Date: 2024-01-12
As I waited, along with the rest of the world, for the first bitcoin ETF to be approved, one thing kept nagging at me: with a handful of exceptions, including Fidelity and VanEck, nearly every spot bitcoin ETF applicant intends to use Coinbase as its custodian.
David Schwed is the chief operating officer of Halborn.
As the leader of a blockchain-focused cybersecurity firm, this concentration of risk, the inherently high-stakes nature of crypto custody and the still-evolving state of security best practices give me pause.
It is not Coinbase itself that worries me. The company has never suffered a known hack, which explains why so many traditional institutions trust its expertise. But there is no such thing as an unhackable target: given enough time and resources, anyone and anything can be compromised, a lesson I learned over a career at the intersection of cybersecurity and asset management.
What worries me is the extreme concentration of assets with a single custodian. Given the cash-like nature of crypto assets, that is concerning in and of itself.
See also: Gary Gensler's Bitcoin ETF Clown Show
Perhaps it is time to rethink the "qualified custodian" designation, a regulatory sign-off that in its current form does not necessarily ensure that at-risk blockchain-based assets are protected, let alone protected as well as they could be. Digital asset custodians should also, ideally, face more oversight than they do today: tougher state and federal standards, enforced by better-trained regulators.
Today, most qualified custodians safeguard stocks, bonds or digitally tracked fiat balances, all of which are fundamentally legal agreements that cannot simply be "stolen." But bitcoin [BTC], like cash and gold, is what is known as a bearer instrument. A successful crypto hack is like a Wild West bank robbery: once the money is in the thief's hands, it is gone.
So for a crypto custodian, a single mistake is all it takes for the assets to vanish entirely.
We also know that the forces of global crypto crime are powerful and determined. To take just one notorious example, North Korea's Lazarus Group hacking team is believed to have stolen $3 billion worth of crypto over the past six years, with no sign of stopping. Inflows into bitcoin ETFs are expected to exceed $6 billion in the first trading week alone, making these funds prime targets.
If Coinbase ends up holding tens of billions of dollars in bitcoin in its digital vaults, North Korea could easily organize a $50 million operation to steal those funds, even if it took years. Threat actors like Russia's Cozy Bear/APT29 group may also find institutional crypto an increasingly attractive quarry as these pools of funds grow larger, as they likely will.
This is the level of threat that major banks prepare for. One widespread model of risk management for financial institutions utilizes three layers of oversight. First, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; and third, the audit layer makes sure that risk mitigation practices are actually effective.
On top of that, a legacy financial institution will have external auditors and external IT oversight, as well as numerous state and federal regulators looking over their shoulders. Many, many eyes will examine every aspect of risk and security.
But these multiple levels of redundancy and nesting failsafes require one deceptively simple thing: headcount.
During my time as global head of digital assets technology at BNY Mellon, the investment bank had roughly 50,000 employees, of whom around 1,000 – or 2% – were in security roles. Coinbase, even after recent expansion, has fewer than 5,000 employees. BitGo, also a qualified custodian certified by the State of New York and other jurisdictions, has only a few hundred.
This is not to impugn the intentions or skill of any of these organizations or their employees. But real oversight requires redundancy that these new institutions may struggle to provide at a level appropriate for securing tens of billions of dollars in bearer instruments.
See also: Bitcoin ETFs: The Bull Case
Before those numbers get even bigger (and more enticing for the bad guys), it is well past time to refine the cybersecurity standards for qualified custodian designation. Right now, the designation accompanies trust or banking licensing, overseen by state and federal regulators. These are financial regulators largely focused on traditional banking, not cybersecurity experts, and certainly not crypto experts. They understandably focus on balance sheets, legal processes, and other financial operations.
But for crypto custodians, those aren’t the only kinds of oversight that matter, or even necessarily the most important. There are no industry-wide standards for cybersecurity and risk management practices by crypto custodians specifically, meaning that “qualified custodian” status isn’t quite as reassuring as it might sound. That exposes not just investors but an entire nascent sector to opaque risk with potentially dire consequences.
The approval of a cast of bitcoin ETFs is just the latest step in the continued integration of digital assets into the financial system. You don’t have to trust crypto partisans on that prediction – just ask Blackrock, a legacy giant that championed the ETF. As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are just as important to financial stability as honest disclosures and financial audits.