What banks can learn from a cryptocurrency’s bug bounty program

Dash news, published 2017-09-07: https://www.dash.org/news/bugbounty/

Financial institutions are prime targets for hackers, but there may be one species of prey even more appealing: digital currencies.

The value not only of bitcoin but of the entire market for blockchain assets has exploded in the past six months, and one of the upstarts is taking no chances that its system can be compromised.

The creators of Dash, a bitcoin rival, have hired the San Francisco-based security company Bugcrowd to run a “bug bounty” program on its behalf, enticing independent security researchers to pore over the cryptocurrency’s code and paying them for every flaw they find.

“As an open-source project, all of our code is available to be audited by anyone. But this will really bring a set of highly professional eyes to the code and make sure that it is as robust as possible,” said Ryan Taylor, CEO of Dash’s core team, which is run like a for-profit startup.

Talk to cryptocurrency insiders like Taylor—individuals who have helped create and secure these unique pieces of software—and they will tell you that banks could learn a lot from open-source projects like Dash about how to build applications and secure their networks.

After all, the time for pretending that it is possible to make an app or network impregnable from the get-go—if it ever existed—is long gone. The new security paradigm is one of “persistent threats,” in which the safest assumption is that a malicious actor has already penetrated your system.

[Photo: Ryan Taylor, CEO of the core team behind the cryptocurrency Dash]

Have at it

Whether the code underlies a bank system or an internet currency, “vulnerabilities are inherent in how software is created,” said Casey Ellis, chairman and chief technology officer of Bugcrowd. “They’re a fact of life.”

This is so because people design things to do what they’re meant to do, he said. Software developers aren’t necessarily thinking about how to make their applications secure, merely effective.

What Bugcrowd wants to do for the Dash team, as for all of its clients, Ellis said, is to “create a feedback loop between people who think like builders and people who think like breakers.” From this process arises a resilient product.

That resiliency has become ever more essential as Dash’s value has skyrocketed. On Aug. 26 it set a record high of about $400 per coin, an increase of some 3,384% since Jan. 1. Dash’s market capitalization briefly touched $3 billion over the weekend before settling back to about $2.8 billion in the early morning hours of Sunday.

“Given that this is a financial product, it’s extremely important that we explore all avenues possible in order to make the network as secure as possible,” Taylor said.

Dash is self-funded: The Dash community finances ongoing software and business development for the cryptocurrency with a portion of the new coins that are created at regular intervals through “block rewards.” Dozens of developers and support staff are now on the team’s payroll.

As the cryptocurrency’s value mounts, the block rewards become more lucrative. That made it easy to set aside $200,000 for the bug bounty pool. The money will be shared among any researchers who detect and report a bug. The more severe the impact of that vulnerability, the higher the reward—up to $10,000 for the most critical flaws.

Bugcrowd plans to start small with the bounty program, initially revealing Dash’s code only to a few dozen highly skilled security experts, before ramping it up over time. Ultimately, all of the 60,000 researchers in Bugcrowd’s network will have a chance to participate.

To bankers, accustomed to the demands of proprietary software, the approach can only seem a radical one.

“Rather than trying to hide the flaws,” Taylor said, “we try to give as many people as possible the opportunity to find them and then fix them.”

Lessons for banks

This radical transparency has worked wonders for bitcoin.

Although the digital currency’s network hasn’t been compromised in years, says Taylor, in August 2010 there was an incident in which a hacker exploited a flaw in the code to create 92 billion bitcoins out of thin air—massively inflating the supply of a currency that was supposed to have a hard cap of 21 million. Bitcoin’s pseudonymous creator, Satoshi Nakamoto, was forced to do an emergency “fork” of the code to fix the issue.

Since then, dozens of developers have improved upon and countless outsiders have examined the code. For a long time, Ellis himself was skeptical regarding bitcoin’s security. He figured that a catastrophic exploit would be found sooner or later, and the cryptocurrency’s value would drop to zero. But that never happened.

“The result is pretty astounding when you think about it. Bitcoin is completely open-source, yet the last significant hack of it took place [seven] years ago,” Taylor said. “You end up with a highly secure system despite not funding any firewalls, not funding any security staff to try to prevent people from accessing it, not funding any detection systems. None of that is necessary if you design it in a way where it’s essentially hack-proof.”

While bitcoin wallets and bitcoin exchanges have been compromised many times, the network itself has proven to be a model of what the author Nassim Nicholas Taleb calls antifragility—it has become more resilient by withstanding attacks.

This sort of design ethos is anathema to banks, which have traditionally relied on secrecy—keeping their code private, whether it was developed in-house or written by vendors such as Fiserv, FIS or Jack Henry—and trying to deny access to hackers in order to keep their systems secure.

To be fair, this has been slowly changing in recent years as a number of banks, including Citigroup, BBVA, JPMorgan Chase, Wells Fargo and Capital One, have opened up developer hubs that give third parties access to some of their code and data. Some large banks use bug bounty programs, though they don’t like talking about them, and some are seriously testing and considering open-source blockchain technologies, including Hyperledger and Quorum, for certain purposes such as derivatives clearing. And there are a few open-source core banking initiatives, such as the Open Bank Project and Apache Fineract, though they haven’t been widely adopted in the United States.

Yet even if they can’t, or won’t, fully adopt the open-source mindset of security through transparency, financial institutions can learn from its best practices. One step might be to embrace wholeheartedly the practice of rewarding coders for finding and patching bugs.

“Programmers like creating stuff,” Taylor said. “It’s far less sexy to comb through legacy code that has existed for years and attempt to find vulnerabilities in it. And it’s unlikely that their bosses are going to pat them on the back for spending a chunk of time looking for bugs and not finding them. And if they do find them, [their managers] generally say, ‘OK, great, good for you.’ But there’s no incentive there. If they fail to find anything, they’re scolded; and if they do find something, it’s viewed as luck.”

Building bug-hunting bonuses into the pay structure of engineers, for instance, would send the message that software quality is more important than quantity.

“If you incentivize programmers to find and resolve bugs, it will change behavior,” Taylor said.

Banks could also start open-sourcing certain parts of their systems, suggested Alex Waters, a former bitcoin quality assurance engineer and the chief technology officer of the stealth startup GetKelvin.

“There are aspects of their applications that probably should be open-source—things like authentication and communication,” said Waters. “Which is not to say that they’d be open-sourcing the underlying data. Of course not. It’s just they’d be making available for public review the methodology for authentication, for example.”

Taylor agrees, with the caveat that any software providing a true competitive advantage should be kept under wraps. But for commoditized functions and services, banks could actually reduce their security risks by using open-source software, he said. “And I don’t think that is ever really a consideration for them. I think they blindly use closed-source, or commercial, software for everything.”

Nothing banks can’t handle

Waters, who has consulted for banks, is convinced of the open-source approach’s benefits.

“Generally speaking, large open-source projects are far more secure than in-house, private software,” he said. “And within the realm of large open-source projects, cryptocurrencies—because of their inherent nature as being based on cryptography—tend to be the most secure, and security-conscious, groups.”

What, then, of banks working with cryptocurrencies themselves? Asked whether financial institutions are right to be wary of these new technologies, since by and large they can’t be centrally controlled, Bugcrowd’s Ellis says no.

“I don’t consider crypto to be a unique or a special case from a vulnerability standpoint,” he said.

You can count on any software being attacked at some point, he clarified. What does make digital currency unique is that “the [monetary] value is inherent in the code,” so major flaws in the code can be financially catastrophic. Extra care and attention is required, and that is where his company’s crowdsourced security comes in.

“You don’t build a three-foot fence to defend against a 10-foot attacker, because that would be ineffective,” he said. “But you also don’t build a 10-foot fence to defend against a three-foot attacker, because that would be economically irrational.”

Ultimately, the security challenges posed by cryptocurrencies are nothing banks can’t handle, Waters said, provided that they “apply everything they already know. What better industry to work on custody, settlement and clearing for cryptocurrencies than the banking industry, which has been doing [these things] for years? They’re totally equipped to understand all of the various risks and how to mitigate them.”