A year into my stint at the Bank of France, I was still struggling to understand why they employ cryptographers. One day, I saw them huddled around a white board for a few hours and struck up a conversation. They walked me through their highly sophisticated key management solution that included everything from certificate signing mechanisms to deep traffic inspection contraptions. Baffled by the complexity of it all, I resorted to my go-to cryptographer question - “So, where are the keys?”. The key storage, as it turned out, was outsourced to “a cool startup here in Paris.”
Keep your key storage in house. There are very few reasons to outsource the security risks associated with storing and managing your encryption keys. However, this what often happens at companies dealing with digital asset custody. These companies overgrow with analytics, support, marketing, and administrative personnel, but end up relying on BitGo and others to sign their transactions.
Crypto custody is hard. BitGo will never care about your keys as much as you do. Snowden taught us the importance of end-to-end encryption, but we still failed to understand the fundamental problem with outsourcing encryption. We’ve put too much trust in Google employees who did not care about their client’s privacy enough to encrypt traffic between their data centers.
Encryption was being worked on prior to Snowden but it didn’t seem like a high priority because there was no evidence it would achieve anything useful, and it rquires a lot of resources.
CS degrees are no guarantee of expertise. Cryptographers are as good at implementing protocols as interior designers are at laying brick. You also can’t hire astrophysics PhDs hoping that they’ll figure it out on the job. They will sit there for a year reading articles and dreaming up time locks for your cold wallet. Neat idea, until Pearl Harbor happens on Sunday or Vitalik decides to fork Ethereum on Friday evening.
Amateur key management setups have plagued existing crypto custody providers and stopped others from joining the market. Some are straight from spy novels and TV shows. Others will likely make their way to DEFCON slides in the coming years.
Gemini founders like traveling around the country with pieces of paper to address Armageddon risks.
A few basic things to remember. Swiss mountains don’t add an extra security layer. Airgapping cold wallets without proper access and emergency procedures is useless. IP address attribution and SMS as a second factor authentication are fundamentally broken. Hardware wallets aren’t any more secure than a regular smartphone, but attract way more attention to their users. Rubber-hose cryptanalysis exists. So does deniable encryption.
Talk to your local key management professional. What you really need is a team of highly experienced software and infrastructure engineers led by security professionals, preferably the ones that haven’t lost all their data at their last place of employment. Getting them won’t be easy. The post-Snowden IT security job market has been vacuumed by armies of corporate and government recruiters. Big IT companies and three-letter agencies catch talented kids well before they graduate college. Anyone who doesn’t have the time or expertise to grow talent internally is mostly out of luck.
Think outside the box. There are still plenty of people who are unable or unwilling to pass security clearances or pee in the cup. You can also pick up whole teams by looking outside the crypto space. Unlike what you’ve been told, blockchain is not magic. It’s a decentralized system like many others, and we have plenty of hustling security-oriented startups staffed with talented network, database, and systems engineers.
Open up and focus on fundamentals. Anything and anyone who doesn’t need to have access to your keys can and should be outsourced. Establish relationships and offload your headaches to professionals in their respective areas. Unless you plan to bribe officials with coconuts, you will need to put KYC and AML programs in place. Regulators will ask you to watch hundreds of metrics and produce dozens of reports every day, but they will not say which ones upfront. You are better off letting someone else argue with them about the methodology of calculating the price of a 51% attack. Your IT department will thank you for it.
Separate auditing and compliance. While the goal of a compliance team is to produce good-looking reports for the regulators, an auditor is there to show you weak spots in your setup. Hire an outside Red Team and give them sizeable bonuses for discovering vulnerabilities. Security by obscurity only works to a certain point - publish your security designs and openly talk about your failures. Create an open bug bounty program and let people gradually poke holes in your systems. Hacker t-shirts and the ability to laugh at yourself go a long way in saving you public humiliation.
Remember, it’s a marathon. Any asset custody is about reputation and companies that shift their security risks to others will not last long. When their assets under management reach critical mass, many of their security mechanisms will fail at once. When someone robs a bank, getting to the vault is only the beginning. Getting away with the loot and spending it is an equal problem. There’s always a chance of catching the thief and getting the money back. Not so much in crypto. Bitcoin money laundering services cost 1-4% of the total sum. Hackers will start looking into yachts the second they get to your private keys.