DarkSide Steps Into the Spotlight, and How Public Policy Is Likely To Change After the Pipeline Hack

May 19, 2021 America replayed the entire 1970s last week with a huge inflation print (4.2% YoY), armed conflict in Israel, and the astonishing sight of cars lined up in response to a gasoline shortage. The latter was a result of a system compromised by the “ransomware as a service” group DarkSide, a group of hackers believed to be based in Russia or a former member of the Soviet Republic, who took hostage the business records of Colonial Pipeline.  The company shut down its pipeline operations out of an abundance of caution before eventually paying the 75 BTC ($5 million at the time) ransom and restarting the pipeline last Wednesday evening. 

There is a long history of cybersecurity incidents in industrial control systems (ICS), beginning in 1903 with the notorious hack of inventor Guglielmo Marconi’s demonstration of secret wireless transmissions. Before the demonstration, the brass projector lantern for Marconi’s slides began clicking in Morse code.  Sounding to the audience like a minor technical difficulty, the transcribed message was a obscene rhyming ditty accusing Marconi of misleading the public. British magician Nevil Maskelyne admitted to the hack in a letter to The Times a few days later.  The sense of cheek and self-aggrandizing public exposition of the hack became de rigeur in the hacking community, which has nonetheless professionalized a data ransom business model that appears quite effective. 

DarkSide and other ransomware groups have been around for years, but usually stop short of taking down critical infrastructure.  For example, DC’s Metropolitan Police are currently dealing with ransomed personnel files.  Reported exploits typically target under-funded and under-protected government entities (e.g., Richmond Community Schools, Pittsburgh Unified School District, City of Racine, etc.).  Commercial targets are not usually that splashy, and have included Travelex, Oman’s largest insurance company, and smaller firms down to individual medical practices. Many larger firms have likely quietly paid to avoid controversy (see this Brian Krebs piece, for example). 

There was an unusually swift consensus among both the “white hat” (ethical hackers operating within the boundaries of the law) and “black hat” (exactly the opposite) communities that DarkSide may have gone a step too far. For its part, DarkSide came to the same conclusion and posted a non-apology promising to better moderate their client requests before acting again, re-iterating their stance as an apolitical group saying, “our goal is to make money, and not creating problems for society.”  The press release was not sufficient to stave off swift consequences. As of Friday, the group had lost access to its own blog and payment server, and most of its funds (113.5 BTC or $5.6 million as of Friday) had been withdrawn to an unknown account. Responsibility for the shutdown has not yet been attributed, but most believe the U.S. government was the primary actor. 

We think the event is likely to serve as a catalyst for two long-simmering areas ripe for advances in public policy:

1. Cybersecurity:  In response to the hack, President Biden issued a sweeping executive order to reform federal contractors’ security practices.  The order removes contractual barriers to cyber incident reporting by government contractors, and then require reporting of incidents by those contractors. The order also creates a commission to investigate major hacks (the first of which will be SolarWinds), directs government cloud users to move towards Zero Trust Architecture, and directs the National Institute of Standards and Technology (NIST) to create additional cybersecurity standards for software supplied to the federal government and develop consumer cybersecurity information labels for software and Internet of Things (IoT) devices.  In addition to the order, federal cybersecurity legislation is under active discussion. Any such bill is likely to include mandatory reporting of cybersecurity incidents to the federal government. 

2. Cryptocurrencies: DarkSide and other online extortionists demand payment in bitcoin (BTC) or other cryptocurrencies.  Cryptocurrency is also used in “dark web” markets to sell illegal drugs, fake ids, and other illicit items.  Although the value of cryptocurrencies is volatile (e.g., BTC is down nearly 20% this week), they are useful for moving very large sums without any of the regulatory touchpoints available in the banking system. Treasury’s Financial Crimes Enforcement Network (FinCEN) has already proposed to lower the threshold for reportable transactions (i.e., the “Travel Rule”) to a level that would ensnare US crypto providers in difficult reporting requirements. We expect Congress and Treasury to make additional noise in the space in light of the Colonial hack. 

We believe real regulatory movement on both fronts are now within the “realm of the possible” given this week’s events and may have unanticipated consequences for technology and financial services companies. 

Capstone will be following these issues closely and helping investors understand the consequences. To keep up with our analysis, contact sales@capstonedc.com.