When Cybersecurity Risk Exceeds Regulatory Risk (and by Several Orders of Magnitude)
Cryptocurrency Cybersecurity and its National Security Implications
Cybersecurity--at least, in industry--is all about the economic incentives. In a capitalist economy, companies only care about security so far as it affects their bottom line. Before cryptocurrency, that meant companies didn't care about cybersecurity at all. Why? Because there were no meaningful economic incentives, and the negative externalities were borne by society at large. Why spend a ton of money on a security program if it's not going to make you money and not even going to save you any money? For a corporation driven by profit motive, that's the definition of stupidity.
What is the financial value of a single piece of breached consumer PII? Close to zero, unless government regulation creates a regulatory cost for a data breach. This turned cybersecurity risk (impact: low financial loss) into regulatory risk (impact: higher financial loss from a fine or class action lawsuit). This is the lens through which Stewart Baker is looking at the world in his recent essay for Lawfare. But cryptocurrency cybersecurity is fundamentally different than its predecessors. So-called "responsible disclosure" of cryptocurrency security flaws looks different. The economic incentives look different. And the negative externalities are primarily internalized by the company breached.
The dramatic shift in how cybersecurity works in the cryptocurrency space has profound implications for national security readers concerned about North Korea or organized crime stealing cryptocurrency for use in ways contrary to US foreign policy interests.
As the CISO of Ava Labs, a multi-billion dollar cryptocurrency company based in New York City, I find it striking how much Baker's analysis does not match my lived reality. Let's unpack where he goes astray.
Economic Incentives Align, Like Planets in the Sky
If a pre-cryptocurrency corporation gets popped, in most verticals that means a breach of consumer PII. Maybe some ransomware to keep things spicy. Theft of trade secrets, if you're doing cutting edge R&D. But all of these threats come with vague price tags: consumer PII has no intrinsic value, ransomware you can solve by paying the ransom (ssh!), and you may never even realize your company trade secrets got popped--until a Chinese company suddenly starts competing against you.
But my employer, and its competitors in the cryptocurrency space, are properly incentivized to care about security, because there is a direct, immediate, and visceral financial impact to our bottom line. If we get popped and lose a couple billion dollars, we go bankrupt! If our layer one blockchain gets exploited--or one of the mission-critical smart contracts we rely on--then we are toast! Who cares about the regulatory risk? The cybersecurity risk trumps it by several orders of magnitude.
It is certainly true that many cryptocurrency companies today have atrocious security. But that is not a static situation, rather a rapidly evolving one. What we are seeing today is natural selection at work in its horrible glory--cryptocurrency companies that don't double and triple down on security are going to get destroyed. The rest of us survive.
We may lament the bleed of cryptocurrency to state and non-state actors who we'd really rather not possess it. But this is a passing early phase of cryptocurrency, and the ruthless brutality of the race for companies like mine to survive is a far greater taskmaster than any government regulation could impose.
Cryptocurrency Cybersecurity Regulations--LOL, WUT?
If my employer gets popped and we lose billions of dollars of cryptocurrency, we go out of business. Is a paltry couple million dollar fine by the FTC supposed to scare me? SRSLY? Are you going to try to fine companies billions of dollars--after they've already gone bankrupt?
This makes so little sense to me that it makes me laugh. I am a working practitioner responsible for the security of billions of dollars of crypto. I am not speaking here from theory but from raw, lived reality.
Worse, any misguided attempt to mandate cryptocurrency cybersecurity controls would be counterproductive. Consider how the last decade's worth of cybersecurity regulations have done nothing but create a vast army of "security compliance professionals", adept at checking bureaucratic boxes of security controls--controls that good hackers sidestep without breaking a sweat. If all I do is meet the poor minimum bar that is security compliance, then I am guaranteed to get rekt sooner rather than later. And less security-conscious cryptocurrency companies will get lulled into a false sense of security, thinking that "being compliant" will somehow save them.
"Responsible Disclosure" in Cryptocurrency
To repeat, cybersecurity is all about the economic incentives. This means disclosing security flaws to cryptocurrency projects is fundamentally different from doing so in traditional industries.
Consider bug bounties. Prior to cryptocurrency, a good-faith security researcher had two choices: disclose an 0-day to Microsoft or Apple (for example) and receive a token reward, maybe $50,000-$100,000 max. Or they could sell the bug on the grey market for much more--but for use by the secret police in places like Burma or the Emirates where their 0-day will be used to spy on, disappear, torture, and murder journalists and political dissidents.
Since most security researchers are not sociopaths, they follow the path of their conscience and do the right thing.
The economic incentives in cryptocurrency upend this way of thinking. A security researcher who finds an exploitable security flaw in a DeFi protocol that lets them steal $100 million could, you know, like, just steal the $100 million!
Which brings us to blood diamonds. Blockchain tracking outfits like Chainalysis are able to quickly taint any stolen coin, block fiat offramps at exchanges, and work with law enforcement around the world to make any thief's life painful.
This means a security researcher has a choice between stealing $100 million (for example)--spending the rest of their life on the run from the law, trying to launder blood diamonds that no one will touch with a ten-foot pole, and certainly not for the face value of the token or coin in question--and taking a nice fat bug bounty to report discreetly to the project in question.
How much should a cryptocurrency bug bounty be? Somewhere between "you can buy an expensive house in cash" and "you can retire and never work again." 10-15% of the total amount exploitable has become the de facto norm. For this reason, bounties of $1-2 million are now table stakes for most cryptocurrency projects.
Over the last year the startup ImmuneFi has built a successful business as the "HackerOne of the cryptocurrency space". This is not an endorsement of ImmuneFi but rather pointing out the clear emerging trend towards properly incentivizing disclosure of cryptocurrency security flaws--and also how quickly the space is maturing.
Stop Worrying and Learn to Love the "Crypto"
As a cybersecurity professional, I have spent two decades watching companies not care about security, and it has driven me crazy. Failing to protect their users. Forced only grudgingly by government regulation to actually do the bare minimum in security spend.
So it's a joy to see economic incentives properly align for good cybersecurity in the cryptocurrency space. My employer, like all cryptocurrency survivors, cares about security. This serves our shareholders, our customers, our clients, our token holders and end users (who aren't surveillance capitalist serfs).
Properly aligned security incentives also serve the interest of the government, which doesn't want to see organized criminals or sanctioned nation-states stealing cryptocurrency for use in ways contrary to US foreign policy.
Free market economies prize creative destruction. The only difference is that I'm not competing against other companies, I'm competing against North Korea and the Russian mafia. It's like the old security metaphor of the bear and two campers: "You and a friend are camping in the woods. A bear attacks. Who do you have to run faster than? The bear? Or your friend?"
Companies that smugly watch their friend get eaten are going to be next. Companies that constantly strive to stay one step ahead of the bear will survive.
I intend to survive.
Jens Porup is the Chief Information Security Officer (CISO) of Ava Labs, a multi-billion dollar cryptocurrency company based in New York City. The views expressed here do not reflect those of his employer, his dog, his goldfish, the ant he found in his kitchen last week, or anyone else living or dead. He could be a muppet. Ker-mit!