Discover more from Principles of Bitcoin
Bitcoin and Cybersecurity
Last week, Texas A&M launched the Global Cyber Research Institute and held its inaugural summit. This cross-disciplinary institute is dedicated to taking a holistic view of cyber security. Not just the technology, but also policy, business, and social aspects. The founding donors of the GCRI are some of the university’s distinguished alumni, Ray Rothrock and Anthony Wood. Rothrock made his career as a venture capitalist with 15 deals and many exits in the cybersecurity space. Wood is the current CEO of Roku and has cyber security top of mind, with his 200 million devices deployed worldwide.
I spoke on a panel about Bitcoin and financial security. Here are my main points, aiming to connect the ideas in Bitcoin within the larger cyber intellectual landscape:
Bitcoin security mixes hard science and social science
There are two primary sources of security within Bitcoin. The first is security within each transaction, insured by cryptography, particularly digital signatures. These are the mathematics of finite fields, elliptic curves, and very large prime numbers, all of which I spend a month in my Bitcoin coding class reviewing. This hard science of cryptography forms the first line of defense and the core of Bitcoin security.
Most of the public conversation about Bitcoin ignores this area, and even prominent Bitcoin executives and users don't fully appreciate it. For example, during the Block Size Wars, some worried that a 51% attack would allow malicious miners to access anyone's bitcoins. This is not true, as the elliptic curve digital signature algorithms (ECDSA) protect transactions, even if the miner forked the chain.
The second, more novel layer of security is across transactions, on the public ledger. Everyone must agree on what transactions have occurred in the past; otherwise, the system is open to double spending. The protocol ensures One True Chain through a tournament for Bitcoin miners: miners compete for a reward to append a block onto the chain. This is a social science mechanism that traditionally has been absent from conventional cryptography. Bitcoin deploys game theory and social science to secure the public ledger, and this is an intellectual breakthrough unto itself.
Mining serves a cybersecurity function
Thus, mining secures the public ledger of accounts, ensuring everyone sees the same data and agrees on the same history. This feature of mining is universally overlooked and misunderstood in the press, which constantly focuses exclusively on energy usage. To do so is not an honest analysis, because it considers the cost but not the benefits. The legacy financial system of trust imposes implicit taxes on the economy, through bank failure, government bailouts, crony capitalism, and inflation. These costs must be included in an apples-to-apples comparison of Bitcoin to legacy finance. The benefit is the removal of intermediaries and all the inefficiency and deadweight losses therein. The mining community should more vocally articulate its role in security, and align with the cyber security narratives that today are taken as given (e.g security is a cost but necessary to unlock economic/business growth).
The security/usability trade-off
The native security of Bitcoin described above is strong. But the end user must ultimately be responsible for managing and handling this security. One consequence is that managing your private keys takes focus, planning, and organization. And the biggest downside risk of this security is not that others will obtain your bitcoin, but that you will lock yourself out of your own coins. Usability matters.
The crypto industry overall has overshot to the other extreme, where consumers left their coins on exchanges like FTX. In this twist of irony, the decentralized financial movement landed ended up with central actors like exchanges operating with impunity, under the ignorance of the consumer marketplace.
This is a slow process, but the market will find a middle ground as users learn their lessons from FTX and come to know the risks and costs of third-party custody. It remains to be seen whether the market will settle on an equilibrium with multi-signature, single-signature, or some hybrid with consumers and firms holding a mix of their keys. This is a great area of innovation and opportunity: to locate the sweet spot between security and usability, something I encourage all my students to think hard about.
Michael Flaxman, a Bitcoin expert on multi-signatures, claimed in one of his early talks at Texas A&M that Bitcoin raises the stakes for cyber security. Years ago, hackers would execute phishing attacks to get your identity to get your money. With Bitcoin they can go straight to your money, skipping the need for knowing your identity. And so, the incentives for attacks are higher, and the need for better security and management is greater. For Bitcoin, I don’t believe the security of the coin itself needs any work, but rather broad-scale adoption and education on what private keys are and how to manage them.
Lessons for Adoption
Pacific Bitcoin this week focused mostly on the sound money aspects of Bitcoin (at least on the main stage). As it should, as therein lies the chief value proposition of Bitcoin in the long game. In the short game, existing industries (energy, cyber, banking) will need to discover Bitcoin on their own turf and in their own language. And they will connect with Bitcoin on one of its many sundry faces.
The social science of Bitcoin’s security model is a big, new idea and directly relevant for the cyber industry, more so than the errors of the Federal Reserve. And this is also an opportunity to remind the cyber community of its cryptography roots, much of which get lost in the military industrial complex that occupies so much of cyber today. Let’s remember the words of the Cypherpunk Manifesto thirty years ago: “We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.”