Mitigating Risk, Advancing Innovation

Developing a Standards-Based DLT Security Framework for Financial Services

By Stephen Scharf, DTCC Chief Security Officer | Jun 29, 2020

Developing a Standards-Based DLT Security Framework for Financial Services
Stephen Scharf, DTCC CSO.

No, not digital linear tape, but distributed ledger technology!

The technology behind distributed ledgers, generally referred to as distributed ledger technology (DLT), provides a variety of potential value propositions for the financial industry, including strengthened identity measures, improvements in information preservation and data integrity, processing efficiencies, increased operational capacity and compliance effectiveness.

A distributed ledger is decentralized and eliminates the need for a central authority or intermediary to process, validate or authenticate transactions. But for all of the benefits, there are also risks.

As an example, let us look at DLT’s ability to deliver enhanced data integrity. Digital ledgers possess tamper-evident and tamper-resistant characteristics, thereby delivering an increased level of security and trust. Central to their tamper-evident and tamper-resistant nature is their use of cryptographic hash functions, which encrypt sensitive transaction information such as timestamps, and are critical to the security and preservation of the information being processed, stored and transferred in a DLT environment.

While these benefits are compelling, there are a number of DLT-specific security considerations related to cryptographic hash functions that have yet to be formally addressed by way of industry recommendations or best practices. While guidance for standardized cryptographic hash functions with respect to traditional IT environments has been published in the past by the ISO and The Institute of Electrical and Electronic Engineers Standards Association (IEEE), no such guidance exists for standardized utilization in a DLT environment. Yet it is important to note that cryptographic hash functions are just one area that requires exploration when it comes to security. There are a number of DLT-specific security considerations that must be addressed in order to maintain the soundness and security of the markets as DLT is implemented within the industry.

These include, but are not limited to, a comprehensive code review for DLT protocols and smart contracts; monitoring of transaction processing volumes and times; an assessment around the scalability of computational resources; a review of the key management lifecycle and cryptography; and the authentication of users and transactions via cryptographic hash functions on a distributed ledger.

Without addressing these considerations, financial institutions and other critical providers could be vulnerable to security risks including the potential theft of digital assets. In fact, one DLT-related security incident in 2019 resulted in the loss of US$2m, with the assets stolen using the private key stored on an officer’s mobile device.

As blockchain experimentation and adoption continue to increase across the financial services industry, it has become clear that traditional IT security frameworks are not solely adequate for a DLT environment. Furthermore, with the variety of uses cases for DLT—whether in smart contracts, micropayments, data sharing and integrity, supply chains or facilitating peer-to-peer transactions in the sharing economy— a DLT security framework that provides guidance to participants on how to secure their DLT infrastructure could be very useful as adoption of the technology continues.

The Role of Standards

So, what is our path forward and how can we lower the security risks around DLT implementations? The answer centers around standards and the development of a DLT security framework with those agreed-upon standards.

Standards perform several vital functions: ensuring interoperability between multiple DLT implementations; creating a shared vernacular; alleviating concerns around governance or data governance; assisting in digital identity management; and fostering end-user trust in the technology. Let us explore each of these areas.

First, when it comes to interoperability, as DLT develops and the number of DLT implementations increases, many stakeholders will likely want to interact with other blockchain platforms that operate independently from their own. If each firm develops its DLT projects in a silo, synergy will be difficult to achieve. Standards can be helpful in this area, as organizations will be able to work with others and build on top of previous infrastructure investments in a controlled and modular manner, promoting greater interoperability between multiple DLT implementations.

Second, DLT is a relatively new technology that, like many other high-tech developments, has been inevitably accompanied by lots of hard-to-understand jargon and terminology. Standards introduce a shared vernacular, creating an improved understanding of the technology and assisting with the development of robust, easy-to-understand DLT security benchmarks.

Third, new technologies like DLT often face security issues around governance or, more specifically, data governance. By implementing standards and a principles-based framework, firms can more efficiently identify potential security weaknesses in their DLT implementations. At the same time, supervisors and regulators will be able to leverage a consistent measure for understanding potential strengths and weaknesses of DLT implementations.

Lastly, standards can enable individuals to retain more control of their digital identities, which is the compilation of one’s collective actions performed online. This collection of actions can provide a comprehensive view of the individual’s reliability, interests and general personality. As a result, the introduction of standards offers individuals greater privacy and trust in the actions they perform online.

Securing DLT-Enabled Financial Services

With the speed of digital transformation within the financial services sector continuing to increase, the development of a principles-based framework to identify and address DLT-specific security risks cannot be haphazard and must be coordinated to maximize effectiveness. To start, industry participants should collaborate by sharing current best practices for DLT security; agreeing on temporary, baseline industry DLT security standards after an evaluation of best practices; measuring current baseline practices and reviewing potential areas of improvement for baseline practices; and ultimately coming to industry consensus on what the best practices should be.

As DLT-specific security risks span multiple firms and providers, a cross-sector effort is also essential to achieving a coordinated strategy, beginning with conversations between the financial services industry, DLT providers and consumers.

To promote the soundness and safety of DLT-enabled financial services implementations now and into the future, conversations and cooperation around a common DLT security framework, best practices and standards must ramp up now.

This article first appeared in CybersecAsia on May 21, 2020.

 

 

dtccdotcom