Reconciliation of anti-money laundering instruments and European data protection requirements in permissionless blockchain spaces

This article is an attempt to reconcile the requirements of the EU General Data Protection Regulation (GDPR) and anti-money laundering and combat terrorist financing (AML/CFT) instruments used in permissionless ecosystems based on distributed ledger technology (DLT). Usually, analysis is focused only on one of these regulations. Covering by this research the interplay between both regulations reveals their incoherencies in relation to permissionless DLT. The GDPR requirements force permissionless blockchain communities to use anonymization or, at the very least, strong pseudonymization technologies to ensure compliance of data processing with the GDPR. At the same time, instruments of global AML/CFT policy that are presently being implemented in many countries following the recommendations of the Financial Action Task Force, counteract the anonymity-enhanced technologies built into blockchain protocols. Solutions suggested in this article aim to induce the shaping of permissionless DLT-based networks in ways that at the same time would secure the protection of personal data according to the GDPR rules, while also addressing the money laundering and terrorist financing risks created by transactions in anonymous blockchain spaces or those with strong pseudonyms. Searching for new policy instruments is necessary to ensure that governments do not combat the development of all privacy-blockchains so as to enable a high level of privacy protection and GDPR-compliant data processing. This article indicates two AML/CFT tools which may be helpful for shaping privacy-blockchains that can enable the feasibility of such tools. The first tool is exceptional government access to transactional data written on non-transparent ledgers, obfuscated by advanced anonymization cryptography. The tool should be optional for networks as long as another effective AML/CFT measures are accessible for the intermediaries or for the government in relation to a given network. If these other measures are not available and the network does not grant exceptional access, the regulations should allow governments to combat the development of those networks. Effective tools in that scope should target the value of privacy-cryptocurrency, not its users. Such tools could include, as a tool of last resort, state attacks which would undermine the trust of the community in a specific network.

Cooperation amidst competition: cybersecurity partnership in the US financial services sector

ABSTRACT The US Financial Services Sector (FSS) is commonly regarded as one of the most successful in addressing cybersecurity through public–private partnership and as a potential model for less advanced sectors. However, how well the sector has actually fared remains poorly understood. Based on publicly available material and in-depth interviews with those intimately involved in business–government collaboration on cybersecurity in the FSS, we analyze how and why collaboration evolved into its current form. We find that considerable gaps remain, which both reveal limitations in the current policy framework for the FSS and suggest lessons for other critical infrastructure sectors.

Twenty-five years of cyber threats in the news: a study of Swedish newspaper coverage (1995–2019)

This paper explores how cyber threats are represented in Swedish newspapers. The sample comprises 1269 articles from three newspapers (Aftonbladet, Göteborgs-Posten, and Svenska Dagbladet) covering 25 years (1995–2019). The study provides a text-near and detailed analysis of the threats covered. The study analyzes these threats along several dimensions: their modality (e.g. unauthorized access or manipulation); to what extent ambiguous themes (e.g. attack, crime, and warfare) are specified in context; how cyber-threat coverage has changed over time; and the event orientation of the coverage, i.e. whether articles address topical events and, if so, which ones. There are five main findings. First, the Swedish newspaper cybersecurity discourse covers multiple threats; in total, 34 themes (present in at least 4% of articles) have been identified. Second, the representation of cyber threats varies in specificity. While generic themes such as attack and warfare are mostly specified in terms of their modality, they sometimes are not, leaving the representation vague. Third, this study, given its general approach, provides insights into media representations of particular cyber threats. For example, this study finds the meaning of “hacking” in the media to be more diversified and nuanced than previously assumed (e.g. as simply meaning “computer break-in”). Fourth, newspaper coverage of cyber threats has changed over time, in both quantity (i.e. the amount of coverage has increased) and quality, as three general trends have been observed: the state-ification and militarization of threats (i.e. increased attention to, e.g. nations and warfare as threats), the organization-ification of threats (i.e. increased attention to, e.g. government agencies and companies as threats), and the diversification and hyping of threats (i.e. cumulatively more threats are added to the cybersecurity discourse, although attention to particular threats is sometimes restricted in time). Finally, parallel to coverage of particular topical events (e.g. the “I love you” virus), newspaper representations of cyber threats largely exemplify “amplification without the event,” i.e. threats are covered without linking them to topical events, as is otherwise typical of news reports. The findings in relation to previous studies of cybersecurity discourse and the implications for informal learning and threat perception are discussed.

Breaking botnets: A quantitative analysis of individual, technical, isolationist, and multilateral approaches to cybersecurity

Malicious networks of botnets continue to grow in strength as millions of new users and devices connect to the internet each day, many becoming unsuspectingly complicit in cyber-attacks or unwitting accomplices to cybercrimes. Both states and nonstate actors use botnets to surreptitiously control the combined computing power of infected devices to engage in espionage, hacking, and to carry out distributed denial of service attacks to disable internet-connected targets from businesses and banks to power grids and electronic voting systems. Although cybersecurity professionals have established a variety of best practices to fight botnets, many important questions remain concerning why levels of botnet infections differ sharply from country to country, as relatively little empirical testing has been done to establish which policies and approaches to cybersecurity are actually the most effective. Using newly available time-series data on botnets, this article outlines and tests the conventionally held beliefs and cybersecurity strategies at every level—individual, technical, isolationist, and multilateral. This study finds that wealthier countries are more vulnerable than less wealthy countries; that technical solutions, including patching software, preventing spoofing, and securing servers, consistently outperform attempts to educate citizens about cybersecurity; and that countries which favor digital isolation and restrictions on internet freedom are not actually better protected than those who embrace digital freedom and multilateral approaches to cybersecurity. This latter finding is of particular importance as China’s attempts to fundamentally reshape the internet via the “Digital Silk Road” component of the Belt and Road Initiative will actually end up making both China and the world less secure. Due to the interconnected nature of threats in cyberspace, states should instead embrace multilateral, technical solutions to better govern this global common and increase cybersecurity around the world.

Restraint under conditions of uncertainty: Why the United States tolerates cyberattacks

The United States struggles to impose meaningful costs for destructive or disruptive cyber operations. This article argues that the United States' restrained responses stem from a desire to avoid risk in an inherently uncertain operational environment. The societal desire for risk avoidance is the prism through which policymakers address the cyber domain and deliberate responses to attacks. The article shows that two particular operational characteristics of cyberspace—its complex adaptiveness and the ease of proliferation—combine to increase the risk of misattribution and the risk of unintended effects, including collateral damage, inadvertent escalation and blowback. These characteristics present a particular obstacle for risk societies such as the United States in the application of meaningful punishments. In addition to establishing the roots of US restraint, the article traces the application of risk management practices, including preventive action, increasing resilience and consequence management, from the Obama administration to the Trump administration. The analysis reveals that risk management has underpinned the overall US approach to the cyber domain.

Attribution and Knowledge Creation Assemblages in Cybersecurity Politics

Attribution is central to cybersecurity politics. It establishes a link between technical occurrences and political consequences by reducing the uncertainty about who is behind an intrusion and what the likely intent was, ultimately creating cybersecurity “truths” with political consequences. In a critical security studies’ spirit, we purport that the “truth” about cyber-incidents that is established through attribution is constructed through a knowledge creation process that is neither value-free nor purely objective but built on assumptions and choices that make certain outcomes more or less likely. We conceptualize attribution as a knowledge creation process in three phases – incident creation, incident response, and public attribution – and embark on identifying who creates what kind of knowledge in this process, when they do it, and on what kind of assumptions and previous knowledge this is based on. Using assemblage theory as a backdrop, we highlight attribution as happening in complex networks that are never stable but always shifting, assembled, disassembled and reassembled in different contexts, with multiple functionalities. To illustrate, we use the intrusions at the US Office of Personnel Management (OPM) discovered in 2014 and 2015 with a focus on three factors: assumptions about threat actors, entanglement of public and private knowledge creation, and self-reflection about uncertainties. When it comes to attribution as knowledge creation processes, we critique the strong focus on existing enemy images as potentially crowding out knowledge on other threat actors, which in turn shapes the knowledge structure about security in cyberspace. One remedy, so we argue, is to bring in additional data collectors from the academic sector who can provide alternative interpretations based on independent knowledge creation processes.

Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties

We ran a study of bug bounties, programs where gig economy security researchers are compensated for pinpointing and explaining vulnerabilities in company code bases. Bug bounty advocates have argued that they are a cost-effective means for companies of all types to shore up their security posture. Our research—which analyzes a large, proprietary dataset and which leverages instrumental variables to eliminate potential sources of endogeneity—provides empirical support for this assertion. Security researchers have a price elasticity of supply of between 0.1 and 0.2 at the median, indicating that they are largely motivated by non-pecuniary factors; a company is still able to derive utility from bug bounties even if they have a limited ability to pay security researchers. Moreover, a company’s revenue and brand profile do not have an economically significant impact on the number of valid security vulnerabilities reports its program receives. However, we found that companies in the finance, retail, and healthcare sectors are notified of fewer valid vulnerabilities, ceteris paribus, than companies in other sectors, though these estimates are not statistically significant at the 5% level. We also found no evidence that new companies joining the HackerOne platform dampen the number of reports that firms receive. Finally, we find that programs receive fewer valid reports as they grow older and bugs become harder to find. This negative age effect may be dampened if the program increases the code base available for hacking.

Third-party induced cyber incidents—much ado about nothing?

Growing reliance on third-party services, such as cloud computing, is believed to increase client firms’ exposure to third-party induced cyber incidents. However, we lack empirical research on the prevalence and scale of third-party induced cyber incidents. Moreover, we do not know who pays more of the price for experiencing these incidents—the client firm and/or the third-party provider firm. We study these questions using a sample of 1397 cyber incidents in public firms between 2000 and 2020 of which 246 are third-party induced incidents. Our findings offer several novel insights. Third-party induced cyber incidents are not growing in prevalence any faster than other incidents, but they do compromise greater volumes of confidential data per incident. As to the price paid for third-party induced incidents, the picture is more nuanced. Client (first-party) firms suffer drops in equity returns that are comparable to those for homegrown incidents, while small third-party provider firms suffer significantly larger drops in equity returns and large third-party provider firms do not suffer a discernible drop in equity returns. We discuss implications of these findings for client firms and service providers.

User compliance and remediation success after IoT malware notifications

Internet Service Providers (ISPs) are getting involved in remediating Internet of Things (IoT) infections of end users. This endeavor runs into serious usability problems. Given that it is usually unknown what kind of device is infected, they can only provide users with very generic cleanup advice, trying to cover all device types and remediation paths. Does this advice work? To what extent do users comply with the instructions? And does more compliance lead to higher cleanup rates? This study is the first to shed light on these questions. In partnership with an ISP, we designed a randomized control experiment followed up by a user survey. We randomly assigned 177 consumers affected by malware from the Mirai family to three different groups: (i) notified via a walled garden (quarantine network), (ii) notified via email, and (iii) no immediate notification, i.e. a control group. The notification asks the user to take five steps to remediate the infection. We conducted a phone survey with 95 of these customers based on communication–human information processing theory. We model the impact of the treatment, comprehension, and motivation on the compliance rate of each customer, while controlling for differences in demographics and infected device types. We also estimate the extent to which compliance leads to successful cleanup of the infected IoT devices. While only 24% of notified users perform all five remediation steps, 92% of notified users perform at least one action. Compliance increases the probability of successful cleanup by 32%, while the presence of competing malware reduces it by 54%. We provide an empirical basis to shape ISP best practices in the fight against IoT malware.