On 19 July, a group of hackers stole USD 85mn in cryptocurrency – for safekeeping. The White Hat Group, which had helped counter a similar hack the previous summer, temporarily moved the funds out of vulnerable wallets holding Ether, the native currency of the Ethereum smart contract platform, a more programmable alternative to Bitcoin. The group held the deposits until the flaw in the widely used multisig (multiple-signature) wallet contract, which attackers had exploited earlier that day to steal USD 32mn, had been fixed, and then returned the funds to their owners.
The incident was a standout episode in a summer of cyber security breaches, following the WannaCry ransomware outbreak in May and the NotPetya attack that crippled Ukrainian businesses and infrastructure in June. These attacks also highlighted growing acceptance of “white hat” ethical hackers, who aim to find and report vulnerabilities before their “black hat” counterparts can exploit them. White hat hackers still work in ambiguous legal environments, without clear protection under the law: in August US authorities arrested Marcus Hutchins, the UK researcher who registered the kill-switch domain that halted the spread of WannaCry, on charges of creating and distributing Kronos, a banking trojan, in 2014 and 2015. Mr Hutchins had been attending the annual DefCon hacking conference in Las Vegas and was arrested as he prepared to fly home.
DefCon also gives government officials and private sector actors an opportunity to learn from the white hat community and improve their resilience to attacks. Its hands-on “villages” let attendees practise on a range of targets, including data systems, voting machines, and internet of things (IoT) devices. IoT attacks are potentially life-threatening, since the devices involved range from cars to public infrastructure to personal medical devices.
Both private and public sector bodies now run regular “bug bounty” programmes, in which hackers test systems for rewards that vary with the severity and originality of their findings. These can be a cost-effective complement to hiring security consultants to audit systems. In 2016, the US Department of Defense’s “Hack the Pentagon” pilot received its first valid vulnerability report within 15 minutes of opening and paid a collective USD 75,000 to the white hats who found the bugs. Separately, the Internet Bug Bounty (IBB) rewards security researchers for finding vulnerabilities in open source software and core components of the internet; its prizes are funded by sponsors including Facebook and the Ford Foundation. These researchers are expected to gain influence over the next decade, buttressing defences both as formal corporate consultants and as freelancing professionals.
Bug bounty programmes in the public and private sectors show that digital vulnerability is universal, even under stringent controls. This presents both a liability and an opportunity for insurers, who must secure their customers’ data but can also expand coverage for clients concerned about security breaches. Let’s hope they’ve retained their own white hats.