Boards and blockchains.
Blockchain and related technologies are still in their infancy, but for many businesses they seem attractive, inevitable, and mysterious. Boards need help to work their way through the implications of what can be a solution in search of a problem.
Like the earlier panel on artificial intelligence and machine learning, this session dealt with a popular but poorly understood family of technologies. The moderator, Jason Cook (Managing Director, The Chertoff Group), began by asking the audience questions, and the answers suggested that they really didn't have a firm grasp on what the blockchain is at all.
The panelists sought to bring some clarity to the topic. Those who spoke included Rich Baich (Executive Vice President and Chief Information Security Officer, Wells Fargo & Company), Mance Harmon (Chief Executive Officer and Co-Founder, Swirlds), and Dave Jevans (Chief Executive Officer, CipherTrace).
Some background on blockchain.
The blockchain offers the prospect of a new trust model in the form of a permanent shared general ledger. It's seen as offering several advantages: peer-to-peer transactions, built-in evidence of tampering, built-in transfer value, and a central source of truth. It constitutes a permanent public record of all transaction data in a distributed public ledger. It offers digital ownership, verifiable records (mathematically backed), built-in authenticity, and auditing. The blockchain application most people are aware of is Bitcoin, but the technology is finding legitimate application in many areas, including meeting collateral requirements, securities trading, and international transactions. (See this note for further perspective on the technology.)
Cryptocurrency is the killer app, but it's not the only app.
The most obvious reason for burgeoning interest in blockchain technology is the application it's found in cryptocurrencies. This has been the killer app, and that app isn't going away. There's currently, according to Jevans, a $150 billion market cap in cryptocurrencies, and annual growth rates are estimated at 100%. This explains the interest, but interest has far outpaced understanding. Baich flatly called the misunderstandings "massive," and said that CISOs needed to educate their boards on what this technology is, and the implications it has for the business.
Blockchain tends to be used as a shorthand expression for what is in fact a family of distributed consensus technologies. Harmon (whose company deals in another member of that family, hashgraph) pointed out that there are alternatives to blockchain, and that the security sector as a whole needs to consider distributed consensus in arriving at a definition of "bank-grade security." More important than blockchain itself would be a trust layer that can be placed over the entire Internet. "The community needs to come together on a definition of enterprise-grade distributed consensus."
Not a panacea.
But as with any new technology, it's important to disentangle myth from fact. Where does distributed consensus stand? Baich said that regulatory issues are an important piece of the problem. Blockchain itself is still in the innovation mode, he said, and Jevans agreed. The technology remains developmental, and security will be a massive requirement in its eventual deployment. Jevans asked the audience to consider: full implementation of blockchain in the financial sector would require every bank to become as secure as the SWIFT international funds transfer system.
Distributed consensus is attractive for a number of reasons, and Harmon outlined some of them. He invited the audience to understand distributed ledger technology in terms of databases. The community must agree to resolve write-conflicts. Bitcoin demonstrated that it was possible to take a master from one organization and give control of it to a different party. There's no unilateral change to history or disruption of transactions; there's no unfair influence over order of transactions.
But, as Baich argued, this concept creates a new center of gravity, and so introduces significant new inherent risk. "As happened in the early days of the Internet, we've created something we don't understand how to secure." Criminals will follow, Jevans said, and will move to this new center of gravity. Harmon agreed, and concluded that the lesson we should draw from that inevitable attraction of criminal attention is that the math itself must provide protection.
Baich recommended education to reach an understanding of the technology's inherent risks, and extending that understanding across all the facets of a business.
Looking to the future.
Too many companies have a blockchain solution in search of a problem, according to Jevans, and Harmon agreed that the community is still immature with respect to governance and standards.
Looking to the future, Jevans sees potential for smart contracts, which have been plagued by buggy code and security issues. These are legitimate use cases for a technology some of whose early adopters have been decidedly illegitimate. As Jevans went on to note, "A great deal of the underworld is fueled by cryptocurrencies."
While blockchain may be on its way to becoming what Baich called a "household name," it's not there yet. It may become an infrastructure, Jevans said, but it's not there yet. In Harmon's view, for the typical company, it's probably too early to move. "In the long term the effects will be enormous, but it's too early to know what those effects will be."
In final advice for enterprises, Baich closed on a cautionary note, urging CISOs to help their boards understand the problems the blockchain might address. "Ask what problem you're trying to solve. Is this innovation for the sake of innovation?" If so, think twice.