Last month, the United States Marine Corps prohibited the use of cryptocurrency mining applications – along with similar apps – on government-used mobile devices. The issue was one of a “privacy and security concern,” according to a Marine administrative message.
By some accounts, bitcoin and other so-called cryptocurrencies are the wave of the future. They are a decentralized form of digital money that allows individuals to make confidential transactions and can be used in international trade. To others – including most western governments – the decentralized currency could be a serious concern because it could be used for money laundering and isn’t backed up by any government. Owning bitcoin could even be problematic for a security clearance holder.
Background on Crypto
In most cases, the currency is “digitally mined,” which according to some opponents of the technology is little more than money being created out of thin air. However, the mining involves solving complex mathematical/computational problems, which allows the miner to chain together blocks of transactions – and for this service, miners are rewarded with newly created cryptocurrency. This mining requires serious computing power: an extremely powerful computer – which needs to be kept cool to keep it from overheating and crashing – can take 10 minutes to produce a single bitcoin. For the average computer it could take months to get the same result, which is why some miners outsource some of the computing to other devices.
Marines are also now prohibited from having gaming, dating, or gambling platforms on their government-furnished mobile devices. Marines were told in the memo to delete any app from personal devices that the U.S. government has deemed a risk.
While many cryptocurrencies do require high processing power, less popular “coins” with smaller networks can be more easily mined on individual devices, including laptops and even mobile phones. In addition to malware concerns, one factor is that individuals would still be utilizing government resources for personal gain.
“It is inherently illegal to use government resources for self-enrichment, making me wonder why they thought they needed a specific ban and whether we’ll see a coming ban on using government vehicles for Uber rides, which would also obviously be illegal,” explained technology analyst Rob Enderle of the Enderle Group.
“Not that there would be attempts, but this ban suggests these resources weren’t being properly monitored or secured,” Enderle told ClearanceJobs. “It also suggests someone in power was arguing it wasn’t specifically forbidden, thus the new rules, but, as noted, using government resources for personal enrichment is inherently illegal, so the back story behind this rule change would suggest someone at a high level was doing this. It has both security and theft of government property implications.”
The very fact that the USMC is only now acting on this may suggest that the problem wasn’t all that widespread.
“I would be shocked if more than a trivial number of Marines are even aware they have such apps installed,” suggested Jim Purtilo, associate professor of computer science at the University of Maryland.
“Typically it isn’t end users receiving revenue,” Purtilo told ClearanceJobs. “Cryptocurrency value is based on computation remaining expensive – very expensive. Most of us don’t have powerful enough personal machines to make any difference, but the government does. A malicious operation manufactures value by injecting malware into thousands of machines of unaware users and absorbing those resources over time.”
That has already been an issue: in 2018, it was reported that thousands of websites, including many run by U.S. and UK government agencies, were infected with code that caused web browsers to secretly mine for cryptocurrency. In total, more than 4,200 sites were infected with malware known as Browsealoud.
“Commonly this is done by malware, which means a successful exploit offers access for all manner of other dangerous activities,” added Purtilo.
The other issue is that although the currency is decentralized, the actual mining can be monitored and tracked. The mining software could be used to spy on an individual.
“It isn’t so much that a user profits in some way, rather, it is that these apps represent security gaps which can endanger personnel,” said Purtilo. “An innocuous looking app that consumes resources in the background is a spectacular proxy for malicious actors to track DOD activities. If an adversary regularly receives simple behavioral data from apps that were installed on Corps resources either intentionally or inadvertently, then the aggregation telegraphs much about the Corps activity and movement.”
While no adversary could openly convince a Marine to carry a tracking beacon into a fight, as it would make him a target, malware via a mining tool could be the next best thing.
“Tossing around a few crypto coins is a cheap way to buy ‘intel’ that you couldn’t win by direct means on the battlefield,” Purtilo told ClearanceJobs. “Let’s remember the Fitbit experience. Location and training information about operators was tracked by foreign actors until someone realized how much this practice of fitness enthusiasts was disclosing. That was a trivial app. Crypto mining on powerful machines is an order of magnitude more exposure.”