Questions and Answers with Ian Thornton-Trump, Chief Information Security Officer at Cyjax Ltd. and speaker at this year’s Cayman Islands Digital Economy Conference.
Keeping Up With the Cyber Criminals
Cybercrime put a $6.9 billion hole in the US economy last year, according to the FBI’s annual Internet Crime Complaint Centre Report and with widespread hacking events hitting some high profile crypto projects in recent months, the issue of cyber security has not been far from the headlines. Ian Thornton-Trump, CISO at Cyjax UK Ltd, has been watching these developments for years. Ian has over 25-years’ experience in IT security and information technology, having previously served with in the Canadian Forces Military Intelligence Branch, Military Police and RCMP. Ahead of the 5th annual Cayman Islands Digital Economy Conference (CYDEC) in Grand Cayman, where Mr. Thornton-Trump is among the speakers, he discusses some of the key issues dominating the cyber security space from the perspective of the crypto currency industry.
How would you characterise the environment for cyber crime in 2022?
Ian Thornton-Trump: What we are seeing today in cyber, is a situation where traditional bank fraud has been weaponised by cyber criminals, combined with a healthy dose of investment complexity with the financial instruments involved, due to a lack of understanding by some investors. For legitimate crypto currency firms in this environment the biggest issue is their reputation and the volatility in the crypto industry. If a cyber attack is directed at a bank in the UK, for example, then it will not have a negative impact on the value of the pound, but if a cyber attack takes place against a crypto exchange then the impact on the value of its digital tokens will be dramatic. With the vast institutional flows of funds in this area and the sudden destabilisation of some stablecoins we have seen recently, all with the absence of effective regulation, when you mix it all together, you have what I would describe as the richest target environment ever for insiders or malicious actors to exploit.
What I see now is a hyper-awareness problem for crypto investors and essentially a galaxy sized attack area. You can go back to asking to the old question of why do people rob banks? Well of course it’s because that’s where the money was, but it’s not there anymore. It’s all online – and now we see these ransomware attacks, including state sponsored attacks from places like Iran and North Korea targeting holders of cryptocurrency and the exchanges – in fact the entire industry eco-system.
How big is the issue of cyber crime?
Ian Thornton-Trump: The scale of the problem is staggering when you consider that in 2020, the amount defrauded in the crypto space was over $12 billion and in spite of best efforts, some 98% of cases are going unsolved. It’s such a large number and if you think about it, if there had been a $12 billion bank robbery, then you would expect the FBI to break down every door to get it back, but it really is a new frontier.
Cyber criminals don’t do surveys, so to some extent it’s hard to get inside the exact scale of the loss. What we do know, however, is Bitcoin is the currency of choice for large-scale industrial ransomware gangs. Bitcoin has a reputation problem but, you would have to say the US dollar would be the number one choice for drug dealers, so there is a vast amount of criminal use of US dollar, but with crypto there is the reputational issue and it’s very much ‘buyer beware.’
How sophisticated are some of these cyber attacks?
Ian Thornton-Trump: Really, we are seeing both sophisticated and simple attacks and it really does highlight the lack of investor understanding. We’ve all heard about these ‘get rich quick’ schemes and just as some people have made a lot of money from crypto, a lot of people have lost an awfully large amount. Again the level of understanding of the crypto sector is easily exploited when you consider, according to research by Cardify, that regardless of investor experience in the sector, most still have moderate to low levels of cryptocurrency knowledge, which makes them vulnerable to social engineering attacks
Cybercriminals are exploiting weaknesses at the intersection of finance and digitisation. The Wormhole attack, earlier this year, was one of most sophisticated attacks we have seen recently. That saw $326 million stolen from the DeFi platform, after an attacker found a bug in the code where the site was not correctly validating input accounts, allowing the attacker to spoof guardian signatures. We have seen several cases where a weakness in the code has been exploited by different types of highly sophisticated actors.
At the other end of the scale there are these simple ‘double your bitcoin’ scams, where you have people hacking Twitter accounts and impersonating them, promising that if you send them an amount of bitcoin, they will send you back double. Again it’s so indicative of investors being unaware of the risks and when you have exchanges and creators not adopting best practice, you really do have what I call a perfect storm of fraud..
What is important to change from a cybersecurity perspective – and can the industry keep up with how quickly this space is evolving?
Ian Thornton-Trump: One important point to consider is the anonymity in crypto and the fact that there are no real rules about KYC, but it’s something the EU is now talking about and I think we are going to see transformative change. Earlier this year, the Committee of Economic and Monetary Affairs (ECON) and the Committee of Civil Liberties (LIBE) voted to bring forward proposed legislation to remove privacy aspects from crypto transactions. This would mean extending AML requirements that apply to traditional payments of more than EUR1000 to even the smallest crypto payments, requiring the identification of payers and receivers. It’ s important because as things stand, even the correctly intended KYC and AML practices have done little to prevent billions washing through the traditional financial system.
In terms of keeping up with the cyber criminals, it does feel like this giant hosepipe, similar to the post 9/11 fight against terrorism. We really are on a war footing in financial services and the industry is not incentivised to spend the effort educating law enforcement, which is really focused on traditional criminals. Furthermore, the charges being brought by the SEC in this area, for example, are only the tip of the iceberg. What needs to change is that AML teams and cyber teams need to work together and adopt the FEMA model, which I mean requires plans for every kind of threat and be able to scale a response to a security incident – physical or cyber.
CYDEC 2022 – Remodelling the Future
This year’s Cayman Islands Digital Economy Conference ‘Remodelling the Future’, will take place on June 21 at The Westin, Grand Cayman. Ian Thornton-Trump will present a session on “NFTs Just a fad? Or here to stay? A discussion on the future of NFTs and what they mean for the Cayman Islands”. For further information about CYDEC 2022, and to register, visit www.cydec.ky