Last February, President Obama issued an Executive Order establishing the Commission on Enhancing National Cybersecurity within the Department of Commerce. The Commission is charged with “recommending bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cybersecurity in today’s digital world, and reporting back by the beginning of December.”
The Commission is composed of twelve individuals from the world of business, technology and academia. Former national security advisor Tom Donilon and former IBM CEO Sam Palmisano serve as chair and vice-chair respectively.
To gather the necessary information for its short- and long-term recommendations, the Commission is holding public meetings around the country, each focused on a different sector of the economy. On May 16, it met in New York City to discuss the challenges and opportunities facing the financial sector. The meeting included three panels, one on finance, one on insurance, and the third on research and development.
I was a member of the R&D panel, along with MIT professor Sandy Pentland, IBM Fellow Jerry Cuomo, and Greg Baxter, head of digital strategy at Citigroup. During our 90-minute panel, we each made introductory remarks based on our previously submitted briefing statements and then answered the commissioners’ questions.
In my introductory remarks I noted that, arguably, nowhere is the challenge of cybersecurity greater than in the financial industries. As I’ve learned since becoming involved with digital money ecosystems ten years ago or so, money makes the world go round, as the famous song from Cabaret succinctly puts it, and it’s been doing so since time immemorial.
Money has played a central role in human affairs through the ages, facilitating transactions, trade and commerce. Gold coins were first developed around 2,500 years ago in Asia Minor. For a long time, money was embodied in precious metals like gold and silver. But with the introduction of banknotes, most likely around 1000 AD in China, money started to decouple from physical objects with intrinsic value.
Today, money is mostly intangible. Digital funds dominate the vast majority of the money supply, flowing over our digital networks as payments for our increasingly digital economic transactions.
The world’s financial community has developed a very sophisticated ecosystem, including the global payment infrastructures, the management of personal identities and personal data, the global financial flows among institutions and between institutions and individuals, the government regulatory regimes, and so on.
This financial ecosystem has served us well so far, but it’s rather complicated, inefficient and inflexible. We rightfully worry that it may not be up to the scalability, security and privacy requirements of our 21st century digital economy, especially when you include the additional few billion people around the world conducting financial transactions over their smartphones, let alone the 10s to 100s of billions of IoT devices whose transactions have to be carefully validated given their potential impact on our health and safety.
Transforming this highly complex ecosystem has proved to be very difficult. It requires the close collaboration of its various stakeholders, including a large variety of financial institutions, merchants of all sizes, government regulators in just about every country, and huge numbers of individuals around the world. All these stakeholders must somehow be incented to work together in developing and embracing new financial innovations. Not surprisingly, change comes slowly to such a complex ecosystem.
I then mentioned some pertinent lessons that I’ve learned over my long career in the IT industry. In the early decades of the IT industry, different vendors brought to market their own proprietary systems and networks. Just sending an e-mail using a particular vendor application to another user in a different institution using another vendor’s application was quite cumbersome.
The Internet changed all that. Once the Internet was widely embraced in the 1990s, it became no harder to send an e-mail between companies than within a company. Everyone was using the same standards, including open source implementations of key protocols. Rather than developing their own proprietary networks and struggling to interconnect with those of others, institutions now collaborated on developing the common Internet architecture, and Internet-based applications like e-mail and the Web, that they all now used.
Much of the success of the Internet, the Web, Linux and other widely used technologies is due to the close collaborations between universities, research labs, companies and government agencies around the world in their development and governance. These collaborations have led to the creation of standards, open source software and governance processes embraced by all participants.
Something similar is beginning to happen with blockchain technologies. The blockchain first came to light around 2008 as the architecture underpinning bitcoin, the best known and most widely held digital currency. Over the years, the blockchain has developed a following of its own as a distributed data base architecture with the ability to handle trust-less transactions where no parties need to know or trust each other for transactions to complete.
Blockchains hold the promise to revolutionize the finance industry and other aspects of the digital economy by bringing one of the most important and oldest concepts, the ledger, to the Internet age.
Ledgers constitute a permanent record of all the economic transactions an institution handles, whether it’s a bank managing deposits, loans and payments; a brokerage house keeping track of stocks and bonds; or a government office recording births and deaths, the ownership and sale of land and houses, or legal identity documents like passports and driver licenses. Over the years, most institutions have automated their original paper-based ledgers with sophisticated IT applications and data bases.
But while most ledgers are now digital, their underlying structure has not changed. Each institution continues to own and manage its own ledger, synchronizing its records with those of other institutions, a cumbersome process that often takes days. According to a 2014 report by the Bank of England, the classic ledger has not changed much since the 16th century. The report called the evolution toward a blockchain-based distributed ledger “a major technological innovation not only for payment systems but for the finance industry as a whole.”
I finished my remarks to the Commission by noting that the emergence of an innovative disruptive technology can serve as a catalyst to propel change forward by bringing key stakeholders together, as has been the case with the Internet, the Web and Linux. We’re hopeful that blockchain could now be such a catalyst for transforming our global financial systems. But it’s still a bleeding-edge technology lacking the robustness of existing payment systems. The evolution of our complex, global financial infrastructures will be a tough and lengthy undertaking, no matter how innovative and exciting the new technologies might be.
Let me now briefly discuss some of the remarks of my fellow R&D panelists.
Jerry Cuomo, IBM VP of Blockchain Technologies, reminded us that 80 years ago, “IBM helped the United States government create the Social Security system, which, at the time, was the most complex financial system ever developed. Today, as financial transactions become increasingly digital and networked, government and industry must once again combine forces to make the financial systems of the future more efficient, effective and secure than those of the past. And, just as an individual’s Social Security number became the key to proving identity and accessing that system for generations of Americans, today’s institutions must collaborate to create new methods for establishing identity and managing other aspects of digital transactions.”
Cuomo then added: “At IBM, we believe that blockchain technology is becoming an essential tool as business and society navigate this shift - with the potential for transforming commerce and the interactions between governments and individuals. Blockchain has inherent qualities that provide trust and security, but, to fulfill its promise, the core technology must be further developed using an open source governance model to make it deployable on a grand scale.”
He listed four key areas where government, technology companies and industries should work together:
- Proof of Identity. “The Social Security number has been a mainstay of our society for decades, but it’s not secure and certifiable enough to serve as the building block of identity in a blockchain ecosystem. So we believe a new identity management system must be created.”
- Data provenance. “To make organizations and individuals comfortable exposing their data through the use of blockchain applications, the systems must automatically track every change that is made to data, so it’s auditable and completely trustworthy.”
- Secure transaction processing. “While the parties in a transaction managed using blockchain are known to other participants in the system, the actual details of the transaction should be visible only to those involved (or others who are granted permission). So we have to enable the entities that monitor blockchain transactions to verify that contracts are being fulfilled but without revealing confidential information to them.”
- Sharing intelligence. “Amid a rising tide of cyber-crime and fears of cyber-terrorism, the White Hats of the world are under pressure to change the game. Blockchain has the potential to do just that. Not only is it inherently more secure than other types of networks and financial management systems, but blockchain has the potential to be used by multiple parties to share cyber-threat intelligence.”
MIT professor Sandy Pentland talked about the need to develop a 21st century data ecology. Among his various activities, Pentland oversees the Internet Trust Consortium, an MIT initiative whose antecedents created the widely used Kerberos authentication protocols.
“Today’s data ecology is transforming due to the exponential growth of mobile and ubiquitous computing, together with big data analysis,” said Pentland. “These shifts are having a dramatic impact on people’s personal data sharing awareness and sensitivities and on their cybersecurity… We need a new deal on data where security concerns are matched with transparency, control and privacy, and are designed into the core of any data-driven service.”
“In order to demonstrate that such a sustainable data ecology is possible we have developed Enigma, a decentralized computation platform enabling different parties to jointly store and run computations on data while keeping the data completely private. Enigma enables a sustainable data ecology by supporting the requirements that data be always encrypted, with computation happening on encrypted data only, by allowing owners of the data to control access to their data precisely, absolutely, and auditably, and by reliably enabling payment to data owners for use of their data…”
“Since users in Enigma are owners of their data, we use the blockchain as a decentralized secure database that is not owned by any party. This also allows an owner to designate which services can access its data and under what conditions, and so parties can query the blockchain and ensure that it holds the appropriate permissions. In addition to being a secure and distributed public database, the blockchain is also used to facilitate payments from services to computing parties and owners, while enforcing correct permissions and verifying that queries execute correctly.”
Citigroup’s Greg Baxter reminded us that as the digital revolution transforms financial services, we will see “significant opportunities to provide access to financial tools and products that can facilitate individual and collective progress and prosperity… However, the migration to digital also brings new, sophisticated and rapidly growing cyber risks…”
“As innovation changes experiences, journeys, products and platforms, there is a shift in financial services from vertical products to horizontal services, integrated into open, digital ecosystems. While banks may have traditionally operated and protected core platforms and saw edge devices as channels, with distinct cybersecurity implications, the new reality is a much broader ecosystem with many more points for digital access and cyber threats.”
“To protect people and their assets requires new ways of identifying and authenticating customers and devices, new approaches to managing and using payment credentials and more sophisticated monitoring capabilities.”
Baxter recommended three key areas for close collaboration between the public and private sectors:
- Intelligence sharing. Increase the speed and quality of two-way information flows, “which is essential for developing an intelligence led approach to cyber protection, and for mounting a holistic defense.”
- Research and development. “We need to dramatically increase the speed and scale of cyber innovation in both the private and public sector.”
- Workforce development. Companies face a serious shortage of cyber trained personnel. “We need to increase and maintain the available workforce, which may require greater educational capacity and incentives.”
“From buying products to running businesses to finding directions to communicating with the people we love, an online world has fundamentally reshaped our daily lives,” said the White House in the Fact Sheet accompanying the President’s Executive Order. “But just as the continually evolving digital age presents boundless opportunities for our economy, our businesses, and our people, it also presents a new generation of threats that we must adapt to meet…”
“The President believes that meeting these new threats is necessary and within our grasp. But it requires a bold reassessment of the way we approach security in the digital age. If we’re going to be connected, we need to be protected. We need to join together - Government, businesses, and individuals - to sustain the spirit that has always made America great.”