Pundits have frequently called for a blanket cryptocurrency ban. Early calls for bans were based on Bitcoin's role in financing ISIS, whereas more recent calls point to its role in energy consumption. Even yesterday, prominent voices called for cryptocurrency bans as a solution to the ongoing ransomware crisis in the United States. While a ban is an attractively simple solution at face value, genuine solutions to both of these issues – cryptocurrency regulation and mitigating cyberattacks – require much more careful thought and attention to detail. Upon closer inspection, the proposal to solve ransomware attacks by banning cryptocurrencies is a difficult, if not impossible, measure that would not meaningfully stop cyberattacks on US critical infrastructure.
Consider the proposed ban. First, how will this ban be enforced? Bitcoin is the simple case because its network's miners use extreme amounts of energy, which governments can monitor. But how does the US enforce a ban on proof-of-stake tokens, which do not have the same detectability through mining and can be accessed via VPN? Unfortunately for ban proponents, Bitcoin is not the only cryptocurrency in which cyberattacks are denominated, and criminals can just as easily ask for payments in cryptocurrencies that evade meaningful monitoring.
Second, who will enforce this ban? When check fraud became a serious issue in organized crime, the US took a whole-of-government approach to build enforcement capabilities across different agencies, from the Treasury to the FBI. The US cannot credibly ban cryptocurrencies without this technical knowledge and interdepartmental coordination, which requires genuine planning. The US government is, by constitutional mandate, a slow-moving machine. It is unreasonable to put the cart before the horse and suggest, without the necessary bureaucratic infrastructure, that a ban can be credibly enforced at this time.
Third, how will a US ban matter without similar bans across the world? Proponents of cryptocurrency bans have staunch allies in countries like China, Iran, and Russia, whose bans are more symptomatic of their inability to manage cryptocurrencies without outlawing them. Much of the developed world is instead embracing the real value that cryptocurrencies provide and, in turn, is building robust regulatory frameworks to ensure that value can be achieved without too much risk. South Korea stands as an important counterexample in this argument, where the government has done the hard work of attending to technical details in cryptocurrencies and drafting regulation that balances risk with reward to the domestic economy.
Finally, beyond the difficulty of actually enforcing a ban, it will not solve the ransomware crisis. While a ban may be a short-lived supply-side intervention in the financing that permits those attacks, it is the demand for ransomware attacks that matters to any effort in countering them. We know that an extensive number of cyberattacks – especially those that target critical infrastructure like gas lines and electricity grids – are sponsored by sovereign countries. While it may be convenient to try banning cryptocurrencies, the US does not have the authority to unilaterally ban central bank digital currencies, which are actively under development among a number of our peers who are less opposed to cyber warfare.
More simply, once governments that support these cyberattacks develop their own sovereign digital currencies, the demand for cyberattacks will find a new supply of financing instruments. Rather than trying to solve crime by banning its denomination, US efforts are likely better directed toward identifying and stopping the actors behind attacks, not the denomination of their ransoms, or else we risk playing whack-a-mole in our responses.
Both of these crises, as noted in recent ban proposals, are new versions of familiar collective action problems. We don’t need to look very far back in history to see that unilateral bans – while appealing in their simplicity – are typically ineffective responses to collective action problems that span beyond borders. Rather, to truly manage the issues around both cryptocurrencies and ransomware, we need to do what is difficult, but likelier to succeed: build effective regulation. This is especially true in the case of cryptocurrencies, where we see a variety of non-criminal applications that genuinely improve financial inclusion and address issues in declining cash usage or government appropriation of wealth.
In this respect, while recent ban proponents are correct that lawmakers must get serious about both of these issues, the proposed line of effort is unlikely to solve the problem at hand, and is certain to forgo meaningful economic opportunities in the process. Rather than borrowing policy from an authoritarian peer across the Pacific, and reacting in fear to new challenges, we should instead take the difficult steps of innovating and leading in the new digital economy. While some might think we cannot have both cryptocurrency and peace from cyberattacks, this fortunately reflects more a lack of policy creativity than a harsh reality of tradeoffs.