Crypto security: Is it different from ‘regular’ cybersecurity?

by Black Hat Middle East and Africa

This year, revenue in the cryptocurrencies market is expected to reach USD $37.87 billion – with the current average revenue per user coming to $56.19. Estimates count more than 420 million crypto users worldwide in 2023. And with the global crypto market growing at a CAGR of around 11.1% up to 2028, user penetration will continue to rise.

Cryptocurrencies and the systems through which they’re distributed need to be secure. But is crypto security the same as cybersecurity in general? And is the inherent transparency in crypto a blessing – or a curse?

At Black Hat MEA 2022 five panelists got together for a live debate about exactly this.

The speed at which crypto projects come to market is a key challenge

Caleb Sima (Co-Founder and CSO at Robinhood) suggested that security in crypto isn’t as mysterious as it might seem. “A lot of people, when they think about cryptocurrency, [think] you have to have very specific skill sets,” Sima said. “I’d say that 98% or 99% of the time there’s nothing specific around cryptocurrency. When you look at the flaws, these are just business logic flaws.”

But while Andrew Morfill (CISO at Komainu) agreed that as much as 90% of the fundamentals might be the same, he argued that the last 10% shifts gears dramatically – requiring a more crypto-specific approach.

For Robert Dudley (CTO at Coinshares) one of the major challenges for security in crypto is, quite simply, speed – he noted that “some of the classic Web3 projects bring real challenges in terms of [the] rapidity with which they cross your desk.”

Nils Anderson-Röed (Head of Intelligence & Investigations at Binance) agreed: “What we’re seeing with Web3 projects is that basically anyone can create their own project. And especially the past year, when there was a huge rise in cryptocurrency-related activities, a new project over the course of a couple of days or weeks could become very popular.”

“If it’s been built very quickly, maybe the security checks or security audit hasn’t taken place at all,” Anderson-Röed added, “and there have been plenty of examples where projects had vulnerabilities which were exploited. Sometimes the funds could be recovered, sometimes they couldn’t be recovered. There are some projects which are very successful and haven’t been hacked – but the speed of creating the projects and implementing changes in a project…it’s a very fragile space.”

Saying no is an important function of a crypto security team

As the panelists discussed whether or not the tooling exists to secure cryptocurrency architecture, Morfill made the point that security teams aren’t just about tech – they also have a responsibility to communicate when the technology simply isn’t in place to secure a system.

“It is the role of all security teams to say: ‘that’s not secure so we’re not going to go to market with that,’” he said. “It’s difficult when you’re building in this space, and from a product development point of view. To say – from a security perspective – we’re regulated; that isn’t secure; we need to slow that down.”

“On the flipside of that, you then become irrelevant and less business-focused as a security team,” Morfill added. “So it’s having the balance. It’s not necessarily a tooling thing.”

Instead, it’s a more holistic view of the scope of the situation: blending tech talent and regulatory understanding with communication and leadership, in order to stand your ground when something isn’t secure – even if it might slow down your speed to market.

Sima agreed that pace is a serious challenge for cybersecurity teams working in crypto – and that diving in quickly without a solid understanding of the safety and risk involved is leaving companies (and users) exposed. But while he stood by the notion that the principles of crypto security are more or less the same as in any other cybersecurity practice, Philip Martin (CSO at Coinbase) shared a different perspective:

“I agree with you that the mindsets are very similar. But the tooling focused on cryptocurrency – how do you monitor a blockchain, how do you evaluate a smart contract, how do you track unsafe function indications of a smart contract on blockchain – none of that exists.”

“The interesting piece of this,” Martin added, “the principle involved here, is when you’re in an industry like ours that is moving really fast, it’s critical to be able to step back and say: ‘that piece right there — that I need to put a bunch of effort into. These pieces I don’t need to; I can buy that; someone else has done that and I can steal the idea.’”

“A lot of us can get very involved in the…we’re going to build this. We’re going to build it all because we have the expertise and we’re so good at this, and whatever else. And I think being very focused on the 5% or 10% that is unique, and that needs focused attention – that is a critical skill here.”

The pros and cons of transparency

Speaking on the division between ‘regular’ cybersecurity and crypto security, Dudley said: “A difference is a lot of this is distributed entirely in the open. In some ways presumably the openness makes it more vulnerable, but also provides opportunities to make it more observed. More visible.”

So is transparency a good thing for the security of cryptocurrencies – or not?

“Little bit of both,” Morfill said. “In a finance space it is a curse because assets are leaving and you’re not getting them back. But if we’re talking blockchain rather than DeFi, open transparency and peer-review at a code level is nothing but a good thing.”

“I would say it is a benefit,” Martin said, “and the reason is because it shortens our learning cycle. There is no backstage to DeFi, there’s nothing going on behind the curtain, and so when we see bad things happen it’s very apparent to the entire industry what happened, why it happened, and how to avoid that happening to you — in a way that I think just doesn’t exist in any traditional spaces.”

Sima agreed – largely because of what happens after a cryptocurrency hack. When you look at the response, and how many hackers have actually managed to steal or launder or use money, “in many of these cases they’ve not – because of transparency. Once it occurs, everybody can see where that money went. And there’s a coordination of people who go, ‘we’re not going to touch it.’”

In short, while transparency might create vulnerabilities, it also provides in-built security: because it’s very hard to move stolen crypto funds without being noticed.
