Bitcoin and other cryptocurrencies require a digitally-secure foundation to be at all viable in the long term. Pixabay/MichaelWuensch

Bitcoin is everywhere! Its presence in mainstream media has reached near-ubiquity. And whether this frenzy of rapid appreciation represents a bubble or is a reflection of underlying value is a question that only time will be able to answer. But what’s beyond argument is that bitcoin — and other virtual, internet-based cryptocurrencies — require a digitally-secure foundation to be at all viable in the long term.

So how secure is that infrastructure? Let’s start with what we call the “technology stack,” meaning the blockchain encryption itself upon which bitcoin and other virtual currencies are based. The good news — and don’t pop the champagne quite yet, there’s bad news too — is that blockchain encryption is excellent. The underlying protocol is highly secured.

Some more good news is that the distributed nature of bitcoin — which is core to its ideology and means that there’s no centralized bank — is a security plus. That’s because there’s no single repository of account details or insider threats.

With this being the case, you may be wondering why we continually read about hacks and other breaches of bitcoin, whether it be with Enigma, CoinDash, or most recently, NiceHash. The vulnerabilities lie in the ecosystem of individuals and services who touch, handle and store the currency itself — all the way down to the endpoints.

Let me provide some framing because this gets a bit technical. Bitcoin transactions require two “keys” — both public and private — to be implemented. It’s the digital version of the famous “Two Man Rule,” which is part of our nuclear defense system. The public key includes the account number and is public because it exists on the public internet. The private key is secret and is known only to the owner. But “owners” of private information are tricked every day by conventional malware, viruses and social engineering techniques. Social engineering attacks are clever efforts that use psychological manipulation of emotions like fear and urgency to pry information out of users who feel threatened.

Once these two keys are obtained by attackers, they can steal bitcoins from digital wallets, transfer them to another account and make whatever transactions they want. This is the primary vulnerability that bitcoin owners face. Their digital wallets cannot be “air-gapped” — meaning they can’t be isolated from the internet, and there is a very low likelihood of offline wallets existing in today’s reality — so they are constantly open to attack. Some people have suggested that we create physical wallets, meaning hardware, that store keys in a protected area that malware cannot access. This is unlikely because of the cost — and beyond that, social engineering can work around this.

Another security challenge is the irreversible nature of bitcoin. In the event of a theft, there is no third party with the standing or authority to deal with the theft. The bitcoin genie cannot be put back into the blockchain bottle.

We need enforceable regulations for bitcoin to thrive as a universally trusted, freely exchangeable currency — just as banks, stock exchanges, and clearinghouses are protected by them. The right regulatory regime wouldn’t undermine bitcoin’s free and open model; on the contrary, it would enable it.

If the market cannot trust the security around bitcoin, even small breaches will have a significant impact on its volatility and value. Instability will remain its defining attribute. It will be increasingly hard to do business with entities unless they have sufficient and credible insurance that can absorb the loss that results from a breach. Criminal organizations will continue to find new ways to use bitcoin, as its anonymized nature is catnip to them. But without a strategic combination of regulation and insurance, cryptocurrencies will probably not survive, other than for very specific organizations and individuals.

I am confident that innovative entrepreneurs and traditional financial services companies will deliver on this challenge, as they have in the past when new transactional methods emerged (think credit cards and other “trust infrastructures”).

On a personal level — and recognizing that what’s lost is gone — vigilance and ongoing education are essential. Learn how to better maintain privacy, tune your individual antennae to pick up social engineering, and make anti-virus and anti-malware programs part of your regular data hygiene.

In fact, it would be smart if the leading providers of bitcoin and blockchain got together to create a consortium with education and bitcoin hygiene as its primary mission. Right now, there’s no central place for a bitcoin owner to go to learn the latest social engineering stratagems and malware techniques focused on busting into the bitcoin vault. Those open threat exchanges — where data is shared and made available to all — exist in the world of cybersecurity. We need them in bitcoin. A currency designed to work outside the system needs its own system to guarantee its future.

Avi Chesla is the Founder and CEO of empow, a cyber-security startup focused on developing security infrastructure solutions for enterprises to better mitigate cyber attacks.