It’s been two weeks since the Bitfinex breach, and I’m glad to see they are up and running again. Unfortunately, the event has raised questions about the security of Bitcoin, and some suggest it may be impossible to ever secure cryptocurrencies. They’re wrong – and I’d like to tell you why.
I certainly understand the concerns, and there are clear learnings in the Bitfinex story for the Bitcoin ecosystem. But I have full faith in the underlying technology and the multi-signature model. At times like these it is easy to forget that Bitcoin has been built with privacy and security at heart. It has been fortified over time with technology advances like multi-signature protocols and hierarchical deterministic wallets. But if we continue to have events like this one, we’ll never gain the user confidence sufficient for us to reach critical mass, and Bitcoin will become a footnote in financial history.
For that reason, over a year ago, several industry leaders banded together to form the Crypto Currency Certification Consortium (C4) and establish a set of standard practices to secure Bitcoin and other cryptocurrencies. The group’s most important work is the Crypto Currency Security Standard (CCSS). The project is guided by a steering committee composed of industry leaders, including BitGo, as well as representatives from top accounting firms Deloitte and PwC. The standard is nearing finalization, and I’d encourage you to review the current draft if you have not already. The standard includes a comprehensive list of factors required to safely store and transact in digital currencies, including the handling of keys and wallets.
Before the Bitfinex hack, past breaches served as litmus tests for the CCSS: would implementing the standards have prevented those breaches? The answer is generally yes. Although the investigation of the Bitfinex hack is not yet complete, I believe that in the final analysis we’ll find the same result, and that CCSS compliance, coupled with standard opsec best practices such as SOC 2 Level 2, could have prevented this loss.
So, if you’re wondering how mainstream financial institutions will ever be able to enter the Bitcoin market, the CCSS, combined with standard operational security practices, is the answer. It’s time to get serious about standards and ratify the final version of the CCSS. We also need folks like PwC and Deloitte, who are already part of the solution, to help with auditing cryptocurrency companies and help prevent future attacks. When all parties participating in the handling of Bitcoin adhere to the known best security practices, major Bitcoin breaches will become a thing of the past. Better than that, with C4’s work to transparently certify Bitcoin companies, consumers will have better visibility into which companies are taking the necessary steps to protect their Bitcoin.
As I write this, the total value of the bitcoin market is a little under $10 billion; the entire global cryptocurrency market is a few billion higher. In the context of a global financial market that measures in the trillions, our nascent market is barely a rounding error. But the potential remains to create a new store of value, one that is safer, more private and easier to use than traditional currencies. To realize that potential, users need to know that their money will be there when they need it. The Bitfinex hack was an unfortunate reminder that there is still work for the industry to do – but if the industry continues to zero in on privacy and security, it won’t stop cryptocurrencies generally and Bitcoin in particular from revolutionizing global financial markets.