Two Modest Proposals for Improving Cybersecurity
May 1, 2019
Post by Robert Hansen
I tend to think about security at a macro level these days. It occurred to me there might be a few interesting ways to help improve cyber security online. I like the idea of increasing costs to adversaries, so both of these are about introducing friction to the ecosystem of cyber crime.
The first idea involves cryptocurrency. Let’s say there is a ransomware event, where some cryptocurrency is sent via the Internet to an attacker. That cryptocurrency and all subsequent transactions from the account are easily calculated. So why doesn’t the government (for example) have a lookup list – for any known addresses that were ever involved in illegal transactions, or have done business with an entity that has illegal transactions in the past? Once someone pays their ransom and gets the unlock key for the cryptolocker malware, they could send the information to the government. The government could then track and publish that payment address, and all future transactions. Anyone who does business with that address, or with any other address that it does business with, is also added.
That way the money and all subsequent accounts are “tainted” and can never be cleaned through any legitimate means. If the cryptocurrency remains within the confines of the online world, it can be traded for services. But from that point forward all transactions related to it would be carefully monitored. No legitimate cryptocurrency exchange would risk allowing the transactions, for fear of being complicit in aiding and abetting after the fact. That would make it significantly more difficult for cyber criminals to transact online, because there would be precious few safe ways to extract the funds out of the cryptocurrency and back into fiat currency. That in turn would greatly increase the costs of doing cyber crime.
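A sketch of how such a lookup list could be computed, as an added example that is not part of the original post. The ledger, the addresses, the report time and the function names are all constructed for illustration, and the propagation rule (any counterparty of a listed address, in either direction, from the moment that address is listed) is one reading of the proposal above.

```python
from collections import namedtuple

Tx = namedtuple("Tx", "time sender receiver amount")

# Constructed ledger: every address and amount here is made up.
LEDGER = [
    Tx(1, "victim", "ransom_addr", 2.0),   # the ransom payment itself
    Tx(2, "alice", "bob", 0.5),            # unrelated, nothing listed yet
    Tx(3, "ransom_addr", "mixer_1", 1.0),
    Tx(4, "ransom_addr", "mixer_2", 1.0),
    Tx(5, "mixer_1", "cashout", 0.9),
    Tx(6, "bob", "mixer_2", 0.1),          # bob pays an already-listed address
    Tx(7, "cashout", "exchange_dep", 0.9),
    Tx(8, "alice", "carol", 0.2),
]


def build_taint_list(ledger, reported):
    """Build the published list from victim reports.

    reported: {address: time the victim reported the payment}.
    Returns {address: (hops_from_report, time_listed, listed_via)}.
    """
    tainted = {addr: (0, when, None) for addr, when in reported.items()}
    # Walk the ledger in time order so taint only flows forward in time.
    for tx in sorted(ledger, key=lambda t: t.time):
        for src, dst in ((tx.sender, tx.receiver), (tx.receiver, tx.sender)):
            if (src in tainted and dst not in tainted
                    and tx.time >= tainted[src][1]):
                tainted[dst] = (tainted[src][0] + 1, tx.time, src)
    return tainted


def screen_deposit(tainted, address):
    """The check an exchange would run before crediting a deposit."""
    if address not in tainted:
        return "accept"
    hops, when, via = tainted[address]
    return f"hold: {hops} hop(s) from a reported address, via {via} at t={when}"


if __name__ == "__main__":
    # The victim paid at t=1 and reported at t=2 (assumed report time).
    taint_list = build_taint_list(LEDGER, {"ransom_addr": 2})
    for addr in ("exchange_dep", "bob", "alice"):
        print(addr, "->", screen_deposit(taint_list, addr))
```

On this ledger the list grows from one reported address to six, and it includes `bob`, whose only link is a single payment to an address that was already listed.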
Malware/Spam Information Exchange
The second idea involves creating a clearinghouse – for information that might lead to the arrest and incarceration of any individual who has sent more than X amount of spam (ex: 100k unsolicited emails) or compromised more than Y amount of machines (ex: 100). If the information you send to the clearinghouse leads to the arrest of the individual, you get paid some amount of money. The payment can be in whatever form that you wish, cryptocurrency or otherwise (ex: $100k, just to throw a number out there). So let’s say you are a malicious hacker who just compromised a bunch of machines. Typically you’d sell them or the data to someone else. But in this world, it’s much less safe to have any partners. Because every one of them could easily decide to remove you from the pool, and make a quick $100k in the process. That would add a huge amount of friction to the ecosystem for attackers because they would no longer be able to trust one another. Hacker infighting would get to be an extremely real and dangerous liability, far beyond what it is today. That additional friction would dramatically increase the costs and risks associated with doing business for anyone who relied on others to make money.
I think both of these ideas may need some work and fine tuning, but both seem to add the right types of friction to the adversaries for a relatively low cost. It’s things like this that could really change the landscape. They are relatively low-tech, but extremely easy to implement and relatively inexpensive. Once things like this exist, it really just makes the best outfits that much better because it removes the lowest common denominator. We might be left only with nation states, cartels and uber-hackers. So like anything, I’d propose doing a thorough risk analysis. Unintended consequences are everywhere.