This is how hackers bring down American companies — why won’t Senators talk about it?

The private sector can’t stop the dark money that serves as the lifeblood of state-backed cybercrime, no matter how much some might want it to

Gary Kalman
New York
Tuesday 08 June 2021 20:14
comments
<p>Cybersecurity Colonial Pipeline</p>

Cybersecurity Colonial Pipeline

On Tuesday morning, a bipartisan group of Senators finally acknowledged what millions of Americans across the east coast already know: we have a national cybersecurity problem. There was just one sticking point — facing a sprawling problem, lawmakers never once addressed the one thing that makes destructive hacks possible.

Joining the Senate Homeland Security Committee was Colonial Pipeline President and CEO Joseph A. Blount, Jr., who thrust his company into the national spotlight this year after agreeing to pay a $4.4 million ransom to Russia-based hackers who seized control of the company’s east coast pipeline network.

That destabilizing attack was the work of a small group of hackers — but state actors like Russia and China are actively exploiting lax American laws that allow foreign entities to move illicit money to even more dangerous hacker groups, all without technically breaking the law. Unfortunately, the Senate’s cybersecurity-focused view of the problem remains too narrow to fully address the problem.

“I don’t trust the government to keep [security] standards up to date,” Republican Sen. Ron Johnson said. “I think this is something best done by the private sector.”

But the private sector alone can’t stop the dark money that serves as the lifeblood of state-backed cybercrime. Every day, bad actors funnel millions of dollars through shell companies whose sole purpose is to launder dirty money — but alarmingly, their impact on international cybercrime was never mentioned at Tuesday’s hearing. These “businesses” don’t really exist: they have no physical location and don’t do any actual work. Instead, they are laundering hundreds of millions of dollars that governments like Russia are using to finance sophisticated cybercrime campaigns.

If the United States wants to address the rising threat of cybercrime and turn off the uncontrolled flow of illicit money through bogus businesses, the Treasury Department needs to use its newfound authority under the US Corporate Transparency Act (CTA) to identify the real owners of anonymous shell companies. That means writing strong rules to guide the Financial Crimes Enforcement Network’s (FinCEN) implementation of the CTA.

My colleague Nate Sibley of the Hudson Institute’s Kleptocracy Initiative notes that, “Experts have sandwiched the United States between [Switzerland and the Cayman Islands] as one of the worst financial secrecy jurisdictions in the world.” The results have been disastrous: last year, Russian government-backed hackers spent eight months infiltrating hundreds of organizations around the world, including multiple branches of the United States government, in what is likely the most damaging cyber-espionage incident in American history.

Much of that cybercrime is funded through that web of anonymous shell companies designed to cloak payments to hacker groups. But thanks to  the CTA, FinCEN now has the authority to require companies to disclose the name of each true, or “beneficial,” owner of most companies formed in the US.

With the Treasury now writing the rules that will determine the scope of FinCEN’s enforcement, it’s more important than ever to get this right. That means taking a broad view of ownership. FinCEN should not narrow the law’s comprehensive definition of ownership or create loopholes that shady actors can exploit. In particular, the rules cannot allow stand-ins or “front” people, such as a lawyer, employee, or other representative who has no relationship with the true owner or owners, to be listed as a company’s beneficial owners.

When cracking down on anonymous shell companies, the devil is in the details. Right now, exemptions to the CTA are carefully written to exclude only very specific types of companies from reporting standards. We should keep it that way. The United Kingdom learned after it exempted certain types of partnerships that seemingly small omissions can open up enormous possibilities for exploitation. The United States must avoid that costly mistake.

But ownership information is only useful to financial regulators and police if we can trust its accuracy. FinCEN needs to also verify the information provided to its new directory of ownership information, such as through automatic crosschecks with existing passport and drivers’ license databases.

Fortunately, there’s no need to reinvent the wheel when it comes to implementing these technologies. FinCEN could, for example, use the same technology that payment processors use to run instant checks on online shoppers’ credit cards. The CTA expressly charges FinCEN with ensuring the information it collects is “highly useful” to law enforcement and others who have access to it. Making that data trustworthy and easily accessible will be critical.

Verifying the accuracy of the information immediately has the additional benefit of making life easier for companies complying with the new rules. Correcting inadvertent mistakes in real time means companies avoid later embarrassment and delays when opening a bank account or applying for a loan or other credit.

US financial regulators can’t address problems they can’t see, and the CTA offers the best opportunity in a generation to shine a disinfecting light on the corrosive impact of anonymous shell companies and masking of beneficial owners. FinCEN has an opportunity to cut off the flow of anonymous money to cybercriminals — but only if they get the rulemaking right.

Gary Kalman leads the US Office of Transparency International

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments