A truly non-fiat digital currency to decentralise finance and build solutions using a peer-to-peer network was the idea behind the concept of a cryptocurrency. It emerged after the 2008 financial crisis. While it has been more than a decade since cryptocurrencies have been making news, it is only now do we see governments and regulators take keen interest in having a regulatory framework around them.
Crypto assets are built using blockchain technology, wherein a decentralised ledger keeps records of all the transactions using cryptography in a safe, secure manner with built in integrity, where once a transaction is added to the ledger, it becomes immutable, thus rendering it impossible to any change. It does away with the need of having an intermediary or a central server. While cryptocurrencies pride over the underlying security infrastructure they have been built upon, there is potential scope of security considerations to be applied. Crypto-wallets, exchanges, trading platforms, and other offerings on crypto are built using different technologies with disparate security considerations and the user community is spread across the world using different applications and devices for access and use.
|IMF calls for a global framework on national regulation on crypto 1
Government of India (GOI) had tabled the cryptocurrency bill (The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021) for deliberation and adoption in the winter session of the parliament, but it has now been deferred, a second time after it was earlier tabled for consideration in the budget session of 2020. 2 The bill essentially seeks to create a framework for introducing a central bank digital currency (CBDC) issued by the Reserve Bank of India (RBI) while looking to regulate ‘private’ cryptocurrencies through The Securities and Exchange Board of India (SEBI). 3 Apprehensions around lack of monitoring and regulation was flagged both by the RBI and the Finance Ministry; the main areas of concern - investor protection and awareness which have constantly been reiterated by the government and regulatory bodies. 4 SEBI, RBI and the tax authorities’ powers to scrutinise know your customer (KYC) data of crypto exchanges reflects the government’s cautious approach towards ensuring consumer protection and awareness. 5
With time, we see more and more applications being built on the principles of decentralised ledgers and public interest in them seeing an uptick. Governments are also being forced to look at the possible benefits of having products built using this technology which could create jobs and attract foreign investments. Fintechs and other Indian tech-based startups using this technology are lobbying to get crypto assets a legal backing. While RBI has continuously stressed on the fact that crypto cannot be assigned a currency tag 6 and with SEBI’s likely appointment as the regulator, the government is likely to give cryptocurrency holders a deadline to declare their assets 7 . Crypto exchanges in India have now reached out to the government to formally set rules around crypto assets’ classification and taxation aspects; the ambiguity at present is affecting their growth 8 given that a huge amount of investor money is riding on the success of these crypto exchanges and other blockchain startups.
|Security of crypto assets a bigger concern than volatility and regulations 9
Some concerns around cyber that merits attention:
- Attackers using phishing, social engineering attacks to access personal identifiable information (PII) of customers onboarded on the platforms, spear phishing emails sent out to trading platforms citing bad or no settlement of past transactions and DOS (denial of service) attacks through exploiting vulnerabilities in the networks.
- Endpoint security concerns around hot wallets i.e, accounts where cryptocurrency is held, which are less secure than the blocks within the blockchain networks; cyber concerns would arise with threat actors introducing malware to gain access and siphon away crypto assets.
- Trojans introduced through backdoor channels, allowing attackers to initiate malicious programs to steal and transfer cryptocurrencies resulting in a complete halt to the exchange’s functioning.
- Cyberattacks can cause lengthy downtimes for firms without a proper cyber crisis and resiliency framework, causing a major disruption in operations thereby impacting revenues and public trust.
- Third-party vendors are often required to facilitate blockchain transactions, be it customer facing applications or payment processors, security considerations are often found to be weak leaving them exposed to cyberattacks.
- RBI and other regulatory and statutory bodies have issued guidelines for adhering to cyber hygiene practices, failing which huge penalties are levied for non-compliance.
Crypto exchanges, about 25-30 today in India, are now looking at mergers 10, given only a few exchanges meeting regulatory thresholds would be allowed to operate; cyber issues are likely to rise with cross party system integration and configuration.
Another consideration for these exchanges is the new data privacy law which is likely to kick in this year 11 making it obligatory for intermediaries to have IT systems audits and cyber audits in place covering multiple areas including data protection, data localisation, vulnerability assessments, review of the entire IT infrastructure and the like.
Blockchain applications must consider security at every layer of the technology stack. A cybersecurity strategy and governance framework must be well-defined roping in all stakeholders and assigning responsibilities in the organisation and running awareness campaigns sans hierarchy.
Some security considerations for blockchain applications, such as cryptocurrency, are:
|At least 7,000 people lost more than $80 million in crypto scams between October 2020 and March 2021, a 1000% increase from the previous year 12
- identity and access management (IAM), to ensure only genuine users have access to secure platforms and exchanges.
- threat intelligence and management using anti-phishing, anti-spyware monitoring tools on crypto-wallet interfaces to protect users from clicking on suspicious links.
- within cyber crisis and resilience - business continuity and disaster recovery planning SOPs (standard operating procedure) are to be defined and regular drills conducted to assess the cyber readiness, infrastructure security including cloud to assess maturity of controls.
- crypto exchanges also need to look at test of fair and equitable systems, monitor system resilience and uptime in scenarios of a crash.
- incident reporting and response mechanisms using advanced monitoring and threat correlation tools to have visibility on the entire network including digital assets and applications
Be it a coffee shop, an ATM, or a petrol pump, which may start dealing with crypto in the future, inherent risks exist in a transaction from authentication to settlement, wherein connected systems having weak APIs could be attacked, it thus becomes critical for enterprises to build on consumer awareness initiatives for the entire crypto ecosystem.
Crypto assets replacing traditional ones in their entirety is something for the future but given the use cases and ready solutions with blockchain available today the unprecedented acceptability seen in this tech-space cannot be ignored. Technocrats, retail consumers, and organisations alike are banking on the possibilities of this new age tech where trust and transformation lie at the core. Governments are increasingly reaching out to the tech community for coming up with solutions that could highly improve the efficiency of administration.
Cyber experts must keep vigil and be well updated as organisations continue to further digitise their business plugging in the latest tech; blockchain like any new technology will see increased threats with threat actors devising newer ways to attack, thus, mandating organisations to build a robust cyber posture to prevent and predict cyberattacks.
- IMF Blogs (https://blogs.imf.org/2021/12/09/global-crypto-regulation-should-be-comprehensive-consistent-and-coordinated/)
- The Hindu Businessline (https://www.thehindubusinessline.com/news/national/bills-on-crypto-banking-privatisation-deferred-both-houses-adjourned-sine-die/article38012452.ece)
- The Financial Express (https://www.financialexpress.com/market/sebi-may-get-to-regulate-private-cryptocurrencies/2384074/)
- Outlook news (https://www.outlookindia.com/website/story/business-news-cryptocurrency-a-matter-of-serious-concern-from-macroeconomic-financial-stability-perspective-rbi-chief/400444)
- The Economic Times (https://economictimes.indiatimes.com/tech/technology/crypto-bill-to-give-power-to-sebi-rbi-taxman-to-scrutinise-kyc-data-of-exchanges/articleshow/88130343.cms)
- The Freepress Journal (https://www.freepressjournal.in/business/crypto-not-currency-needs-to-be-regulated-as-asset-ex-rbi-deputy-governor-r-gandhi)
- Livemint (https://www.livemint.com/market/stock-market-news/govt-considers-giving-cryptocurrency-holders-deadline-to-declare-assets-report-11638865621036.html)
- The Economic Times (https://economictimes.indiatimes.com/tech/tech-bytes/startup-grouping-indiatech-writes-to-fm-for-clarity-on-crypto-taxation/articleshow/88756233.cms)
- Bloomberg news (https://www.bloomberg.com/news/articles/2022-01-06/crypto-security-is-biggest-concern-for-institutional-investors)
- The Economic Times (https://economictimes.indiatimes.com/tech/newsletters/morning-dispatch/crypto-consolidation-is-coming-it-minister-on-10b-chip-scheme/articleshow/88308694.cms?from=mdr)
- The Economic Times (https://economictimes.indiatimes.com/tech/technology/data-rules-will-erect-guardrails-for-digital-india-in-2022/articleshow/88655994.cms)
- US FTC Blogs (https://www.ftc.gov/news-events/blogs/data-spotlight/2021/05/cryptocurrency-buzz-drives-record-investment-scam-losses)