Security Expert Roderick Jones: “I Am Personally Worried About the Safety and Security of the American Electoral System”
Roderick Jones is a former member of Scotland Yard’s Special Branch and the founder of the cyber security firm Rubica, a San Francisco-based company that deals with cryptocurrency and blockchain issues.
He talked with Block Tribune in the wake of recent attacks on the ethereum blockchain and increasing concerns about the overall protections afforded data in a world that is removing paper from its record-keeping.
According to Jones, the real issue is not with the underlying technology of ethereum. Rather, those using the ethereum network are not protected from hacks. Additionally, Jones points out that cryptocurrency users must secure themselves more than those operating on the mainstream banking system.
BLOCK TRIBUNE: You’ve stated that the real problem is not the underlying theory and technology behind blockchain. It’s users and their lack of knowledge. Can you dive into that a little bit and explain?
RODERICK JONES: I think there’s two current recent kind of hacks or vulnerabilities that have been exposed that I think come from a similar cultural pool. And so you have the issue with the encrypted applications becoming seemingly insecure after there was a series of tools released on the Internet from the Shadow Brokers (editor: a hacking consortium) and things like that have been stolen from NSA and CIA.
And the reason that kind of freaked people out, they’re like, “Oh, since you’re using encrypted chat apps. I thought I was golden. I thought I was really secure.” But, of course, if you have control of the phone with malware downloaded on it or get control of the device, you have control of that and can see what’s on the screen, then of course you have no security. So I thought that was interesting. And why I thought that was sort of interesting is it is very similar to the cryptocurrencies, because people think rightly that the actual underlying technology behind crypto is unbreakable. I mean, it’s in the name. The kind of blockchain technology means that you can’t replicate bitcoin and other kinds of crypto that run off the blockchain. But that’s not the problem. It’s the fact that this security architecture around the commerce and these currencies work in a system. Trading systems and wallets and things like that. Those necessarily sit on devices, which are then potentially insecure.
Now if you’re talking about cryptocurrency, you should do more cybersecurity, because the downside risk of you losing control of your wallet on your phone through your crypto is absolute. There’s no known way of recovering it. And I was actually looking up if anyone had actually been prosecuted yet for theft of bitcoin or theft of any kind of cryptocurrency. And we couldn’t find anything other than the federal agents that had stolen the money from Silk Road.
BLOCK TRIBUNE: When are we getting to that point where we might be able to identify hackers and then perhaps bring them to justice? Are we years away?
RODERICK JONES: I’ll answer that by saying, “How far are we from being able to prosecute hackers from stealing American dollars?” We’re a long way from that. And a part of that is because the way that cybercrime is investigated or even dealt with is that nothing is co-located. In the physical world, if you commit a murder or a robbery, the criminal investigator and evidence is all in one place. So that’s how all our traditional law enforcement systems work. In cyberspace, all of those things are disparate and the actual perpetrator is probably in a country where we don’t have a treaty or international relationship to do anything to them. But even if we wanted to, the evidence is probably dispersed over numerous different networks. So we know where the victims are. They’re typically in the wealthy West. But everything else is dispersed. So just even in a dollar sense, I think, recovering stolen dollars moved out of bank accounts, we’re a long way from that.
But specifically cryptocurrency, I’ve seen a couple of systems out there that people are trying to start building some of the fraud detection systems that were developed around credit card fraud. Detection where you’re looking for pattern analysis in transactions and things like that. I think there’s some very early attempts to do that in cryptocurrency. I know people are thinking about it, but are a long way away.
BLOCK TRIBUNE: Are companies being pro-active as far as the security standards they should be meeting? I would imagine that your phone rings off the hook after big hacks like this.
RODERICK JONES: That is an interesting question because the cryptocurrency companies are generally new to the game of financial security. So the large financial institutions globally have spent multiple, multiple millions in cybersecurity code over the past 10 years, and in the United States, it is actually designated as critical infrastructure. So they have to do some of these things. The cryptocurrency companies, the ones that are responsible for trading and holding the coins and things, I think they’re moving into it. But they didn’t design with some of those things in mind. So I think it’s a new world for them to figure out what their security looks like. And some of that is physical security. And some of that is online security. So I think it seems like pretty much still the kind of wild west in that sense.
BLOCK TRIBUNE: What do you believe that they should all know at this point?
RODERICK JONES: The price of all these currencies goes up after large attacks where their currencies are used. So the WannaCry attack is a perfect example that all the crypto prices pretty much jumped after that, because people were needing to buy the currency to deal with the ransomware.
Now what we saw is what happened next, which was once that price had gone up, the people that are the most active users of this, or certainly one of the biggest groups of the active users, are cybercriminals. And they then saw the opportunity to target the holders of those currencies because the prices had gone up. And so they are in the environment and were aware of who is holding large stacks of cryptocurrency. And they actually went after them, and I think were quite successful in stealing the personal holdings of quite a few individuals that had decent sizes of sort of cryptocurrency on them. And it was that sense of using malware to get on devices, get on phones, and get on laptops and things like that to attack the infrastructure holding the crypto.
BLOCK TRIBUNE: One of the big concerns that’s been bandied about is that the terrorists will use bitcoin through a network and move funds around. But I recently read something that said they prefer cash. What’s the truth?
RODERICK JONES: The terrorist groups have long, long used alternative remittance systems for financing. That is not news. There’s nothing new about that. There’s systems of terrorist financing that involve just tearing pieces of paper in half and having the promissory notes in one country that is garnered in another. That is a long, long established system. So I think terrorist groups use all kinds of ways to fund their operations and certainly alternative remittance systems, virtual currencies have been long in use in that space.
And it isn’t just cryptocurrency. I was involved in studies 10 years ago that were looking at virtual world currencies. I mean, for people with longer memories, when World of Warcraft gold could be traded on eBay. Guess what? That was used by bad guys as well. So I don’t think that’s a crypto specific issue. I think that’s simply an issue of people engaged in nefarious activity like nefarious payment systems. Or unusual payment systems.
BLOCK TRIBUNE: What security issues keep you up at night?
RODERICK JONES: Right now, I am personally worried about the safety and security of the American electoral system. I think because of the way the United States is set up, the individual states have responsibility for their electoral system. And they are not receiving federal help because, in many cases, they’re rejecting it. Even though the Department of Homeland Security designates the electoral system as critical infrastructure, they are not in receipt of federal funds and help to secure the electoral system. I think it’s very vulnerable. And I think that even suggesting it’s vulnerable damages our essential democracy.
And the fact that this doesn’t seem to be a priority for the current administration and doesn’t seem to be a priority for the current Homeland Security chief really bothers me. Because I think once you affect the integrity of our key feature in this country, which is the electoral system, you’re doing generational damage. Because people stop voting and stop taking that seriously. So I actually am quite concerned by that. And it is a matter of extreme interest to me, how this is sort of front page news all the time. I mean it is, in a slight offbeat way with the Russian hacking stuff. But it’s not like, “Hey, our electoral system needs protecting.”
BLOCK TRIBUNE: You come out of a background at Scotland Yard where you worked in the terrorism field. Do you ever look over your shoulder? Because of the knowledge you possess, do you take extra precautions? Do you do anything to insulate yourself?
RODERICK JONES: Yeah. We do a lot of security around individuals and, obviously, I use that myself as well. But I think also part of my job for a long time has been explaining the difference between imagined and real risk to people. And I think part of the problem of security is if you’ve focused on things that aren’t going to happen or just unlikely events or big macro, say, “I’m worried about a nuclear attack from North Korea,” you’re sort of missing some of the things you should be doing around your own life to keep yourself a little safer.
Actually, that’s an interesting point in that when we’re talking about hacking and transfer of cash out of people’s accounts, I think one of the things we could really do a better job of as a society is if we all keep ourselves secure, that money’s not going to fund evil organizations on the other side of the world. There’s a real effort there that can be made by the citizenry to kind of shut that down. But I think there needs to be a cultural change before that.
BLOCK TRIBUNE: Is there a public enemy number one in hacking, the Osama bin Laden of cryptocurrency?
RODERICK JONES: That’s an excellent question, and I think that speaks to the new nature of the crime. People like global bad guys like that because it kind of makes it real for them. But if you think about bin Laden’s genius, it was to set up a network of operatives. And the network survived, to some degree, without his day-to-day involvement in it and actually metastasized into ISIS. And I think that what we should be concerned about now is that cybercrime and cyber-hacking and further all of the various cyber negative things are the networks.
These networks are becoming more and more powerful. And each individual in these networks might not necessarily know the overall piece of it. That the person doing the crypto hack might not know the person doing the financial transfer from the Cayman Islands, might not know the person taking the money out of ATMs in third party countries. But it’s a network. And I think that’s the real concern here is that these networks are building and becoming more powerful without necessarily there being strong leadership within them. And as we’ve seen, those networks are very robust because they take some serious effort to take them down. And I think that sounds like a more kind of science fiction answer to your question. But I think that’s really what is harder for individuals to get their head around. But I think that’s the real danger, it’s these increasing criminal and global networks that even use the terrorist networks in many cases. And they’re becoming more and more powerful. And they’re hard to take down. We can go and take an individual down. We can’t take down the world.