CryptocurrencyWhat Recent Cryptocurrency Heists Reveal About Blockchain Security

What Recent Cryptocurrency Heists Reveal About Blockchain Security

In early August 2021, blockchain-based platform Poly Network reported a hack in which malicious actors moved an equivalent of $600 million in cryptocurrencies to their private wallets. This hack was the largest ever, after the 2014 hack of a Tokyo-based bitcoin exchange, which led to the theft of the equivalent of $460 million. A few days later, DAO Maker, a decentralized finance (DeFI) crypto platform announced a hack and theft of 2,261 Ethereum (the equivalent of $7 million at the time of the hack).

These heists reveal potential security vulnerabilities in the current system for purchasing and exchange cryptocurrencies despite the general promises of security provided by decentralized cryptocurrencies.

To understand how these cryptocurrency heists occurred, it is crucial to understand how cryptocurrency functions. In particular, how certain organizations provide cryptocurrency conversion services (i.e., converting Bitcoin to Ethereum). Traditionally, forms of currency (often referred to as “fiat” currency when distinguished from cryptocurrencies) are government issued and rely on a centralized banking system to validate money transfers and accounts. Most fiat currencies are not backed by commodities, such as gold, and therefore, have no intrinsic value. Value in fiat currency derives from consumer confidence (and is subject to government manipulation).

Cryptocurrencies, such as Bitcoin or Ethereum, however, are decentralized currencies with no central banking or financial system to validate transactions. Rather, these currencies rely on a network of users to validate transactions and balances. The technology that supports the storing and validating of transactions in a database (essentially a digital ledger) is called blockchain.

Most cryptocurrencies distribute this Blockchain ledger database across its users. The users earn rewards (usually the in the form of cryptocurrency) for hosting the ledger, validating transactions in the blockchain ledger, and solving complex computational math problems.

Cryptocurrency TransferThe lack of centralization creates complexities in converting currencies. Traditional exchange services involving fiat currency are handled by financial institutions who have the capacity to receive one type of currency (i.e., U.S. Dollar) and provide the equivalent amount in a different currency (i.e., the Euro).

Performing a similar instant exchange among cryptocurrencies requires an exchange service to stockpile multiple cryptocurrencies. Of course, this type of exchange service is inherently centralized – and that centralization of decentralized currency creates the security vulnerability that led to the recent string of crypto currency heists.

The attackers targeted the code behind the accounts that convert cryptocurrencies and injected malicious code that made the exchange service believe that the attacker was the intended recipient of the converted cryptocurrency.  The attackers ultimately redirected the currency into their personal wallets.

These recent events do not mean that those interested in holding or trading cryptocurrency should entirely avoid the use of exchanges. No transaction is 100% secure, and users should understand the potential risk involved in exchanging cryptocurrencies or converting fiat currency within the current systems of exchange.

The legal concerns stemming from these incidents mirror those in traditional incidents involving consumer information or fiat funds. However, the potential risk of loss is increased by the fact that cryptocurrency transactions in certain instances are uniquely untraceable and irreversible, meaning that the exchange may not be able to recover the stolen funds. Further compounding the risk is that these crypto exchange services may not have the same financial protections, insurance, or government backing as traditional financial institutions.

These events serve as a reminder that the security provided by decentralized currency may be lost when that currency is funneled through a centralized exchange.

*Attorney advertising: prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Cybersecurity Map of United StatesCISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

CISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

On July 19th, the National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigations (FBI) released a joint cybersecurity advisory pertaining to Chinese state-sponsored threat actors. The advisory warns of potential malicious activity targeting “U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations.”  

In response to this increased threat, CISA suggests organizations, particularly managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions, take the following steps: 

Patch your systems as soon as you can after the release of operating system and application patches.  Updates are often quickly reverse-engineered by threat actors to determine the vulnerability that is being fixed and whether it can be weaponized. 

Employ monitoring and detection technologies give you a 360-degree view of what is happening on your network.  Be sure you can see lateral movement, which may show indicators of compromise, inside-out traffic to malicious hosts, which may indicate command and control communication, and outside-in communication, which could reflect attempts at compromise from external sources.   

Implement strong preventative measures to mitigate or help prevent compromise from occurring.  These include active anti-virus and multi-factor authentication. 

Read the full cybersecurity advisory issued by CISA here. While this alert focuses on businesses that would be potential targets for nation-state threat actors, the advice above is applicable to any business. Following these best practices does not guarantee the prevention of a security incident but can make it substantially more difficult for threat actors to gain a foothold in an organization’s network and systems and can reduce detection time. 

If you suspect any malicious activity in your systems, or would like to speak to an incident response attorney to help improve your organization’s security, Beckage attorneys can be reached 24/7 via our Data Breach Hotline: 844.502.9363 or IR@beckage.com.  

*Attorney advertising: prior results do not guarantee future outcomes. 

United States Department of Homeland Security (DHS) Announces New Grant Plan to Slow Epidemic Spread of Cyber Attacks

United States Department of Homeland Security (DHS) Announces New Grant Plan to Slow Epidemic Spread of Cyber Attacks

Businesses may be able to take a little sigh of relief that some help may be coming to the persistent threat of ransomware attacks.  The DHS announced that significant funds will be provided to a number of public and private sectors to help improve the nation’s protection against data security attacks and other crises.

The Feb. 25 Announcement

On February 25, 2021, DHS announced its funding notice for several different types of cyber preparedness grants worth nearly $1.87 billion.  After noticing a rise in both the number and complexity of cyber threats faced by communities, including targeted ransomware attacks on our infrastructure, hospital, transportation systems, DHS identified five critical priority areas for attention for its fiscal 2021 grant cycle: 1) cybersecurity; 2) soft targets and crowded places; 3) intelligence and information sharing; 4) domestic violent extremism; and 5) emerging threats.  These grant programs provide funding to state, local, tribal/territorial governments, transportation authorities, nonprofit organizations, and the private sector to improve the nation’s readiness in preventing, protecting against, responding to, recovering from terrorist attacks, major disasters, and other emergencies.

The DHS announced several non-competitive grants which are to be awarded to recipients based on several factors:

  • State Homeland Security Program – The State Homeland Security Program provides $415 million to support the implementation of risk-driven, capabilities-based state homeland security strategies to address capability targets;
  • Urban Area Security Initiative – The Urban Area Security Initiative provides $615 million to enhance regional preparedness and capabilities in 31 high-threat, high-density areas; and
  • Emergency Management Performance Grant (“EMPG”) – EMPG provides more than $355 million to assist state, local, tribal, and territorial governments in enhancing and sustaining all-hazards emergency management capabilities; and
  • Intercity Passenger RailAmtrak Program – The Amtrak Program provides $10 million to Amtrak to protect critical surface transportation infrastructure and the traveling public from acts of terrorism and increase the resilience of the Amtrak rail system.

Moreover, the DHS announced several competitive grants, including:

  • Operation Stonegarden – Operation Stongarden provides $90 million to enhance cooperation and coordination among state, local, tribal, territorial, and federal law enforcement agencies to jointly enhance security along the United States land and water borders;
  • Tribal Homeland Security Grant Program – The Tribal Homeland Security Grant Program provides $15 million to eligible tribal nations to implement preparedness initiatives to help strengthen the nation against risk associated with potential terrorist attacks and other hazards;
  • The Nonprofit Security Grant Program – The Nonprofit Security Grant Program provides $180 million to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack;
  • Port Security Grant Program – The Port Security Grant Program provides $100 million to help protect critical port infrastructure from terrorism, enhance maritime domain awareness, improve port-wide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities;
  • Transit Security Grant Program – The Transit Security Grant Program provides $88 million to owners and operators of public transit systems to protect critical surface transportation and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure; and
  • Intercity Bus Security Program – The Intercity Bus Security Program provides $2 million to owners and operators of intercity bus systems to protect surface transportation infrastructure and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Impact on Business

Private sector businesses can apply for these grants, especially if they are in the process of developing and creating cyberwarfare and other data defense tools.  Grant  information can be found here.

Beckage has responded to countless data breaches and is always comforted to see more dollars that foster collaboration between public and private sectors to help defend and protect U.S. business and more.

If you have questions about the grant dollars or how to apply, please contact a Beckage attorney at 716.898.2102.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Data BreachUpcoming National Data Breach Notification Legislation

Upcoming National Data Breach Notification Legislation

Among growing pressure in the wake of the allegedly state-sponsored SolarWinds cyber attack , federal legislators on both sides of the isle have expressed renewed interest in a federal data breach notification law.  Currently, each state has it own data breach notification law governing notice requirements to individuals, state attorneys general, and credit reporting agencies, when personal identifiable information such as names, social security numbers, and credit card information are accessed or acquired as part of data breach.  As a result, data breach response involves a host of competing timelines for business to notify various individuals and organizations.  This can prove to be inconsistent, complex, costly, and time consuming.

In an attempt to streamline the data breach notification process, Representatives Michael McCaul (R-TX-10), ranking member of the House Foreign Affairs Committee, and Jim Langevin (D-RI-2), chair of the House Armed Services Committee’s cybersecurity subcommittee, are drafting a bill which would create a federal mandatory breach notification.  The proposed bill would involve removing sources, methods, and names out of notifications and sending them to the Cybersecurity and Infrastructure Security Agency (“CISA”).  Moreover, the proposed bill will incorporate input from the Cyberspace Solarium Commission, a group established by Congress comprised of lawmakers and other officials with the purpose of developing a strategic approach to our nation’s defense against cyberattacks.  The Cyber Solarium Commission released its first report in March 2020 calling for several government reforms including, but not limited to: issuing an update to our National Cyber Strategy; establishing a permanent House and Senate Committee on Cybersecurity; and strengthening CISA.

Moreover, the proposed bill is expected to be based on, in large part, previously drafted legislation by Rep. Langevin in 2017 entitled “Personal Data Notification and Protection Act of 2017” (“PDNPA”).  See Personal Data Notification and Protection Act of 2017, H.R. H.R.3806, 115 Cong. (2017).  The PDNPA was introduced into the house on September 18, 2017, in the wake of the Equifax breach , but died in committee as political energy began to change focus.

The PDNPA required, in relevant part, that “any business entity engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify…any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.”  See id at § 2(a).

Notice under the PDNPA was to be completed by one of the following methods: i) written notification to the last known home mailing address of the individual in the records of the business entity; ii) telephone notification to the individual personally; iii) e-mail notification, if the individual consented, and if consistent with the 01 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); or if the number of individuals affected exceeded 5,0000 person, notification could have been provided to media “reasonably calculated to reach such individuals”.  See id at § 7. 

Similarly, PDNPA required a business entity who suffered a data breach affecting greater than 5,000 persons to notify credit reporting agencies.  See id at § 6.  PDNPA provided authority to the Federal Trade Commission to enforce penalties; however, it also recognized state attorneys general could, in the interest of the residents of their state, bring civil action against violators imposing fines of $1,000 per day per individual whose personal identifiable information was exposed with a maximum of $1,000,000 per violation, unless the business entity’s conduct was found to be willful or intentional.  See id at §§ 8-9. 

Finally, PDNPA was to supersede all state laws regarding breach notification by a business entity engaged in interstate commerce who suffers a data breach.  See id at § 10.  Whereas PDNPA never was enacted, the proposed legislation will likely closely mirror the above-referenced terms.

The Beckage Incident Response team will continue to monitor any developments regarding a national data breach notification law and will update its guidance accordingly. Our attorneys are nationally recognized for our experience working on data breaches, including some of the most notorious cyber incidents in recent history. If your business is in the midst of navigating the complexities surrounding a recent data breach, our team can be reached anytime via  our 24/7 data breach hotline at 844-502-9363 or by emailing IR@beckage.com.   

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes.

Cyber InsuranceDFS February 2021 Guidance To Cyber Insurers

DFS February 2021 Guidance To Cyber Insurers

On February 4, 2021, the New York State Department of Financial Services (DFS) issued specific guidance to property/casualty insurers writing cyber insurance policies, known as the Cyber Insurance Risk Framework (“Framework”). The DFS promoted itself as the first US regulator in the nation to issue a specific guidance on cyber insurance, explaining the suggestions of the Framework are based on continued dialogue with the insurance industry and experts in cyber insurance regarding the shifting landscape of cybersecurity.

With the Covid-19 pandemic forcing companies to shift to an online workforce, cybercrimes, like ransomware and malware attacks, have drastically increased in frequency, severity, and cost to victimized companies. Cybercriminals use payments extorted from ransomware to fund more frequent and sophisticated ransomware attacks, emboldening them to target other organizations and widen their campaigns. The widespread use of ransomware has pressured cyber insurers to increase rates and tighten underwriting standards for cyber insurance.

The DFS advises New York regulated property/casualty insurers offering cyber insurance to establish a formal strategy for measuring cyber insurance risks that can be approved by a board or a governing entity. The Framework acknowledges that strategies should be proportionate with each insurer’s risk based on the insurer’s size, resources, geographic distribution, market share, and industries insured.  It is important to note the Framework constitutes a list of best practices and suggested approaches and does not yet constitute rules or regulations for the insurance industry.

The Cyber Insurance Risk Framework encourages cyber insurers to formalize a Cyber Insurance Risk Assessment Strategy that is managed by a governing body and establishes and/or formalizes qualitative and quantitative measures and goals for cyber risk that incorporate six best practices identified by DFS:

  1. Manage and Eliminate Exposure to “Silent” Cyber Insurance Risk

Cyber insurers should determine whether they are exposed to silent or non-affirmative cyber insurance risk, an insurer’s obligation to cover cyber incident losses under a policy that does not explicitly mention cyber incidents. The Framework suggests that insurers evaluate their silent risk exposure and take steps to minimize that exposure.

2. Evaluate Systemic Risk

Cyber insurers should conduct regular systemic risk evaluations and plan for potential losses. Increased reliance on third-party vendors has caused systemic risk to grow exponentially and thus, insurers should understand the third parties used by their insureds and model the effect of catastrophic cyber events that may result in simultaneous losses.

3. Rigorously Measure Insured Risk by Using Data

Cyber insurers should use a comprehensive, data-driven approach to assess their insured’s potential gaps and cybersecurity vulnerabilities.

4. Educate Insureds and Insurance Producers

Cyber insurers should educate their insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations of cyber insurance.

5. Obtain Cybersecurity Expertise

Cyber insurers can use strategic recruiting practices to hire employees with cybersecurity experience and invest in their training and development.

6. Require Notice to Law Enforcement

In the event of a cyberattack, cyber insurance policies should require victims notify and engage law enforcement agencies to help recover lost data and funds.

This guidance brings operational and other challenges to those in the property/casualty insurance market. It also adds new potential requirements to pass along to their insureds. For example, insureds may not know that their policy will require notification of law enforcement, and they may have reasons not to notify law enforcement, but if they choose not to it can lead to a coverage dispute.

Beckage advises those in the insurance industry on risk management, cybersecurity best practices and measures, third-party vendor management, and incident response.  Beckage also works with global clients to evaluate risk management, including opportunities to obtain various cyber and tech related coverage. We can be reached 24/7 via our data breach hotline at 844.502.9363 or IR@beckage.com.

Subscribe to our newsletter. 

*Attorney advertising – prior results do not guarantee future outcomes. 

1 2