59.7 F
Washington D.C.
Tuesday, May 21, 2024

The Need for Speed to Respond to Ransomware in Tomorrow’s Money System

For those currently living on planet Earth who are not paying attention to trends in macroeconomics, it does not look pretty for the future of global financial transacting – specifically for the return-on-investment of the typical investor’s money in the face of negative interest rates, a trend making its way through global markets. [i] Normally, interest rates – which were typically assumed to be positive – allowed investors to receive some return (regardless of how small) on whatever monies these stakeholders had enough mettle to risk for greater gains. Negative interest rates, however, represent an assured loss, locking this forfeiture in for the lender as soon as the contractual arrangement is made.[ii] In other words, the lender is handing over money to someone with the full knowledge that they (the lender) will be receiving LESS money in the future, and they (the lender, again) presumably approve of this arrangement.

The reader may now be thinking: “What lender would ever agree to this action?” The answer: for one, mortgage lenders who wish to drum up immediate demand for homes sitting idle that would otherwise remain unsold if it were not for contractual terms such as these that ostensibly benefit first-time home buyers of questionable credit worthiness. Based on the way banks view these idle homes (read: liabilities), less interest overall would still produce some profit. This situation would also allow the banks to record the loan as an asset instead of a liability “on their books.” This financial tactic increasingly used by global, central and retail banks to pull in previously unseen demand – to bolster growth in the present – is likely to continue growing.[iii] However, in this article we will focus on the economic activities of lending institutions, the average person, AND the small-to-medium enterprise that might demonstrate more detriments than benefits from negative interest rates, depending on one’s particular financial situation.

Add to the situation outlined in the previous paragraphs the move toward a “cashless society.” This concept is global banking’s ongoing push to capture all assets on telecommunications infrastructure with very few, if any, alternative physical transacting media to be offered including cash (i.e., currency, cash equivalents) or physical wealth preservation such as money (i.e., precious metals).[iv] [v]

When these two aforementioned factors are combined, we get a system where the mediums of transacting we all use to live (hereafter, referred to in totality as currency) are “contained” and cannot be easily withdrawn to ensure against any loss. This containment occurs WHILE the time value of that currency is continually decreased – at the fastest rate ever seen in history during a non-hyperinflationary period – the longer the currency remains unused (read: unspent). (*Note: Only currency, and NOT money, is created using the fractional reserve system in place today and the system toward where we may be evolving.)[vi]

The assumption made by most persons, if they are even aware of this macro-level situation and the implications, is that nothing will keep them from gaining access to their currency, given the ubiquity of banking access points and the evolution of data transmission speeds. One assumption I will make in this missive is within this cashless system, people will try to spend the currency as soon as it is received in their holding/banking accounts to ensure the greatest purchasing power possible.

What does any of this have to do with cybersecurity?

Enter: Ransomware.

Ransomware is a malicious cyber attack against a victim’s data whereby that data are illegally encrypted and will be decrypted only once the victim pays a fee to the perpetrators who have the sole decryption key needed to get the data back to a usable form.[vii] There is normally a deadline associated with the demand for the ransom. Once the deadline is met, the data is ostensibly lost forever if the ransom is not paid.

Formation of a Perfect (Digital) Storm? 

When the (possible) proliferation of ransomware, a cashless society, AND negative interest rates are combined, one plausible outcome, in my opinion, is the following: a situation where one is targeted for a ransomware attack, but one CANNOT:

  1. Move their currency or assets out of the targeted information network system;
  2. Execute transactions because the data is unreadable;
  3. Avoid the loss of purchasing power which diminishes every single second the desired transaction does NOT go through.

Whether due to vocation, avocation, or sheer curiosity, I often scan the Internet for news on malware, ransomware (of course) being a type. The recent explosion of ransomware is exceeded only by the extent this malicious activity is currently projected to grow in the future.[viii] The statistics are not promising for anyone with assets to protect.

As one who tries to remain attuned to cybersecurity issues, I am very concerned with the situation I have illustrated above where asset holders – whether large financial corporations or individuals – appear to be ring-fenced for imminent attack. Add to this the pressure of having assets that have been held by malefactors in abeyance for “too long” being worth much less upon their return due to the extent the currency is being depreciated.[ix]

As I often teach to my college students, problems have solutions, and crises have outcomes.[x] In my humble opinion, this is a crisis, and therefore the situation must be managed to minimize the losses that can be avoided, and not worry about those which cannot. Further, there may be a group of people already working in the financial sector who are quite adept at helping in this regard: Actuaries.[xi]  

Getting Help to Make an Undesirable ‘Business’ Decision

*Note: Before moving on, let me say that I do NOT necessarily condone compliance with demands from purveyors of ransomware, but until it is considered illegal by U.S. law to negotiate with these malefactors, it is up to those individual victims or leaders of victimized enterprises to decide how to respond to these threats. The following simply expands on those possible responses. 

Anecdotally, it is interesting to see how decision-makers of victimized institutions typically appear to consider potential losses from ransomware attacks. It is often in terms of negative effects to operational control over that data they need to further productivity as defined by their respective enterprises’ missions. However, what happens when the data IS the digital representation of one’s currency assets? In other words, an enterprise’s profits or operating expenses transiting networks to be stored as entry in accounts receivable, to service a debt, or to pay for raw inputs. The metrics I have seen often do NOT appear to take into account losses when it is the enterprise’s CURRENCY or MONEY itself which is tied up via ransomware.

To calculate loss, or in this case potential loss, one must first know the value of the asset at risk. In the past I have seen some data and IT assets given valuations by using the following metrics:

  • Value Retained from Cost of Creating the Information Asset
  • Value Retained from Past Maintenance of the Information Asset
  • Value Implied by the Cost of Replacing the Information
  • Value from Providing the Information
  • Value Acquired from the Cost of Protecting the Information
  • Value to Owners
  • Value of Intellectual Property
  • Value to Adversaries
  • Loss of Productivity While Information Assets Are Unavailable
  • Loss of Revenue While Information Assets Are Unavailable

Again, the builders of these metrics assume the data being withheld is that needed for enterprise operations (i.e., inventories, Human Resources documentation, performance evaluations, balance sheets, etc.), and is not THE data representing the “(digital) operating cash” of an enterprise. If “ransomed,” the value of this asset could be expressed easily – when added to the list above – as Loss of Purchasing Power WHILE Digital Representation of Cash is Held in Abeyance. Consequently, how are the managers of a (financial or other) enterprise victimized in such a way supposed to gauge where the “red line” lies that defines the difference between acceptable and unacceptable loses as precious minutes elapse?

To my knowledge, there is no easy answer (right now) to this challenge.

As I alluded to previously, actuaries could assist in making calculations beforehand, which allow those put in the unenviable position of decision-maker of a victimized enterprise to make a fast-enough call that losses of purchasing power (from one’s continually devalued digital currency) are greatly limited. The hope is that an “in-house actuary” could conduct the cost-benefit analysis that would inform leadership of “the exact amount of time” (read: minutes or hours, and NOT days) when trying to mitigate the ransomware hack would be more costly over time than simply complying with demands immediately. Speed is the key.

Perhaps redundancies and greater processing power, in reserve, is enough to ensure the encryption used in such attacks can be broken after enough time. Yet, time is the most merciless adversary of the cybersecurity professional, especially regarding this particular type of hack and within proposed financial system. Again, speed is the key.

In sum:

  1. An enterprise’s leadership can choose to design protocols directing immediate compliance with ransomware demands;
  2. An actuary’s analysis can provide guidance as to how long countermeasures should be given to show a lack of effectiveness before compliance with ransomware demands should occur;
  3. Processing power could be brought to bear against encryption used in this type of hack.

However, regardless of the choice(s) made in response, one thing seems to be clear: the proliferation of the cashless society and negative interest rates coupled with the growth of ransomware attacks necessitates the need for speed in decision-making and processing power at heights rarely seen today. This need for speed will be a REQUIREMENT for the sake of an individual’s financial health, as well as for the profitability and maybe even the long-term existence of a victimized business enterprise depending on the frequency and scale of ransomware attacks against it.

Previously, it was said “a penny unspent was a penny earned.” Thanks to the growth of this type of cybercrime in our evolving financial system, a penny unspent may soon be a penny lost (forever).

[i] Das, Satyajit; Bloomberg.com; The World Better Get Used to Negative Rates; Date of article: 29 March 2019; Accessed at https://www.bloomberg.com/opinion/articles/2019-03-30/why-negative-interest-rates-may-soon-become-the-norm; Date sourced: 2 August 2019.
[ii] Keogh, Bryan; Theconversation.com; ‘Guaranteed to Lose Money’: Welcome to the Bizarro World of Negative Interest Rates; Date of article:  11 July 2019; Accessed at http://theconversation.com/ guaranteed-to- lose-money -welcome-to-the-bizarro-world-of-negative-interest-rates-119994; Date sourced: 2 August 2019.
[iii] Wienberg, Christian; Bloomberg.com; Bankers Stunned as Negative Rates Sweep Across Danish Mortgages; Date of article: 23 May 2019; Accessed at https://www.bloomberg.com/news/articles/2019-05-23/bankers-stunned-as-negative-rates-sweep-across-danish-mortgages; Date sourced: 31 July 2019.
[iv] Pritchard, Justin; Thebalance.com; The Pros and Cons of Moving to a Cashless Society; Date of article: 25 June 2019; Accessed at https://www.thebalance.com/pros-and-cons-of-moving-to-a-cashless-society-4160702; Date sourced: 31 July 2019.
[v] Maloney, Mike; Goldsilver.com; Hidden Secrets of Money (Youtube Video Series); Dates of videos: varies; Accessed at https://www.youtube.com/playlist?list=PLE88E9ICdipidHkTehs1VbFzgwrq1jkUJ; Date sourced: 2 August 2019.
[vi] Ibid.
[vii] Cybersecurity and Infrastructure Security Agency (CISA); U.S. Department of Homeland Security; Ransomware; Date of article: 2 August 2019; Accessed at https://www.us-cert.gov/Ransomware; Date sourced: 2 August 2019.
[viii] Dobran, Bojana; PhoenixNAP; 27 Terrifying Ransomware Statistics & Facts You Need To Read; Date of article: 31 January 2019; Accessed at https://phoenixnap.com/blog/ransomware-statistics-facts; Date sourced: 29 July 2019.
[ix] Zang, Lynette; ITM Trading; What Negative Rate Bonds are Revealing (Youtube Video); Date of video: 31 July 2019; Accessed at https://www.youtube.com/watch?v=BH2pOmz-z9g; Date sourced: 31 July 2019.
[x] In the courses I teach at Johns Hopkins, I demonstrate that the biggest mistake most people make when engaging a cybersecurity issue is NOT deciding whether they are facing a problem or a crisis. For brevity, a problem has solutions which can extinguish the problematic variable(s) with the least amount of negative impact felt. A crisis has negative outcomes which are already cascading and which must be managed. Further, in a crisis there has already been a substantial loss, with the sole job of the affected manager now being to contain the situation to limit further loses. Confusing problems and crises can result in too few or too many resources being deployed with little positive or a disproportionately negative effect on outcomes. I credit Dr. Chris Martenson, of Peak Prosperity, with the introduction of this simple conceptual model used in crisis management.
[xi] Actuary: a person who compiles and analyzes statistics and uses them to calculate insurance risks and premiums.
author avatar
Hector Santiago
Dr. Hector Santiago entered civilian government service after serving in the US Army for almost nine years. Starting his post-military career in 2006, Dr. Santiago has since worked throughout the intelligence community with a specialty in cyber threat analysis and telecommunications infrastructure security. He is currently the lead for Data Analytics Programs at the DHS Intelligence & Analysis Cyber Mission Center.
Hector Santiago
Hector Santiago
Dr. Hector Santiago entered civilian government service after serving in the US Army for almost nine years. Starting his post-military career in 2006, Dr. Santiago has since worked throughout the intelligence community with a specialty in cyber threat analysis and telecommunications infrastructure security. He is currently the lead for Data Analytics Programs at the DHS Intelligence & Analysis Cyber Mission Center.

Related Articles

Latest Articles