Cyberattackers have been holding hostage data and computer systems at American businesses, schools and hospitals until they receive digital payment from their victims, making cryptocurrency a key component of ransomware gangs’ business model.
Congress is now working to understand whether cryptocurrency is fueling the rapid spread of ransomware attacks and looking to impose new rules on the digital currency business.
Sen. James Lankford, Oklahoma Republican, said that the Biden administration’s handling of cryptocurrency is tangled, involving more than five different agencies with some jurisdiction over cryptocurrency matters, and it is causing confusion.
“This is still a convoluted mess at the worst possible moment for a company, for a hospital, whatever it may be that just had a ransomware attack,” Mr. Lankford said Tuesday at a Homeland Security Committee hearing. “And now they’re getting bombarded with all these different federal entities calling them and wanting information and details on this. There has to be a single source, I know we’re in the process of working that through.”
Cryptocurrency companies and exchanges also help catch cyberattacks, said Jacqueline Burns Koven, the head of cyber threat intelligence at the blockchain financial services company Chainalysis.
“It can be much easier to investigate cases involving the illicit use of cryptocurrency than other forms of payment,” Ms. Koven told lawmakers. “By identifying an illicit actor’s cryptocurrency wallet, for example, from a ransom payment, law enforcement can gain insight into not only the cash-out destination but also the network of accomplices and malicious tools underpinning the threat actor’s campaign.”
Ms. Koven said traditional financial crime investigations examining bank accounts are resource-intensive and time-consuming that require subpoenas and return less information than studying digital ledgers and transactions.
Some lawmakers expressed skepticism about cryptocurrency’s utility outside of criminal enterprises.
“It’s criminals that use this currency,” said Sen. Gary Peters, Michigan Democrat. “In addition to speculators, it’s criminals who seem to be using crypto.”
Cryptocurrency analysts disagree. Ms. Koven said legitimate transactions occur outside of criminal activity and businesses and services that people frequent are adopting the practice of accepting cryptocurrency.
While cryptocurrency regulation is not guaranteed, there are several different routes Congress may choose to pursue.
For example, Know Your Customer or KYC requirements for financial services professionals to know detailed information about their clients could be applied to cryptocurrency businesses. That could compel cryptocurrency entities to make additional disclosures to combat money laundering.
Sen. Maggie Hassan, New Hampshire Democrat, said the IRS has recommended increasing KYC requirements for cryptocurrency businesses.
Other lawmakers also are eyeing new cryptocurrency laws.
Sens. Kirsten Gillibrand, New York Democrat, and Cynthia Lummis, Wyoming Republican, introduced the Responsible Financial Innovation Act to create a new regulatory framework for digital assets.
The Biden administration has not waited for Congress to set the agenda on new rules governing cryptocurrency. Last year, the Treasury Department announced sanctions against SUEX, a cryptocurrency exchange that was operating in Russia, for allegedly facilitating payments to cybercriminals.
Following Russia’s invasion of Ukraine, the Biden administration imposed additional sanctions affecting Russians and Russian-connected people. Last month, National Security Agency cybersecurity director Rob Joyce suggested that the cumulative effect of sanctions curtailed ransomware attackers, according to reports.
Private cybersecurity professionals are less confident that sanctions are diminishing ransomware attacks.
“We know that ransomware incidents involving public sector entities in the U.S. appear to be down this year, but that’s about all we know,” Emsisoft threat analyst Brett Callow said on Twitter last week.
“And that’s a problem,” he said in another tweet. “If policymakers can’t measure the impact of their policies, how do they know if they’re working?”