Thank you very much. Before waiting, we will start the breakthrough for safer digital custody, security and regulations. This is the panel. Introduction of our panelists. For current digital services, founder and CDO, Mr. Aldo Locastro. From Huobi, Ms. Flora Lee. From Kraken, CEO, Mr. David Ripley. Casa co-founder, CTO, Mr. Jameson Lopp. Last but not least, our moderator from Georgetown University, researcher Professor Matsuo Shinichiro, Professor Matsuo. I will hand over the microphone to Matsuo-san.

Thank you. The topic of this panel discussion is on the security of custodians. In Japan, there are many mega-breaches from 2017 that happened. For Japanese blockchain persons, security of custodians is a big issue. I would like to have a 40-minute panel discussion on how to secure a cryptocurrency exchange and custody. Here we use the word custody instead of cryptocurrency exchange. Anyway, let us have a great discussion upcoming for the 40 minutes. I would like to ask each of the panelists to give a self-introduction for one minute. I would like to ask Aldo Locastro. Could you introduce yourself briefly?

Hi, everyone. My name is Aldo Locastro. I am the CEO of HOKAN, the digital service limited, and the co-editor of the ISO technical report on the security management of digital asset custodians. My main role here today is to talk to you about HOKAN. Thank you.

Thank you very much. Next, I will ask Flora to introduce herself.

Hello, everyone. I am Flora. I am from Huobi Research. It is really nice to meet you. Thank you for inviting me to this panel. Huobi was set up in China in 2007. It has been seven years dedicated to the cryptocurrency area. Besides the exchange business, we also have Huobi Wallet, Huobi Pool, Huobi Chat, Huobi Labs, Huobi College, and Huobi Research. I am from Huobi Research. We are focused on the research of blockchain technology, application, and industry development. Thank you.

Thank you very much. Next is David. Could you introduce yourself?
I am pleased to be here with all of you today, virtually at least. I am the chief operating officer with Kraken Digital Asset Exchange. Kraken is one of the earliest and largest cryptocurrency exchanges, digital asset exchanges, really in the world, operating across the majority of the countries out there. Myself, as I mentioned, I am chief operating officer with the firm. A little bit of background on myself, I previously founded a company, Glidera, in the cryptocurrency industry that was acquired by Kraken in 2016. I joined the firm at that time as COO. Previous to that, by training, I am an engineer, so I spent some time as a software engineer and product manager, and then also spent some time at the Boston Consulting Group as a strategy consultant following my time achieving my MBA at the Kellogg School of Management at Northwestern University.

Thank you very much. Last, I would like to ask Jameson Lopp to introduce himself.

Hi, thank you. I've been working in the Bitcoin and crypto security space for about five years. I spent three years building infrastructure at BitGo, doing multi-sig enterprise security. I unfortunately saw a number of mishaps happen. We were helping to power exchanges and other enterprises and succeeded in many cases, but failed in a few others. I have learned a lot over the past few years, sometimes through hard lessons, and now am focused on using multi-signature aspects of these protocols to help individuals secure their assets as well. In addition to working on building these platforms for security, I also serve in an advisory capacity to the cryptocurrency consortium, helping to work on standards and ability for us to create auditors and examinations and certifications to really build on top of the existing ISO certification process, but with a more specific focus on the crypto asset space. We certainly still have a lot of learning left to do, and it's very exciting to be here.

Thank you very much. Anyway, you look so mysterious. Where are you?
Somewhere on the internet.

Thank you very much. During today's discussion, I prepared three questions, but I would like to start with the first one. The first one is, what is the role of the custody in the blockchain ecosystem? We need to have a common understanding of what the digital asset custody or crypto asset custody is. I'd like to ask Flora first. What is the role of custody in this ecosystem?

Thank you. Thank you for your question. I think custody service is an inevitable option for the development of the blockchain ecosystem. The main utility of the cryptocurrency custody lies in the safeguarding of cryptocurrency assets. Private keys, which are used to conduct transactions or access crypto holdings, are a complex combination of the numerics, and they are extremely difficult to remember and can be stolen or hacked. So we need a professional institution to help us keep our assets safe. The other important reason for the existence of cryptocurrencies custody solution is regulation. According to American SEC regulation, as part of the Dodd-Frank Act, institutional investors that have customer assets worth more than $150,000 are required to store the holdings with a qualified custodian. SEC's definition of such entities includes banks and savings associations and registered broker dealers. Futures commission merchants and foreign financial institutions are also included in this definition. Digital custody business is a very important part to attract more investors and institutions to set foot in this cryptocurrency industry. So for us to attach importance to this area, and we have already provided brokerage service for institutions and high-net-worth individuals, and also taking care of customers' assets is one of our services. Besides in Japan, we have acquired a DLT license that is distributed ledger technology in Gibraltar, which is a banking-level KYC AML standard to ensure a secure trading environment. And this can allow us to do custody business.
Besides that, we are also working on other countries' license operations. Although I can't share too much information about unpublished products, what I want to emphasize is that we will provide more financial products and custody services under regulation in the future. Thank you.

Thank you very much. And I would like to ask the same question to David.

Yeah, so I think first off, Flora had actually a very, very comprehensive answer, so I can probably just try and highlight a couple pieces there because I think it was very comprehensive and clear and covered a lot of the relevant aspects. So I think first off, one of the things that when individuals think about custody, they think about safekeeping of assets, which is absolutely at its core, right? So securely safekeeping of digital assets. I think one of the things that is less top of mind for individuals is that once an institution takes on custody of those assets and secure safekeeping, that actually puts the institution in a place where they also control the means of transacting with the blockchain itself. So literally everything depends upon being able to sign transactions in order to interact with a cryptocurrency network, from exchanging and trading assets to interfacing with more advanced smart contracts, DeFi applications, and some day the further off, longer term Web 3.0 applications. And so inherent in that, I think once an institution could, of course, provide a simple storage service, but the richness of the blockchain certainly is tied to being able to actually sign transactions and interact with the network in a much more holistic way. And then probably the other thing that I would point out, and I wouldn't be surprised if Jameson touches on this as well, but I think it's important to note that when we talk about securing digital assets, there's both a non-custodial path and a custodial path.
And cryptocurrency is really the first digital asset that has existed ever where individuals can actually store these digital assets in a non-custodial way, typically by leveraging some type of open source software and/or hardware wallet of some sort. So I think that's actually meaningful and a key piece of the industry. So while Kraken itself is a custodian, the non-custodial solutions I think actually play a significant role here. So coming back over to the custodial side, I do agree with Flora that once a financial institution kind of puts itself in this position of taking custody of another individual or business's digital assets, then yes, I think this is where we see regulation coming into play. And she did a good job of pointing out a particular example in the US where it's actually a requirement that some investment funds work with qualified custodians. And we don't expect that to change due to digital assets. So I think probably the last thing to touch on is that I think for a while, custody and security was a big question on was the industry going to get past these challenges given all the hacks? I think from my perspective, I actually don't think it's necessarily holding back the industry per se. However, I do think that the increasing levels of security that simultaneously address ease of use are absolutely critical to moving this industry forward.

Thank you very much. I think that so custodians, so crypto custodians, digital custodians may play the same role as what the Internet service provider plays a role for the Internet. This is an entry point for the end users to the ecosystem of the Internet and the blockchain ecosystem. I think that there are many important roles for the business side and the regulation side. But so I would like to ask Jameson on the role of custody from the technology point of view or key management.
So you are the technology person and could you let us know that what, why that custody is important from the technology point of view?

Absolutely. Really, like Dave was saying, security is actually pretty easy. If you want to secure something, if you want to secure keys, then all you have to do is bury them inside of a mountain where nobody can access them. We had a service called Xapo that was doing that and literally using nuclear bunkers and vaults to make sure that no one could get those keys. But that really misses out on a lot of the utility that these new protocols and networks are providing. So the question becomes, can we provide security in a way where we have layers of authorization that ensure that only the correct entities are able to authorize transactions to happen on these networks? And does that mean we need better security with traditional custodians? Certainly that's because these large custodians are very valuable targets. They may have hundreds of millions if not billions of dollars of value stored in a single entity that will attract a lot of attention from various attackers. It also means that we need better security for individuals so that if an individual comes into this system, they don't have a catastrophic mistake that results in them losing everything and no longer wanting to use these systems. That would be terrible for adoption. And the great thing is that now we can actually create these hybrid models. It doesn't have to be one or the other. We can create new types of collaborative custody where perhaps you have both a somewhat trusted large institution or custodial provider working in concert with the individual. This is where things like multi-signature transactions and aspects of these protocols come into play.
We can create much richer types of authorization models that can work for both automated systems and implement various business logic or require human auditors to step in whenever it looks like something odd might be happening. So it's really our game to lose if we don't innovate in this space and create new types of custody that haven't really been seen before.

Thank you very much. That's an interesting view. I would like to jump into that detailed discussion on how to secure that custody. First, I would like to ask Flora and David on the current security challenge on your custody. Firstly, I would like to ask Flora, what is your security challenge in organizing a Huobi custody service?

Thank you for your question. I think security is the most important thing in our business. And I'm proud to say that Huobi has been running safely for seven years. Our customers never lose a penny. To achieve this, we have the most professional security team. And this team is one of our biggest departments in our company. Talking about custody security challenge, I think operational and technical considerations might be the most important parts. First, talking about the operational considerations. First, verification measures such as multi-factor authentication should be put in place to reduce fraud risk and to confirm the process we store assets from the custody platform, as well as procedures to approve and authenticate transactions above certain limits. And actions including technical solutions and surveillance to prevent, detect, or deter money laundering, terrorist financing, or sanctions risk are also quite important. Furthermore, a third-party technological audit is needed, including in respect to risk compliance and cybersecurity. Besides, it is also necessary to do staff management to ensure that a single person cannot execute and sign a transaction on behalf of a client.
We may rely on operational and technological checks and balances to reduce risks associated with control and access to customers' holdings. Finally, maybe dedicated insurance is also necessary to guarantee the whole business running with low risks and make sure our customers are with low risks. Second, technical considerations. The system needs to be designed to enable a high degree of security and operational reliability with adequate and scalable capacity. We also need a database recovery plan to deal with some unexpected server issues like system crash or attack, and a network security contingency plan to tackle with hacker attacks. And most important, how we store the keys. We must make sure the best practice standards, like strong encryption is needed, the sum of the keys required to transact are not stored in one physical location and so as to backup keys. What I have mentioned are just a part of the security concerns. In fact, there is plenty of work to do before we are able to provide a secure and reliable custody service. Thank you.

Thank you. There are many, many problems on the security to organizing secure custody. Dave, do you have any thoughts or additions from the Kraken point of view?

Yeah, so I think, again, great comprehensive answer by Flora. I think I'll try and keep it short because she did cover a lot of great things there. I would break it down, you know, there are a few things with regard to the security challenge. So, I mean, there's the security itself. I would also come back to the user experience and ease of use as another key input here. And then regulation, you know, once again, when we're talking about custodians, I think it's something that we're going to increasingly see. So, you know, first off on the security itself, you know, at Kraken, we sometimes say that, you know, we're a security company with an exchange built on top. And so it's definitely one of the core areas of our business as well.
And one of the ones we absolutely take incredibly seriously. And I think, you know, kind of Flora went in this direction, but it's important to note that, I mean, when we talk about security for an institution like ourselves, it absolutely doesn't stop with the technical side of things. Yep, for sure. That's a meaningful piece. Absolutely. Product security, the systems, the data, the user security side of it. Absolutely all key. But, you know, we go beyond that and we have to go beyond that to thinking about, you know, what are the processes we have in place to build this software and deploy it. Actually, what are all the processes we have in place as a company? You know, think about also our internal IT systems, not even the product or exchange itself, but even just our HR and finance systems, as those can be actually leveraged sometimes as attack vectors. Our vendors, suppliers, partners generally, security of our offices, you know, our employee physical security while they're traveling. So there's just every dimension you could imagine with regard to running a business as, you know, needs to have a kind of entirely different approach from a security standpoint. And, you know, we're thinking about attackers that, you know, range from individuals to crime rings to even coordinated nation states or even our own employees as a potential threat vector. So it's really significant from that standpoint. I think, you know, the biggest challenge is we have to, again, we have to do all of this while, you know, providing a kind of like clean and simple to use user experience for users. This is, you know, one of the things that actually makes the challenge what it is. And so, you know, it certainly can't be too complex or we failed in delivering what we need to.
And then lastly, the third point, again, yeah, I do think, you know, we're starting to see it varies by geography, varies by country, but we're starting to see regulation become a bigger and bigger component as well.

Thank you very much. Yeah. So balancing that user experience, usability and security is usually so hard things, but it's more, it's harder for that. Lastly, and it's time for Aldo. So I and Aldo are the co-editors of that ISO technical report for the security of custodian. And so I'd like to ask Aldo to explain that the abstract of ISO technical report on the security of custodian.

Yes, thank you. So, in general, I just wanted to add that it's been mentioned before, but the ISO TC 307, which is holding the committee where me and you are working, has been working hard now for several years to try and define some standards for the blockchain and distributed technology as well, which is, some of you know, and those of you who don't, is not an easy task. So, and the specific technical report is, at least in our minds, a sort of a stepping stone. As part of a journey where at some point we would like to publish some standards in this area. So the technical report focuses on the management issues of that custodians that have been mentioned up to now face and the challenges they face, the risks. It sort of has a sort of snapshot view of the current situation where we are at, showing with specific focus on, of course, on the custody of digital assets. So, the particularities that this sort of category has, which, of course, focuses a lot on the key management, as we all know, the management of keys for digital assets is one of the main aspects. And so, it talks basically about the risks, the threats, and the measures which need to be put in place by custodians to sort of mitigate and ensure the best practices that have been done and that are used in the industry up to now.
So, as I mentioned before, a technical report is not itself a standard, but it's a stepping stone, I would say, to get there. So, we are quite happy that we are very close now for it to be published. So, fingers crossed, soon we should have this published by ISO, which I think is an important milestone.

Thank you. And so, the good news is that this technical report will be published probably next month, and so we are now calling for the next revision. So, we are now calling for contribution for the next revision. So, I would like to ask everyone in this planet to provide some contribution for the next revision of this technical report. And so, the last question in this part is for Jameson. So, there are many, many security problems here, but I believe that technology can help enhance the security of custodians. So, what is your view or what is your proposal to use technology to help securing the custodians?

Well, it really has to be comprehensive. Whenever we are talking about security, especially cyber security, a single chink in your armor can result in the entire house of cards falling down. So, even if you have excellent practices around generating, storing, and accessing the private keys, which is what most people are worried about, it's always possible for an attacker to get somewhere else in your system and essentially trick you into using those keys incorrectly. You know, the greatest, I think, change that we're seeing over the past few years as the security standards, the practices continue to improve in this space, is that the attackers are starting to go after the only weak points that are really left, which is the humans that are involved in the systems. So, we can create better hardware, better software to help secure these keys, but I think ultimately what it's all going to come down to is processes and making sure that every single human that is involved in the process is not a sole actor.
That they have other people who are checking on them and making sure that no mistakes are happening and that no insiders are essentially turning malicious or being tricked somehow. So, unfortunately, you know, this is a space that is dynamic. It is always going to continue changing. It will certainly be an exciting space to continue working in, but there's certainly not going to be any silver bullet that is going to make everyone safe. The simple way that I usually put it is that, you know, anything that can be owned can be stolen, and all we've really done here is taken something like gold or physical commodity and we've digitized it and just created a much more complex attack surface. So, we get a lot of great utility as a result of the properties of these digital assets, but we've also created a whole slew of new problems for us to think about because they can be taken as easily as they can be leveraged by their owners. So, it's going to require a lot of collaboration and it's going to require, I think, a lot more hard lessons of people, unfortunately, losing access to their keys or getting the keys used without their permission. But every loss, every bad news event is a learning experience, and I do believe that we will continue to harden the system as long as we continue collaborating, working with each other to do so.

Thank you. And so we have 10 minutes left, I think, that I would like to move to the last question. The last question is quite simple but a difficult question, but this is also how we convince government and customers of the security of the custodian. So, this is a difficult challenge, but we need to convince government and customers on the security of the custodian. I would like to first ask David, so on your experience with communicating with government or customers on the security of the Kraken custodian.
Yeah, I think this is a great question and, you know, I honestly wouldn't say that I have a great solution for this challenge here, but maybe I could just state the challenge and I think some of the discussion here on standards and what Aldo is working on are some interesting paths to address some of these challenges. So, I think one of the challenges with, you know, regulator, working with regulators on the area of custody and security is with regard to transparency and information. So, you know, regulators, as you might imagine, will often be interested in and push for more information and transparency. So, on one hand, this is entirely logical and makes sense that they would, you know, how else will they, you know, kind of ensure compliance with regulations and so forth. However, it does present the challenge because the more, you know, detail on information that is, you know, put down on paper or communicated to more individuals with regard to the specifics and details of a particular security structure, you know, that is itself a potential path that can increase vulnerability. To the extent that this information can be used, it gives them a potential blueprint for executing attacks. And so, there's, you know, most of the regulators that have been, you know, kind of focused on this area for some time are aware of this challenge. And at the same time, just that simple awareness doesn't make it, doesn't mean we have, you know, great solutions for it. So, I think this is, you know, one particular area that is, you know, faces both institutions like Kraken and the regulators as well on how to kind of conduct this conversation and how to communicate about security and where a particular institution is at. So, you know, I don't think we're there with kind of like cryptocurrency specific standards at this point in time, but, you know, I do think it's worthwhile to explore given, you know, its potential to even help with this challenge among others.

Thank you.
And, yeah, I think that regulations are different among nations. So, I think that regulation in Japan, regulation in the United States or in European countries, they are very different. And so, custodians need to deal with the differences among nations. I'd like to ask Flora on your view of the differences among nations.

Okay, thank you. And the supervision rules for digital custody are quite different among countries. Some countries require the new cryptocurrency business operating under its existing regulation framework, while other countries may publish new regulation rules or license for the digital currency industry. Some countries are taking active and positive action to welcome this new challenge, this new change, while others may hesitate to move forward. For example, in America just a few days ago, the Office of the Comptroller of the Currency, that is OCC, has clarified that national banks and federal savings associations can provide cryptocurrency custody service for customers. The OCC sees banks providing cryptocurrency services as a modern form of traditional bank activities related to custody service. Besides banks, we can also provide custody service if we can get New York BitLicense. Others like Gibraltar and Bermuda could represent the countries who own active and positive attitudes. They have both published some policies and license especially for digital currency or virtual currency, like DLT license in Gibraltar. It allows assets transfer and storage through distributed ledger technology, which means it allows cryptocurrency custody and exchange business. And the Bermuda Monetary Authority has published the Virtual Currency Business Act in 2018. The company could apply for a Class F and Class N license to operate cryptocurrency custody and exchange business.
While some other countries, like in Germany, it's really difficult to set up a cryptocurrency custody business because of its strict requirements and hesitant attitude towards this new industry. Although the attitudes among countries are very different, there is a clear trend that more and more countries are open to welcome this new industry. And this progress has been sped up already. Thank you.

Thank you. I think that this is two minutes left, and I would like to ask Aldo the final question. So we are creating that ISO document. This is a useful tool to have common understanding among all stakeholders, including government, users, engineers, and academia. So how we can utilize that standard to enhance understanding among all stakeholders?

Thank you. Well, standards, it's one of their main uses. One of their main points is to use them as a sort of basis for mutual understanding. So I don't think it's a coincidence that the first standard released by TC307 was on terminology. I mean, if you don't speak the same language, how are you supposed to then go on and work together? And especially in a, we can say relatively new space such as blockchain and DLT, it hasn't in the past, and maybe isn't even now, always easy for people even to say, you know, what is a blockchain, what is a DLT, and agree on that definition. So you have to start somewhere. And this is definitely an area where standards can help a lot, because once you've defined those standards, then all the stakeholders can sort of at least speak the same language and understand each other. So it works obviously at many levels, terminology, starting point, reference architecture, and of course, what we are working on, so the security aspects are the same. So I definitely think that standards have a major role in this. And it's always difficult to find the balance, and that's always the challenge to sort of have standardization without stifling innovation.
But I definitely think that both are possible and standards will contribute a lot to making this market grow and will help the industry.

Thank you very much. And I would like to continue this discussion for one hour or more. This is an interesting discussion, but unfortunately, so we have run out of time. And thank you for all, so we can understand how custody is important in this ecosystem, and so how that securing that custody is a comprehensive but difficult challenge, but we have some tools of the technology and standards to have better understanding among stakeholders and securing this ecosystem. Thank you very much for joining today's discussion, and I hope that all of you and everyone staying safe, and so thank you for joining today. Thank you.

Thank you. Thank you very much. Thank you.

Okay, thank you for the wonderful discussion. This concludes the session on Breakthrough for Safer Digital Custody, Security and Regulation. Mr. Locastro, Ms. Lee, Mr. Ripley, Mr. Lopp, and Professor Matsuo, thank you very much. Once again, please give them a big round of applause. Thank you very much.