As the price of bitcoin and other crypto tokens has tumbled, even criminals have felt the pinch.
The number of ransomware attacks fell 20% sequentially in the second quarter.
The crypto crash, which has wiped out about $2 trillion in value and upended a once-fast-growing industry, has an unexpected twist: Even criminals are feeling the pinch.
Ransomware attacks have dropped sharply this year as perpetrators grapple with an economic downturn, the Ukraine war and the dramatic plunge in the prices of cryptocurrencies they’ve been routinely using to commit crimes.
“There is never any single reason why anything happens in cybersecurity [but] in this case, the thought that volatility in the crypto markets is a contributor to the drop in ransomware attacks makes sense,” said James Lee, chief operating officer of the Identity Theft Resource Center.
The number of ransomware attacks fell 20% sequentially in the second quarter, the first quarter-on-quarter drop since the ITRC began tracking ransomware attacks in 2018, the nonprofit organization said.
It’s not just the drop in the value of crypto. Enforcement efforts are having some impact, according to SonicWall, which recorded 236 million ransomware attempts globally in the first half of 2022. That’s down 23% year-over-year. On top of falling prices, “increased government and law-enforcement focus impacted both who cybercriminals chose to attack and how well they were capable of carrying out those attacks,” SonicWall said.
Ransomware had become such a big problem that the Biden administration last year urged U.S. businesses to focus more on securing their networks. Crypto’s rise has made curbing the attacks more challenging. Lee said that, since 2018, cryptocurrencies have been “the preferred method of monetizing ransomware attacks because of the difficulty in clawing back funds and the — up to recently — ever-increasing value of the coins.”
Last year, the Justice Department recovered $2.3 million in bitcoin ransom paid to DarkSide, the criminal group that hacked Colonial Pipeline. The DOJ subsequently announced the creation of a crypto enforcement team to go after criminal actors using cryptocurrencies.
Besides the drop in attacks, there are other signs of declining interest in laundering ransomware proceeds through crypto networks. Kenneth Goodwin, director of regulatory and institutional affairs at Blockchain Intelligence Group, said the crypto compliance and forensics company has recorded a decline in mixers typically used to obfuscate blockchain transactions, especially in illicit transactions.
It’s important to note that accumulating cryptocurrency itself is “not the end goal” of ransomware perpetrators, said Mark Manglicmot, senior vice president of security services at Arctic Wolf. After the victim pays the ransom, the criminals typically seek to convert it to fiat.
That becomes trickier “with fewer outlets for disposing of cryptocurrencies due to bankruptcies and reduction in crypto value,” Lee said. “It makes sense cybercriminals would look for other ways to make money that involve less risk.”
Price volatility clearly poses a problem for ransomware criminals, said Alma Angotti, a partner at Guidehouse. “They could just ask for more bitcoin, right?” she told Protocol. “They could just ask for 20 bitcoin instead of 10 or whatever. But if the price is gonna drop even further after they get it, that’s probably a factor.”
The crypto slump is definitely not the only factor, Angotti said.
Many companies have also balked at paying up in ransomware attacks “because their insurance companies may not cover it,” she said, or they could get charged for violating the law.
“You could now also be hit with a sanctions violation besides having the money that you lost to the ransomware, so that’s a problem,” she said.
Manglicmot argues that the Ukraine war probably plays a key role in the decline. “A lot of the threat actors are known to be based in Eastern Europe,” he said, which leads him to suspect that the decline in ransomware attacks is “likely because of where the attackers are based.”
Not everyone is convinced the data shows a long-term trend.
Sam Curry, chief security officer at Cybereason, said the more recent dip in ransomware attacks “might also have to do with summer slowdowns in IT — and people who might otherwise click on the wrong thing might just be on the beach with their families.”
Rick Holland, chief information security officer at Digital Shadows, agreed, saying “any perceived slowdown in extortion” should be considered “as a blip, not a trend.”
“The summer months typically see slower extortion activity,” he told Protocol. “Criminals take vacations too.”
Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.
Allison Clift-Jennings, CTO of remote music collaboration app Tonic Audio, is in the midst of moving the business from Reno to London. For the seasoned entrepreneur, the decision came down to following the customer.
Tonic Audio CTO Allison Clift-Jennings realized London would be a better home for a music startup than Reno.
Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of “Campaign ’08: A Turning Point for Digital Media,” a book about how the 2008 presidential campaigns used digital media and data. 
Allison Clift-Jennings was already a seasoned Techstars founder when at the last minute, her latest startup, Tonic Audio, was accepted into the accelerator program’s 2022 London class. The chief technology officer and her husband, Tonic Audio co-founder and CEO Ethan Clift, trekked to the vibrant city from their home in Reno, Nevada, aiming to amp up the Tonic Audio app built for remote music collaboration.
But the temporary move planted an earworm: Move to London permanently, it echoed.
Now, the co-founders are back in Reno in the midst of logistical planning for a move back to London sometime this fall to stay. Here’s how Clift-Jennings, a veteran entrepreneur, multi-instrumentalist, songwriter and off-road dirt bike racer, made the decision to move the business and the family to London — despite the fact that she’s leaving her bike behind.
Clift-Jennings’ story, as told to Protocol, has been edited for clarity and brevity.
When you have the opportunity to actually move somewhere else, you start to consider it seriously. Accepting the program in London, even though it was a three-month time-limited commitment, let us actually explore the waters — wanting to not just see more of the world, but honestly experience different cultures in different environments and different sides of the world. I mean, we live once, so we wanted to kind of dig into it.
So when we thought about running a tech startup somewhere else besides where we live, there’s pros and cons. Where we live, it’s a smaller community. It is a three-and-a-half-hour drive to the Bay Area. We do have a small startup scene here, but there isn’t a massive momentum of startup culture here like you’d see in any major city. So, we’re not in the Bay Area. Though we’re close to it, we still have to drive to it. And that’s fine for fundraising. That’s actually very good for fundraising. You go there and take a bunch of meetings and then come back. But fundraising, while a super important part of the startup, is hopefully a thing you need to do, but doesn’t take up all of your time.
Building without knowing who you’re building for, and what you’re building, is dangerous. The thing that most startups should do, especially after having done them for, like, 20-something years, is that 80% or 90% of your time should be focused on customers and the users, and just becoming obsessed with what they are concerned with. So go where your customers are, don’t necessarily go where your investors are, right? That was our big kind of takeaway with this. To be able to really be in a city that is legendary for music. The current music scene [in London] is so indie and so raw, and so just pervasive in that culture. For us, obsessing about customers — it’s like, well, shit — this is where we should be from a customer standpoint, from a business standpoint.
There are even VC firms in London that focus on music and creative. It’s unusual to see. Generally, you’ll see there are a handful of music-centric investors. But out there, there is definitely a unique subculture that’s happening both on the commercial side of investment as well as the indie music creation side. We’ve got to get tapped into that.
That middle one, that hybrid one, I feel like it’s the most dangerous.
For Tonic Audio, we will be a distributed workplace. I’ve worked remotely off and on for most of my career. Being in Reno but wanting to work for big companies or even just startups, I’ve often had to deal with remote work. I think it’s the absolute future of work. I recognize the benefit of being in person for some things, absolutely. What we’ll end up doing is we’ll have a remote, distributed team with maybe yearly or twice-a-year get-togethers, in person.
There’s distributed — everything’s remote, everyone works remotely from wherever they want. And then there’s central — everyone comes to a single office. And there’s hybrid, which is, we have an office, but you can work remotely if you want.
That middle one, that hybrid one, I feel like it’s the most dangerous. That’s where I’ve seen the most trouble. In my own experience, it is inevitable that people who work remotely when there’s a central office become second-class citizens within that community, just by the nature of how humans communicate. You’re in the office with someone and three of you are chatting and then, “Hey, let’s go to lunch.” You go to lunch, you have a deeper conversation, you just build rapport. And the person who wasn’t there doesn’t get that, and after a while, it starts to compound.
I am into motorcycles. It’s a sensitive subject. There’s really very little off-road riding in the entirety of England. So, I’m [going to] just take a break for a while, focus on music more.
I have a dear friend who’s coming to buy my off-road racing beauty motorcycle. It’s a Honda CRF450RX — it’s a racing dirt bike, and I’ve raced many hundreds of miles on it. I’ve had a lot of very positive moments on that, pushing my body and my mind to places where I have not taken them before.
Wednesday, June 29
How I decided to exit my startup’s original business
Wednesday, July 6
How I decided to shape Microsoft’s climate agenda
Wednesday, July 13
How I decided to cap hiring at our high-growth software startup
Wednesday, July 20
How I decided to allow remote work forever at Atlassian
Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of “Campaign ’08: A Turning Point for Digital Media,” a book about how the 2008 presidential campaigns used digital media and data.
Protocol talks to Soul Machines’ CEO about the power of AI in the metaverse
GREG CROSS (CEO, Soul Machines)
GREG CROSS (CEO, Soul Machines) is one of the original tech nomads, spending his career traveling to and living in every major tech market in the world. He now lives in New Zealand but creates businesses that compete on the international stage. Most recently, PowerbyProxi, a wireless charging company he co-founded, was sold to Apple in 2017. In 2016, Greg co-founded Soul Machines to build a Human OS
Soul Machines is at the cutting edge of AGI research with its unique Digital Brain, based on the latest neuroscience and developmental psychology research. Partnering with innovative people and brands like Carmelo Anthony, Procter & Gamble, NESTLÉ® TOLL HOUSE®, Maryville University, and The World Health Organization, Soul Machines is re-imagining what is possible in the delivery and underlying economics of empathetic customer experience. Greg holds multiple chair positions, is the Sir John Logan Campbell Executive in Residence at the University of Auckland Business School, and was inducted into the New Zealand Hi-Tech Hall of Fame in 2019.
Nicklaus meets and chats online with his Digital Twin in May 2022.
Soul Machines co-founder and CEO Greg Cross and his co-founder Mark Sagar, Ph.D., FRSNZ are leading their Auckland and San Francisco-based teams to create AI-enabled Digital People
They humanize AI to create Digital People that take input from the environment — a question, a facial expression like a smile — and respond in real time. Digital People, such as the one used by Nestle to serve as a digital cookie coach on its website, allow brands to offer an empathic and ultra-personalized customer experience.
Using similar autonomous automation technology, Digital Twins take the customer and fan experience to another level. The celebrity-based avatars boast lifelike features because a real person is captured, creating a “Digital Twin” of the star’s likeness. It can answer customers’ questions with responses that are aligned with the celebrity’s expertise, background and legacy.
The entertainment and sports industries could benefit from developing interactive digital avatars, but the cross-pollination of virtual animation and AI must veer far from 2Pac-hologram territory. Soul Machines’ approach is layered with next-gen AI applications, such as its Digital Brain technology, which allows for natural-language processing and empathetic, responsive behavior. In layman’s terms, that means we could talk to these Digital Twins in real time, but in the entertainment world, that relationship could get even more compelling.
Protocol spoke to Cross to learn more about their newest release, a Digital Twin of Jack Nicklaus, the retired golfing champ who’s won a stunning 117 tournaments. Depicting Nicklaus at 38 years old, his Digital Twin represents the potential of this technology, allowing fans to ask questions and hear stories from his 60-plus years on the links.
Digital Twins will soon partner with retail brands (among others) to offer expertise and recommendations on products and services, as well. Cross takes us on a tour into a technology that may be nascent now but could soon become the competitive edge that sets successful brands apart from the rest.
Extensive capture technology maps Nicklaus’ facial expressions.
What motivated you to launch Soul Machines with Mark Sagar, and what makes your Digital People appealing to brands?
I’m a serial tech entrepreneur, and I just came out of a previous business that sold to Apple. I started looking around for my next move and, through a mutual friend, was reintroduced to Mark. I had met him before, and he blew me away with who he is as a person and his commitment to his life’s work. He’s won two Academy Awards for the animation technology he built that was used in films such as “Avatar” and “King Kong.”
We had a beer, and he talked about coming up with a new paradigm for animating digital characters, and Soul Machines began soon after, in July 2016.
As for our Digital People, we see them as the future of customer and fan engagement. We’re living in an increasingly digital world, and the major challenge for brands is creating those personal connections with fans in a more digital world. And that’s where Digital People become important.
We, as humans, are hardwired to emotionally engage face-to-face. Soul Machines technology can autonomously automate back-and-forth conversations that are each unique. We see Digital People being such an incredible way to create scalable customer interactions in digital worlds.
What competitive advantage would these avatars offer to enterprise brands?
If I create a digital workforce, all of a sudden, I’ve created a highly scalable workforce that is always on. Those customer-centric Digital People can have 1,000 or 100,000 conversations, and these are uniquely personal interactions that are hard to achieve and staff in the real world today. Conversational AI becomes that repository for the brand experience.
Also, brands get a smoother consistency of experiences with Digital People who can retain all that data from those interactions. Especially as we move into metaverse worlds of tomorrow, adopting this technology will truly offer competitive advantages to brands.
The Digital Jack Nicklaus avatar is fascinating to us. How did you create it? How did he react to the idea?
We’ve always wanted to be in the digital celebrity experience space. We first worked with rapper will.i.am in 2019 by creating his Digital Twin for an AI documentary series.
We wanted to test this concept further by having amazing CGI lead to hyper-realistic people who are autonomously animated to create the ultimate fan experience.
We are in talks with a range of different celebrities. We enjoyed the enthusiasm Jack Nicklaus and the Nicklaus Companies have for moving the brand into the future.
With Soul Machines, he wanted to extend his brand to the next generation of golfers. He wanted to be 38 again, when he was at the prime of his career, so we scanned him and his son Gary, who looks so much like him. The kind of storytelling engagement that will come from Digital Jack will build off all the tournaments he’s won and the many golf courses he’s designed.
Share your vision for how you think the metaverse will mature in the coming years, and how Soul Machines will play a role in that maturation.
We are only at the beginning of the metaverse. The hardware that brings it to life hasn’t matured yet, and isn’t defined as a tech stack now. The most important thing for us is to encourage brands to think about how investing in something today creates seamless experiences tomorrow.
AI gets stronger and better with each interaction, and that’s why Digital People provide the most personable and scalable customer experiences that will live on the metaverse and elsewhere. We envision a digital workforce that can move seamlessly between 2D and immersive worlds, and that’s really exciting to us.
This David v. Goliath fight says as much about Facebook as it does about the state of trademarks in America.
The company formerly known as Facebook is already well on its way to doing for VR precisely what it did for social media.
Issie Lapowsky ( @issielapowsky) is Protocol’s chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol’s fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing.
In late July of 2017, thousands of sweaty concertgoers crammed into Randall’s Island Park in New York City for the three-day annual Panorama Music Festival. Headliners for the weekend included Frank Ocean, Solange and A Tribe Called Quest, but there was more than music to keep people entertained.
Beneath a bright white dome inside the park was a sensory overload of an art installation called The Lab. The VR- and AR-heavy show featured exhibits where attendees could “cover the sky in a string quartet of rainbow-colored blocks” or embark on “a warped, intergalactic survival adventure,” as one reviewer described it at the time. The Lab, which was in its second year at Panorama, was praised by Rolling Stone as a “groundbreaking virtual-reality experience.”
It also apparently had a fan at Facebook. In August of 2017, an executive at the social networking giant emailed Justin Bolognino, the founder of the small VR company that curated The Lab, to tell him how “AMAZING” and “spectacular” it all was. Before long, Facebook was teaming up with Bolognino’s company to pitch a project that would meld AR with AI.
The name of this little VR company Facebook hoped to partner with? Meta.
These details come from a lawsuit Bolognino’s company filed in July for, well, the obvious reasons. The lawsuit alleges that, despite their friendly history, Facebook (as we’ll call it in this story) willfully infringed on Meta’s trademark when it noisily renamed itself Meta in late 2021. Not only did Facebook change its name, the suit argues, but it began swallowing up Meta’s business in the live VR event space, setting up installations at some of the very same venues where Bolognino’s Meta had previously mounted shows and even featuring some of the very same artists in those shows.
Meta’s side of the story certainly fits neatly into the prevailing narrative about Facebook, which has a history of borrowing — or outright buying — its best ideas from smaller, lesser-known competitors. But Meta will need to show Facebook to be more than just a bully. The legal case may end up saying as much about Facebook as it does about the state of trademark protections today.
Researchers have found that there really aren’t many unclaimed words left to trademark, leading to a lot more dumb corporate names in the world (Who could forget Tronc?), a lot more lawsuits and a much trickier environment for smaller players, who can’t afford to trample on competitors the way Facebook can.
“We are out of good names,” said Rebecca Tushnet, a professor of the First Amendment at Harvard Law School. “This is going to keep happening. It’s not an accident that there are a whole bunch of these cases, because it’s a very crowded field at this point.” The more crowded it becomes, the harder it is for companies to defend their trademark in the first place.
Facebook didn’t respond to Protocol’s request for comment, and Bolognino declined a request for an interview. But according to the filing, Facebook has argued in negotiations with Meta — whose corporate name is MetaX — that they offer “drastically different goods and services” because Facebook is, first and foremost, a “social technology company.”
We are out of good names.
Whether Meta will be able to successfully lay claim to its name, even against another company in the VR space, will reveal a lot about how narrow trademark rights have really become. “The allegations certainly are concerning, and the claim is plausible on its face,” Tushnet said. “But whether that means little Meta has rights against big Meta is far from certain.”
Based on the complaint, Meta has a lot going for it. It’s accusing Facebook of a type of trademark infringement called “reverse confusion,” in which the company that adopts a name second — in this case Facebook — is actually bigger and more famous than the one that adopted the trademark first. To test whether Meta is correct, the court will apply an eight-part test that considers, among other things, the similarity of the products, the defendant’s good faith in adopting the name and the sophistication of the consumers who might engage with the brand.
On all of these tests, Meta comes out on top, said Alexandra Roberts, a professor of law and media at Northeastern University. When it comes to the similarity of the product, Roberts said, “It’s really hard to deny they’re basically offering the same service.” Indeed, in Meta’s complaint, the company details how Facebook, under the Meta brand, has put on live VR experiences at South by Southwest, Coachella, The Smithsonian and the Cannes Lions festival — all events where Meta had previously held VR shows of its own.
“This is not a scenario I would wish on my worst enemy,” Bolognino told CNBC when the lawsuit was filed. “When Facebook stole the Meta brand from us, it just completely decimated our business.”
The allegations that Meta and Facebook had a relationship prior to Facebook’s rebrand may also count against the tech giant, as courts assess whether it was acting in good faith in assuming the name, Roberts said. “That’s not the most important factor, but it can be important thinking about damages,” she said.
And even though the event organizers that hire Meta for its VR services might be quite sophisticated, Roberts said, the average concertgoer wandering through the event “might not be paying a lot of attention.”
When Facebook stole the Meta brand from us, it just completely decimated our business.
But while Meta’s version of events is compelling, it’s only half the story. A global tech giant like Facebook, with its army of expensive lawyers, doesn’t just dismiss the existence of another similarly situated company of the same name without giving it some thought, said Eric Goldman, a professor at Santa Clara University School of Law. “Usually in a situation like this, if there’s someone the trademark lawyers thought was a real threat, they would try to buy them out before launching the rebrand,” Goldman said. In fact, Facebook did just that when it acquired the trademark belonging to Meta Financial Group for $60 million. “I’d like to see Facebook’s answer to this,” Goldman said. “I’d like to see what is the basis on which they decided to make a run for it.”
It could be, for instance, that Facebook determined the trademark space for the term “meta” was already crowded. “When it’s such a crowded field, each trademark owner has a very small slice of the overall terrain,” Goldman said, noting that he found more than 2,500 hits for trademarks including the term “meta.” “That tells you the word meta has been used by lots of trademark owners over the course of the years.”
Another possibility, Tushnet said, is that Facebook determined the term “meta” wasn’t a very strong trademark, since it’s so closely related to the metaverse. “The theory is, if you choose something that’s really, really descriptive of what you are, you just don’t have very broad rights,” Tushnet said. “The advantage you get should be from the reputation of your product or service — not from how easy it is to understand what you do.”
Whatever Facebook’s reasoning, it’s certainly not alone among tech companies facing trademark infringement suits. Amazon settled a suit with a Springfield, Missouri-based trucking company, Prime Inc., last month, after the company said Amazon’s Prime service could cause “irreparable harm” to Prime Inc. Uber similarly settled with a cloud computing company called Uber Operations that said it was bombarded with angry messages from Uber passengers. “It’s an economy-wide problem,” said Goldman. “There really aren’t any good solutions to it. There are just solutions with tradeoffs.”
In all likelihood, experts say, Meta’s case against Facebook will end in a settlement, with Meta walking away with damages and perhaps a rebrand, and Facebook writing the payout off as a rounding error as it continues its existential pursuit of the VR business.
If that’s the case, it might be a little more painful and pricey for Facebook than it would have been if it had bought out Meta before changing its name. But it won’t do much of anything to solve the underlying concern raised in Meta’s complaint and vexing regulators and lawmakers around the world — the idea that Facebook didn’t just take Meta’s name, it’s consuming the entire industry and some of its most promising competitors. The Federal Trade Commission is, at this very moment, seeking to block Facebook from acquiring another VR startup called Supernatural, arguing that Facebook is “trying to buy its way to the top.”
The company formerly known as Facebook is already well on its way to doing for VR precisely what it did for social media. That will be true no matter what its name is or how much it has to pay to keep it that way.
Facebook may be Meta now, but it’ll always act like Facebook.
Issie Lapowsky ( @issielapowsky) is Protocol’s chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol’s fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing.
Experts told Protocol that the Chinese government’s efforts to steal intellectual property require more attention from targeted businesses — and in some cases, a different approach to cyber defense.
China’s priorities in IP theft have shifted from defense-related technologies — such as the designs for the F-35 jet, believed to have been used in those for China’s J-31 — and into the high-tech and biotech sectors.
Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.
While cybersecurity teams would be unwise to take their eyes off Russia, the evolving threat posed by China’s massive hacking operation deserves more attention than it’s getting among some targeted businesses — especially those involved in emerging technologies, experts told Protocol.
As the tech war between China and the U.S. heats up, cyber threat experts said the recent FBI warnings about the Chinese government’s efforts to steal intellectual property line up with the realities they see.
“Our government is correct: Companies actually need to pay more attention,” said Lou Steinberg, formerly the CTO at TD Ameritrade.
In recent years, threats from Russia have driven much of the cybersecurity attention and investment among businesses in the U.S. and Western Europe, especially after Russia’s invasion of Ukraine in February. Understandably, the threat of ransomware and disruption of critical infrastructure tends to provoke a response.
But when it comes to state-sponsored intrusions, China was behind a stunning 67% of the attacks between mid-2020 and mid-2021, compared to just 1% for the Russian government, according to data from CrowdStrike.
Without a doubt, China “stands out as the leading nation in terms of threat relevance, at least for America,” said Tom Hegel, a senior threat researcher at SentinelOne.
In July, the FBI and MI5 issued an unprecedented joint warning about the threat of IP theft by China. During an address to business leaders in London, FBI Director Christopher Wray said that China’s hacking program is “bigger than that of every other major country combined” and that the Chinese government is “set on stealing your technology — whatever it is that makes your industry tick.”
“The Chinese government poses an even more serious threat to Western businesses than even many sophisticated businesspeople realize,” Wray said.
During his three years as a researcher at Secureworks, Marc Burnard has seen Chinese government hackers go after customers in chemicals manufacturing, aviation, telecommunications and pharmaceuticals — to name just a few.
“It’s quite difficult to point out what the key sectors are for China, because they target so many,” Burnard said. “It’s a scale that just completely dwarfs anything from the likes of Iran, North Korea and Russia.”
One of the most brazen examples was China’s release of bomber jets with strikingly similar designs to the F-35 starting in 2011, according to Nicolas Chaillan, former chief software officer for the U.S. Air Force. Documents leaked by former NSA contractor Edward Snowden appeared to confirm that Chinese government hackers stole data on the F-35 Lightning II, which is believed to have been used in the design of Chinese jets including the J-31 and J-20.
Chaillan — who resigned in protest over the military’s progress on IT modernization amid the China threat — said the recent FBI warning on China is telling. “It takes a lot for the government to start saying stuff like that,” he told Protocol. “That usually gives you a hint that it’s really, really bad.”
China “stands out as the leading nation in terms of threat relevance, at least for America.”
Wray has made a number of public remarks on the China cyber threat this year. In a January speech, he said the FBI had 2,000 open investigations related to attempted theft of technology and information by the Chinese government. The FBI is opening a new case related to Chinese intelligence roughly every 12 hours, he said at the time.
In July 2021, the White House denounced the Chinese government over its “pattern of malicious cyber activity,” in tandem with the European Union, the U.K. and NATO. The action made it clear that the Biden administration believes China has been ignoring its 2015 agreement to cease hacking activities meant to steal the IP of U.S. businesses.
Major incidents have included the Chinese government’s widespread exploitation of vulnerabilities in Microsoft Exchange in 2021, which led to the compromise of 10,000 U.S. companies’ networks, Wray said in January.
In analyzing the Chinese cyber threat, the key is to understand the larger context for why China is targeting Western IP, said Michael Daniel, formerly cybersecurity coordinator and special assistant to the president during the Obama administration.
“China is an expanding power that fundamentally sees itself as challenging the West, and challenging the world order that the Western European system has set up,” Daniel said.
A central part of that aspiration is challenging the West economically, but China is prone to taking shortcuts, experts say.
The Chinese government laid out its “Made in China 2025” strategy, which identifies the industries that it considers to be most important going forward, in 2015. The document is extremely helpful when it comes to defending against IP theft by China’s government, said Daniel, who is now president and CEO of the Cyber Threat Alliance, an industry group.
“If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence,” he said. “It’s that simple, actually.”
Some of the industries that now face the biggest threat of IP theft from China — such as energy, aerospace defense technology and quantum computing — are already well aware of it, according to Steinberg, now the founder of cybersecurity research lab CTM Insights.
But other industries should be paying closer attention than they are, he said. Those include the AI/robotics, agricultural technology and electric vehicle sectors — which are among the industries mentioned in the “Made in China 2025” plan.
“If you’re on their list, they’ve got an army of skilled people who are trying to figure out how to get your intellectual property,” Steinberg said.
“If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence.”
Christian Sorensen, formerly a U.S. Cyber Command official and U.S. Air Force officer, said there’s been a clear shift in China’s IP theft priorities from its traditional focus on defense-related technologies — such as the designs for the F-35 — and into the high-tech and biotech sectors. For instance, in mid-2020, the U.S. accused Chinese government hackers of attempting to steal data from COVID-19 vaccine developer Moderna.
Threats of this sort can be more difficult for perennially overwhelmed security teams to prioritize, however, said Sorensen, who is now founder and CEO of cybersecurity vendor SightGain.
“Everybody pays attention to what’s right in their face,” he said. “Our intellectual property is just flying out of our borders, which is a serious strategic threat. But it’s not always the front-burner threat.”
That has been particularly the case in 2022 — the year of “Shields Up.”
Following the invasion of Ukraine, there was a widespread expectation that the U.S. and other allies of Ukraine would face disruptive cyberattacks by Russia. So far, major retaliatory attacks from Russia have not materialized — though experts believe a Russian escalation of this sort could still come as soon as later this year, depending on how events play out with Ukraine and sanctions.
America’s focus on its cyber adversaries tends to go in cycles, experts say. And even prior to the Ukraine war, Russian threat actors have been constantly in the spotlight, from the SolarWinds breach by Russia’s intelligence forces in 2020 to the Colonial Pipeline and Kaseya ransomware attacks by cybercriminals operating out of the country in 2021.
It’s not out of the question that China might pursue similar disruptive cyberattacks against the U.S. and Western Europe in the future, however, if China wants to prevent aid to Taiwan, Daniel said. It’s believed that China has been seeking the ability to strike critical infrastructure for a situation such as that, he said.
To date, however, China’s cyber activity has been “almost entirely covert cyber espionage campaigns,” said Josephine Wolff, associate professor of cybersecurity policy at Tufts University.
Whereas Russian cyberattacks are often meant to create noise and chaos, Wolff said, China’s attacks are “meant to happen undercover. They don’t want anyone to know it’s them.”
U.S.-China tensions rose Tuesday as House Speaker Nancy Pelosi visited Taiwan. Mandiant’s John Hultquist said in a statement that China is expected to carry out “significant cyber espionage against targets in Taiwan and the U.S.” related to the situation.
Notably, the Chinese government is very effective at organizing the hacking activities, said SentinelOne’s Hegel. “It’s a well-oiled machine for mass espionage.”
While China’s hacking program often does not perform the most technically advanced attacks, its sheer size and persistence allows it to be successful over the longer-term, he said.
But because China’s motives are different compared to Russia, “you’ve got to defend yourself [in] a completely different way,” said CTM Insights’ Steinberg.
The go-to technologies in these situations are data-loss prevention, data exfiltration detection and deception technologies such as tripwires, he said. Rather than expecting to prevent an intrusion every time, the key to stopping IP theft is “Can you catch it happening and shut it down?”
Businesses should also concentrate on applying special protections to systems that are hosting IP, said Burnard, who is senior consultant for information security research at Secureworks. That might include network segmentation and enhanced monitoring for those parts of the system, he said.
One way that China’s hackers have been evolving can be seen in their methods for gaining initial access to corporate systems, experts say. Recent years have seen Chinese attackers increasingly exploiting vulnerabilities, instead of just relying on phishing, said Kevin Gonzalez, director of security at cybersecurity vendor Anvilogic.
China-based attackers exploited a dozen published vulnerabilities in 2021, up from just two the prior year, CrowdStrike reported — making the Chinese government’s hacking operation the “leader in vulnerability exploitation.”
The threat actors have shown capabilities for exploiting both previously unknown, zero-day vulnerabilities as well as unpatched known vulnerabilities, Hegel said.
Additionally, China’s government hackers are now scanning for vulnerabilities “the second they pop up online,” he said — for instance, in the case of Log4Shell, a severe vulnerability in the widely used Apache Log4j software that was uncovered in December 2021. The Chinese government reportedly punished China-based tech giant Alibaba for informing the developers behind Log4j about the flaw prior to telling the government.
China has used more innovative techniques as well, such as software supply chain attacks. The compromises of CCleaner and Asus Live Update in 2017 are among the past instances.
Still, while China’s focus on IP theft makes some defenses unique from those needed to stop ransomware, there are plenty of countermeasures that can help against both Russia- and China-style threats, experts said.
Placing an emphasis on strong security hygiene, vulnerability and patch management, identity authentication and zero-trust architecture will go a long way toward defending against attacks regardless of what country they’re coming from, said Adam Meyers, senior vice president of intelligence at CrowdStrike.
Threat hunting is also a valuable investment, whether you’re concerned about threats from Russia, China or anywhere else, Meyers said. “You have to be out there looking for these threats, because the adversary is constantly moving,” he said.
But hacking is not the only cyber threat that China poses to the U.S. and the West, experts say. And it may not even be the most challenging, said Samuel Visner, a longtime cybersecurity executive and former NSA official, who currently serves as technical fellow at MITRE.
The harder question, according to Visner, is how to respond to China’s initiative to build a “Digital Silk Road” across much of the globe using exported Chinese IT infrastructure. The technology is believed to be capable of facilitating surveillance on citizens. Ultimately, the fear is that the Digital Silk Road could be used to feed information about Americans or Europeans traveling abroad back to the Chinese government, he said.
While meeting a different definition of cybersecurity, Visner said, “that is also a security challenge.”
Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.
Business financing options are now drawing more interest from investors and entrepreneurs than consumer payment plans.
Business lending faces fewer regulatory hurdles than consumer financing.
Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.
The tumbling valuations of consumer-facing “buy now, pay later” companies in public and private markets suggest investors are losing confidence in the sector. Who can blame them, in a tottering economy? But some investors are still bullish on pay-later — if the customers are other businesses.
Business-to-business “buy now, pay later” startups are on the rise, and it’s clear why. Statista estimates that the global business payments market is $125 trillion, while the global consumer payments market is only $52 trillion. The average ticket size is significantly higher among businesses than consumers, allowing payments companies to command larger fees. Proponents say breaking up business payments over time promises more growth potential, a quicker path to profitability and less risk than catering to retail consumers.
Pay-later businesses adapt trade credit, invoice factoring or a combination of both to offer more flexible financing options than the net-30, -60 or -90 day terms stamped on the typical invoice. In doing so, they shift default risk away from sellers, absorb operational burdens and improve credit decisioning with real-time transaction data.
The companies typically make money off fees built into financing options, rather than explicit interest charges. Some follow a business model very similar to traditional “buy now, pay later,” marketing their plans through merchants who see it as a way to boost sales. Others buy invoices at a discount from sellers. Some companies, like Xepelin, do both, arguing that coordinating the entire payment flow increases efficiency.
It’s a “concept that already exists in marketplace and business lending,” said Julian Roeoes, head of Americas at Picus Capital, which has invested in three business-focused pay-later companies: Xepelin, OatFi and Billie. “The innovation is in approaching this from different angles.”
Business lending faces fewer regulatory hurdles than consumer financing: It’s exempt from most state usury laws in the U.S., and the Truth in Lending Act, which requires certain levels of transparency in lending, is geared towards consumer credit. Most lending regulations abroad don’t address business financing either.
Emerging state regulations on merchant cash advances, a non-lending financing option, may be more of a concern. New York and California have passed laws requiring more disclosures on advances. And those new rules may sweep in some business pay-later plans that share a troublesome characteristic with merchant cash advances: opaque rates and terms that can make the real cost of payments difficult to calculate.
A California law that goes into effect in December defines subject transactions as any “legally enforceable claim for payment held by a recipient for goods the recipient has supplied … but for which payment has not been made.” A spokesperson for the state’s financial regulatory agency declined to clarify if business-to-business payments would be subject to the law. Legislators who authored New York’s law did not respond to requests for comment.
Beyond regulatory compliance, the biggest challenge for these companies is underwriting the vast array of different types of businesses they aim to serve. Foundational to the concept of “trade credit” is companies’ deep understanding of a business’ reputation in a sector to accurately underwrite risk. And that’s if the company is legit: Business identity theft is increasingly common as more transactions move online, and requires different fraud analysis tools than consumer identity theft.
Mondu and Billie, two companies that have earned both buzz and funding for their B2B BNPL products, aim to serve a large swath of merchants and marketplaces across industries. Billie, founded in 2017, said its five years of experience have given it time to learn the nuances of underwriting different industries.
Xepelin, a Chilean B2B BNPL finding traction in Latin America, focuses on small and medium-sized enterprise businesses with relatively lower overhead expense. OatFi differentiates itself as an embedded finance offering, integrating directly into payroll and bill pay software from which it can obtain detailed data to underwrite the loans. And Bespoke Financial, an American B2B BNPL, focuses specifically on cannabis businesses, utilizing knowledge of specific regulatory and financing hurdles to target the niche market.
This type of differentiation is what tuned-in investors are expecting more of in the coming years. Corinne Riley, an investor at Greylock focused on B2B payments, wrote in March that she expects companies to continue to differentiate by geography due to nuances in tax reporting and payment method preferences, as well as by vertical or segment of interest. Picus Capital investor Alice Morath says that OatFi’s distinctive distribution strategy — it’s designed to embed into existing bill-pay software — drove the firm’s investment in the company.
“We’re constantly looking for this proven business model, but with an interesting angle in how it’s ultimately enabled,” Morath told Protocol.
Correction: An earlier version of this story used a shortened version of Bespoke Financial’s name. This story was updated on Aug. 3, 2022.
Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.
To give you the best possible experience, this site uses cookies. If you continue browsing. you accept our use of cookies. You can review our privacy policy to find out more about the cookies we use.
