Tornado Cash sanctions cut deep
The Treasury Department’s sanctions against Tornado Cash are having more bite than the U.S. government may have anticipated. What’s music to the ears of some is nails on a chalkboard for others.
HAPPY MONDAY, and welcome to Morning Cybersecurity! This weekend, my editor’s favorite team, the Eagles, crushed my favorite team, the Giants. Yet here is the newsletter.
Who thought the era of bipartisanship was dead?
Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.
Nothing urgent in cyber policy land.
TORNADO CASH, TORNADO CRASH — An unanticipated upshot of the Treasury Department’s controversial ban on cryptocurrency mixing service Tornado Cash is alarming privacy advocates and energizing crypto skeptics, nearly five months after the Office of Foreign Assets Control announced the government’s first-ever sanctions on autonomous code.
What’s happening? — For the last three months, roughly two-thirds of all Ethereum validators — the infrastructure providers who store, process and add new transactions to the blockchain — have refused to run transactions that include Tornado Cash wallet addresses, even though it is unclear whether OFAC intended the sanctions to extend to the protocol layer of the Ethereum blockchain.
At issue is whether services that operate the core of the Ethereum network can, and therefore should, prevent criminal abuse of the digital currency, or whether the entities have a responsibility for neutrality, akin to the companies that run the internet or telecommunications backbone.
Camp 1: Bad news bears — It’s worrying that “it’s so easy for the government to get Ethereum validators to censor transactions with the threat of sanctions,” said Matthew Green, an associate professor of computer science at Johns Hopkins University.
Green, who helped develop another privacy-enhancing digital currency, ZCash, called the ambiguity of OFAC’s sanctions “a feature not a bug” of the government’s crypto bully pulpit.
“Nobody really believes that validators have to censor,” said Green. But the threat of OFAC penalties is so high “it creates a chilling effect” for them and anyone else who might develop a Tornado Cash-like service in the future.
Camp 2: Good riddance — Intentionally or not, Ethereum validators are shining a light on the lie that the blockchain is uncensorable, said Nick Weaver, a computer science lecturer at UC Berkeley.
Weaver argued that cryptocurrency businesses have fallen back on that argument because the major revenue source for the industry is crime.
The Tornado Cash trial balloon is important, he said, “because it disrupts both the talking point that validators can’t enforce anti-money laundering policies and the criminal appeal” of pseudonymous digital currency.
Common ground — Depending on whom you ask, the Tornado Cash blacklist represents a dangerous encroachment of state authority or a long-overdue cleaning up act for crypto.
But all agree on one thing: with the likes of Lido, Coinbase and Binance running much of the capital-intensive infrastructure that powers the network, Ethereum is far less open — and far more vulnerable to government control — than many once thought.
“The entire point of open networks like this is that they’re supposed to be hard for governments or other parties to control,” said Green. “What we’re seeing here is that that’s not necessarily the case.”
THREE (OTHER) THINGS TO WATCH — With the recent drip-drip of stories previewing the now-imminent national cyber strategy, it's become common knowledge that the Office of the National Cyber Director is ready to cast off the decades-old “volunteer model” of federal cyber security policy — and opt in on the heavy hand.
But there’s been much less discussion of the other note that the White House, CISA and a few others have been sounding for several months now: the desire to shift the burden of security away from the helpless saps like you and me who want to call in the National Guard whenever we need to airdrop a photo.
Here are three “burden-shifting” things you’ll want to keep an eye out for when the document drops:
Head in the cloud — Cloud providers are seen as critical infrastructure in pretty much every corner of the security world but the two that really count: law and policy.
Expect that to change with the new national cyber strategy, as there’s no better way to push security upstream from end-users than to send it up into the cloud. The only question is: how?
The strategy isn’t likely to declare cloud services a new critical infrastructure sector, but it might gesture in that direction. At a more tactical level, there’s also a possibility it’ll call for revamped know-your-customer practices for cloud services providers — an initiative from the Trump White House that the Biden administration dropped without explanation after October 2021.
Liability, liability, liability — A limited liability regime for software vendors would be to security diehards what this year’s Blink-182 tour is to every sentient human born within a rounding error of 1990: long overdue, and so, so welcome.
Yes, there's only so much the White House can do in this realm absent a vote of confidence from Congress. But it’d be a huge step for the Biden administration to officially flip a decades-old security script and call on software vendors to do more to ship secure, transparent and sustainable products — or suffer the consequences.
Power of the purse — One of the White House’s best tools for effecting system-wide change is the federal procurement process. By setting rules for how other executive branch agencies dip into the federal piggy bank, the folks at 1600 Pennsylvania Ave. can drive the adoption of more rigorous security standards among the vendors that compete for government dollars.
To a certain extent, the Biden administration already played its procurement trump card in the form of its May 2021 cyber executive order. But there’s nowhere else where the ONCD wields more authority, meaning the strategy’s guidance on securing the federal executive branch will be a key barometer of how serious it is about burden-shifting.
CYBER BLIND SPOT? — IP protections set by manufacturers of security devices are preventing companies from spotting malware infections, potentially creating a blind spot within government and defense industrial base networks.
That’s the not-so-subtle subtext of a Thursday report from Google-owned Mandiant, which found likely Chinese hackers exploiting a zero-day in a Fortinet-made VPN to deploy custom malware inside a European government and an African IT company.
The problem — To protect their IP, enterprise security products like those made by Fortinet “may not allow for [the installation of] additional security products” and often prohibit third parties from peering beneath the hood of the device to search for a problem.
The upshot, if you parse Mandiant’s understandable reflex for euphemism, is a poetic muck-up in which companies selling security are themselves becoming a source of insecurity.
“It is very hard to measure the scope and extent of malicious activity that results from exploiting internet facing network devices,” writes Mandiant, “as we have little to no information that can indicate those devices are compromised.”
Why that matters — Managed security devices like those made by Fortinet have long drawn the attention of foreign intelligence agencies.
In part, that’s simply because the devices connect straight to the internet. But security vendors have a historically poor record on security, even though their technology is popular with the security-conscious entities that state hackers pursue.
One solution? — Device manufacturers don’t have to open up their devices to everyone, but they might want to provide that access to certain customers, like the government or other security companies.
If Mandiant’s right, that might help pull back the curtain on a host of unrecognized activity.
PEOPLE ON THE MOVE — Lauren Zabierek is joining CISA as a senior policy adviser. She previously worked as the executive director of the Cyber Project at Harvard Kennedy School's Belfer Center.
The Tweet of the Weekend isn’t a single Tweet but a series of ’em: NSA’s Rob Joyce took to the bird site this weekend to do some recruiting from the sidelines of the ShmooCon security conference, and it was an absolute joy to behold:
— Ukraine will join NATO’s cyber defense center of excellence. (The Record)
— Cyber crime gangs’ earnings slide as victims refuse to pay. (BBC)
Chat soon.
Stay in touch with the whole team: Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).
Source: https://www.politico.com/