I have resisted writing about cryptocurrency heists and ransomware attacks, but the trend is concerning.
Like everyone else I had been reading about the millions that were abstracted – stolen – from crypto exchanges. The most recent example is the equivalent of $600 million from Poly Network, a platform that links multiple digital ledgers. This is a sophisticated coup and an evolution of many light-years over something, say, the Beagle Brothers would be able to pull off. If those dastardly Disney robbers of the 1950s were to steal that much money in $100 bills, that would be about 6,000 kilos. Not exactly something they could even fit in a big bag.
But $600 million in cryptocurrencies is weightless. Stolen amounts of any value can just vanish into thin air. And it's happening all the time.
Some of us may have been victims of simple cyber attacks and have lost cute cat or family pictures, access to social media accounts or even to our hard drives. If that happened to you, you were not alone. Sophos, a security software company, reports that the average ransomware attack recovery costs now well over $1.8 million, most companies that pay the ransom do not recover their data and the majority of attacks are too complex for in-house IT departments to handle. And this is likely just the beginning.
For some time I dismissed, or rather explained, these phenomena as just part of the digital systems we have developed over the decades.
I was taking French philosopher Paul Virilio’s view: “When you invent the ship, you also invent the shipwreck; when you invent the plane you also invent the plane crash." He understood that with each new innovation comes the counterpoint of inevitable failure - a sort of fatalistic meditation on Newton's third law of motion.
It’s easy to see how an accidental shipwreck happens, or a plane crash results from engine failure. However, digital theft is proactive and complex. And, except for the weight differences of the booty, digital and analogue thievery is of similar ilk.
Let’s look back to look forward. Ransomware attacks – the clue is in the name – is about taking something away and return it only when a ransom is paid. Today it’s data or access to systems and information, back in the day it was people.
Kidnapping of people had become a lucrative business in Italy between the late 1960s and early 1990s and one of the most famous cases was the abduction of John Getty in Rome in 1973. He was eventually released, minus one ear, for $2.2 million. It is estimated that 694 people were kidnapped for ransom in that period and that the equivalent of 400 million euros were paid. The digital age allows for more ransom to be demanded from more people: in 2020 alone, some $350 million are estimated to have been paid in ransom – a three-fold increase on the previous year. While it’s dangerous to make predictions, this may signal a direction of things to come.
The largest bank robbery on UK soil occurred in 2006 and the equivalent of $83 million were stolen. This involved guns, disguises, abductions, heavy vehicles and physical violence. The Poly Network theft had none of those hallmarks of a highly choreographed crime. The digital money just, well, vanished.
What’s important to note is that attacks or thefts are becoming more systemic, and therefore more debilitating and expensive: it’s one thing to lock out one person from their email. It is quite another shutting down or compromising a server that affects millions of people. It’s one thing to block access to information and another to shut down health providers or other essential services. Bigger, bolder and more brazen attacks are going to happen.
We’ve identified that trend line in a research document the Dubai Future Foundation has published with Dubai Police. We examined the impacts of a broad and crippling attack on the financial system and list preventive action to minimise fallout, but it is a continuous race.
Data and digital infrastructure are as central to our lives as bridges or hospitals. The big prize in ransomware attacks is affecting the greatest number of people at the most basic core: imagine if supermarket shelves were empty because deliveries are disabled; if sewage plants stopped operating; if electricity distribution stopped; or if navigation and GPS systems were totally disabled.
The harm to us and our ability to live and work would be so great that we would be collectively held hostage. The collective aspect is important: the Great Train Robbery of 1963 was a loss for Royal Mail alone and those directly involved, but that’s it. With digital-everything, we’re in this together and exposed by virtue of using water, food, health care and Google Maps.
There is urgent need for collective or even public effort to countering digital currency theft. Soon we will all have such money – and must improve our ability anticipating and securing against attacks. The baddies no longer have any bags of cash to heft. Their bounty is weightless, but must still carry weight.