As I waited, along with the rest of the world, for the first bitcoin ETF to be approved, one thing kept nagging at me: with a handful of exceptions, including Fidelity and VanEck, nearly every applicant for a spot bitcoin ETF planned to use Coinbase as its custodian.
David Schwed is the chief operating officer of Halborn.
As the leader of a blockchain-focused cybersecurity firm, I was given pause by this concentration of risk, by the inherently high-stakes nature of crypto custody, and by the fact that security best practices are still evolving.
What worries me is not Coinbase itself. The company has never suffered a known hack, which explains why so many traditional institutions trust its expertise. But there is no such thing as an unhackable target: given enough time and resources, anyone and anything can be compromised, a lesson I learned over a career at the intersection of cybersecurity and asset management.
What worries me is the extreme concentration of assets in a single custodian. Given the cash-like nature of crypto assets, that situation is concerning in itself.
Perhaps it is time to reconsider the "qualified custodian" designation, a regulatory sign-off that, in its current form, does not necessarily ensure that blockchain-based risk assets are protected at all (let alone protected well). Beyond that, digital asset custodians should ideally be subject to stricter state and federal standards, and to more oversight from regulators trained in this domain, than they are today.
Today, most qualified custodians safeguard stocks, bonds or digitally tracked fiat balances, all of which are fundamentally legal agreements that cannot simply be "stolen." But bitcoin [BTC], like cash and gold, is what is known as a bearer instrument. A successful crypto hack is like a Wild West bank robbery: once the money is in the thief's hands, it is gone.
For a crypto custodian, then, a single mistake means the assets are gone entirely.
We also know that the forces of global crypto crime are powerful and determined. To cite just one notorious example, North Korea's Lazarus Group hacking team is believed to have stolen $3 billion worth of cryptocurrency over the past six years, with no sign of stopping. Inflows into bitcoin ETFs in their first trading week were projected to exceed $6 billion, making these funds prime targets.
If Coinbase ends up holding tens of billions of dollars in bitcoin in its digital vaults, North Korea could easily mount a $50 million operation to steal those funds, even if it took years. Threat actors like Russia's Cozy Bear/APT29 group may also find institutional crypto an increasingly attractive thing to pursue as these pools of funds grow larger (and they probably will).
This is the level of threat that major banks prepare for. One widespread model of risk management for financial institutions utilizes three layers of oversight. First, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; and third, the audit layer makes sure that risk mitigation practices are actually effective.
On top of that, a legacy financial institution will have external auditors and external IT oversight, as well as numerous state and federal regulators looking over their shoulders. Many, many eyes will examine every aspect of risk and security.
But these multiple levels of redundancy and nesting failsafes require one deceptively simple thing: headcount.
During my time as global head of digital assets technology at BNY Mellon, the investment bank had roughly 50,000 employees, of whom around 1,000 – or 2% – were in security roles. Coinbase, even after recent expansion, has fewer than 5,000 employees. BitGo, also a qualified custodian certified by the State of New York and other jurisdictions, has only a few hundred.
This is not to impugn the intentions or skill of any of these organizations or their employees. But real oversight requires redundancy that these new institutions may struggle to provide at a level appropriate for securing tens of billions of dollars in bearer instruments.
Before those numbers get even bigger (and more enticing for the bad guys), it is well past time to refine the cybersecurity standards for qualified custodian designation. Right now, the designation accompanies trust or banking licensing, overseen by state and federal regulators. These are financial regulators largely focused on traditional banking, not cybersecurity experts, and certainly not crypto experts. They understandably focus on balance sheets, legal processes, and other financial operations.
But for crypto custodians, those aren’t the only kinds of oversight that matter, or even necessarily the most important. There are no industry-wide standards for cybersecurity and risk management practices by crypto custodians specifically, meaning that “qualified custodian” status isn’t quite as reassuring as it might sound. That exposes not just investors but an entire nascent sector to opaque risk with potentially dire consequences.
The approval of a cast of bitcoin ETFs is just the latest step in the continued integration of digital assets into the financial system. You don’t have to trust crypto partisans on that prediction – just ask Blackrock, a legacy giant that championed the ETF. As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are just as important to financial stability as honest disclosures and financial audits.