Category Archives: Network Security

Alleged cover-up leads to criminal complaint against former Uber CSO

In filing its August 20, 2020 criminal complaint against the former Uber CSO, the US Attorney for the Northern District of California issued a wake-up call to every CISO responding to a federal investigation of a data incident.  And, by stating in its press release, “we hope companies stand up and take notice”, the Justice Department has definitely thrown down a gauntlet against CISOs across the country.  

By way of background, Uber sustained a data breach in September of 2014 that was investigated by the FTC in 2016.  Uber designated its CSO – Joseph Sullivan, to provide testimony regarding the incident.  Within ten days of providing testimony to the FTC, Sullivan received word Uber was breached again but rather than update his testimony before the FTC he allegedly tried very hard to conceal the incident from the FTC.  Indeed, Sullivan allegedly went so far as to concoct a bug bounty program cover story and asked the hackers to sign an NDA as a condition of their getting $100,000 in bitcoin.

The Special Agent’s supporting affidavit swears that “there is probable cause to believe that the defendant engaged in a cover-up intended to obstruct the lawful functions and official proceedings of the Federal Trade Commission. . . . It is my belief that SULLIVAN further intended to spare Uber and SULLIVAN negative publicity and loss of users and drivers that would have stemmed from disclosure of the hack and data breach.”

In other words, a CSO allegedly spared his employer “negative publicity and loss of users” by inaccurately describing an incident and failing to disclose it in timely manner.  Even though the alleged conduct of Uber’s former CSO may have pushed the needle into the red zone, there are also potential arguments in his favor.  In coming up with one such counterargument, several Forrester analysts suggest:  “Sullivan did not inform the FTC during the sworn investigative hearing because he couldn’t have:  Sullivan learned of the 2016 breach 10 days later. To inform the FTC, Sullivan would have needed to reach out and inform them about a separate, new, but similar breach. There’s also some confusion as to whether Sullivan was under any legal obligation to do so.”

Whatever happens in this particular case, the fact remains CISOs sometime inadvertently play too close to the edge.  The underpinnings of an incident are whatever they are – no one can or should ever try to morph them into something different.  Good legal and IT counsel will mitigate loss and certain exposures but only with the assistance of CISOs and CSOs who recount events rather than fabricate them.  Not surprisingly given no company is immune to a breach, it’s only the cover-up that will ever hurt and not the incident itself. 

Ransomware Has Officially Become a D&O Problem

On April 30, 2020, ZDNet reported that there have been more than 1,000 SEC filings over the past 12 months listing ransomware as a risk factor – with more than 700 in 2020 alone.  These filings include annual reports (10K and 20F), quarterly reports (10Q), and registration forms (S1). 

Even the most sophisticated technology companies now insert the word “ransomware” into their Risk Factors section. See Alphabet, Inc., Form 10-Q, dated April 28, 2020, at 50  (“The availability of our products and services and fulfillment of our customer contracts depend on the continuing operation of our information technology and communications systems. Our systems are vulnerable to damage, interference, or interruption from terrorist attacks, natural disasters or pandemics (including COVID-19), the effects of climate change (such as sea level rise, drought, flooding, wildfires, and increased storm severity), power loss, telecommunications failures, computer viruses, ransomware attacks, computer denial of service attacks, phishing schemes, or other attempts to harm or access our systems.”).   

As reported by ZDNet, companies as varied as American Airlines, McDonald’s, Tupperware, and Pluralsight also list ransomware as a potential risk to their business. 

By inserting the word “ransomware” into a Risk Factors section, reporting companies may have elevated the relevant standard for companies who do not reference ransomware.  By way of background, in October 2011, the SEC began planting cyber risk disclosure seeds when it issued non-binding disclosure guidance regarding cybersecurity risks and incidents.  Back in 2011, the SEC wrote:  “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” Seven years later, this non-binding guidance became binding.

On February 26, 2018, the SEC issued binding guidance that recognizes:  “Companies face an evolving landscape of cybersecurity threats in which hackers use a complex array of means to perpetrate cyber-attacks, including the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks, and distributed denial-of-service attacks, among other means.”   By expressly listing ransomware two years ago in its Statement, the SEC was making it quite clear that the current threat landscape includes the risk of ransomware and that directors and officers have to address this likely risk.

More to the point, the Statement and Guidance on Public Company Cybersecurity Disclosures instructs “that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.” 

Not surprisingly, the failure to disclose a prior ransomware attack would also be actionable.  See SEC Statement at 14 (“In meeting their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.  For example, if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”).

If ransomware incidents were avoided altogether, however, there would be no liability attached to associated filings no matter what was communicated to the market. Moreover, even when attacks were not avoided, little disclosure risk would exist if the company applied best practices to avoid such an incident and provided an accurate accounting of what took place when an incident did take place. To that end, deploying proactive approaches considered state-of-the-art when dealing with ransomware risk will naturally mitigate against any potential SEC disclosure risk.

For example, there is at least one novel solution that can reduce ransomware attacks by anticipating when a compromised system’s ransomware package will be released and then neutralizing the ransomware threat before any ransomware release actually takes place.  By evaluating and deploying such cutting-edge solutions, companies will be well positioned to neutralize any potential shareholder claims – as well as satisfying the much more important task of protecting corporate data and other digital assets.  Thankfully, “it is never too late to begin importing a more robust security and privacy profile into an organization – which is the only real way to diminish the risk of a ransomware attack.”  As with most successful corporate endeavors, management buy-in will typically be the necessary first step.

Our Current Cyber Pandemic Will Also Subside

On April 17, 2020, it was reported that researchers at Finland’s Arctic Security found “the number of networks experiencing malicious activity was more than double in March in the United States and many European countries compared with January, soon after the virus was first reported in China. ”

Lari Huttunen at Arctic Security astutely pointed out why previously safe networks were now exposed: “In many cases, corporate firewalls and security policies had protected machines that had been infected by viruses or targeted malware . . . . Outside of the office, that protection can fall off sharply, allowing the infected machines to communicate again with the original hackers. “

Tom Kellerman – a cybersecurity thought leader, distills it this way: “There is a digitally historic event occurring in the background of this pandemic, and that is there is a cybercrime pandemic that is occurring.”

While there are certain internal ways of addressing cybersecurity threats arising from a viral pandemic, the exposures now faced by corporations become doubly damaging when the outside resources absolutely necessary to combat active threats are considered off-budget or not a critical enough priority. Smart companies generally survive stressful times by prioritizing with some foresight. Network security during a Cyber Pandemic should be a top priority no matter what size business.

During our Cyber Pandemic, companies recognizing and properly addressing the potential damage caused by threat actors will not only survive minor short-term hits to their bottom line caused by paying outside resources, they will likely be the ones coming on top after both Pandemics subside. There is definitely a light at the end of the tunnel for those willing to take the ride – just continue using trusted vehicles to get you there.

Addressing COVID-19 Cybersecurity Threats

When implementing COVID-19 business continuity plans, companies should take into consideration security threats from cybercriminals looking to exploit fear, uncertainty and doubt – better known as FUD.  Fear can drive a thirst for the latest information and may lead employees to seek online information in a careless fashion – leaving best practices by the wayside.

According to Reinsurance News, there has already been “a surge of coronavirus-related cyber attacks”.  Many phishing attacks “have either claimed to have an attached list of people with the virus or have even asked the victim to make a bitcoin payment for it.” Not all employees are accustomed to the risks from a corporate-wide work from home (WFH) policy given the previous lack of intersection between work and personal computers. 

One cyber security firm released information outlining these WFH risks. And,  another security provider offers a common-sense refresher:  “If you get an email that looks like it is from the WHO (World Health Organization) and you don’t normally get emails from the WHO, you should be cautious.” In addition to recommendations made by security consultants, there are privacy-forward recommendations that will necessarily mitigate against phishing exploits.  For example, WFH employees should be steered towards privacy browsers such as Brave and Firefox to avoid fingerprinting and search engines such as Duckduckgo for private searches.  A comprehensive listing of privacy-forward online tools is found at PrivacyTools.IO.    

Criminals have already exploited the current FUD by creating very convincing COVID-19-related links.   As reported by Brian Krebs, several Russian language cybercrime forums now sell a “digital Coronavirus infection kit” that uses the Hopkins interactive map of real-time infections as part of a Java-based malware deployment scheme. The kit only costs $200 if the buyer has a Java code signing certificate and $700 if the buyer uses the seller’s certificate. 

At a very basic level, WFH employees should be reminded not to click on sources of information other than clean URLs such as CDC.Gov or open unsolicited attachments even if they appear coming from a known associate.  Now that banks, hotels, and health providers are  sending emails alerting their clients of newly-implemented COVID-19 procedures, it is especially easy to succumb to spear phishing exploits – which is the hallmark of state-sponsored groups.  As recently reported, government-backed hacking groups from China, North Korea, and Russia have begun using COVID-19-based phishing lures to infect victims with malware and gain infrastructure access.  These recent attacks primarily targeted users in countries outside the US but there should be little doubt more groups will focus on the US in the coming weeks. Until ramped up testing demonstrates that the COVID-19 risk has passed, companies are well advised to focus some of their security diligence on these targeted attacks.

This does not mean employees need to be fed yet more FUD – this time regarding network security, without some good news. Employees can be reminded of the fact a decade ago we survived another pandemic. Specifically, between April 2009 and April 2010, there were 60.8 million cases, 274,304 hospitalizations, and 12,469 deaths in the United States caused by the Swine Flu. Globally, the Swine Flu infected between 700 million and 1.4 billion people, resulting in 150,000 to 575,000 deaths. Moreover, the young were a vector for Swine Flu yet are not for COVID-19. And, a large band of 25 – 35 year olds are better in two days – hardly a bad cold, for COVID-19 whereas there was no such band for the Swine Flu. On the downside, COVID-19 has a more efficient transmission mechanism than Swine Flu and we are better suited to develop influenza vaccines than we are for coronavirus vaccines.

UPDATE: April 23, 2020

The CDC reports in its latest published statistics there were 802,583 reported cases of COVID-19 and 44,575 associated deaths. Without a doubt, this pandemic is certainly much worse that the Swine Flu pandemic as previously reported by the CDC. Moreover, the current “panic pandemic” certainly shows no indications of subsiding.

Whether the governmental measures taken actually ratcheted up the body count or caused them to diminish is left for historians and clinicians to analyze. The hard fact remains the body count keeps going up and the U.S. economy is still on lock down as of April 23, 2020.

UPDATE: May 1, 2020

On April 30, 2020, it was reported Tonya Ugoretz, deputy Assistant Director of the FBI Cyber Division, stated the FBI’s Internet Crime Complaint Center (IC3) is currently receiving between 3,000 and 4,000 cybersecurity complaints daily – IC3 normally averages 1,000 daily complaints.

UPDATE: May 6, 2020

On May 5, 2020, a joint alert from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre warned of APTs targeting healthcare and essential services.

The alert warned of “ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses.”  This May 5, 2020 alert follows an April 8, 2020 Alert that warned in broader terms of malicious cyber actors exploiting COVID-19.

APTs are conducted by nation-state actors given the level of resources and money needed to launch such an attack.  Moreover, they generally take between eight and nine months to plan and coordinate before launching.  It is particularly disheartening that these recent attacks include those launched by state-backed Chinese hackers known as APT 41.  As one cybersecurity firm points out in a recently-released white paper:  “APT41’s involvement is impossible to deny.” 

Distilled to its essence, the uncovered APT41 attacks mean that before COVID-19 was even on US shores, Chinese state-actors were planning attacks targeting the healthcare and pharmaceutical sectors.  One can only hope the cyberattacks were not coordinated alongside the spread of the virus – a virus that only became public months after a coordinated attack would have been first planned.

Back to School for Ransomware

Even though the first significant uptick in ransomware attacks began over three years ago, a steady increase in frequency and severity has likely now made ransomware exploits the number one security threat faced by most businesses today.  McAfee places the ransomware growth rate for the last quarter at 118%.  Many smaller businesses were previously on notice but chose to ignore the warning signs. Thankfully, after the 2017 ransomware attacks unleashed by the Wannacry strain of Cryptolocker, some companies did address ransomware risk by implementing better employee training while others decided to upgrade legacy software and initiate offsite backups.

Those who did not adequately address this risk, however, are now facing much larger extortion demands.  Also, the risk landscape has changed dramatically over the past several years with  ransomware becoming an equal opportunity attack that will now target local governments as well as dental offices. Indeed, even first grade students are now being impacted by network security intrusions that not too long ago only previously targeted only large universities. 

Despite the recent public trend of paying these extortion demands, the FBI has long advocated not paying a ransom in response to a ransomware attack. Specifically, the FBI has said:  “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Another result of this increase in activity has been an increase in insurance purchased to cover an extortion demand as well as the related expenses incurred during a ransomware attack.  For example, the City of Baltimore may soon approve spending $835,000 for $20 million in coverage but only because it previously sustained a ransomware attack that set it back over $18 million

In fact, some have argued that by having insurance for this exposure the industry itself is actually at the root of increased ransomware activity.  Those in the security industry correctly point out that what drives these actors turns more on quick conversion rates rather than whether an insurer stands behind a victim.  To suggest the insurance industry is the cause of this problem gives threat actors way too much credit while completely ignoring the benefits derived from the cyber insurance underwriting process.

In the same way it is never too late to go back to school, it is never too late to begin importing a more robust security and privacy profile into an organization – which is the only real way to diminish the risk of a ransomware attack.  As suggested in 2016:  “Given the serious threat of ransomware, businesses large and small are reminded to at least do the basics – train staff regarding email and social media policies, implement minimum IT security protocols, regularly backup data, plan for disaster, and regularly test your plans.” 

First GDPR Proposed Fine Comes in at a Whopping $229 Million

On July 8, 2019, the UK’s Information Commissioner’s Office announced its intention to fine British Airways £183.39M ($229,377,293) for data breach infringements of the General Data Protection Regulation (GDPR).  This first publicly-disclosed GDPR penalty amounts to about 1.5% of British Airways’ worldwide turnover– which is still less than the possible maximum penalty of 4%.  Alex Cruz, British Airways chairman and chief executive officer, said in a press release:  “We are surprised and disappointed in this initial finding from the ICO.  British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

According to the ICO, the massive fine was ultimately based on the harvesting of personal data of approximately 500,000 customers only one month after GDPR became enforceable.  The ICO investigation uncovered that “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”

Given that the ICO’s final decision will take into consideration a formal response from British Airways and other data protection authorities, the fine will likely be modified in same way – this is also likely given there were new security procedures implemented by British Airways, there is no present evidence of fraud, and British Airways has already threatened an appeal.

At the time of the attack, British Airways provided very little information regarding how it was accomplished other than to say it impacted website and app bookings from August 21 to September 5, 2018 and that it was the victim of a “sophisticated, malicious criminal attack“.  One security expert posited that malicious code was planted on the website’s payments page using a modified version of the Modernizr JavaScript library.  Others have considered this attack caused by a cross-site scripting exploit.  No matter what the attack vector or exploit, this was clearly the sort of security lapse that has dogged many companies over the years.  To now have a potential $229 million fine waiting on the sidelines can only be considered yet another massive motivation to get one’s security house in order as soon as possible.

UPDATE: July 9, 2019

A day after the British Airways proposed fine, Marriott was hit with a $123 million proposed GDPR fine for a November 2018 breach.

OCR Snags $3 Million HIPAA Settlement For Insecure Web Server

On May 6, 2019, the Office for Civil Rights (OCR) announced that Tennessee-based Touchstone Medical Imaging agreed to pay $3,000,000 and adopt a corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and additional comprehensive policies and procedures applying HIPAA Rules. Touchstone – which provides diagnostic medical imaging services, was notified in May 2014 by the FBI that one of its FTP servers allowed uncontrolled access to protected health information (PHI).  This uncontrolled access “permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”

During OCR’s investigation, Touchstone acknowledged that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach”.  As a result, Touchstone’s notification to individuals affected by the breach was considered untimely.   

Given last year’s summary judgment win by OCR and the facts presented by the Touchstone incident, it is not surprising that this significant settlement – which was one of the largest to date, was reached.  FTP servers have long been a threat vector – even if set up and run properly, so not unlike the clarion calls initiated for encryption and social engineering training, back office IT support should be sophisticated enough to adopt a means of file transfer that applies state of the art security.

Do ICOs have any future?

On February 6, 2018, the Senate Committee on Banking, Housing, and Urban Affairs met in open session to conduct a hearing entitled, Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission.  The Honorable Jay Clayton, Chairman, U.S. Securities and Exchange Commission and The Honorable J. Christopher Giancarlo, Chairman, U.S. Commodity Futures Trading Commission provided lengthy and thoughtful prepared statements.  In his statement, Chairman Clayton explained why the SEC was devoting significant resources to ensure ICO founders do not skirt SEC’s regulatory oversight of security offerings and Chairman Giancarlo reaffirmed that the CFTC will similarly enforce its regulations on commodities.

Their testimony provides helpful insight regarding the enforcement direction these agencies will take in the coming months.  According to Chairman Clayton, in 2017 there was $4 billion raised in ICOs -with an unknown amount being sold in the US.   He was generally “very unhappy with ICOs” and mentioned that the SEC was “working the beat hard” to crack down on them.  Accordingly, ICOs are in the “crosshairs of enforcement” and tellingly he testified that “every ICO [he has] seen is a security” subject to enforcement.  This testimony is consistent with prior SEC pronouncements given that  Chairman Clayton previously requested that the SEC’s Enforcement Division “vigorously” enforce and recommend action against ICOs that may be in violation of the federal securities laws.   During his testimony, Chairman Clayton repeated several times that the SEC would continue to “crack down hard” on fraud and manipulation involving ICOs offering an unregistered security.

According to Chairman Clayton, the definition of a security is broad and will turn on whether someone can profit from efforts going forward by buying the token and then trade it with someone else for further profit.  Both Chairmen recognized that no one agency has any direct oversight of virtual currencies and welcomed efforts from Congress to draft new legislation that would help with their coordination efforts.

In probably the most interesting exchange during their two-hour testimony, Senator Mark Warner of Virginia recognized that the SEC went after certain ICO promoters but not others so directly asked Chairman Clayton whether the SEC “will go back [to scrutinize prior ICOs]?”  Correctly avoiding that question – given it requests insight as to future SEC enforcement efforts, Chairman Clayton instead offered that the SEC is counting on lawyers and accountants to also act as “gatekeepers” for future ICOs.

Chairman Clayton’s testimony came on the heels of the SEC’s Cease and Desist Order in the Munchee, Inc. matter that may have closed the lid on many planned 2018 ICO’s given the stringent standard set forth in that SEC Order.  By way of background, Munchee created an iPhone application for people to review restaurant meals.  In October and November 2017, Munchee offered and then sold purported utility tokens issued on the Ethereum blockchain.  “Munchee conducted the offering of MUN tokens to raise about $15 million in capital so that it could improve its existing app and recruit users to eventually buy advertisements, write reviews, sell food and conduct other transactions using MUN.”  Order at 1.

In deeming the MUN utility token a “security” subject to SEC oversight, the SEC made the following finding of fact in its December 11, 2017 Order:

Purchasers had a reasonable expectation that they would obtain a future profit from buying MUN tokens if Munchee were successful in its entrepreneurial and managerial efforts to develop its business. Purchasers would reasonably believe they could profit by holding or trading MUN tokens, whether or not they ever used the Munchee App or otherwise participated in the MUN “ecosystem,” based on Munchee’s statements in its MUN White Paper and other materials. Munchee primed purchasers’ reasonable expectations of profit through statements on blogs, podcasts, and Facebook that talked about profits.

Order at 5.

There remains hope for future ICOs given that the SEC is certainly not going after them all.  One ICO left untouched by the SEC was “gate keeped” by Perkins Coie and involves an ICO for an Ethereum utility token that raised $35 million in under a minute’s time.   See FAQ (“We and our counsel at Perkins-Coie are confident that the Basic Attention Token is properly classified as property with utility on the platform we are building, and not a security.”).  Given the subsequent Munchee C&D Order, it is unclear why the SEC does not “go back” to this ICO as suggested by Senator Warner.

The founders of Brave Software launched the “Basic Attention Token” in May 2017 seeking to improve on the current digital advertising ecosystem:   “Digital advertising is broken [with] unprecedented levels of malvertisements and privacy violations.”  The BAT token looks to fix this broken system by creating an ecosystem tied to consumer attention – which is why it is called the “Basic Attention Token”.  Such ecosystem would certainly be an upgrade from the current digital advertising scheme based on the Web ecosystem of 1995.  BAT tokens can only derive long term value by way of the Brave® Browser.   As set forth by a marketing blogger, “If Brave isn’t adopted, the new advertising structure won’t work.”

By successfully obtaining registered trademark No. 5,362,328 for BRAVE – a mark used to distinguish Brave Software’s “web browser software”, the founders of the BAT token demonstrate ownership rights in the Brave browser, that they are the source of such product, and that they will be the direct cause of the browser’s success.  In other words, buyers of the BAT ICO would necessarily profit from the efforts of Brave Software, Inc.   On the other hand, there remains utility to the BAT token.  Moreover, a utility token will likely always be at least remotely tied to the efforts of its founders – there is little reason to believe a token left in the wild would hatch into anything of value.  The fact that the SEC has not scrutinized the BAT ICO is actually an encouraging sign the SEC will temper its enforcement actions when faced with a disruptive blockchain initiative that begets true intrinsic value in the token.

State and Private Enforcement of ICO schemes

In addition to existing federal enforcement, state agencies are also cracking down on ICOs.  For example, on January 17, 2018, the Massachusetts Securities Division filed an administrative complaint against a Cayman Islands company given that the company operated out of Massachusetts and its ICO offered for sale “a security without such security being registered or exempt from registration.”  Complaint at 2.

And, to the extent state regulatory oversight may be lacking, states will try and enlarge regulatory reach by enacting new laws.  For example, California introduced a year ago the Virtual Currency Act (A.B. 1123), which would have required those involved in a “virtual currency business” within the state to register with California’s Commissioner of Business Oversight.  Even though this attempt at regulating cryptocurrencies died on January 31, 2018 due to political pressure, it may come back in a different from.    Interestingly, there was a carve out in the bill for any “virtual currency business” when it uses “[d]igital units that are used exclusively as part of a consumer affinity or rewards program”.

Class action counsel has also impacted ICOs by directly suing ICO founders in order to recoup millions for class participants.  One recent case is Davy v. Paragon Coin, Inc., et al., Case No. 18-cv-00671 (N.D. Cal. January 30, 2018).  Plaintiff class counsel sued Paragon based, in part, on the Paragon white paper characterizing its PRG token as potentially increasing in value simply based on the reduction of supply and an increase in demand.  Moreover, the paper suggests that “PRG is designed to appreciate in value as our solutions are adopted throughout the cannabis industry and around the world.”  Id. at 31.  In other words, the efforts of the founders would directly generate a more profitable investment result from the ICO.

Another ICO class action fraud case was filed in Paige v. Bitconnect Intern. PLC, et al., Case No. 3:18-CV-58-JHM (W.D. Ky. January 29, 2018).  The plaintiff’s claim of a Ponzi scheme was so strong it resulted in a TRO from the Court a day after filing suit.  Any future ICO that results in a loss in value to “investors” will likely trigger class counsel to spring into action.

The future of ICOs remains viable

Where does this trifecta of enforcement efforts – federal, state and private, leave ICOs?  If bankers are to believed, there is currently not much “there”, there.   In a report dated February 5, 2018, Goldman Sachs Group Inc.’s global head of investment research suggests that investors in ICOs could possibly lose their entire investments.  Goldman’s Steve Strongin said that while he did not know a timeframe for total losses in existing coins and tokens, he ruminated:  “The high correlation between the different cryptocurrencies worries me. . . Because of the lack of intrinsic value, the currencies that don’t survive will most likely trade to zero.”

Given the disruptive nature of ICOs on the IPO and private equity markets, it is not surprising that the global head of Goldman downplays the future of ICOs – even if he is correct in pointing out  the lack of intrinsic value in most every utility token and coin offered in an ICO.  Notwithstanding current enforcement actions and competition from traditional markets, the future for ICOs should remain viable.  Moving forward, the key to a viable and “compliant” ICO will be whether the ICO is conducted for a utility token having  demonstrated intrinsic value connected to the activities of those other than merely the ICO’s founders.

Blockchain in 2018 and beyond

Buoyed by Bitcoin’s latest price and a steady supply of Initial Coin Offerings (ICOs), the blockchain ecosystem in 2018 resembles the Web ecosystem of 1995 – an ecosystem that eventually disrupted advertising and marketing models by having companies such as Amazon, Google and Facebook outplace traditional retail sales and marketing companies.  This time around, however, the financial levers presently held by banks and related financial services firms will be retooled – as well as the present centralized server model so very important to the same companies who previously benefited from the Web ecosystem, namely Amazon, Google and Facebook.

Speculation vs. Utilization

in September 2017, Bitcoin was famously derided by the financial titan Jamie Dimon as “a fraud”.  The JPMorgan CEO went so far as to say he would fire anyone on his trading team who bought Bitcoin.  His gratuitous digs at Bitcoin did not temper the rise of Bitcoin and became noteworthy – and a likely source of friction with his traders, because the Bitcoin cryptocurrency went on to increase in value over three-fold a mere 1Q after Dimon’s public derision.   As of December 31, 2017, Bitcoin sits at a price of near $14,000 whereas when Mr. Dimon’s bold pronouncements were made Bitcoin “only” had a price of $4,115.

Similarly, another banker – Vitor Constancio, the vice president of the European Central Bank, said in July 2017 that Bitcoin “is not a currency but a mere instrument of speculation” – comparing it to tulip bulbs during the 17th century trading bubble in the Netherlands.

In the same way that the World Wide Web was never defined solely by Pets.com, the benefits of blockchain technology should never be defined solely by the latest price of Bitcoin.  Even Mr. Dimon acknowledges as much given during his tirade against the speculative nature of Bitcoin he also said he supported blockchain technology for tracking payments.

By way of background, a blockchain is nothing more than an expandable list of records, called blocks, which are linked and secured using cryptography, namely cryptographic hashes that point to each prior block and result in an unbreakable “chain” of hashes surrounding the blocks.  More accurately referred to as a distributed ledger of accounts, a blockchain ecosystem will disrupt more than one industry beginning in 2018.

The inevitable changes that will occur in 2018 spring from several unique attributes of the blockchain ecosystem.  First, because a blockchain ledger is distributed it takes advantage of the vast amount of compute power available in most every computer device.  Similar to how the Mirai botnet distributed denial of service (DDos) attack became the largest DDoS attack by simply using unsecured IoT access, blockchain technology harnesses secure unused compute power in powerful and productive new ways.  Our new IoT ecosystem – which itself is an outgrowth of the Web ecosystem, will only feed into that result.

Secondly, blockchain ledger transactions are the closest thing to an immutable form of transaction accounting we have given the transactions have been verified and cannot be changed once written to the blockchain without evidence of obvious tampering – which was always the reason Bitcoin derived any actual intrinsic value.  In other words, the promise of blockchain coupled with pure speculation has solely driven Bitcoin pricing.  By buying Bitcoin and other cybercurrencies, it is almost as if people were given a chance to turn back the clock and bet on the Web ecosystem in 1995.  Without usage for its intended purpose, namely being a trusted and immutable listing of Bitcoin transactions, Bitcoin would most certainly go to the zero valuation postulated by Morgan Stanley.  The logic is pretty straight forward – without an actual intrinsic store of value, there is no actual intrinsic store of value.  And, without some sort of intrinsic store of value there is no reason to consider Bitcoin an asset.  Accordingly, unless utilized by choice or forced to be used by a government, speculation will never be a sustainable impetus for the pricing of Bitcoin – or any other cryptocurrency for that matter.  Without utilization, tokens/app coins/cryptocurrencies will all die on the vine given external utilization will always be needed to create a store of value.

Utilization by way of Smart Contracts

Disregarding the unlikely scenario of governmental adoption, the future of any blockchain/cryptocurrency ecosystem necessarily ties directly to utilization.  Even though there are several protocols with smart contracts amendable to utilization, there is only one founded by a visionary who understands the issue of scalability and why scalability is the sine qua non of a successful blockchain ecosystem – in the same way a non-scalable Web ecosystem was always a non-starter.  An early December 2017 presentation given by that visionary – Vitalik Buterin,  talks to scalability as being the most important new initiative of Ethereum going forward in 2018.   Mr. Buterin – who will likely take the blockchain ecosystem where Gates took the PC ecosystem and Bezos took the Web ecosystem, suggests that “sharding” using a Validator Manager Contract –  a construct that maintains an internal proof of stake claim using random validators, will eventually solve the problem of scalability.  Simply put, not all blocks/shards will need to be placed under the main chain.  This is a natural evolutionary progression given as it stands now everyone seeking an Ethereum wallet needs to download Ethereum’s entire trove of over four million blocks – hardly a scalable solution for the many app tokens or coins running the Ethereum protocol.  Moreover, each Ethereum block currently also takes about 14.70 seconds to promulgateIn 2014, Buterin anticipated the feasibility of a 12 second block time so has certainly been moving in the right direction.  Given security and propagation issues, work on this remains in the infancy stage with a great deal of work necessary in 2018.  Nevertheless, in 2018 and beyond, smart contracts such as those available under Ethereum will allow for the utilization necessary for the blockchain ecosystem to thrive.

Adoption by financial markets and the Ripple Effect

Ripple/XRP surged at the very end of 2017 and quickly became a rumored stealth initiative by the regulated banking industry to combat unregulated cryptocurrencies.  Ripple promises “end-to-end tracking and certainty” for those banks using its RippleNet closed-loop network.  More than anything, this initiative demonstrates that unregulated ICOs and unregulated “currencies” may have spooked the world’s financial markets sufficiently to justify taking sides by investing in a Ripple contender – a “blockchain-like” service seeking to displace existing cryptocurrency mindshare.  Indeed, Ripple just replaced ETH/Ethereum as the second largest market cap cryptocurrency.   Even though only three financial institutions are listed as investors, that does not mean other financial institutions would not want to prop up use of this “currency” on the open market – the list of “advisory board members” is telling in that regard.  This bank-sponsored cryptocurrency certainly looks like it has more legs than most given there exists budding utilization – banks are currently already using the RippleNet network, coupled with massive speculation given its ballooning market cap.

In 2018, acceptance of blockchain technology by the financial industry will be indelible proof those mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry or even the server sector represented by the likes of Google – who has invested in Ripple.  More than likely, upcoming technology developments under the Ethereum protocol will beget future tokens with smarter utilization and even greater potential upside than either Bitcoin or Ripple.  In other words, the blockchain ecosystem in 2018 will be no different than the Web ecosystem as it existed in 1995.

Will Equifax be a boon for the security industry?

According to a statement issued on September 15, 2017, Equifax, noticed “suspicious activity on July 30, 2017” and “took offline the affected web application that day.”  The impacted web application was a web application supporting framework, Apache Struts, ultimately used to create java-based web applications.  After patching, Equifax brought the application back online.

Equifax claims it first became aware of the vulnerability sometime in May 2017.

By way of background, this vulnerability was widely disclosed on March 13, 2017.  At that time, both the United States Computer Readiness Team and NIST issued “high vulnerability” warnings.  More importantly, Apache actually released its open source Struts 2.5.10 General Availability release that fixed this vulnerability a month earlier on February 3, 2017.

All of this is significant given that many mid-sized and large enterprises run Open Source Software (OSS) products and unless they hire staff or retain an outside vendor specifically tasked with tracking security announcements of their deployed software products – including any OSS web-facing tools, these products will likely not be promptly patched and scenarios like what befell Equifax will continue.  In other words, what happened to Equifax can very easily happen again to any number of large enterprises.  There are ways to mitigate this risk that may likely prove a boon to the security industry.

In addition to relying on a battle-tested CIO, CISO, and IT team, there are numerous ways companies can mitigate against an Equifax sort of incident from knocking on their boardroom door.

For example,  companies can hire inside staff or an outside vendor who considers patch management not merely a compliance check off item; evaluate how OSS is deployed and confirm who has final responsibility for patching known vulnerabilities; deploy tools to scan source code on an application level; and most important of all – trade up security priorities from being compliance driven in favor of a proactive security risk management approach that takes into account the type and amount of sensitive data processed,  maintained, and transferred.  There are many other ways of mitigating an Equifax risk but the above approach tends to be the one that best follows a cost-effective 80/20 approach that also satisfies regulators.  Information security funds can also be wisely spent deploying a kill chain approach that  actually works given it deliberately considers the evolutionary nature of security threats.

And finally, be mindful that when going out to market for new technical vendors, firm size has little correlation to the beneficial capabilities of the vendor.   Some smaller security vendors have the capacity to deploy unique skills and tools unavailable to larger vendors – that has always been a little known secret of the security industry.  The most effective players in this industry prefer working in small packs so it is no surprise vendors employing them often lose them within the first year after getting gobbled up by a larger vendor.

Update:  July 23, 2019

On July 22, 2019, Equifax entered into a global regulatory settlement that is valued “at least $575 million, and potentially up to $700 million.”