Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
10/26/2017
10:00 AM
David Holmes
David Holmes
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

5 Reasons Why the CISO is a Cryptocurrency Skeptic

If you think all you need is technology to defend against bad guys, you shouldn't be a CISO. But technology is all cryptocurrency is, starting with Bitcoin.

“Are we doing anything with Bitcoin?” You’ve probably heard that question from a board member. When they ask, maybe you say something noncontroversial like “We’re looking into it.” But seriously, anyone with a risk management background should be a cryptocurrency skeptic. Here are five reasons why.

Reason 1. Volatility
The recent rocket-like rise of the conversion value of Bitcoin to $4,000 will have even more board members (or directors or bartenders or barbers) asking you the same question in the months to come. But has everyone forgotten that just three years ago, Bitcoin was the worst-performing currency in the world, losing 56 percent of its value?

The meteoric rise in the value of Bitcoin comes from the perception that the Bitcoin community has solved the years-long "block size" problem, which had led many to claim Bitcoin was a failed experiment. The main Bitcoin fork introduced Segregated Witness (SegWit), which allows offline transaction chains. A new fork of Bitcoin introduced in August 2017, called Bitcoin Cash, increased the blockchain block size. Both of these improvements should speed up transaction verifications, though it would be nice if they were the same fork. (Thanks, guys!)

Speculators are now resuming their irrational exuberance. Sure, volatility is an aspect of currency; in real life (IRL, as some say), arbitrage markets exist to absorb that risk. And you’re not dabbling with them, are you?

Reason 2. Maturity
There are thousands of ways to steal real money IRL; fraud, impersonation, counterfeit, embezzlement, and money laundering are just the big ones.

IRL, we have infrastructure to deal with these schemes. Laws, for one. And courts, insurance, Federal Deposit Insurance Corporation (FDIC), double-entry accounting, and regulation. What does cryptocurrency have? Not much. Just some blockchain stuff running on volunteer computers. Sure, the blockchain verification sounds like built-in accounting, but if you can be anonymous, what exactly is the point of all that accounting? What is the point of cryptographically proving that someone stole your Bitcoin and spent it on a Samsung TV, but you have no idea who it was?

In Pennsylvania this summer, a man admitted to stealing $40 million worth of Bitcoins. The authorities didn’t charge him with theft, because while Bitcoin is money, it isn’t legal tender.

Reason 3. The Nation State
One of the supposed benefits of Bitcoin and other cryptocurrencies is that they aren’t tied to any particular nation state. This prevents Bitcoin assets from being frozen by the state, and gives consumers the freedom to do anything they want with their money. State sponsorship of a currency has obvious benefits, though. Consider, in the 1990s, George Soros nearly single-handedly destroyed the pound sterling by betting that it was overvalued. To keep the pound from a precipitous fall, the UK government had to raise the interest rate to 15%. Pledging the resources of 80 million Britons kept the pound afloat. Had the defense failed, however, the pound would have fallen against all other currencies, possibly leading to a nationwide depression. Who’s going to defend cryptocurrency from the next Soros?

In the United States, the Secret Service has only two jobs: protecting the president, and protecting the currency (mostly against counterfeiting). Where is the Secret Service for cryptocurrency?

Reason 4. All Those Flipping Thefts
For a currency that was designed to make theft impossible, Bitcoin has a terrible and ironic history of constant, massive thefts. You can read the entertaining Blockchain Graveyard list of 44(!) cryptocurrency bank failures, most due to theft. Mt. Gox, the world’s largest repository of Bitcoins, failed after 744,000 Bitcoins (representing 6% of the worldwide total) were stolen. Today’s market value of those Bitcoins is $3 billion. They are still out there somewhere, and they haven’t been used.

IRL, banks fail. Occasionally it is due to mismanagement, but often it’s just market forces at work. The FDIC in the United States guarantees the first $100,000 in deposits for each customer in any failed bank, and then ensures the easy transition of assets as the failed bank is folded into another bank. After 4,000 years of banking, the financial community still hasn’t figured out how to avoid bank failure—but at least there’s a process for cleaning it up. Cryptocurrency banks appear to fail all the time as well, but there is no depositor guarantee. The associated monies just vanish.

If, IRL, bank failures are inevitable, why would anyone think that it would be different for cryptocurrencies?

Reason 5. Quantum Expiration
Bitcoin and most other cryptocurrencies seem like the bleeding edge of cryptographic technology, but they are actually heavily dependent on asymmetric encryption algorithms that are decades old. And those underlying algorithms are not resistant to quantum computing, should a quantum computer ever be built. Bitcoin private keys are just 256-bit Elliptic Curve Digital Signature Algorithm (ECDSA) keys, so a quantum computer with just a few thousand qubits could, in theory, find every wallet’s private key in the Bitcoin universe. Won’t that be a fun day!

Infrastructure Isn’t Just Technology
The financial community has the largest cybersecurity budgets in the world. And even with regulation, nation-state support, security teams, threat intelligence, and every security inspection device imaginable, they are just barely capable of keeping hackers from stealing all the monies. The CISOs for those companies know that they need more, way more, than just technology to secure a bank.

On the other hand, if you think all you need is technology to defend against bad guys, you shouldn’t be a CISO. But that’s all cryptocurrency is: technology.

Get the latest application threat intelligence from F5 Labs.

 

David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.