As crypto and cyber crime increase in complexity and scope, who will make up the next generation of tech-savvy law enforcement officials and government regulators on the front lines to stop it?
NEW YORK — One has to feel for law-enforcement personnel and government regulators in the era of cyber crime and crypto-mania. Cyber thieves stole $6.9 billion in 2021, according to Forbes, and every indication is that 2022 will be worse, no matter what authorities do to prevent it.
Part of the reason is that those responsible for policing cyberspace are often chasing criminals who have more advanced technology and skills, and who love nothing better than devising inventive new ways to steal. As if that weren’t bad enough, dedicated cyber thugs already adept at all forms of internet crime — cyber hacks, ransomware, romance scams, SIM card swaps, extortion, fraud, etc. — have now been gifted with crypto, which not only provides thieves with more ways to commit crimes but also makes them harder to catch.
“If you think about it from the perspective of the cyber criminals, before crypto they had to hack in, steal information, then monetize it, [which often means] hopping it through multiple accounts or cutting in other criminals, introducing risk at every stage,” said Justin Herring, Executive Deputy Superintendent in the Cybersecurity Division of the New York Department of Financial Services. “On the other hand, the monetization chain for crypto is number one, hack in; and number two, take control of the digital asset. There is no number three.”
Crypto crime rising
Herring’s remarks came during a panel on crypto crime at the Thomson Reuters Institute’s recent two-day conference, Manifest Destiny: Risk, Opportunity & Reward Around Digital Currencies. Moderated by Gina Jurva, attorney and manager of market insights and thought leadership content for corporates and government at the Thomson Reuters Institute, the panel, Internal Affairs: Managing Enforcement Actions Around Crypto Crime, explored the many risks that companies operating in the crypto space currently face, as well as efforts by law enforcement and regulators to secure crypto-based financial transactions as these transactions increasingly go mainstream.
On the law enforcement side, for example, the recent enthusiasm for all things crypto has resulted in an exponential uptick in criminal attempts to steal various kinds of virtual assets. According to panelist Elizabeth Roper, Chief of the Cybercrime and Identity Theft Bureau in the New York District Attorney’s office, her office’s tip line has received 45 reports of stolen Non-Fungible Tokens (NFTs) this year, whereas last year they only had one. “Now we have a whole team just working on [NFT theft],” she said.
Cyber and crypto crime has gotten so prevalent, so fast, that Roper warned financial institutions, crypto exchanges, or other online asset providers to be on guard. “You are going to be the target of some kind of cyber-attack,” she said, noting they should expect it, plan for it, “and implement the plan when it does happen.”
Part of that plan should involve developing a relationship with law enforcement before any security breach occurs, she advises, and contacting investigators if and when something does happen. “There can be a real sense of hopelessness when a cyber event happens, and a lot of individuals and businesses feel like there is nothing to be done,” Roper said. However, if the stolen asset is cryptocurrency, “law enforcement actually has a pretty good chance of freezing and ideally recovering those assets.”
On the regulatory side, efforts to adapt traditional anti-money-laundering (AML) and know-your-customer (KYC) protocols into the crypto space are underway, but according to the New York DFS’s Herring, “in many cases that’s going to require tools — such as blockchain analytics — that are different from the tools used in the traditional financial industry.”
Indeed, many of the necessary tools to regulate crypto have yet to be developed, Herring admits, but he said he sees encouraging signs that some in the crypto industry are coming around to the idea that they have a shared responsibility when it comes to protecting their customers’ assets.
Better protection “starts with the right foundation,” Herring explained. “If you have the right system of controls and the right technical tools, you are going to be in a position to see and react to the trends in what criminals are doing.”
The crypto talent wars
Of course, precisely who is going to develop and implement these new regulatory tools is somewhat uncertain, because law enforcement and regulatory agencies are also at a disadvantage when it comes to recruiting tech-savvy analysts and investigators. Tech companies pay significantly more for experienced engineers and coders, Herring and Roper both said, and there isn’t much formal training available. That means people hired by law enforcement and regulatory agencies must be “passionate” about crypto and basically be willing and able to teach themselves.
“If you are interested enough in cyber to read about it in your spare time, then we can work with that,” Herring said, noting that finding such people is a challenge.
In a separate panel discussion, Supply and Demand: Winning the Crypto Talent Wars, panelists explained that engineers who can work in next-generation internet environments such as Web 2.5-3.0 and the Metaverse can basically write their own ticket, yet the talent pipeline coming out of academic institutions is woefully under-equipped.
As a result, organizations looking for next-generation tech talent “are more open to [individuals with] non-traditional backgrounds,” said panelist Adam Posner, of NHP Talent Group — and that includes people without college degrees. “I can’t even tell you the last time I saw a degree required for any of my Web 3.0 companies,” Posner said. “They want to see what you’ve done, how you did it, and what you’re going to do for their organization.” If a candidate has a good foundation of tech skills, he added, many of these companies will put people into a six-week boot camp to “upskill” them — and in many cases, that’s all the education they need to get started.
During his lunchtime keynote speech, however, former Manhattan District Attorney Cyrus Vance Jr. struck a note of caution when he asked conference attendees to step back and ask whether implementing all the ideas under discussion was itself a good idea, considering the massive power shifts, income inequalities, and social upheaval caused by the rise of such tech giants as Facebook and Google.
“Let’s not lose sight of asking the questions,” Vance said, noting that these questions perhaps should have been asked before Mark Zuckerberg, Jeff Bezos, and other tech industrial giants reached “titan” status. “If we knew this was going to be as successful as we think it would be, what rules should we have in place before it becomes so successful that it’s simply too late to ask the questions?” Vance said.