
Lack of U.S. cryptocurrency regulation invites risk

Daniel Allen explains how a lack of U.S. cryptocurrency regulation increases exploitation vulnerabilities, and shares his ideas for implementing regulatory oversight.

The success of cryptocurrency systems like bitcoin has been hindered by the risks that come with investment in these cybercurrency markets. The lack of sanctioned U.S. cryptocurrency regulation leaves cybercurrency vulnerable to exploitation. A further problem is that the unregulated organizations that facilitate cybercurrency transactions lack a compliance structure, which leaves customers with no legal recourse in the event of loss.

There have been legitimate concerns that cybercurrency could pose a serious threat to our current financial system and infrastructure. U.S. Treasury Secretary Steven Mnuchin recently suggested that cryptocurrency "is indeed a national security issue," further stating that the current administration "will not allow digital asset service providers to operate in the shadows."

The Treasury Secretary voiced his concerns about the cryptocurrency Bitcoin by claiming it is "highly volatile and based on thin air." President Donald Trump said recently that cryptocurrency should be subject to all standard banking regulations.

In an attempt to address these concerns, an international forum that includes the U.S., China, South Korea, Japan and Europe has discussed a set of proposed cryptocurrency regulation and compliance guidelines. The measures are designed to mitigate potential issues such as money laundering when cryptocurrency is exchanged.

To start, cybersecurity regulations should require cybercurrency exchanges to share information with one another regarding any malicious or suspicious activity. This real-time information sharing should include alerts about social engineering attempts, phishing or potential pyramid schemes.

There must be some rules or regulations set forth to compensate customers who have been victimized by a cyberattack. Exchanges must be licensed and insured. They should not be able to lawfully claim that they do not have the funds to cover victims' losses.  

All exchanges must also be personally responsible for any loss and must pay back all customers who lost funds in any disappearance of said funds within the company's means. Exchanges are considered prime targets, as exemplified by the Mt. Gox attack where hackers stole bitcoin valued at hundreds of millions of dollars.

The basics of cryptocurrency regulation

Key compliance and regulation issues that would need to be considered for a full conversion to a cybercurrency would likely include:

  • regulation of the creating origin or computer program that is responsible for the algorithms that generate the cybercurrency,
  • strict compliance with cybersecurity regulations designed specifically for each of the cybercurrency exchanges,
  • a clear and concise public education program on exactly what cybercurrency is and how it works, and
  • strictly regulated cybersecurity controls applied to personal computers holding users' personal cybercurrency.

Also, algorithms that generate the cybercurrency should adhere to the five following principles:

  1. Hash value calculations should not be computer processing intensive and should be completed quickly;
  2. It should be impossible to reverse the output value to calculate the input -- the same input will always produce the same output;
  3. Minor changes in input data must produce a significant difference in output;
  4. The output length of the hashing algorithm must be fixed; and
  5. The computer program itself should be strictly safeguarded under very tight security controls to prevent piracy or hacks.
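
The determinism, avalanche and fixed-length principles above can be checked empirically. The following is an added example, not part of the original article: it uses SHA-256 (the hash function used by Bitcoin) from Python's standard library, and the sample message and helper names are constructed for illustration. For a well-behaved 256-bit hash, flipping one input bit should change about half (128) of the output bits.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).digest()

def flip_bit(data, index):
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def changed_bits(a, b):
    """Count the bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche_stats(message):
    """Principle 3: flip each input bit in turn and measure how many of the
    256 output bits change. Returns (min, mean, max)."""
    base = sha256(message)
    diffs = [changed_bits(base, sha256(flip_bit(message, i)))
             for i in range(len(message) * 8)]
    return min(diffs), sum(diffs) / len(diffs), max(diffs)

def is_deterministic(message, rounds=5):
    """Principle 2 (second half): the same input always gives the same output."""
    return len({sha256(message) for _ in range(rounds)}) == 1

def digest_lengths(sizes):
    """Principle 4: output length is fixed regardless of input length."""
    return {n: len(sha256(b"\x00" * n)) for n in sizes}

# Constructed sample input, not real transaction data.
SAMPLE = b"constructed sample: alice pays bob 1.5 coins"

if __name__ == "__main__":
    lo, mean, hi = avalanche_stats(SAMPLE)
    print(f"bits changed per single-bit flip: min={lo} mean={mean:.1f} max={hi}")
    print("deterministic:", is_deterministic(SAMPLE))
    print("digest lengths:", digest_lengths([0, 1, 1000, 100000]))
```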

The consumer's role in cryptocurrency protection

Consumers themselves have a role to play in cryptocurrency protection. It's important for consumers to educate themselves about basic cybersecurity principles such as software updates, antivirus and firewall protections, strong passwords and data backup.

In order for consumers to safely use cryptocurrency, a clear and concise public education program should be made available. Topics covered should include:

  1. How payments are made and finalized, including an understanding that users' personal information is not tied to the transactions. Users must expect transactions to be private and secure, despite the transaction data being public. Concerns over security must be assuaged by explaining that cybercurrency is a digital currency built with cryptographic protocols that make transactions secure and difficult to fake. The public should also understand public and private key security and how it can only be accessed using what is essentially a cryptographic password that only the person knows.
  2. Strictly regulated cybersecurity controls must also be applied to personal computers holding users' personal cybercurrency in order to protect against phishing attacks, Ponzi schemes and ransomware -- all of which are widespread forms of cryptocurrency fraud and theft.
  3. Cybercurrency security is like any form of data protection on your computer. Consumers must be wary while browsing the Internet or clicking on links and email attachments. Google Authenticator can be used by mobile users, because it only uses a single IP in its whitelist and thus should be the VPN used to access these online exchanges.
  4. Exchange selection must be scrutinized, and consumers must be careful to find one that is reputable and secure. For example, repeated technical problems, unusual policies and history of withdrawal difficulties would be characteristics of exchanges to avoid.
  5. It is imperative to create backups that are kept in a secure place to protect from hardware failures and allow the ability to restore cybercurrency in case a PC or telephone falls victim to a breach. Encrypting the cybercurrency wallet and the entire device enables the creation of a password for withdrawals.
  6. Even though passwords and encryption can protect from the dangers of a stolen device, they are not able to stop malware such as key loggers. It is critical to install and keep up-to-date leading antivirus and antimalware programs.
  7. Before creating an account on any exchange, create a new email address used only for that exchange account. Two-factor authentication should be employed, not only for login but for any transaction procedures. Caution should be exercised on social media or forums when mentioning which cryptocurrency exchange or wallet is being used, because hackers use social engineering tactics.
  8. Increase all possible levels of security offered by your cell phone carrier. Add passcodes and PINs, secret questions and enable the "do not port" option for any new SIM card. Avoid storing all cybercurrency in one wallet or exchange. It is better to diversify your risks, because it is very difficult for a thief to steal your money from several wallets at once, especially if different email accounts and passphrases are used for each one of them.
  9. Additionally, keep large sums of cybercurrency in wallets off the Internet (known as a "cold wallet"). The cold wallet works by keeping cybercurrency offline on hard drives or even in a paper, hardcopy format. Employing a "cold wallet" tactic will prevent cyberthreats from reaching your funds, while the hot wallet is connected to the Internet and should only be used for everyday transactions.
  10. Finally, strongly consider using a decentralized exchange as this type of exchange does not store your funds, so nobody can gain access to your money except you.

Consider how far along we have come with the personal computer. The PC started out as a very impractical device but eventually evolved into one of the most useful technological tools ever created. Now imagine the day when cybercurrency becomes an everyday reality. It's certainly possible, but not without some form of U.S. cryptocurrency regulations in place.
