EI-ISAC Cybersecurity Spotlight – Cryptocurrency
What it is
Cryptocurrency refers to a form of currency that is only available in a digital format. It relies on cryptographic algorithms to record financial transactions in the absence of a central regulatory or clearing authority. These cryptocurrencies rely on distributed ledger technology to track transactions of the currency, usually through blockchain technology. The cryptography allows for secrecy of who is actually making the transaction. To imagine how this works, think of a shared checkbook that records the serial numbers of every dollar transacted, but (in most cryptocurrencies) masks the names of who did the transacting. Every transaction is recorded and verified by multiple entities and linked to all previous transactions, making it extremely difficult to counterfeit currency.
Depending on who you ask, cryptocurrency may be described as property, security, or a digital asset. Bitcoin (BTC), the first cryptocurrency to see widespread use, emerged in 2009. Today, there are hundreds of alternatives to Bitcoin. Popular alternatives include Litecoin (LTC), Ethereum (ETH), Bitcoin Cash (BCH), and Ripple (XRP). This independence can grant companies and individuals the freedom to transfer funds directly to one another and makes it extremely difficult to trace. Some cryptocurrencies, such as Monero, emphasize anonymity, making those currencies both difficult to track and ideal for cyber threat actors (CTAs) involved in illicit activities. Alternatively, not all cryptocurrency transactions are anonymous, and in some cases identities are revealed through transaction records.
Managing cryptocurrencies relies on public-private key pairs. Like all public-private key pairs, the public key is like a mailbox and the private key is like the key to the mailbox. Anyone can know the mailbox and can submit to it, but only the holder of the private key can retrieve messages, or in this case retrieve the cryptocurrency. If someone has your private key, they have full access to your cryptocurrency. If there is no backup and your private key is lost, then you permanently lose access to the funds.
In cryptocurrencies, the public key is used to form an address, like a bank account number. The private key is used to digitally sign the currency for a transaction. In this way, you can specify an address and digitally sign the currency to validate that you are the owner and wish to send it. This transaction is conducted on an exchange, validated, and then added to the ledger. The references to the currency (i.e., the serial number of each would-be bill) and the private key are maintained in a digital wallet. There are multiple types of wallets: software wallets (stored locally by the owner, typically in an app), web wallets (hosted by a third party), and cold storage wallets (stored offline). Protection of private keys is essential as CTAs often target unsecured wallets and exchanges to steal funds.
Why does it matter
As the use of cryptocurrency increases, election offices are encountering malware designed to steal or mine cryptocurrency, or their systems are infected with ransomware, locking them down until the affected entity pays the ransom, which is payable only via cryptocurrency. Additionally, some state and local governments are exploring the use of cryptocurrency to automate smart cities and some have even begun accepting tax payments in bitcoin. Due to these developments, election offices are increasingly likely to encounter cryptocurrencies in their day-to-day operations.
What you can do
Consult with your legal department prior to accepting or purchasing cryptocurrencies, as laws and regulations may make it difficult for government entities to own cryptocurrency. Even with legal clearance, there are major strategic and security considerations, meaning governments (and individuals) should proceed with caution. Election offices must also be wary of scams as some online tutorials are ploys to steal cryptocurrency. When purchasing cryptocurrency, it is important to consider how to keep it secure. If using a third party, perform a review of the provider to verify that it is reputable. Election offices should never store private keys on a shared network such as those at your organization or other public venues and secure wallets and private keys with additional protections such as unique, complex passwords and multi-factor authentication.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.