs. Permissioned Blockchain
At the heart of Bitcoin, and by extension most if not all altcoins (cryptocurrencies other than Bitcoin), is the notion of a permissionless blockchain. With a permissionless (generally known as ‘public’ or ‘open,’ with few exceptions) blockchain, anyone can create an address and interact with the network – purchasing coin, selling coin, or mining coin.
The public approach draws a stark contrast with permissioned blockchain (generally ‘private’ or ‘closed,’ again with a few exceptions). “The permissioned Blockchain is a closed and monitored ecosystem where the access of each participant is well defined and differentiated based on role,” explains Devon Allaby, COO of Design Farm Collective. “They are built for purpose, establishing rules for transaction that align with the needs of an organisation or a consortium of organisations.”
I focused on permissioned blockchains in my recent article Don’t Let Blockchain Cost Savings Hype Fool You, where I discussed IBM’s efforts with the open source Hyperledger project. If you’ve read about promising proofs of concept with global logistics and supply chain enterprises, you’re familiar with permissioned blockchain.
Permissioned blockchains aren’t the subject of this article, however. They may struggle with scalability and in the end cost too much, but they don’t have the fundamental flaw that the permissionless blockchains that underlie cryptocurrencies do.
The Problem with Permissionlessness
The problem with permissionless, public blockchains is that anybody can sign up as a miner – which means that there’s nothing stopping criminals from doing so.
Not all mining enterprises are criminal, of course. There are plenty of people building mining businesses that are perfectly on the level. But that being said, there are many different criminal pursuits that can leverage mining.
Tax evasion. Money laundering. Funding terrorism or other illegal activity not directly related to cryptocurrency. But the most nefarious of all criminal motivations: illicit cryptomining.
Why Illicit Cryptomining is So Devious
Infiltrating our computers and networks is dead simple – all it takes is one phishing victim, one visit to a malicious web page, or one person downloading a fake app from an app store, and bam! The hacker is inside.
Infiltration is a familiar first step to most corporate cyberattacks, which follow the Cyber Kill Chain – infiltrate, install malware, move laterally to a valuable target, establish a command and control (C&C) link back to the hacker, and then exfiltrate the data or funds that are the target of the attack.
Hackers follow this pattern when their goal is to steal something (in other words, ‘exfiltrate data’). As a result, cybersecurity vendors have been focusing on detecting and disrupting the steps in the Kill Chain.
Cryptomining, in contrast, breaks this mold. The software technically isn’t malware – after all, plenty of people mine cryptocurrency on purpose. There’s no need to find a valuable target, since any computer with processor cycles to spare will do.
And there’s nothing to exfiltrate. As long as the compromised computer can reach the Internet, the threat actors can cash in on their mining activity.
The most devious aspect of illicit cryptomining, however, is the fact that it can run undetected indefinitely. After all, nothing’s being stolen except excess processor cycles and a bit of electricity. In this world of far scarier threats, illicit cryptomining will always rank rather low on the list of priorities.
Until, of course, it brings your entire network to its knees.
Cryptocurrency Ethics and ‘Know Your Miner’
To combat money laundering, regulatory agencies around the globe require companies to ‘know your customer’ (KYC). In theory, if all participants in a transaction have sufficient details about the parties they’re doing business with, then it will be far more difficult for criminals to launder their ill-gotten gains.
Because anyone can become a cryptocurrency miner, it would only be logical for the same regulatory bodies to institute a ‘know your miner’ policy.
After all, if you want to conduct any kind of transaction with Bitcoin or any altcoin, you’d like to know that the miner processing your transaction isn’t a criminal enterprise that might use its share of the transaction fee to support terrorists or child pornographers, right?
In addition to the regulatory burden of instituting global ‘know your miner’ policies, therefore, there is also an ethical burden that all participants in the cryptocurrency economy must adhere to, else they risk condoning illegal activity regardless of whether they are criminals themselves.
So far, so good, except for one problem: ‘know your miner’ cannot work for a permissionless blockchain.
When you execute a Bitcoin transaction, say, who is actually processing the transaction? It’s not the merchant. It’s not the exchange. It’s not even the miner who is rewarded for such processing.
It’s every miner on the blockchain.
True, for any transaction only one miner gets rewarded, but every miner executes the transaction on its copy of the blockchain – and furthermore, this distributed, redundant transaction processing is at the heart of how blockchains work.
So, if even one of the miners is a criminal, you are supporting a criminal enterprise with every cryptocurrency transaction you conduct. And believe me, the number of criminal miners is far, far more than one, and growing every day.
How to Fix the Problem
Corporations will certainly try to prevent illicit cryptomining, but such efforts are doomed to be a losing battle – first, because it’s dead simple to mount such attacks, and second, because fighting such threats will remain a low priority for the foreseeable future.
That leaves ‘know your miner’ – which can only work on permissioned blockchains.
Perhaps a cryptocurrency-based approach like Ripple that some people consider ‘semi-permissioned’ can solve this problem. (Ripple’s XRP altcoin and other permissioned or semi-permissioned cryptocurrencies are an area of active innovation and controversy which I’m sure to cover in a future article.)
However, as long as permissionless-based coins have value, illicit miners will favor those over Ripple and its brethren anyway.
The cryptocurrency world, therefore, will have two choices: switch entirely from permissionless to permissioned (or perhaps semi-permissioned) or shut down entirely.
Of course, many of the aspects of blockchain that excite the cryptocurrency world depend upon permissionlessness. Without it, all we have is a secure distributed database technology – which might very well come in handy for real business purposes, but falls short of supporting the excitement around cryptocurrencies today – including the buzz around initial coin offerings (ICOs).