Security Notes
Picture this: We’re all standing in line at the American Express travel bureau. We hand over our U.S. dollars and take away American Express traveler’s checks. I do it, you do it, the banks do it, the merchants do it. We all carry American Express traveler’s checks.
Unfortunately, the hackers are still there, as always, only there are even more of them, since business is so good. They do their thing and outwit us, cyberswiping our money. But now we, the victims, have recourse: We call up American Express and get reimbursed dollar for dollar, cent for cent.
Whether individuals, banks, or merchants, we all are made good. We have shifted the problem to American Express. It’s now in their court, it’s their issue. American Express makes us whole, and shoulders the full measure of the cyber attack.
Sounds nice, right? But consider this: Since when is kicking the can down the road a winning strategy? Down the road lives the 800-pound gorilla. So a fundamental transformation takes place in our relationship with financial-services companies. It’s as if all the wimps in the neighborhood were to run to Superman to help them face off the bullies. In war-theory parlance, we have redrawn the battle lines around a single fortified center—the issuer of the money.
Digital money can be cryptographically tethered to its owner (see my book, “Tethered Money: Digital Currency & Social Innovation”), and this makes the digital mint the fortified center the hackers will need to crack. Can they? They have been impressively successful so far, so why wouldn’t they defeat the mint?
Here is a cold reality nobody wants to talk about. Our credit cards are being violated at the merchant with the least protection. Money is being stolen from the financial institution defended by the C-student security professional. In other words, the smartest hackers today find and face off against our dumbest defenders. Hackers compromised Home Depot, for example, through a loose supplier. Once we redraw the lines so that the smartest hackers must face the best and brightest on our side, the odds tip our way!
As early as 1936, when computers were only a thought experiment, Alan Turing disappointed pure mathematicians who believed in their foresight. He proved that you cannot generally “look” at software and data and deduce what will happen. You must actually run it. Mathematical proofs don’t have an expiration date. You cannot build a firewall with oodles of smarts to infallibly determine whether the incoming data contain malware. We must build security through expensive parallel interpretations of computable numbers. Only when two or more computing routes agree can we develop solid confidence in our digital results.
It’s similar for ciphers. The main algorithms we use today are covered by a solid mathematical proof that they are breakable. We use them only because we assume that it will take too long for our adversary to compromise them. This works—as long as the hacker agrees not to be too smart. New equivocation-based ciphers wait in the wings (e.g., U.S. Patent 6,823,068).
These unspoken realities work in favor of the hackers. The means to fight back are very sophisticated and very expensive. To prevail, we must do away with today’s cybersecurity architecture that allows the hackers to defeat us by scrutinizing our very long financial front lines and penetrating through our weakest link. We can’t deploy ace security people in every regional, parochial financial institution.
The winning strategy is to draw the hackers to our fortified fortress, the mint, and engage them on our terms! We must roll up our sleeves and exercise the amazing trading benefits of digital money through a centralized mint (e.g. BitMint). The mint will be protected with all our firepower. Hackers will no longer be able to sneak in through remote loose ends, and then crawl up to our central databases. Instead, they will have to defeat our top people, who will be armed with our state-of-the-art security tools.
When it comes to security, too many people these days benefit from hype, silence, and lies. They offer false hope from incremental steps aimed at “degrading,” “curtailing,” and “weakening” our cyber enemies.
Look, we cannot wish the cyberwar away. Let’s win it fair and square. Let’s turn the digital mint into the victory hill where legions of hackers meet an inglorious defeat. It’s time to ask, What would Churchill have done?
Gideon Samid • Gideon@BitMint.com