It’s almost impossible to make a bank fully cybersecure. Ouida Taaffe talks to Daniel Prinz – cybersecurity expert from First Digital Asset Group and a Maintainer of Diem – about risks, the cloud and automation.
What are the main risks that cybersecurity failures pose to banks?
The main problems tend to arise from the implementation layers.
The basic theories behind cryptography are sound and well understood, but making them function as a product is notably more difficult. If anything in the whole system is implemented incorrectly, it can be exploited.
The second risk, which is an extension of the first, is ensuring that every human involved is a redundant step in the process to eliminate human error.
Humans will always make mistakes, so human-dependent steps need to be kept to a minimum. Where they’re unavoidable, there need to be fail-safes – even if it's just multiple people – that will catch a human error before it causes problems.
What are the advantages of the cloud?
One is the ability for cloud platforms to be quickly and automatically updated. Such a system could easily collect various signals and data from users and analyse them to reach security conclusions 24/7.
This means exploits, viruses, etc. could be detected in near real time. And patches that defend against any discovered problems could be pushed to users much more quickly than in the current systems.
Is there any data that should not be put on the cloud?
Traditionally, all storage was held locally because there was no other way. Now, however, everything is moving to the cloud. Even here, though, there has been some pushback to keep personal information local as well.
Whatever happens, we will likely never go back to the old way completely. But it’s possible that a hybrid solution could be implemented where some info will be local, and some will be on the cloud.
‘Personally identifiable information’ (PII) should be kept off of blockchains specifically because once something is on a chain, it will be there forever. Even if the data is encrypted, while it may be currently impossible to break, that may not be the case forever.
This could be a major security issue, especially for public chains.
To what extent can cybersecurity be automated?
Automated systems offer users more abilities, but security issues can arise from poor implementation. This could be especially problematic if applied to high-stakes processes.
For example, should any money transfer ever be automated? Some probably can be, yes, but users and companies will want control for larger monetary moves.
One possible solution here would be hybrid systems that need authorisation above a certain threshold that could be set by the user.
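As an added illustration of the hybrid rule described above (this is not code from the interview, from First DAG or from Diem; the names Policy, Transfer, decide and check, the constructed user ids and the sample amounts are all assumptions), the following shows one way to encode it: transfers at or below a threshold chosen by the account holder run automatically, anything above it waits for sign-off from a fixed number of distinct people, and the requester can never count as one of their own approvers. That last rule is the "multiple people" fail-safe mentioned earlier in the interview, made explicit.

```python
"""Threshold-gated transfer authorization (added illustration, not project code).

Transfers at or below a per-account threshold execute automatically; anything
above it waits for sign-off from a fixed number of distinct humans, none of
whom may be the person who requested the transfer.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    AUTO = "auto"          # at or below threshold, no human involved
    APPROVED = "approved"  # above threshold, enough independent sign-offs
    PENDING = "pending"    # above threshold, still waiting for sign-offs
    REJECTED = "rejected"  # malformed request, never executed


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    requester: str   # hypothetical user id of the person initiating the transfer
    amount: Decimal  # Decimal, not float, so money is not subject to rounding surprises


@dataclass(frozen=True)
class Policy:
    threshold: Decimal       # set by the account holder; above it, humans must sign off
    required_approvers: int  # distinct approvers needed above the threshold


def decide(policy: Policy, transfer: Transfer, approvals: frozenset[str]) -> tuple[Decision, str]:
    """Return the decision for a transfer plus a short reason.

    `approvals` is the set of user ids that have signed off so far.
    """
    if transfer.amount <= 0:
        return Decision.REJECTED, "amount must be positive"
    if transfer.amount <= policy.threshold:
        return Decision.AUTO, "at or below threshold"
    # Above the threshold the requester may not approve their own transfer, and
    # repeated sign-offs by one person count once because approvals is a set.
    independent = approvals - {transfer.requester}
    if len(independent) >= policy.required_approvers:
        return Decision.APPROVED, f"{len(independent)} independent approvals"
    missing = policy.required_approvers - len(independent)
    return Decision.PENDING, f"waiting for {missing} more approval(s)"


def check(threshold: str, required_approvers: int, requester: str,
          amount: str, approvals=()) -> str:
    """Convenience wrapper: build the policy and transfer from plain strings
    and return the decision name, so callers need none of the types above."""
    policy = Policy(Decimal(threshold), required_approvers)
    transfer = Transfer("demo", requester, Decimal(amount))
    return decide(policy, transfer, frozenset(approvals))[0].value


if __name__ == "__main__":
    # Constructed sample: a 1,000-unit threshold with dual approval above it.
    print(check("1000", 2, "alice", "250"))                    # auto
    print(check("1000", 2, "alice", "50000"))                  # pending
    print(check("1000", 2, "alice", "50000", ["alice", "bob"]))  # pending (self-approval ignored)
    print(check("1000", 2, "alice", "50000", ["bob", "carol"]))  # approved
```

The interesting cases are the ones a naive "count the approvals" implementation gets wrong: the requester signing off on their own transfer, and one approver clicking twice. Both are handled by subtracting the requester and using a set, so the number of distinct other humans is what is compared against the policy.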
What systems are needed to automate cybersecurity?
Currently, blockchains and smart contracts offer some options for automation. However, there are limitations – not just the risks mentioned, but the fact that connecting blockchains to real-world systems can be tricky.
Let’s say I make a purchase. A blockchain can undoubtedly handle the transfer of funds and even perform escrow services.
The problem arises in how to verifiably let the blockchain know that I actually got the goods or service, or the inverse, that I didn't get them. Again, how can that be contested?
At what point should banks stop spending money on cybersecurity?
Never! Cybersecurity is always evolving and is basically an art of the unknown. That being said, in practice, companies need to find their own balance. Just don’t expect that one day you’ll reach the ultimate security solution; you need to keep removing old systems as well as not doing the same things we did yesterday.
Daniel Prinz is CTO at First DAG and leads the teams building blockchain tools and APIs for developers. Prior to that, he was the CTO of the Cyber Division in the Israeli Secret Service, and a Software Architect at SAP and Applied Materials. He's also a Maintainer of Diem, playing an instrumental role in the development of a robust technical governance framework for the Diem Association’s open-source blockchain project.