The cryptocurrency industry is both beloved and feared for being the so-called Wild West of finance.
Beloved because of minimal regulation and at least a measure of anonymity. Feared because of minimal protection. There is no Federal Reserve to set a value, no FDIC to guarantee at least a portion of what you have stored in your digital wallet. And no reimbursement if your cryptocurrency exchange or wallet gets hacked.
But all that may come to an end a lot faster than it took to settle, and govern, the American West. A number of countries worldwide are looking at imposing new regulation, or tightening existing regulation, on cryptocurrency exchanges. And the United States is among them.
Not that the exchanges are entirely free of oversight now. The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) both investigate and prosecute alleged fraud, theft, and other crimes. There are various state standards in place as well. And Sen. Chuck Grassley (R-IA) proposed a bill last year titled the Combatting Money Laundering, Terrorist Financing, and Counterfeiting Act that would target virtual currencies.
But there is not, as was made clear in a congressional subcommittee hearing earlier this month, a comprehensive framework of regulation, as there is for the conventional financial system.
As Motherboard reported, early in the hearing Rep. David Scott (D-GA) reminded fellow members of the Subcommittee on Capital Markets, Securities, and Investment that the heads of both the SEC and CFTC have said that there is no federal regulatory framework for cryptocurrency markets, which they think should be regulated in much the same way as conventional financial markets.
SEC Chairman Jay Clayton has said in the past that cryptocurrency markets offer “new opportunities,” but he has also issued multiple warnings to investors of the dangers of cryptocurrency fraud and initial coin offerings (ICOs) that he has said were scams in many cases.
Hence the Wild West images. Fortunes have been made and lost—or stolen. Bitcoin, the best-known and biggest of more than 1,500 cryptocurrencies, rocketed from a value of less than $1,000 at the start of 2017 to nearly $20,000—and then back to $7,500 this past week.
Great if you got in early. Not so great if you bought during the bubble.
Not to mention cyber bandits who have hacked exchanges and made off with hundreds of millions—$500 million in digital tokens in the recent hack of the Japanese exchange Coincheck, plus the infamous theft from the Mt. Gox exchange, also Japan based, which in 2014 “lost” 650,000 Bitcoin worth about $400 million.
As Naked Security blogger Paul Ducklin put it more than 3 years ago, since cryptocurrency is not conventional currency, “generally speaking, it’s not covered by any of the laws relating to currency trading, brokerage, banking and so on.
“In other words, if the company to which you entrusted your precious Bitcoins suddenly tells you, ‘So sorry, they seem to have vanished,’ then, well, that’s that: you’re out of luck.”
That is among the things lawmakers say they want to fix, through compulsory standards for cyber security, on behalf of their constituents. Of course, there is also their intense desire to make sure the government gets its share (in taxes) of whatever investment profits people make. An anonymous financial system makes that difficult.
Which is a major reason the Internal Revenue Service (IRS) sued Coinbase—the largest U.S. digital currency exchange—in late 2016, seeking transaction data to track potential tax cheats.
The agency won a court order last November ordering Coinbase to comply, and the exchange sent notices to about 13,000 customers who had conducted transactions collectively worth $20,000 or more per year from 2013 to 2015.
Ironically enough, Coinbase chief legal and risk officer Mike Lempres was a member of the panel at the subcommittee hearing.
Still, it doesn’t appear that any comprehensive regulatory framework is imminent. Neither of the offices of subcommittee Chairman Bill Huizenga (R-MI) or Democratic Ranking Member Carolyn Maloney (D-NY) responded to calls and emails seeking comment on the progress and substance of any framework.
But based on the testimony, what cyber security regulations do exist are uneven and localized. Lempres was asked if Coinbase was required to comply with any federal cyber security standards, such as the Graham-Leach-Bliley Act, which applies to conventional financial institutions.
Lempres said no but added that Coinbase does comply with a New York state law called BitLicense.
But BitLicense is generally disliked so intensely by cryptocurrency startups that Ron Kim, a New York assemblyman, has proposed legislation that he says will make it less onerous for startups while still protecting consumers.
The cyber security components, meanwhile, get mixed reviews from experts, who say the law doesn’t set a very high security bar.
“I’m not too impressed,” said Stark Riedesel, senior consultant with the Synopsys Software Integrity Group (SIG). “It does seem like a bare minimum, though I’m not sure what to expect coming from a state law.”
He pointed to a part of the law that requires exchanges to audit the security of their software, but the section that requires penetration testing doesn’t say it has to be done by an external auditor.
“Coinbase sees $580 million of monthly volume,” he said. “This is well within the realm of ‘needs external auditing.’ Unfortunately this is a one-size-fits-all policy that is intended to apply to any company that accepts digital currency for payment.”
Steve Giguere, sales engineer with Synopsys SIG, said the need to make software security more rigorous by any means, regulatory or otherwise, is obvious.
“Cryptocurrency technologies, be that the currency itself, the digital exchanges, or the online services like hot wallets, are playing with fire,” he said. “The fact that Coincheck wasn’t regulated by something like BitLicense is a reason but not an excuse for it being hacked.”
Giguere said he is certain that the exchanges, even those that are unregulated, are doing some form of cyber security and risk mitigation, “but it’s proven time and time again that without accountability for what that means, in many cases it is insufficient to the point of negligence, given the extremely high value of the target for hackers.”
He said a good thing about BitLicense is that it does have an accountability component “in the form of regular reporting to a governing committee or board of directors by the CISO, to show that the policies and processes for a good cyber security program are in effect and are regularly reviewed.”
Another encouraging sign, he said, is that the catastrophic breaches of Japan-based exchanges have prompted the exchanges to form their own self-regulatory body.
That, he said, could happen in the United States as well. There are numerous templates for improving cyber security, including the BSIMM (Building Security In Maturity Model), which lets organizations in various industries compare their own software security initiatives with what others in the same field are doing.
No government regulatory framework is likely to require more than the basics of cyber security. But as experts in the field have been saying for decades, the basics are way better than nothing.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.